Cisco Support Community

asymmetry between two ipsec peers

The IPSec tunnel between two PIXes can be initiated only from one side. What can be the reason?

The ipsec tunnel type is L2L with pre-shared key.

OS version is 7.1(2) on both sides.

3 REPLIES

Re: asymmetry between two ipsec peers

Alexander

Assuming that both are configured to recognize the other as peers (doing static IPSec tunnels rather than dynamic tunnels) it sounds like the access lists used to identify traffic for IPSec may not quite match each other. I would suggest that you compare both configs and look for something that does not match between the peers.

HTH

Rick


Re: asymmetry between two ipsec peers

Thank you, Rick.

BTW could the problem be caused by the ACLs not strictly matching each other?

I mean if we have on the first site:

10.1.0.0/21

10.1.16.0/20

and on the second site the networks are aggregated in one prefix:

10.1.0.0/16


Re: asymmetry between two ipsec peers

Alexander

Yes, ACLs not matching would be a common example of a mismatch which could cause the asymmetry that you describe. There is traffic that would be matched by the 10.1.0.0/16 that is not matched by either of the other statements. For example, if there is traffic from 10.1.65.0 it would match the /16 but not the /20 or the /21. So if there is traffic from 10.1.65.0 it would activate from one side but not from the other.

It is always good practice for the ACLs to be mirror images of each other. Sometimes it will work when they do not match. But sometimes it does not.

HTH

Rick
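The mirror-image rule from the replies above, worked through as an added example that is not part of the original thread. The script models the two crypto ACLs with the prefixes the thread quotes (10.1.0.0/21 and 10.1.16.0/20 on one side, the aggregate 10.1.0.0/16 on the other); the 10.2.0.0/24 network on the first site is an assumed value, since the thread never gives it. It checks whether the two ACLs are exact mirror images, shows which addresses (10.1.65.0 among them) one side would send into the tunnel while the other side has no matching entry, and models the responder-side check with the assumption that a responder only accepts a proposal whose proxy IDs are fully covered by one of its own ACL entries.

```python
import ipaddress

# Constructed sample: the two crypto ACLs as the thread describes them.
# 10.1.0.0/21 and 10.1.16.0/20 are the first site's networks from the thread;
# the second site aggregates them as 10.1.0.0/16. 10.2.0.0/24 is an ASSUMED
# local network for the second site's peer, not taken from the thread.
# Each tuple is (source, destination), as in "access-list NAME permit ip SRC DST".
SITE_A_ACL = [
    ("10.2.0.0/24", "10.1.0.0/21"),
    ("10.2.0.0/24", "10.1.16.0/20"),
]
SITE_B_ACL = [
    ("10.1.0.0/16", "10.2.0.0/24"),
]


def parse_acl(entries):
    """Turn (src, dst) prefix strings into (IPv4Network, IPv4Network) pairs."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in entries]


def mirror(acl):
    """Swap source and destination: what the peer's crypto ACL should contain."""
    return [(d, s) for s, d in acl]


def is_mirror_image(acl_a, acl_b):
    """Exact mirror check: same set of (src, dst) pairs with the roles swapped."""
    return set(mirror(acl_a)) == set(acl_b)


def interesting(acl, src, dst):
    """Would this ACL send a src->dst packet into the tunnel (initiator side)?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def responder_accepts(acl, proposed_src, proposed_dst):
    """ASSUMED responder behaviour: a proposal is accepted only if one local
    ACL entry fully covers the proxy IDs the peer sent. The proxy IDs are given
    already translated into this side's perspective (our src, our dst)."""
    ps = ipaddress.ip_network(proposed_src)
    pd = ipaddress.ip_network(proposed_dst)
    return any(ps.subnet_of(s) and pd.subnet_of(d) for s, d in acl)


def _subtract(nets, remove):
    """Remove one prefix from a list of prefixes (prefixes either nest or are disjoint)."""
    out = []
    for n in nets:
        if n.subnet_of(remove):
            continue                                # fully covered: drop it
        if remove.subnet_of(n):
            out.extend(n.address_exclude(remove))   # punch a hole in it
        else:
            out.append(n)                           # disjoint: keep it
    return out


def uncovered_by_peer(acl_local, acl_peer):
    """Peer source prefixes that the peer would tunnel to us but that no local
    entry covers. For each peer entry (sb, db), take every local entry (sa, da)
    whose source covers db and subtract its destination da from sb."""
    gaps = []
    for sb, db in acl_peer:
        remainder = [sb]
        for sa, da in acl_local:
            if db.subnet_of(sa):
                remainder = _subtract(remainder, da)
        gaps.extend(remainder)
    return sorted(gaps)


def gap_for(gaps, addr):
    """Return the gap prefix (as a string) that contains addr, or None."""
    a = ipaddress.ip_address(addr)
    return next((str(g) for g in gaps if a in g), None)


if __name__ == "__main__":
    a, b = parse_acl(SITE_A_ACL), parse_acl(SITE_B_ACL)
    print("ACLs are mirror images:", is_mirror_image(a, b))
    print("site B tunnels 10.1.65.1 -> 10.2.0.5:", interesting(b, "10.1.65.1", "10.2.0.5"))
    print("site A tunnels 10.2.0.5 -> 10.1.65.1:", interesting(a, "10.2.0.5", "10.1.65.1"))
    print("B accepts A's proposal (/21):", responder_accepts(b, "10.1.0.0/21", "10.2.0.0/24"))
    print("A accepts B's proposal (/16):", responder_accepts(a, "10.2.0.0/24", "10.1.0.0/16"))
    print("peer prefixes A has no entry for:", [str(g) for g in uncovered_by_peer(a, b)])
```

Running it shows the asymmetry the thread describes: site A's proposals (the /21 or the /20) sit inside site B's /16 entry and are accepted, while site B's /16 proposal is covered by nothing on site A and is refused, so the tunnel comes up only when A initiates. The uncovered list (10.1.8.0/21, 10.1.32.0/19, 10.1.64.0/18, 10.1.128.0/17) is exactly the traffic, 10.1.65.0 included, that site B would try to protect without a matching entry on the other side. Fixing it means either splitting site B's entry into the same /21 and /20, or adding the /16 on site A, so that the two ACLs are mirror images.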
