New Member

Only remote site can bring up IPsec tunnels

Hello,

We have a VPN from our ASA to a SonicWall in a remote country. The SonicWall is managed by a 3rd party. It seems only the remote site can bring the IPsec tunnels up. I can see the VPN is up but with 0 Tx and 0 Rx, if I ping the remote subnet from the ASA side the transmit goes up, but not the Rx. If they ping our subnet the subnets seem to spring to life.

Is there a setting they need to look at for initiating the tunnel, or any commands I can run my end to see what is happening?

4 REPLIES

Re: Only remote site can bring up IPsec tunnels

Hi,

There's a setting on the ASA to make the ASA either respond only or initiate only (make sure the ASA is not set to respond only). Respond only means that the tunnel cannot be set up from the ASA side.

Also, make sure it's a Site-to-Site tunnel, because if it's set to Dynamic (because the SonicWall has a dynamic public IP), then the tunnel can be initiated only from the SonicWall side as well.

Federico.

New Member

Re: Only remote site can bring up IPsec tunnels

It is a site-to-site VPN with static public IP addresses.

The only initiator setting I can find is something called monitor keep alives, any idea what the setting is on CLI or in the ASDM?

Re: Only remote site can bring up IPsec tunnels

FW-ASA(config)# crypto map mymap 10 set connection-type ?

configure mode commands/options:
  answer-only     Answer only
  bidirectional   Bidirectional
  originate-only  Originate only

Federico.
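An added example, not part of any reply in this thread: a small Python check that applies the two points from Federico's replies (the crypto map connection-type, and static versus dynamic map entries) to crypto map lines from a running configuration. The configuration excerpt, ACL names, the dynamic map name and the peer addresses are constructed placeholders, and the script assumes an entry with no connection-type line is bidirectional.

```python
import re
from collections import defaultdict

# Constructed sample of ASA crypto map configuration lines (not from the thread).
SAMPLE_CONFIG = """\
crypto map mymap 10 match address VPN-SITE-A
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set connection-type answer-only
crypto map mymap 20 match address VPN-SITE-B
crypto map mymap 20 set peer 198.51.100.7
crypto map mymap 30 match address VPN-SITE-C
crypto map mymap 30 set peer 192.0.2.44
crypto map mymap 30 set connection-type originate-only
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Group crypto map lines by (map name, sequence number)."""
    # Assumption: no connection-type line in the config means bidirectional.
    entries = defaultdict(lambda: {"peers": [], "connection_type": "bidirectional", "dynamic": False})
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # lines without a sequence number, e.g. the interface binding
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = entries[(name, seq)]
        if rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
        elif rest[:2] == ["set", "connection-type"]:
            entry["connection_type"] = rest[2]
        elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = True
    return dict(entries)

def can_initiate(entry):
    """Return (bool, reason): can the ASA start this tunnel itself?"""
    if entry["dynamic"]:
        return False, "dynamic map: only the remote peer can initiate"
    if entry["connection_type"] == "answer-only":
        return False, "connection-type answer-only"
    if not entry["peers"]:
        return False, "no peer configured"
    return True, "connection-type " + entry["connection_type"]

if __name__ == "__main__":
    for (name, seq), entry in sorted(parse_crypto_maps(SAMPLE_CONFIG).items()):
        ok, reason = can_initiate(entry)
        print(f"{name} {seq}: {'can initiate' if ok else 'RESPOND ONLY'} ({reason})")
```

An entry reported as originate-only can start the tunnel but will not answer the peer, so it is the mirror image of the symptom in the original question.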

New Member

Re: Only remote site can bring up IPsec tunnels

Hi, seems bidirectional is already set.

What I have noticed is if the VPN is down and I ping the remote VPN subnet phase 1 and 2 of the tunnel come up just fine, but I can't ping anything. It is not until the remote office pings back to my subnet the pinging starts to work, what could this be?
