one side initiation - VPN Tunnel

a7mad_cisco
Level 1

Dear All,

I am facing an issue continuously when configuring a VPN connection with any client. What is happening is that the tunnel is a one-sided initiation, meaning that I have to send some packets from my side so the other side will be able to connect to my servers. Otherwise my client will keep trying to hit my servers, but he will only be transmitting bytes and receiving nothing from my side.

It happens with certain connections, not all.

I am using a Cisco ASA 5540.

I have checked everything: keepalive, SA lifetime, and other things, without any success.

Awaiting your feedback.

5 Replies

pompeychimes
Level 4

This type of problem is typically caused by routing and/or NAT issues. First, ensure your encryption domain definitions (ACLs) match. Second, unless the client uses its VPN device as its DFG, have them make sure they have routes in place for your address space. Finally, have the client make sure they are NATing correctly.

James

Hey there ...

First of all, thanks for the response; it really expands my troubleshooting process ...

Regarding the NATting ... both sides are using public IPs, so I don't think NAT is used on either side.

In the ASA, do I have to configure the ACL in both directions, or is one way enough?

I will definitely have the client check the routes on their side ...

Thanks again ..

Your ACL should look something like this...

    ip access-list ENCRYPT_THIS
     permit ip <your network> <his network>

The client's ACL should look like this...

    ip access-list ENCRYPT_THIS
     permit ip <his network> <your network>

James
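The mirrored-ACL point in James's reply can be checked mechanically before the two teams start comparing configs by hand. The script below is an added example, not code from the original thread or from Cisco: it parses ASA-style extended ACEs for both ends, swaps source and destination on the peer's entries, and lists every source/destination pair that has no exact counterpart on the other side. The ACL name, the addresses and the peer's rules are constructed sample data; a Check Point peer would normally express its side as a VPN domain rather than an ACL, so it is written in ASA syntax here purely for illustration.

```python
"""Check that two IPsec crypto ACLs (encryption domains) are mirror images.

Added example for this thread, not code from the original posts or from
Cisco. Parses ASA-style 'extended permit ip' ACEs on both ends and reports
which source/destination pairs lack an exact mirrored counterpart.
"""
import ipaddress
import re
from typing import NamedTuple

# Constructed sample ACLs; the addresses are not from the thread. The peer
# side is written in ASA syntax as well so one parser covers both. The second
# peer ACE is deliberately narrower (/25 against the local /24) so that the
# example has a mismatch to report.
LOCAL_ACL = """
access-list ENCRYPT_THIS extended permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list ENCRYPT_THIS extended permit ip 10.2.0.0 255.255.255.0 172.16.5.0 255.255.255.0
"""
PEER_ACL = """
access-list ENCRYPT_THIS extended permit ip 172.16.5.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list ENCRYPT_THIS extended permit ip 172.16.5.0 255.255.255.0 10.2.0.0 255.255.255.128
"""

# Only the 'permit ip NET MASK NET MASK' form is handled; anything else is an error.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


class Flow(NamedTuple):
    """One protected source/destination pair (one proxy ID pair in phase 2)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def __str__(self) -> str:
        return f"{self.src} -> {self.dst}"


def parse_crypto_acl(text: str) -> set[Flow]:
    """Parse 'access-list NAME extended permit ip SRC SMASK DST DMASK' lines."""
    flows: set[Flow] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or ASA comment
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported ACE: {line!r}")
        # strict=True rejects an address/mask pair with host bits set, which
        # would otherwise hide a typo such as 10.1.0.1 255.255.0.0.
        src = ipaddress.IPv4Network((m["src"], m["smask"]), strict=True)
        dst = ipaddress.IPv4Network((m["dst"], m["dmask"]), strict=True)
        flows.add(Flow(src, dst))
    return flows


def mirror(flows: set[Flow]) -> set[Flow]:
    """Swap source and destination: what the peer's ACL must contain."""
    return {Flow(f.dst, f.src) for f in flows}


def compare_encryption_domains(local_text: str, peer_text: str) -> dict[str, list[str]]:
    """Return exact matches and the entries present on only one side.

    The ASA negotiates phase 2 per crypto ACL entry and expects the peer's
    proxy IDs to match an entry exactly, so anything in 'only_local' or
    'only_peer' is a candidate for a tunnel that only comes up from one side.
    """
    local = parse_crypto_acl(local_text)
    peer_as_seen_locally = mirror(parse_crypto_acl(peer_text))
    return {
        "matched": sorted(str(f) for f in local & peer_as_seen_locally),
        "only_local": sorted(str(f) for f in local - peer_as_seen_locally),
        "only_peer": sorted(str(f) for f in peer_as_seen_locally - local),
    }


if __name__ == "__main__":
    for key, flows in compare_encryption_domains(LOCAL_ACL, PEER_ACL).items():
        print(f"{key}:")
        for f in flows:
            print(f"  {f}")
```

Run against the sample data it reports 10.1.0.0/16 as matched and flags 10.2.0.0/24 (local) against 10.2.0.0/25 (peer). That is the shape of mismatch to look for when the symptom is "works only when I initiate": the side whose proposal fits the other's definition can bring the SA up, the reverse proposal is rejected. When the peer is a Check Point, compare its encryption domain with the ASA ACL subnet by subnet and confirm it is negotiating one tunnel per subnet pair, since a supernetted or per-gateway proposal will not match an ASA ACL entry exactly.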

pudawat
Level 1

Hi Ahmed,

Is this firewall in a production network? Check whether NAT-T is enabled on the firewall.

Try adding the command "crypto isakmp nat-t 20" on both ends and revert.

Regards,

Pradhuman

Hey guys ....

I have checked all your suggestions; nothing seems to work ...

I think it might be a problem of integrating different platforms, because the other side is using another VPN device (Check Point).

Thanks all for your help ...