• Status: Solved

IPSEC question (making us the initiator, not responder)

We have an issue with one of our IPSEC sites. If I want a tunnel up, I cannot get it up from the IPSEC site. It has to be initiated from the head end. Is there any way to configure the VPN so that either side can bring up the tunnel? This is a Cisco IPSEC tunnel between two ASAs.

crypto map mymap 37 match address ipsec
crypto map mymap 37 set peer <ip hidden>
crypto map mymap 37 set transform-set aes128
crypto map mymap interface outside

crypto isakmp enable outside
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
1 Solution
If everything is set up correctly between two ASAs, then either party should be able to initiate the tunnel.

Can you post the access-list 'ipsec'?  What about the access-list that's used on the other end?  In the past I've seen this happen sometimes when the subnets and subnet masks are not exactly the same on both ends.
WERAracerAuthor Commented:
The masks are definitely the same. I would get a QM FSM error if they were not. Maybe a bug? One side is a 515e, the other ASA5505. I opened a TAC case.
WERAracerAuthor Commented:
bug in 8.05!
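
The mirror-image check on the two crypto access-lists that the answer above asks about, as an added example that is not part of the original thread. The addresses, the head-end ACL name `to_site` and the function names are constructed for illustration; only the ACL name `ipsec` comes from the posted config.

```python
import ipaddress

# Constructed sample configs (addresses and the head-end ACL name are made up).
SITE_CFG = """
access-list ipsec extended permit ip 192.168.37.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list ipsec extended permit ip 192.168.37.0 255.255.255.0 host 172.16.5.10
"""
HEAD_CFG = """
access-list to_site extended permit ip 10.0.0.0 255.0.0.0 192.168.37.0 255.255.255.0
access-list to_site extended permit ip host 172.16.5.10 192.168.37.0 255.255.255.0
"""

def _take_net(tok):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_crypto_acl(config, name):
    """Return {(proto, src_net, dst_net)} for the permit lines of ACL `name`."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", name]:
            continue
        tok = tok[3:] if tok[2] == "extended" else tok[2:]
        if tok[0] != "permit":
            continue  # remark/deny lines do not select traffic for the tunnel
        src, rest = _take_net(tok[2:])
        dst, _ = _take_net(rest)
        entries.add((tok[1], src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Entries on one side with no exact source/destination-swapped twin on the other."""
    mirrored = {(p, d, s) for p, s, d in remote}
    return sorted(local - mirrored, key=str), sorted(mirrored - local, key=str)

if __name__ == "__main__":
    site = parse_crypto_acl(SITE_CFG, "ipsec")
    head = parse_crypto_acl(HEAD_CFG, "to_site")
    only_site, only_head = mirror_mismatches(site, head)
    for p, s, d in only_site:
        print(f"site only: {p} {s} -> {d}")
    for p, s, d in only_head:
        print(f"head end expects (seen from site): {p} {s} -> {d}")
```

With the constructed input, the `host` entries pair up and the 10.0.0.0 entry is reported from both sides because one end uses 255.255.0.0 and the other 255.0.0.0.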