Cisco Support Community
Community Member

Tunnel Initiation problem

I am running an ASA5520 with Outside, Inside, Client and Branch interfaces.

The inside interface connects to the Server farm network ( only.

The client interface connects all the clients on the LAN network ( to the branches (through the Branch interface) and to the server farm with each other. All these 3 interfaces are on the same security level (100).

The branch interface connects to a Border router 3825 that has all the remote branches on DSL and point-to-point links connecting to it.

All branches have SOHO routers (837) and connect through DSL (data circuit) to the 3825 router at the Head office, through a VPN tunnel. The VPN config at the head office 3825 is a dynamic crypto map and the branches have a static one with the head office IP as the peer.

The problem that I am facing is that the VPN tunnel is initiated only when a packet destined to the inside or client network is sent...

e.g. when a ping for network is run, only then does it allow the branches to access the server farm network.

Now to connect to the client network ( I have to ping again to any host on from the branch..

My question: since there is only one VPN tunnel from branch to head office, then why do I need to ping from the branch to and both separately?? I don't really have a problem for the network because everyone at the branch connects to the servers for e-mail, internet etc., but is a problem...

Can't there be a way to auto-initiate the connection to network..... Right now I have a script running at startup on the branches that pings IP to initiate the tunnel..

************** H E L P **************

Community Member

Re: Tunnel Initiation problem

Attached is the network diagram for clarification..

Community Member

Re: Tunnel Initiation problem

Each VPN tunnel has its own crypto map that must be activated. The specified "interesting" traffic should be enough to bring up the tunnel, so there shouldn't be a need to ping across the tunnel.

Community Member

Re: Tunnel Initiation problem

There's only one VPN tunnel being initiated..

Through that tunnel one subnet ( is successfully connected while the other subnet ( cannot.

Why?? Because since the branch location ( did not send any packet to network.. the second this branch sends the first ping packet to any machine on subnet, the link is established..

But this is a problem for me since I want this link to be established if anyone on the subnet pings to subnet..

Can this be done.. ?
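As an added illustration, not configuration posted in this thread, here is what the branch 837 static crypto map and the head-office 3825 dynamic crypto map described above look like; the subnets, peer address and pre-shared key are placeholders assumed for the example because the thread's own addresses did not survive.

```cisco
! === Branch 837 (static crypto map, initiates towards the head office) ===
! Placeholder addresses, assumed for this example only:
!   hub public IP         198.51.100.1
!   branch LAN            192.168.10.0/24
!   server farm (inside)  10.1.0.0/24
!   client LAN            10.1.1.0/24
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! The crypto ACL defines the "interesting traffic". Each permit line is
! negotiated as a SEPARATE IPsec SA (its own proxy IDs) even though there is
! only one IKE SA to the hub, so the client-LAN SA does not exist until a
! packet matching its line leaves the branch. That is the behaviour seen above.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
!
! If the two head-office subnets are contiguous, one summarised line
! (10.1.0.0/23 here) yields a single IPsec SA, so traffic to either subnet
! brings both up at once and the startup ping script becomes unnecessary:
!  permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.1.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
interface Dialer0
 crypto map VPN
!
! === Head-office 3825 (dynamic crypto map) ===
! A dynamic map accepts whatever proxy IDs the branch proposes and cannot
! initiate, so the branch must always send the first packet. The wildcard
! key assumes the branches' DSL addresses are dynamic.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set TS
crypto map VPN 10 ipsec-isakmp dynamic DYN
interface GigabitEthernet0/0
 crypto map VPN
!
! Check on either router: expect one IKE SA but one IPsec SA pair per ACL line.
!  show crypto isakmp sa
!  show crypto ipsec sa
```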
