ASA based S2S VPN, tunnel is establishing only when interesting traffic hits at remote end

santoshvijapur
Level 1

Dear All,

I need your help to solve the below-mentioned problem.

A VPN tunnel is established between two ASA devices: Device A and Device B.

1) If interesting traffic initiates from the Device A LAN, the traffic hits the ACL. The tunnel is not coming up.

2) If interesting traffic initiates from the Device B LAN, the tunnel will establish and all services work.

3) After tunnel establishment from Device B, we forced the tunnel down from both ends. When interesting traffic again initiates from Device A, surprisingly the tunnel will come up. After 2 or 3 days (after the lifetime of 86400 seconds expires), when traffic is initiated from Device A, the tunnel will not establish.

(This is a backup link: interesting traffic will not be there all the time.)

Verified all parameters, everything looks fine. Below are the debug logs attached, but there is nothing more informative in the logs. Kindly suggest.

Feb 02 2010 13:23:17: %ASA-7-713236: IP = 81.145.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 496

Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Feb 02 2010 13:23:23: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Feb 02 2010 13:23:25: %ASA-7-715065: IP = 81.x.x.x, IKE MM Initiator FSM error history (struct &0x1abb1e10)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 terminating:  flags 0x01000022, refcnt 0, tuncnt 0

Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, sending delete/delete with reason message

Feb 02 2010 13:23:25: %ASA-3-713902: IP = 81.x.x.x, Removing peer from peer table failed, no match!

Feb 02 2010 13:23:25: %ASA-4-713903: IP = 81.x.x.x, Error: Unable to remove PeerTblEntry
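Added example, not part of the original post: a Python triage of the debug lines above that counts the retransmissions and queued requests and reads the role and the timed-out state out of the 715065 FSM history. The helper names `parse` and `triage` are hypothetical; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Log lines copied from the post above (peer address already masked by the poster).
SAMPLE = """\
Feb 02 2010 13:23:17: %ASA-7-713236: IP = 81.145.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 496
Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 02 2010 13:23:18: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 02 2010 13:23:23: %ASA-6-713219: IP = 81.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 02 2010 13:23:25: %ASA-7-715065: IP = 81.x.x.x, IKE MM Initiator FSM error history (struct &0x1abb1e10)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 02 2010 13:23:25: %ASA-7-713906: IP = 81.x.x.x, IKE SA MM:56f95c85 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} [\d:]{8}): %ASA-(?P<sev>\d)-(?P<id>\d{6}): "
                  r"IP = (?P<peer>[\dx.]+), (?P<text>.*)$")
FSM = re.compile(r"IKE (?P<mode>\w+) (?P<role>\w+) FSM error history.*?<event>:\s*(?P<hist>.+)$")

def parse(log):
    """Yield one dict per ASA syslog line that carries an 'IP = <peer>' field."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(log):
    """Summarise a failed phase 1 attempt: local role and the state that timed out."""
    out = {"role": None, "stalled_in": None, "resends": 0, "queued": 0, "ids": Counter()}
    for rec in parse(log):
        out["ids"][rec["id"]] += 1
        if rec["id"] == "713236" and "RESENDING" in rec["text"]:
            out["resends"] += 1        # an IKE message was retransmitted
        elif rec["id"] == "713219":
            out["queued"] += 1         # KEY-ACQUIRE held until the P1 SA completes
        elif rec["id"] == "715065":
            m = FSM.search(rec["text"])
            if m:
                out["role"] = m["role"]
                # History is a chain of "<state>, <event>" pairs joined by "-->".
                pairs = [tuple(p.strip().split(", ")) for p in m["hist"].split("-->")]
                timed_out = [p[0] for p in pairs if p[-1] == "EV_TIMEOUT"]
                # MM_WAIT_MSG2: first Main Mode message sent, no reply from the peer yet.
                out["stalled_in"] = timed_out[0] if timed_out else None
    return out

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['role']} stalled in {r['stalled_in']}: {r['resends']} resend(s), {r['queued']} queued")
```

On these lines the summary is an Initiator that timed out in MM_WAIT_MSG2, which points the investigation at why the peer is not answering the first packet rather than at the phase 2 parameters.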


Accepted Solutions

Hi, I had a similar problem a long time ago. You can choose who sets up the tunnel in your crypto map:

crypto map IPsec_map 1 set connection-type bidirectional

I hope this could help to solve your problem. Regards.


Thanks, it's working.