
IPSEC VPN on ASA 7.2(4) works only in initiator mode.

Hi,

I have a multimesh IPsec VPN over PIX, ASA and 2811 routers between various sites, for a new site with ASA 7.2.4,

but surprisingly, when I initiate traffic from the ASA side, the tunnel is up and hosts between the sites can ping each other.

When the session ends or the ISAKMP SA is cleared and an initiation from the other sites is attempted, the VPN tunnel is up but I cannot ping from any remote site.

Has anyone faced this before? NAT traversal, sysopt, all of them are enabled; PFS is disabled.

4 REPLIES

Re: IPSEC VPN on ASA 7.2(4) works only in initiator mode.

I've seen that you can only initiate a tunnel from one side in some cases:

1. When having the initiator-only command

2. When doing PAT through the VPN tunnel

3. When having IPsec redundancy

Maybe you have one of the above scenarios?

Federico.

Re: IPSEC VPN on ASA 7.2(4) works only in initiator mode.

Hi,

You say that if you ping from a remote site the tunnel comes up but the ping fails. Can you confirm that the IPsec tunnel is really up, i.e. you have bi-directional IPsec SAs? If so, can you see the ping packets being encrypted at the remote site device?

Re: IPSEC VPN on ASA 7.2(4) works only in initiator mode.

Hey,

Can you confirm if the NAT exemption has been configured properly for both ends? Also check the crypto ACLs on both ends. It should be one of these issues. As I understand, when the tunnel is initiated from the router end, the tunnel comes up but you are unable to ping anything? In case the NAT exempt ACL and crypto ACL are configured correctly, please check for the "ip nat inside source" statement on the router. There should be only one patting statement for the crypto map interface. In case there are multiple statements, then remove the one that does not have the NAT exempt ACL in it.

Re: IPSEC VPN on ASA 7.2(4) works only in initiator mode.

Thanks a ton, guys, for your replies. I have finally made it work.

My mistake: I had created the dynamic ipsec-isakmp on the same crypto map with sequence no. 1; it just left me that it should come last in order with the static.

It works fine now.

Thanks again.
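
The ordering mistake described in the last post can be checked for in a saved configuration. The following is an added example, not part of the thread or of any Cisco tool: a Python check that flags a dynamic crypto map entry whose sequence number is lower than a static entry in the same map. The map, ACL and dynamic-map names, the peer addresses and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (documentation addresses, made-up names).
SAMPLE_BAD = """\
crypto map outside_map 1 ipsec-isakmp dynamic dyn_map
crypto map outside_map 10 match address vpn_siteA
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address vpn_siteB
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map interface outside
"""
# Same config with the dynamic entry moved to the highest sequence number.
SAMPLE_GOOD = SAMPLE_BAD.replace("outside_map 1 ipsec", "outside_map 65535 ipsec")

ENTRY = re.compile(r"^\s*crypto map (\S+) (\d+) (.+)$")
DYNAMIC = re.compile(r"^ipsec-isakmp dynamic (\S+)")

def parse_crypto_maps(config):
    """Return {map_name: {"static": set(seq), "dynamic": {seq: dyn_name}}}."""
    maps = defaultdict(lambda: {"static": set(), "dynamic": {}})
    for line in config.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # e.g. "crypto map NAME interface IFACE" has no sequence number
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        dyn = DYNAMIC.match(rest)
        if dyn:
            maps[name]["dynamic"][seq] = dyn.group(1)
        else:
            maps[name]["static"].add(seq)
    return maps

def misordered_dynamic_entries(config):
    """List (map, dyn_seq, dyn_name, static_seqs_after) for each dynamic entry
    that is evaluated before at least one static entry of the same map."""
    findings = []
    for name, entry in sorted(parse_crypto_maps(config).items()):
        for seq, dyn_name in sorted(entry["dynamic"].items()):
            later = sorted(s for s in entry["static"] if s > seq)
            if later:
                findings.append((name, seq, dyn_name, later))
    return findings

if __name__ == "__main__":
    for name, seq, dyn, later in misordered_dynamic_entries(SAMPLE_BAD):
        print(f"{name}: dynamic entry {seq} ({dyn}) precedes static entries {later}")
```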
