Cisco Support Community

Can't get tunnel up without pinging from remote site

The Setup:

We have a 3005 Concentrator at the central site and multiple 3002 Clients working in network extension mode. If you are at the central site you cannot access the networks behind the 3002 until someone from that side "pings" a central site IP address. As they are pinging, the first one times out and then the others go through. The VPN tunnel status shows that until the pings come across only the initial IKE sessions are built, and then after the pings the rest of the IPSEC SAs are established. In summary, the central site cannot access the remote sites until the remote sites access the central site. If you're confused please raise your hand.

Now the cheater solution is to set up some kind of always-on ping utility that would trigger the tunnels to fully come up by continuously passing traffic. Needless to say that is curing the symptoms and not the core problem. Any ideas? The only issues I can think of are that the 3002s are behind routers performing PAT and we are having to use IPSEC over TCP because the routers only allow that kind of traffic (no GRE, ESP, AH, etc.).


Re: Can't get tunnel up without pinging from remote site

This is the behaviour of hardware client in network extension mode.

You have to pass traffic from the client end, before the central end can get to the remote end.

I guess you can contact your account manager to submit a feature request for hardware client to perform some sort of quick ping when it connects to the main concentrator.
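The always-on ping workaround from the question, which the reply also points to, written out as an added example (not code from the thread or from Cisco): a keepalive run on a host behind the 3002 that keeps sending traffic toward the central site so the IPsec SAs come up, and that logs when the tunnel stays down instead of silently masking it. The central-site address 192.0.2.10, the threshold of 3 failed probes and a Linux ping(1) whose -W is in seconds are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: keepalive run on a host behind the
# 3002 so that remote-side traffic brings the IPsec SAs up.
# Assumed: CENTRAL_IP is a placeholder central-site address that answers
# ICMP; ping(1) is the Linux one (-W in seconds).
CENTRAL_IP="${CENTRAL_IP:-192.0.2.10}"
INTERVAL="${INTERVAL:-60}"   # seconds between probes
TRIES="${TRIES:-3}"          # single pings per probe
PING="${PING:-ping}"         # overridable for testing

# Return 0 if any of $2 single pings to $1 succeeds. Several tries are
# used because, as the post describes, the first ping times out while the
# SAs are still being negotiated and only the later ones get through.
probe_tunnel() {
  ip="$1"; tries="$2"; n=0
  while [ "$n" -lt "$tries" ]; do
    if $PING -c 1 -W 2 "$ip" >/dev/null 2>&1; then
      return 0
    fi
    n=$((n+1))
  done
  return 1
}

# Return 0 once $1 consecutive failed probes reach the threshold $2.
should_alert() { [ "$1" -ge "$2" ]; }

# Probe forever; log to syslog once failures pile up so a real tunnel
# outage is noticed rather than hidden behind the keepalive.
keepalive_loop() {
  failures=0
  while :; do
    if probe_tunnel "$CENTRAL_IP" "$TRIES"; then
      failures=0
    else
      failures=$((failures + 1))
      if should_alert "$failures" 3; then
        logger -t vpn-keepalive "central site $CENTRAL_IP unreachable ($failures consecutive probes)"
      fi
    fi
    sleep "$INTERVAL"
  done
}
# Start the loop only when invoked as "keepalive.sh run", so the
# functions can also be sourced.
case "${1:-}" in
  run) keepalive_loop ;;
esac
```

Run it as a system service on a host that is always on behind the 3002; with INTERVAL shorter than the concentrator's SA idle timeout the tunnel never drops back to IKE-only.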