Cisco Support Community

New Member

One way initialization of VPN

I have noticed that in my site-to-site VPN configuration only one end seems to be able to bring the tunnel up. For example, pinging from the "remote" locations will work, but pinging from the central site will not get a response from a remote PC unless the tunnel has already come up.

Used the GUI to configure the site-to-site VPN on the PIXes (501 w/ 6.34). All parameters seem to be configured correctly and pretty much the same except for peer and local addresses. Is there a problem here?

11 REPLIES
Gold

Re: One way initialization of VPN

has the remote site got a static public ip?

New Member

Re: One way initialization of VPN

Yes. Both sides have static public IP's.

Gold

Re: One way initialization of VPN

please post the config.

New Member

Re: One way initialization of VPN

Attached are configs for the central and remote PIX.

Gold

Re: One way initialization of VPN

Lall,

Add (in config mode): isakmp identity address

on both sides. It would also be useful to clear the SAs; to do this, issue: clear cry isakmp sa and clear cry ipsec sa

Save with: write mem

Hope this helps.

Jay

New Member

Re: One way initialization of VPN

Thanks for the suggestion. Will add line to my configs.

New Member

Re: One way initialization of VPN

Adding the isakmp identity address statements did not make a difference.

I noticed that at the central site show crypto isakmp sa showed -

Total: 1

Embryonic: 0

This was the same at the remote site.

'sh crypto ipsec sa' on the central pix shows "complete" information with packets encrypted, etc. At the remote end the same show command shows -

crypto map tag: outside_map, local addr. 24.x.x.x

and nothing else.

From the remote end, I was unable to connect to a PC at the central site. From the central site I was able to ping a PC at the remote site. Then, the PC at the remote site was able to ping, etc. the central site.

Gold

Re: One way initialization of VPN

just a quick question.

according to the central pix config, there are two lan-lan vpns. just wondering if there is any issue with the other one as well or just the one between these two.

New Member

Re: One way initialization of VPN

The other remote is not online as yet.

Gold

Re: One way initialization of VPN

just couldn't see any error.

after you implemented the "isakmp identity address", have you tried to re-apply all the isakmp and crypto settings?

e.g. on the central site,

no crypto map outside_map interface outside

no isakmp enable outside

crypto map outside_map interface outside

isakmp enable outside

and do the same on the remote pix as well.

New Member

Re: One way initialization of VPN

Restarted both PIXes. I have a scheduled batch file that periodically pings from a host at the central site to a host at the remote site. This keeps the VPN up. I will see what happens when the 2nd remote site is brought online.

Thanks for your suggestions.
