07-22-2014 09:14 AM
On the Network tab / IPsec Tunnels, reading the console from left to right, which status refers to IKE phase 1 and which refers to IPsec phase 2, with regard to the green/red status bubbles?
07-22-2014 09:26 AM
Hi Infortech,
IPsec is configured in passive mode, please disable it. Follow the instructions below. Let me know if that works.
Network > Network Profiles > IKE Gateway.
07-22-2014 09:26 AM
Hello Infotech,
I hope you have configured the PA to work in passive mode. But the above-mentioned CLI command will initiate the tunnel as an initiator (not as responder). It would be better to initiate the tunnel from Cisco and then monitor the ikemgr.logs.
Thanks
07-22-2014 09:28 AM
Hi Info tech,
The first one on the left-hand side is IPsec, the second one is IKE. You can read the first line; it has tagging for IKE & Tunnel. That helps to verify the requested information.
Regards,
Hardik Shah
07-22-2014 09:31 AM
Yes, it is configured in passive mode for testing. I can take it out of passive mode and try again. What difference will it make if it's in passive mode?
07-22-2014 09:32 AM
Yes, I put it in passive mode because everything else I have tried to this point has not resolved the issue, and it appeared to be failing as the initiator, so I was going to let the ASA on the other end initiate.
07-22-2014 09:33 AM
If the tunnel is in passive mode, then the only way to bring it up is to do testing from the other end.
Basically it doesn't initiate the tunnel, but only accepts a tunnel invite. Very passive!!!
07-22-2014 09:34 AM
Everything I have looked up says you cannot initiate the tunnel from the Cisco ASA 5505 side, unless I am not reading the correct information.
07-22-2014 09:34 AM
In other words, it can accept an inbound call, but cannot make an outbound call.
07-22-2014 09:35 AM
Hi Infotech,
Is there a reason why the ASA cannot initiate the VPN tunnel?
Regards,
Hardik Shah
07-22-2014 09:36 AM
Yes, I set it that way because the PA was failing as the initiator, and I wanted to see whether the tunnel would stay up if the Cisco was the initiator.
07-22-2014 09:38 AM
I don't know if the Cisco can or cannot initiate the tunnel; I just don't know a way to manually force it to try to initiate the tunnel.
07-22-2014 09:38 AM
Hello Infotech,
If you try to send traffic through that tunnel (from the Cisco side), it will automatically initiate the tunnel and the Cisco will become the initiator.
Thanks
07-22-2014 09:40 AM
So do a ping test? Is there a particular way to do that from the Cisco side?
07-22-2014 09:41 AM
Yes, a ping test will work. (Make sure that a valid route is available in the Cisco to force that traffic to go inside the tunnel.)
Thanks