Cisco Support Community

New Member

Only ASA can bring up tunnel

Cisco router to ASA. Interesting traffic from the router will not bring up the tunnel. Packet tracer from the ASA will bring up the tunnel. Basic Phase 1 and Phase 2 configurations match. The router needs to be the side that brings up the tunnel. Here is the syslog from the ASA when the router tries: “May 14 01:02:16 odc-gw %ASA-7-710006: ESP request discarded from 6x.x.x.x to outside:2x.x.x.x.” When the ASA tries, Phase 2 completes and the router can then access the ASA’s network. ASA portions of config supplied if requested.

Cisco Employee

Re: Only ASA can bring up tunnel

Can you please confirm whether both peer addresses are static, or whether the ASA external IP address is dynamic, hence you can only bring up the tunnel from the ASA end?

If both peer addresses are static IP addresses, and you have configured a static crypto map on both the ASA and router ends, there is no reason why the tunnel cannot be brought up from the router end.

Do you have a zone-based FW configured on the router that might be blocking the traffic to initiate the connection? Can you share the router config instead?

New Member

Re: Only ASA can bring up tunnel

Excellent and timely response, thank you. I have sent an email off to the router side of the LAN-to-LAN tunnel. I believe I did hear him comment on his “high availability” and multiple ISPs.