Only ASA can bring up tunnel

Unanswered Question
May 17th, 2010

Cisco router to ASA. Interesting traffic from router will not bring up tunnel. Packet tracer from ASA will bring up tunnel. Basic Phase 1 and Phase 2 configurations match. Router needs to be the side that brings up tunnel. Here is syslog from ASA when router tries. “May 14 01:02:16 odc-gw %ASA-7-710006: ESP request discarded from 6x.x.x.x to outside:2x.x.x.x.” When ASA tries Phase 2 completes and router can then access ASA’s network. ASA portions of config supplied if requested.

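The %ASA-7-710006 line quoted above means ESP packets from the peer reach the ASA's outside interface while the ASA holds no IPsec SA for them, i.e. the router is already encrypting but the negotiation never completed on the ASA side. As an added example (not from this thread), here is a small Python triage script that runs over constructed ASA syslog lines, groups such ESP discards per remote peer, and flags peers that repeatedly hit this; the addresses and the message set are constructed sample data.

```python
import re
from collections import Counter

# Matches ASA syslog 710006 lines such as the one quoted in the question:
#   "May 14 01:02:16 odc-gw %ASA-7-710006: ESP request discarded from A.B.C.D to outside:W.X.Y.Z"
DISCARD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) %ASA-\d-710006: "
    r"(?P<proto>\S+) request discarded from (?P<src>[\d.]+) to (?P<iface>\w+):(?P<dst>[\d.]+)$"
)

# Constructed sample log (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = [
    "May 14 01:02:16 odc-gw %ASA-7-710006: ESP request discarded from 203.0.113.5 to outside:198.51.100.9",
    "May 14 01:02:17 odc-gw %ASA-7-710006: ESP request discarded from 203.0.113.5 to outside:198.51.100.9",
    "May 14 01:02:19 odc-gw %ASA-7-710006: ESP request discarded from 203.0.113.5 to outside:198.51.100.9",
    "May 14 01:02:20 odc-gw %ASA-7-710006: AH request discarded from 203.0.113.7 to outside:198.51.100.9",
    "May 14 01:02:21 odc-gw %ASA-6-302013: Built inbound TCP connection 12 for "
    "outside:203.0.113.7/4433 (203.0.113.7/4433) to inside:10.0.0.5/443 (10.0.0.5/443)",
]


def parse_discard(line):
    """Return the fields of a 710006 'request discarded' line, or None for any other message."""
    m = DISCARD_RE.match(line)
    return m.groupdict() if m else None


def esp_discards_by_peer(lines):
    """Count ESP discards per (remote peer, ASA interface); other protocols and messages are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_discard(line)
        if rec and rec["proto"] == "ESP":
            counts[(rec["src"], rec["iface"])] += 1
    return counts


def triage(lines, threshold=3):
    """Peers sending ESP at least `threshold` times with no SA on the ASA.

    A peer that keeps sending ESP the ASA cannot match believes its tunnel is up
    (or keeps retransmitting) while Phase 1/2 never completed towards this ASA:
    the place to look is that peer's crypto map / ISAKMP state and any filtering
    between the two endpoints, not the ASA's own policy.
    """
    return [
        {"peer": src, "interface": iface, "count": n}
        for (src, iface), n in sorted(esp_discards_by_peer(lines).items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['peer']} -> {hit['interface']}: {hit['count']} ESP packets with no SA")
```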
Jennifer Halim (Cisco Employee) Mon, 05/17/2010 - 06:25

Can you please confirm whether both peer addresses are static, or the ASA external IP address is dynamic, hence you can only bring up the tunnel from the ASA end?

If both peer addresses are static IP addresses, and you have configured a static crypto map on both the ASA and router end, there is no reason why the tunnel cannot be brought up from the router end.

Do you have zone-based FW configured on the router that might be blocking the traffic to initiate the connection? Can you share the router config instead?

Tue, 05/18/2010 - 06:00

Excellent and timely response, thank you. I have sent an email off to the router side of the LAN-to-LAN tunnel. I believe I did hear him comment on his “high availability” and multiple ISPs.
