We have a site-to-site VPN established; however, to initiate the tunnel the remote endpoint has to ping our local endpoint for the tunnel to negotiate. However, I cannot initiate the tunnel if it drops by pinging the remote end from the local end. Any suggestions? It would be much easier after a drop if I could re-initiate the tunnel here locally.
There are several things that I can think of that might result in the tunnel initiating from one end but not from the other. Do any of these apply to your situation?
- Does your device have a dynamic crypto map entry? This allows a connection from a peer whose address is learned dynamically (DHCP). An implication of this is that the tunnel can only be initiated by the dynamic peer.
- Does your peer VPN translate traffic so that their inside addresses are translated using the outside interface address? Depending on how the translation is configured, it may only build a translation when they send traffic. If you try to initiate the tunnel, there is no translation for the traffic.
- Is it possible that there is a mismatch in the access lists which identify traffic for the VPN? Is it possible that their ping to you matches the access list, but that your ping to them does not match your access list?
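As an added example for the third point (this is not code from the thread or from any vendor tool): a small checker that parses the crypto ACLs from both peers in IOS-style syntax and reports entries that are not mirrored. A proxy identity that exists on only one side lets that side bring the tunnel up while the other side's traffic never matches. The ACL text, ACL numbers and subnets below are constructed for illustration.

```python
"""Compare two Cisco-style crypto ACLs and report entries that are not mirrored.

Added example, not from the original thread. Each 'permit' on one peer must
appear on the other peer with source and destination swapped; traffic that
matches only one side's ACL can initiate the tunnel from that side only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "AclEntry":
        """The entry the peer needs: same protocol, src and dst swapped."""
        return AclEntry(self.proto, self.dst, self.src)


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.

    Returns (network, index of the next unparsed token). The wildcard is
    inverted into a netmask explicitly because '0.0.0.0' given directly as a
    mask would be read as /0 rather than as a single host.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    # strict=False canonicalises a base address that has host bits set;
    # a non-contiguous wildcard raises ValueError, which is left to the caller.
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def parse_crypto_acl(text: str) -> set:
    """Collect the permit entries of an ACL given as IOS-style lines.

    Accepts the numbered form ('access-list 110 permit ip ...'), the named
    form ('permit ip ...') and the ASA form ('access-list NAME extended
    permit ip ...'). Remarks, deny lines and blank lines are ignored.
    """
    entries = set()
    for raw in text.splitlines():
        tokens = raw.split()
        if "permit" not in tokens or "remark" in tokens:
            continue
        p = tokens.index("permit")
        proto = tokens[p + 1]
        src, i = _parse_addr(tokens, p + 2)
        dst, _ = _parse_addr(tokens, i)
        entries.add(AclEntry(proto, src, dst))
    return entries


def find_mismatches(local_acl: str, remote_acl: str) -> dict:
    """Return the entries each side lacks for the two ACLs to mirror each other."""
    local = parse_crypto_acl(local_acl)
    remote_mirrored = {e.mirrored() for e in parse_crypto_acl(remote_acl)}
    return {
        # local permits whose mirror is absent from the remote ACL
        "missing_on_remote": {e.mirrored() for e in local - remote_mirrored},
        # remote permits whose mirror is absent from the local ACL
        "missing_on_local": remote_mirrored - local,
    }


# Constructed sample ACLs (hypothetical subnets): the remote peer also
# protects 10.2.0.0/16, but the local side never added the matching line.
LOCAL_ACL = """
access-list 110 remark crypto ACL toward remote site (constructed example)
access-list 110 permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255
"""
REMOTE_ACL = """
access-list 120 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 10.2.0.0 0.0.255.255
"""

if __name__ == "__main__":
    result = find_mismatches(LOCAL_ACL, REMOTE_ACL)
    for side, entries in result.items():
        for e in sorted(entries, key=str):
            print(f"{side}: permit {e.proto} {e.src} -> {e.dst}")
```

Run against the sample, the checker reports that the local ACL lacks `permit ip 10.2.0.0/16 -> 192.168.10.0/24`: a ping from 10.2.0.0/16 on the remote side would match its crypto ACL and negotiate an SA, while a reply or a locally sourced ping to that subnet would never be selected for the tunnel here. Paste the two real ACLs in place of the constructed ones; any non-contiguous wildcard (which IPsec proxy identities cannot express anyway) will raise a `ValueError`.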
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In syslog I also se...