We are having trouble with a site-to-site VPN as follows:
In this example we will use site A and site B. We have a Pix 515E at site A and a Cisco 1801 at site B with a site-to-site between the two. If we ping from site B to site A, then the tunnel comes up and we can ping in either direction and traffic flows in both directions. If we try to ping from site A to site B to bring up the tunnel, then the pings will fail. So, put another way, we can only initiate the tunnel from site B.
TROUBLESHOOTING SO FAR
We have checked the NAT and ACLs, all of which seem fine and seem comparable with other configs on working systems in the field.
Please find answers to questions so far and the config for the 1801.
We can ping from either a PC behind the 1801 or from the 1801 directly; either will bring up the tunnel. Alternatively, if we ping from the Pix we cannot initiate the tunnel. We have run debug on the 1801 but it shows nothing, as it seems the traffic is not getting over the VPN to the 1801. Just to recap: our problem is that we cannot initiate the tunnel from the Pix side, only from the 1801 side. Here is the sanitised config:
Current configuration : 6871 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
logging buffered 52000
enable secret XXXXXXXXXXXXXXXX
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.99.1 172.16.99.10
ip dhcp excluded-address 172.16.99.240 172.16.99.254