Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
710
Views
0
Helpful
7
Replies

Tunnel not working until remote peer initiate some traffic

leandro.candido
Level 1
Level 1

‎04-30-2009 10:18 AM - edited ‎02-21-2020 03:26 AM

Hi all,

I have configured a vpn that just working it, when we initiate the traffic. If remote to try initiate any connection, will be unble to make it.

Do you know why should is heppening this?

Just this peer is able to initiate the traffic

access-list outside_cryptomap_1 extended permit ip 1.2.3.0 255.255.255.0 4.5.6.0 255.255.255.0

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES esp-3des esp-none

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer X.X.X.X

crypto map outside_map 1 set transform-set ESP-3DES

0 Helpful
7 Replies 7

Farrukh Haroon
VIP Alumni
VIP Alumni

‎05-02-2009 06:17 AM

Do you have a 'dynamic' crypto map setup at one side? In that case only the side with the static crypto map can initiate the connection.

Regards

Farrukh

0 Helpful

leandro.candido
Level 1
Level 1

‎05-03-2009 05:54 PM

I haven't. There is no dynamic crypto at other side.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to leandro.candido

‎05-03-2009 11:37 PM

Please post more details about the setup.

What are the VPN terminating devices, IOS?

Are you using NAT-T?

What is the routing configuration?

Regards

Farrukh

0 Helpful

leandro.candido
Level 1
Level 1
In response to Farrukh Haroon

‎05-04-2009 07:06 AM

The vpn terminating device is IOS.

I dont have the information if the vpn terminating is using nat-t, the only information about vpn terminating that I have are this:

crypto isakmp policy 4

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key

crypto ipsec transform-set ZZZZZ esp-3des

crypto map XXX 11 ipsec-isakmp

set peer Y.Y.Y.Y

set transform-set ZZZZZ

match address AAAAA

ip access-list extended AAAAA

About the routing, I have a branch office that arrives via L2L until vpn and the traffic is forward to tunnel. In concern to the routing is okay.

Thank you

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to leandro.candido

‎05-09-2009 12:49 AM

Sorry I was away, please let me know if this issue is still open.

Regards

Farrukh

0 Helpful

leandro.candido
Level 1
Level 1
In response to Farrukh Haroon

‎05-09-2009 07:19 AM

yes. Is open yet.

0 Helpful

hunnetvl01
Level 1
Level 1
In response to leandro.candido

‎05-19-2009 02:51 AM

do a sh crypto isakmp sa

deb isakmp 255 and post the output

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card