Solved

Testing Site to Site VPN tunnel between two ASA's

Posted on 2014-10-30
Last Modified: 2016-07-20
I've got a satellite office connecting to a main office; both are using ASA5505s. I've built the tunnel several times, but the results of show isakmp sa and show ipsec sa always return empty. I believe I will need to generate traffic between the two networks for the tunnel to be created, but I have no host workstations connected to the ASA5505 at the satellite office. Can interesting traffic be generated between two ASA5505s to open a VPN tunnel without having a host on one side to generate the traffic?

http://serverfault.com/questions/70189/cisco-asa-manually-start-a-vpn-tunnel

I have attempted what I have found in this link to manually start the VPN tunnel, but I'm always returned with an error.
packet-tracer input inside tcp 192.168.101.254 1250 192.168.10.1 80
(acl-drop) Flow is denied by configured rule.

Unsure of what I would need to add to access rules to allow this.

Major question is, is what I'm trying to do to generate interesting traffic legitimate?
Question by:paulrausch
14 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 40413153
>>Can interesting traffic be generated between two ASA5505's to open a VPN tunnel without having a host on one side to generate the traffic?

Yes, assuming both ASAs have an inside interface called 'inside',

then issue

management-access inside

Then you should be able to ping the inside interface of the ASA from the other side of the VPN tunnel.

PL
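The answer above relies on two things being true at once: the crypto ACL must match traffic sourced from the ASA's own inside address, and the ASA must be allowed to answer on that address through the tunnel. The following is an added example configuration for the main-office ASA, not taken from the thread or from any poster; the ACL/object names and the /24 subnets (192.168.10.0/24 with the inside interface at 192.168.10.1, 192.168.101.0/24 with the satellite inside interface at 192.168.101.254) are assumptions extrapolated from the packet-tracer line in the question.

```cisco
! Added example (assumed names and addressing), main-office ASA 5505.
!
! 1. The crypto ACL must include the ASA's own inside address, otherwise a ping
!    sourced from the inside interface is not "interesting traffic" and never
!    triggers IKE. A subnet-to-subnet entry covers it.
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.101.0 255.255.255.0
!
! 2. Allow the ASA to be reached on its inside interface across the tunnel
!    (ICMP/SSH/ASDM to 192.168.10.1 from the remote LAN).
management-access inside
!
! 3. Exempt site-to-site traffic from NAT so the source address stays inside the
!    crypto ACL (ASA 8.3+ object NAT syntax; object names assumed).
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.101.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! 4. Generate interesting traffic from the ASA itself: sourcing the ping from
!    the inside interface puts the packet inside the crypto ACL. The first
!    replies are normally lost while IKE negotiates.
ping inside 192.168.101.254
!
! 5. Verify: phase 1 should show a state of MM_ACTIVE; phase 2 should show
!    #pkts encaps and #pkts decaps counters increasing for the peer.
show crypto isakmp sa
show crypto ipsec sa peer <SATELLITE-OUTSIDE-IP>
```

The same three pieces (crypto ACL, management-access, NAT exemption) are needed mirrored on the satellite ASA; if the satellite's inside interface is down, as later comments in this thread show, the ASA refuses to source a ping from it regardless of this configuration.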
 
LVL 2

Author Comment

by:paulrausch
ID: 40413173
Went ahead and added management-access inside on both ends, but getting 0/5 on pings.
 
LVL 17

Expert Comment

by:James H
ID: 40413177
What do the logs show? Are the packets being denied or just not getting a response?
 
LVL 2

Author Comment

by:paulrausch
ID: 40413199
They're hitting the other ASA but they aren't coming back. Getting a couple of warning messages:

Group= (IPaddress of Router A) IP= (IPaddress of Router A), Removing peer from peer table failed, no match!
Group= (IPaddress of Router A, IP= (IPaddress of Router A), Unable to remove PeerTblEntry
IP=(IPaddress of Router A), Header invalid, missing SA payload! (next payload = 4)
 
LVL 17

Expert Comment

by:James H
ID: 40413210
That just means the tunnel isn't coming up. When you attempted to generate traffic, did you see if the tunnel attempted to come up? Doesn't seem like you are getting past phase 1.
 
LVL 2

Author Comment

by:paulrausch
ID: 40413224
sample

I can't be positive but it looks like it's at least attempting it.
 
LVL 57

Expert Comment

by:Pete Long
ID: 40413283
 
LVL 2

Author Comment

by:paulrausch
ID: 40413285
This is attempting to ping the satellite office from the main office. You can see it start attempting to bring the tunnel up.
The inside interface on the satellite office VPN is "line: down, link: down". Would this cause problems in attempting to ping between the two ASA's?

I ask because attempting to ping from the inside interface of the sat. office to the main office inside interface, it says error: inside interface is down.
 
LVL 57

Expert Comment

by:Pete Long
ID: 40413658
As a minimum, BOTH ASAs need both their interfaces up/up.
 
LVL 2

Author Comment

by:paulrausch
ID: 40413692
I've gone ahead and gotten both Interfaces set to Up/up.
Still getting
Can't find a valid tunnel group, aborting.

Removing Peer from peer table failed, no match!

Header invalid, missing SA payload.
 
LVL 2

Author Comment

by:paulrausch
ID: 40413885
Just an Update,

Pings from Router A(satellite) to Router B, sent from inside interface to inside interface IP address, don't seem to ever reach the other device.

Pings from Router B, to Router A, sent in the same fashion, reach the other side but I get the header invalid missing SA payload message.

When attempting to ping either direction from internal addresses, no responses.
When attempting to ping from A to B, I get IP= ***.***.***.***, IKE Initiator: New Phase 1, Intf NP Identity, Ifc, IKE Peer (same ip address), local proxy address (IP subnet for router A), remote proxy address (IP subnet for router B), crypto map (outside_map)
 
LVL 2

Accepted Solution

by:paulrausch (earned 0 total points)
ID: 40414478
Found the issue.

Removed all VPN related rules on both ASA's, updated ASDM and ASA firmware on the satellite location ASA. Looks like the option to allow VPN traffic to bypass access-lists was not on the older version of ASDM, and was possibly causing the entire issue. Thanks everyone for their suggestions.
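The ASDM checkbox the accepted answer refers to ("Enable inbound IPsec sessions to bypass interface access lists") is the CLI command sysopt connection permit-vpn. The block below is an added example, not configuration from the thread or from either poster, showing that global bypass next to the tighter alternative a defender would normally prefer: keep the outside ACL in force and permit only the remote LAN explicitly. The ACL name and the two /24 subnets are assumptions based on the addresses in the question.

```cisco
! Added example (assumed ACL name and subnets). Two ways to let decrypted
! site-to-site traffic through the outside interface of an ASA.
!
! Option A: what the ASDM checkbox sets. Every packet arriving through an IPsec
! tunnel skips the outside interface ACL entirely. Simple, but the remote site
! can then reach anything the crypto ACL covers.
sysopt connection permit-vpn
!
! Option B (least privilege): disable the bypass and permit only the remote LAN
! to the local LAN, so the outside ACL still limits what the remote site may
! reach. Narrow the entry further (hosts/ports) once the tunnel is proven.
no sysopt connection permit-vpn
access-list outside_access_in extended permit ip 192.168.101.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group outside_access_in in interface outside
!
! Check which mode is active on a given box:
show running-config sysopt
!
! Confirm the decrypted path end to end: an ICMP echo (type 8, code 0) from the
! satellite's inside address arriving on outside should pass the ACCESS-LIST
! phase with "ALLOW" rather than the acl-drop seen earlier in this thread.
packet-tracer input outside icmp 192.168.101.254 8 0 192.168.10.1
```

With Option A the outside ACL never sees VPN traffic, which is why an older ASDM that lacked the checkbox left decrypted packets to be judged by the interface ACL alone; with Option B the same effect is achieved with an explicit, auditable rule.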
