02-20-2009 06:22 AM - edited 02-21-2020 03:18 AM
We have a site to site VPN established, however to initiate the tunnel the remote endpoint has to ping our local endpoint for the tunnel to negotiate. However, I cannot initiate the tunnel if it drops by pinging the remote end from the local end. Any suggestions? Would be much easier after a drop if I could re-initiate the tunnel here locally.
thanks
02-20-2009 12:07 PM
Is this tunnel created with Cisco devices? Can you post configs of both sides?
02-20-2009 01:16 PM
Mark
There are several things that I can think of that might result in the tunnel initiating from one end but not from the other. Do any of these apply to your situation:
- Does your device have a dynamic crypto map entry? This allows connection from a peer whose address is learned dynamically (DHCP). An implication of this is that the tunnel can only be initiated by the dynamic peer.
- Does your peer VPN translate traffic so that their inside addresses are translated using the outside interface address? Depending on how the translation is configured, it may only build a translation when they send traffic. If you try to initiate the tunnel, there is no translation for the traffic.
- Is it possible that there is a mismatch in the access lists which identify traffic for the VPN? Is it possible that their ping to you matches the access list but that your ping to them does not match your access list?
HTH
Rick
02-20-2009 06:12 PM
"VPN initialization from one endpoint only"

This is a well KNOWN issue if you have site-2-site VPN between Cisco and other VPN vendors such as Checkpoint and/or Juniper devices. The issue has to do with encryption domain mismatch. Checkpoint likes to "supernet" all the networks together and it is the default setting, whereas Cisco does not do that.

The problem you described sounds very much like an encryption mismatch.
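Two of the replies above (Rick's third bullet about crypto access lists, and the later reply about Checkpoint "supernetting" the encryption domain) come down to the same check: the proxy identities (local network, remote network) that each peer proposes for the tunnel must be exact mirror images of each other. The script below is an added example, not code from the thread or from Cisco; it parses Cisco-style `permit ip` crypto ACL lines for both sides (the remote side is written in the same syntax for comparison), and reports for each local entry whether the remote side has an exact mirror, a broader "supernet" entry that merely contains it, or nothing at all. The sample ACLs and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample crypto ACLs (not from the thread).
# Local Cisco side: traffic that should be encrypted toward the peer.
LOCAL_CRYPTO_ACL = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip host 10.1.1.5 10.3.3.0 0.0.0.255
access-list 101 permit ip 10.1.4.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

# Remote side, transcribed into the same syntax. The second entry is
# "supernetted" to 10.0.0.0/8, the way the thread says Checkpoint tends to do.
REMOTE_CRYPTO_ACL = """
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.255.255.255
"""


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # address followed by a wildcard (inverse) mask; ipaddress accepts a
    # hostmask after the slash, so 10.1.1.0/0.0.0.255 becomes 10.1.1.0/24
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return a list of (src_net, dst_net) for every 'permit ip' line."""
    pairs = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            continue  # only plain IP entries are relevant for proxy identities
        src, i = _parse_addr(tokens, i + 2)
        dst, i = _parse_addr(tokens, i)
        pairs.append((src, dst))
    return pairs


def compare_crypto_acls(local_text, remote_text):
    """Classify each local entry against the remote ACL.

    'mirror'   - remote has exactly the reversed pair (dst, src)
    'supernet' - a remote entry contains the reversed pair but is broader
                 (the encryption-domain mismatch described in the thread)
    'missing'  - no remote entry covers the reversed pair at all
    """
    remote = parse_crypto_acl(remote_text)
    report = {}
    for src, dst in parse_crypto_acl(local_text):
        key = f"{src} -> {dst}"
        if (dst, src) in remote:
            report[key] = "mirror"
        elif any(dst.subnet_of(rs) and src.subnet_of(rd) for rs, rd in remote):
            report[key] = "supernet"
        else:
            report[key] = "missing"
    return report


if __name__ == "__main__":
    for entry, status in compare_crypto_acls(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL).items():
        print(f"{status:9} {entry}")
```

Entries flagged `supernet` or `missing` are the ones to reconcile between the two administrators before looking further; the script only compares proxy identities and says nothing about the crypto map type or NAT behaviour that Rick's first two bullets cover.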