Cisco - VPN site to site initial connection problem
#1

Hi,

I have a strange problem. I have a PIX 515 at central office and a PIX 506e at the remote office.

We have VPN site to site working.

When the VPN times out the VPN tunnel comes down.

The strange thing is:

when I try to send a ping from the central office to the remote office the ping fails, however, a VPN is created (show crypto isakmp sa).

If I ping from the remote office to the central office the ping works. After this I am able to ping from the central office to the remote office.

I want to be able to start the connection from the central office. What is the problem?

Thanks

Charolette

#2

Hi,

Firstly, if the PIX IOS versions are different on the peers, this could be one of the issues.

Secondly, in the Site to Site VPN Tunnel, if individual hosts are added instead of the Network address(10.0.0.0/ ends at the same time to bring up the VPN Tunnel.

Please check the same and reply

Regards
Sunil

Charolette wrote:
> Hi,
>
> I have a strange problem. I have a PIX 515 at central office and a PIX 506e at the remote office.
>
> We have VPN site to site working.
>
> When the VPN times out the VPN tunnel comes down.
>
> The strange thing is:
>
> when I try to send a ping from the central office to the remote office the ping fails, however, a VPN is created (show crypto isakmp sa).
>
> If I ping from the remote office to the central office the ping works. After this I am able to ping from the central office to the remote office.
>
> I want to be able to start the connection from the central office. What is the problem?
>
> Thanks

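Post #2's second point concerns how the traffic protected by the tunnel is defined (individual hosts versus a network address). As an added example, not code from the thread, this Python check reports crypto ACL entries on one peer that have no swapped source/destination counterpart on the other; the ACL name `101`, the /24 masks, the host 192.168.0.10 and the sample configs are constructed assumptions.

```python
import ipaddress
import re

# PIX-style entry: access-list <name> permit ip <src> <dst>, where each
# selector is "<addr> <netmask>", "host <addr>" or "any".
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")

# Constructed sample configs (not from the thread); masks are assumed.
CENTRAL_CFG = "access-list 101 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0"
REMOTE_HOST_CFG = "access-list 101 permit ip host 192.168.0.10 10.0.0.0 255.255.255.0"
REMOTE_NET_CFG = "access-list 101 permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0"


def _take_selector(tokens):
    """Consume one address selector from the token list; return a network."""
    first = tokens.pop(0)
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")


def crypto_selectors(config, acl_name):
    """Return the set of (source, destination) networks in the named ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        tokens = m.group(2).split()
        src = _take_selector(tokens)
        dst = _take_selector(tokens)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(central_cfg, remote_cfg, acl_name):
    """Entries with no mirrored counterpart, shown in the central peer's orientation."""
    central = crypto_selectors(central_cfg, acl_name)
    remote = {(d, s) for s, d in crypto_selectors(remote_cfg, acl_name)}
    return {"central_only": sorted(central - remote, key=str),
            "remote_only": sorted(remote - central, key=str)}


if __name__ == "__main__":
    print(mirror_mismatches(CENTRAL_CFG, REMOTE_HOST_CFG, "101"))
```

Both lists are empty when the two ACLs are mirror images, as with `REMOTE_NET_CFG`.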
#3

Sorry for my ignorance, I am not sure what you mean in the second point. I would assume that site-to-site VPN between Cisco PIX's should be able to work seamlessly. Anyway, when hosts are added to either end of the network, they are able to use the same VPN tunnel. As long as a device from the remote office sends a ping packet, this will allow the head office to come through the VPN tunnel.

Thanks

wrote:
> Hi,
>
> Firstly, if the PIX IOS versions are different on the peers, this could be one of the issues.
>
> Secondly, in the Site to Site VPN Tunnel, if individual hosts are added instead of the Network address(10.0.0.0/
> ends at the same time to bring up the VPN Tunnel.
>
> Please check the same and reply
>
> Regards
> Sunil
>
> Charolette wrote:
> > Hi,
> >
> > I have a strange problem. I have a PIX 515 at central office and a PIX 506e at the remote office.
> >
> > We have VPN site to site working.
> >
> > When the VPN times out the VPN tunnel comes down.
> >
> > The strange thing is:
> >
> > when I try to send a ping from the central office to the remote office the ping fails, however, a VPN is created (show crypto isakmp sa).
> >
> > If I ping from the remote office to the central office the ping works. After this I am able to ping from the central office to the remote office.
> >
> > I want to be able to start the connection from the central office. What is the problem?
> >
> > Thanks

#4

Is the remote office using a dynamic or static IP Address? If it is dynamic then you must initiate the VPN connection from the remote office as the central office has no way of knowing the IP Address.

Also, try adding "isakmp keepalive 30 5" to the remote office PIX, as far as I know this command should keep the VPN tunnel alive.

James

Charolette wrote:
> Sorry for my ignorance, I am not sure what you mean in the second point. I would assume that site-to-site VPN between Cisco PIX's should be able to work seamlessly. Anyway, when hosts are added to either end of the network, they are able to use the same VPN tunnel. As long as a device from the remote office sends a ping packet, this will allow the head office to come through the VPN tunnel.
>
> Thanks
>
> wrote:
> > Hi,
> >
> > Firstly, if the PIX IOS versions are different on the peers, this could be one of the issues.
> >
> > Secondly, in the Site to Site VPN Tunnel, if individual hosts are added instead of the Network address(10.0.0.0/
> > ends at the same time to bring up the VPN Tunnel.
> >
> > Please check the same and reply
> >
> > Regards
> > Sunil
> >
> > Charolette wrote:
> > > Hi,
> > >
> > > I have a strange problem. I have a PIX 515 at central office and a PIX 506e at the remote office.
> > >
> > > We have VPN site to site working.
> > >
> > > When the VPN times out the VPN tunnel comes down.
> > >
> > > The strange thing is:
> > >
> > > when I try to send a ping from the central office to the remote office the ping fails, however, a VPN is created (show crypto isakmp sa).
> > >
> > > If I ping from the remote office to the central office the ping works. After this I am able to ping from the central office to the remote office.
> > >
> > > I want to be able to start the connection from the central office. What is the problem?
> > >
> > > Thanks

#5

Hi,

I am not sure what you mean about whether it is static or dynamic. But both ends have their own private address. The head office is using a 10.0.0.0 network and the remote office is using a 192.168.0.0 network.

Thanks

James wrote:
> Is the remote office using a dynamic or static IP Address? If it is dynamic then you must initiate the VPN connection from the remote office as the central office has no way of knowing the IP Address.
>
> Also, try adding "isakmp keepalive 30 5" to the remote office PIX, as far as I know this command should keep the VPN tunnel alive.
>
> James
>
> Charolette wrote:
> > Sorry for my ignorance, I am not sure what you mean in the second point. I would assume that site-to-site VPN between Cisco PIX's should be able to work seamlessly. Anyway, when hosts are added to either end of the network, they are able to use the same VPN tunnel. As long as a device from the remote office sends a ping packet, this will allow the head office to come through the VPN tunnel.
> >
> > Thanks
> >
> > wrote:
> > > Hi,
> > >
> > > Firstly, if the PIX IOS versions are different on the peers, this could be one of the issues.
> > >
> > > Secondly, in the Site to Site VPN Tunnel, if individual hosts are added instead of the Network address(10.0.0.0/
> > > ends at the same time to bring up the VPN Tunnel.
> > >
> > > Please check the same and reply
> > >
> > > Regards
> > > Sunil
> > >
> > > Charolette wrote:
> > > > Hi,
> > > >
> > > > I have a strange problem. I have a PIX 515 at central office and a PIX 506e at the remote office.
> > > >
> > > > We have VPN site to site working.
> > > >
> > > > When the VPN times out the VPN tunnel comes down.
> > > >
> > > > The strange thing is:
> > > >
> > > > when I try to send a ping from the central office to the remote office the ping fails, however, a VPN is created (show crypto isakmp sa).
> > > >
> > > > If I ping from the remote office to the central office the ping works. After this I am able to ping from the central office to the remote office.
> > > >
> > > > I want to be able to start the connection from the central office. What is the problem?
> > > >
> > > > Thanks

#6

Charolette wrote:
> Hi,
>
> I am not sure what you mean about whether it is static or dynamic. But both ends have their own private address. The head office is using a 10.0.0.0 network and the remote office is using a 192.168.0.0 network.

The outside interface address of the remote office PIX - is it a static address or assigned by the ISP using DHCP?

#7

It is static

James wrote:
> Charolette wrote:
> > Hi,
> >
> > I am not sure what you mean about whether it is static or dynamic. But both ends have their own private address. The head office is using a 10.0.0.0 network and the remote office is using a 192.168.0.0 network.
>
> The outside interface address of the remote office PIX - is it a static address or assigned by the ISP using DHCP?