Cisco Support Community
New Member

5505 vpnclient

I have a few people who we distributed ASA 5505s to and configured vpnclient on them that connect to another ASA at the main site. The setup works fine, all their connectivity seems to work when they initiate it. However, after a while if we need to connect to the user's machine over the vpn tunnel sometimes some subnets won't be able to connect out to them unless the user first initiates a connection (like a ping) from their home machine to ours or if we restart the vpn session. We can connect from other subnets that the client talks to more often (like from the subnet the dns server is on)...is there any solution to this? Here is the vpnclient config:

vpnclient server *****

vpnclient mode network-extension-mode

vpnclient nem-st-autoconnect

vpnclient vpngroup **** password *****

vpnclient username **** password *****

vpnclient enable

Thanks!

5 REPLIES
Cisco Employee

Re: 5505 vpnclient

Unfortunately that is the downside of easy vpn as the first connection needs to be initiated from the client's end first before head end can access the client's side.

To be able to initiate traffic from either end of the VPN, you would need to configure static site-to-site vpn tunnel.

New Member

Re: 5505 vpnclient

I thought in NEM the ASA supported automatic tunnel initiation? According to the doc:

"The ASA 5505 configured for NEM mode supports automatic tunnel initiation". 

Does that not mean what I think it does?

Cisco Employee

Re: 5505 vpnclient

It is easy vpn, so the connection will always need to be initiated from the client side. The hub side can't initiate the connection towards the remote/client side.

When it says, "The ASA 5505 configured for NEM mode supports automatic tunnel initiation", that means the ASA 5505 client side can automatically initiate the tunnel without manual tunnel initiation from the ASA end. But it does not mean that the hub can initiate a tunnel towards the ASA 5505 client end.

New Member

Re: 5505 vpnclient

I understand the hub can't initiate the connection, however I was under the impression that the ASA would automatically initiate the connection and maintain a constant connection...which would allow two way communication.  I guess that's not the case though.

New Member

Re: 5505 vpnclient

If you want to use easyVPN but have the tunnel always up, you can use IP SLA on the client ASA, and that way periodically initiate the tunnel. It's not the best solution, but it will work.
