Can't get tunnel up without pinging from remote site
We have a 3005 Concentrator at the central site and multiple 3002 Clients working in network extension mode. If you are at the central site you cannot access the networks behind the 3002 until someone from that side "pings" a central site IP address. As they are pinging, the first one times out and then the others go through. The VPN tunnel status shows that until the pings come across only the initial IKE sessions are built, and then after the pings the rest of the IPSEC SAs are established. In summary, the central site cannot access the remote sites until the remote sites access the central site. If you're confused please raise your hand.
Now the cheater solution is to set up some kind of always-on ping utility that would trigger the tunnels to fully come up by continuously passing traffic. Needless to say, that is curing the symptoms and not the core problem. Any ideas? The only issues I can think of are that the 3002s are behind routers performing PAT and we are having to use IPSEC over TCP because the routers only allow that kind of traffic (no GRE, ESP, AH, etc.).