I think you have it the other way round. The site with the dynamic IP is the one that can initiate the VPN connection because the site with static IP won't be able to initiate the VPN connection to the dynamic site since it has a dynamic IP.
So if site 1 has dynamic IP, and site 2 has static IP, then it would work as follows:
1. ping from any site 2 host to site 1 fails
2. ping from site 1 to site 2 -- ok
3. ping from site 2 to site 1 now works.
That is the behaviour because the site with static IP won't be able to establish VPN to the dynamic IP site since the IP is "dynamic".
Correct, you won't be able to make the first connection from static to dynamic site, purely because the peer is dynamic, it won't know what IP address to reach the dynamic peer, and you have configured "originate-only" on the dynamic end, so it can only originate, not answer.
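
Added example, not posted by anyone in this thread: a sketch of the two crypto map configurations that produce the behaviour described above, assuming both ends are Cisco ASAs using IKEv1 with a pre-shared key. The map names, ACL name, subnets, the peer address 203.0.113.2 and the key placeholder are all constructed for illustration, and the IKEv1 policy and NAT exemption are assumed to be in place already.

```text
! ---- Site 1: dynamic public IP, may only initiate ----
access-list VPN_ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_ACL
! Site 2's static address is known, so it can be named as the peer
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
! This end never answers an incoming negotiation
crypto map OUTSIDE_MAP 10 set connection-type originate-only
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>

! ---- Site 2: static public IP (203.0.113.2), can only answer ----
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! No "set peer" is possible because site 1's address is unknown,
! so a dynamic crypto map accepts the tunnel when site 1 initiates
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
! A peer with an unknown address falls into the default L2L tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
```

With this layout, traffic from site 2 to site 1 has no security association to use until a host at site 1 sends traffic matching VPN_ACL and brings the tunnel up, which matches the ping sequence listed above.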