Cisco Support Community
New Member

EZVPN - Dynamic IP

Hi

I have an EZVPN Server with a static IP address and, unfortunately, EZVPN Remote clients (network extension) that will have dynamic IP addresses.
Everything is working now.

EZVPN Server is on Site_A

EZVPN Remote Site (Dynamic IP ) is Site_B

show crypto isakmp output indicates IPSEC VPN Established.

(Step 1): When a host on Site_A pings a Host_Site_B there is no reply.

(Step 2): When a host on Site_B pings a host on Site_A it replies.

I test Step 1 again and there is a reply.

Only when traffic is initiated from Site_B to Site_A is there two-way communication.

Can someone explain "Why traffic initiated from Site_A doesn't have a response"?

Thanks

ST

2 REPLIES
Hall of Fame Super Gold

Re: EZVPN - Dynamic IP

ST

Whether a ping from site A will be successful depends on the answer to a question: is there an existing IPSec SA between site A and site B? If there is an existing IPSec SA then site A knows about site B, and in particular knows what IP address to use to reach site B, and the ping will be successful. But if there is no existing IPSec SA then site A does not know what IP address to use to get to site B. And site A, acting as the server, can not initiate the IPSec SA (if you look in the config of site A there is no configuration about site B or what address to use to initiate the negotiation). So it requires some traffic from site B (such as a ping) to initiate the negotiation with site A.

HTH

Rick

New Member

Re: EZVPN - Dynamic IP

Hi Rick,

The output of sh crypto isakmp sa indicates that there is an active IPSEC between Site_A and Site_B (QM_Idle).

Can you also input if there are any watch-outs for Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface?
