Solved

Testing Site to Site VPN tunnel between two ASA's

Posted on 2014-10-30
Last Modified: 2016-07-20
I've got a satellite office connecting to a main office; both are using ASA5505s. I've built the tunnel several times, but show isakmp sa and show ipsec sa always return empty. I believe I will need to generate traffic between the two networks for the tunnel to be created, but I have no host workstations connected to the ASA5505 at the satellite office. Can interesting traffic be generated between two ASA5505s to open a VPN tunnel without having a host on one side to generate the traffic?

http://serverfault.com/questions/70189/cisco-asa-manually-start-a-vpn-tunnel

I have attempted what I have found in this link to manually start the VPN tunnel, but I'm always returned with an error.
packet-tracer input inside tcp 192.168.101.254 1250 192.168.10.1 80
(acl-drop) Flow is denied by configured rule.

Unsure of what I would need to add to access rules to allow this.

Major question is, is what I'm trying to do to generate interesting traffic legitimate?
Question by: paulrausch

14 Comments
 
Expert Comment by: Pete Long (ID: 40413153)
>>Can interesting traffic be generated between two ASA5505's to open a VPN tunnel without having a host on one side to generate the traffic?

Yes, assuming both ASAs have an inside interface called 'inside',

then issue

management-access inside

Then you should be able to ping the inside interface of the ASA from the other side of the VPN tunnel.

PL

Author Comment by: paulrausch (ID: 40413173)
Went ahead and added management-access inside on both ends, but getting 0/5 on pings.

Expert Comment by: Spartan_1337 (ID: 40413177)
What do the logs show? Are the packets being denied or just not getting a response?
 
Author Comment by: paulrausch (ID: 40413199)
They're hitting the other ASA, but they aren't coming back. Getting a couple of warning messages:

Group= (IPaddress of Router A) IP= (IPaddress of Router A), Removing peer from peer table failed, no match!
Group= (IPaddress of Router A, IP= (IPaddress of Router A), Unable to remove PeerTblEntry
IP=(IPaddress of Router A), Header invalid, missing SA payload! (next payload = 4)

Expert Comment by: Spartan_1337 (ID: 40413210)
That just means the tunnel isn't coming up. When you attempted to generate traffic, did you see if the tunnel attempted to come up? Doesn't seem like you are getting past phase 1.

Author Comment by: paulrausch (ID: 40413224)
sample

I can't be positive but it looks like it's at least attempting it.

Expert Comment by: Pete Long (ID: 40413283)

Author Comment by: paulrausch (ID: 40413285)
This is attempting to ping the satellite office from the main office. You can see it start attempting to bring the tunnel up.
The inside interface on the satellite office ASA is "line: down, link: down". Would this cause problems in attempting to ping between the two ASAs?

I ask because attempting to ping from the inside interface of the sat. office to the main office inside interface, it says error: inside interface is down.

Expert Comment by: Pete Long (ID: 40413658)
As a minimum, BOTH ASAs need both their interfaces up/up.

Author Comment by: paulrausch (ID: 40413692)
I've gone ahead and gotten both interfaces set to up/up.
Still getting:
Can't find a valid tunnel group, aborting.

Removing peer from peer table failed, no match!

Header invalid, missing SA payload.

Author Comment by: paulrausch (ID: 40413885)
Just an update.

Pings from Router A (satellite) to Router B, sent from inside interface to inside interface IP address, don't seem to ever reach the other device.

Pings from Router B to Router A, sent in the same fashion, reach the other side, but I get the "header invalid, missing SA payload" message.

When attempting to ping in either direction from internal addresses, no responses.
When attempting to ping from A to B, I get: IP= ***.***.***.***, IKE Initiator: New Phase 1, Intf NP Identity, Ifc, IKE Peer (same IP address), local proxy address (IP subnet for router A), remote proxy address (IP subnet for router B), crypto map (outside_map)
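The IKE and ACL messages quoted in this thread can be triaged mechanically to tell how far tunnel setup got. The Python below is an added example, not code from the thread or from Cisco; the stage/hint mapping is this example's own heuristic reading of the messages, and the sample log is constructed on RFC 5737 addresses to mirror the quoted lines.

```python
import re
from collections import defaultdict

# Heuristic mapping of ASA IKE/ACL message text to a stage and a hint; the hints are
# this example's reading of the thread, not Cisco documentation.
PATTERNS = [
    (re.compile(r"IKE Initiator: New Phase 1"), "initiator",
     "this ASA began IKE phase 1: the traffic matched the crypto map"),
    (re.compile(r"Can't find a valid tunnel group"), "phase1_error",
     "no tunnel-group matched the peer address on the responder"),
    (re.compile(r"missing SA payload", re.I), "phase1_error",
     "IKE exchange rejected before an SA was agreed; phase 1 never completes"),
    (re.compile(r"Removing peer from peer table failed|Unable to remove PeerTblEntry", re.I),
     "cleanup", "cleanup after a failed negotiation; a symptom, not the cause"),
    (re.compile(r"Flow is denied by configured rule"), "acl",
     "dropped by an access-list before encryption; the crypto map is never consulted"),
]
IP_RE = re.compile(r"\bIP\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})")  # first "IP = a.b.c.d" on the line

def triage(lines):
    """Group recognised messages by peer IP: {peer: {"counts": {...}, "hints": [...]}}."""
    peers = defaultdict(lambda: {"counts": defaultdict(int), "hints": []})
    for line in lines:
        peer = next(iter(IP_RE.findall(line)), "unknown")
        for pattern, stage, hint in PATTERNS:
            if pattern.search(line):
                entry = peers[peer]
                entry["counts"][stage] += 1
                if hint not in entry["hints"]:
                    entry["hints"].append(hint)
                break  # first matching pattern wins
    return {p: {"counts": dict(e["counts"]), "hints": e["hints"]} for p, e in peers.items()}

def diagnose(lines):
    """Collapse the triage into the furthest point tunnel setup reached."""
    seen = {stage for entry in triage(lines).values() for stage in entry["counts"]}
    for stage, verdict in (("phase1_error", "phase1_failed"),
                           ("initiator", "phase1_started"), ("acl", "acl_blocked")):
        if stage in seen:
            return verdict
    return "no_attempt"

# Constructed sample modelled on the messages quoted in the thread (RFC 5737 addresses).
SAMPLE_LOG = """\
IP = 198.51.100.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.2  local Proxy Address 192.168.101.0, remote Proxy Address 192.168.10.0,  Crypto map (outside_map)
Group = 198.51.100.2, IP = 198.51.100.2, Can't find a valid tunnel group, aborting...!
Group = 198.51.100.2, IP = 198.51.100.2, Removing peer from peer table failed, no match!
Group = 198.51.100.2, IP = 198.51.100.2, Unable to remove PeerTblEntry
IP = 198.51.100.2, Header invalid, missing SA payload! (next payload = 4)
"""
```

Running `diagnose(SAMPLE_LOG.splitlines())` on the constructed sample yields "phase1_failed", which matches the expert's reading that the negotiation never gets past phase 1; an acl-drop line alone yields "acl_blocked".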
 
Accepted Solution by: paulrausch (ID: 40414478)
Found the issue.

Removed all VPN-related rules on both ASAs, and updated ASDM and ASA firmware on the satellite location ASA. It looks like the option to allow VPN traffic to bypass access-lists was not in the older version of ASDM, and was possibly causing the entire issue. Thanks everyone for their suggestions.