IPSEC VPN on ASA 7.2(4) works only in initiator mode .

Unanswered Question
Sep 22nd, 2010
User Badges:


i have multimesh ipsec vpn over pix ,asa and 2811 routers between various sites ,for a new site with Asa 7.2.4

but suprisingly when i initiate traffic from asa side tunnel is up and host between the sites can ping each other.

When the  session is end or isakmp sa is cleared and a initiate from other sites are attempted VPN tunnel is up bt cannot ping from any remote site.

anyone faced this before ? nat traversal ,sysopt all of them are enable, pfs is disabled

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Federico Coto F... Wed, 09/22/2010 - 12:52
User Badges:
  • Green, 3000 points or more

I've seen that you can only initiate a tunnel from one side on some cases:

1. When having the initiator-only command

2. When doing PAT through the VPN tunnel

3. When having IPsec redundancy

Maybe you have one of the above scenarios?


Andrew Ward Thu, 09/23/2010 - 08:28
User Badges:


you say that if you ping from a remote site the tunnel comes up but the ping fails. Can you confirm that the IPsec tunnel is really up i.e. you have bi-directional IPsec SAs? If so can you see the ping packets being encrypted at the remote site device?

nseshan Thu, 09/23/2010 - 10:25
User Badges:

Hey ,

can you confirm if the NAT exemption has been configured properly for both ends? Also check the crypto acls on both ends. It should be one of these issues. As i understand, when the tunnel is initiated from the router end, the tunnel comes up but you are unable to ping anything? In case the nat exempt acl and crypto acl are configured correctly, please check for the "ip nat inside source" statement on the router. there should be only one patting statement for the crypto map interface. In case there are multiple statements, then remove the one that is not having the nat exempt acl in it.

alanhong Fri, 09/24/2010 - 06:13
User Badges:

Thanks a Ton guys for your replies ,i have finally made it work

My mistake i had created the dynamic ipsec-isakmp on the same cryptomap with a sequence no 1 ,it just left me it should come least order with the static

it works fine now

thanks again


This Discussion