Can only start SA between two spokes from one of the spokes
I have an ASA as a hub for multiple VPN connections. In this case I have users coming into either IPsec or SSL VPNs terminating on this ASA. They are able to reach anything except for one site. This site (other spoke) is configured on the ASA for dynamic IPsec VPN. This remote site is an 1800 router on a DSL line.
If I ping from the VPN clients to the remote site internal network I get no response and the IPsec SA does not start up for that subnet-to-subnet traffic. If I ping from the remote site to an internal location it works fine and the IPsec SA is up and active for that traffic. If I ping from the remote site to a VPN user it takes a second but then brings up the correct IPsec SA for that traffic as well. Once that's active I can ping from the VPN client to the remote site.
What's going on here that I can't establish that IPsec SA from the VPN clients, and yet once the SA is active it works fine?
Re: Can only start SA between two spokes from one of the spokes
Federico, thanks! I'm guessing you got it right. I'm trying to have the SA start when traffic comes from the VPN client side, not the dynamic remote side. Guess that won't work. OK, thanks for the help!
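To make the one-way behaviour in the thread concrete, here is an added configuration sketch (not from the original post, Federico's reply, or Cisco) of the two crypto-map styles involved: on the ASA hub the 1800 is matched by a dynamic crypto map, which carries no peer address, so the hub has nothing to send IKE to until the spoke has connected; the spoke's static crypto map names the hub as its peer and can therefore initiate. The ASA 8.4+ `ikev1` syntax, all names, the pre-shared key, and the 203.0.113.1, 192.168.10.0/24, 10.0.0.0/24 and 10.0.1.0/24 addresses are assumptions.

```cisco
! ---- ASA hub (assumed ASA 8.4+ syntax; names and addresses are placeholders) ----
! Remote-access clients and the 1800 both land on this dynamic map.
! A dynamic map entry has no "set peer": the hub only learns the spoke's
! address when the spoke's IKE request arrives, so the hub cannot originate
! an SA for hub->spoke or VPN-client->spoke traffic on its own.
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-SPOKES 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
! Client->spoke traffic enters and leaves the same interface (hairpin).
same-security-traffic permit intra-interface
! A LAN-to-LAN peer with an unknown address is matched by DefaultL2LGroup.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME

! ---- Cisco 1800 spoke on DSL (IOS; hub public address 203.0.113.1 is a placeholder) ----
! The spoke's crypto map is static: "set peer" names the hub, so any
! interesting traffic leaving Dialer0 triggers IKE toward 203.0.113.1.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! 192.168.10.0/24 = spoke LAN, 10.0.0.0/24 = hub LAN, 10.0.1.0/24 = VPN client pool (all assumed)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map SPOKE-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-SHA
 match address VPN-TRAFFIC
interface Dialer0
 crypto map SPOKE-MAP
```

A hub-originated tunnel would need a static crypto map entry with `set peer` on the ASA, which in turn requires a fixed, reachable address on the spoke; with a dynamic-map spoke the first packet must come from the spoke side.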