Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Connection oddity

I am running a PIX515E, OS 6.3(4) UR at our central office and have multiple PIX501s in our field offices running 6.3(4).

Each remote site has a VPN Tunnel to the central site.

The configuration for each remote PIX is the same other than WAN/LAN IP Addressing, hostname, and PSK.

The VPN Tunnels are established quite quickly and rarely give me any problems.

At the central site, we have 6 VLANs that need to be accessible to the remote clients, and of course, support personnel at the central site need to be able to access the machines on the remote networks.

The oddity that I'm running into is that if I reboot a remote device and/or clear the security associations, support personnel at the central site don't seem to be able to initiate communications to the remote site.

If a computer at the remote site pings a host on the network that the support personnels' workstations are on, afterwards the support personnel can contact the remote clients on demand.

What I need to enable is that the support personnel can initiate communications from the central site to the remote sites at any time without needing a client machine at the remote site to establish a connection to the central site first.

Has anyone seen this type of behavior before and can it be fixed?

Thank you.

Cisco Employee

Re: VPN Connection oddity


Based upon your comments, looks like you have Dynamic to static IPSEC configuration. Where, the pix 515E has a static ip address and the Pix 501's are getting Dynamic ip addresses from the provider.

If the above statement is correct, then what you are running into is the limitation on dynamic to static configuration.

In case if you are doing EzVPN and running into the issue, do let me know what Mode you are using, Client Mode or Network Extension mode.

I hope it helps.



** Please rate all helpful posts **

New Member

Re: VPN Connection oddity

Both ends are static IPs

I figured it out lte yesterday.

In an effort to simplify the access-lists for the VPNs at the central site,I replaced the multiple access-list VPN_SOMEPLACE permit ip AAA.BBB.CCC.DDD WWW.XXX.YYY.ZZZZ statements with a single:

access-list VPN_SOMEPLACE permit ip any WWW.XXX.YYY.ZZZ


That allowed the remote sites to establish connectivity to the central site but the central site couldn't establish connectivity to the remote sites.

As soon as I placed access-list statements with specific networks higher than the any statements, nodes in the central site could establish connectivity.

CreatePlease login to create content