Solved

Testing a site-to-site VPN tunnel between two ASAs

Posted on 2014-10-30
Last Modified: 2016-07-20
I've got a satellite office connecting to a main office; both are utilizing ASA 5505s. I've built the tunnel several times, but the results of show isakmp sa and show ipsec sa always return empty. I believe I will need to generate traffic between the two networks for the tunnel to be created, but I have no host workstations connected to the ASA 5505 at the satellite office. Can interesting traffic be generated between two ASA 5505s to open a VPN tunnel without having a host on one side to generate the traffic?

http://serverfault.com/questions/70189/cisco-asa-manually-start-a-vpn-tunnel

I have attempted what I have found in this link to manually start the VPN tunnel, but I'm always returned with an error:

packet-tracer input inside tcp 192.168.101.254 1250 192.168.10.1 80
(acl-drop) Flow is denied by configured rule.

Unsure of what I would need to add to access rules to allow this.

The major question is: is what I'm trying to do to generate interesting traffic legitimate?

Question by: paulrausch
Expert Comment by: Pete Long (ID: 40413153)
>>Can interesting traffic be generated between two ASA5505's to open a VPN tunnel without having a host on one side to generate the traffic?

Yes, assuming both ASAs have an inside interface called 'inside', then issue:

management-access inside

Then you should be able to ping the inside interface of the ASA from the other side of the VPN tunnel.

PL
Author Comment by: paulrausch (ID: 40413173)
Went ahead and added management-access inside on both ends, but getting 0/5 on pings.
Expert Comment by: Spartan_1337 (ID: 40413177)
What do the logs show? Are the packets being denied or just not getting a response?
Author Comment by: paulrausch (ID: 40413199)
They're hitting the other ASA, but they aren't coming back. I'm getting a couple of warning messages:

Group= (IPaddress of Router A) IP= (IPaddress of Router A), Removing peer from peer table failed, no match!
Group= (IPaddress of Router A), IP= (IPaddress of Router A), Unable to remove PeerTblEntry
IP=(IPaddress of Router A), Header invalid, missing SA payload! (next payload = 4)
Expert Comment by: Spartan_1337 (ID: 40413210)
That just means the tunnel isn't coming up. When you attempted to generate traffic, did you see if the tunnel attempted to come up? Doesn't seem like you are getting past phase 1.
Author Comment by: paulrausch (ID: 40413224)
sample

I can't be positive but it looks like it's at least attempting it.
Expert Comment by: Pete Long (ID: 40413283)
Author Comment by: paulrausch (ID: 40413285)
This is attempting to ping the satellite office from the main office. You can see it start attempting to bring the tunnel up.
The inside interface on the satellite office VPN is "line: down, link: down". Would this cause problems in attempting to ping between the two ASAs?

I ask because, when attempting to ping from the inside interface of the sat. office to the main office inside interface, it says error: inside interface is down.
Expert Comment by: Pete Long (ID: 40413658)
As a minimum, BOTH ASAs need both their interfaces up/up.
Author Comment by: paulrausch (ID: 40413692)
I've gone ahead and gotten both interfaces set to up/up.
Still getting:

Can't find a valid tunnel group, aborting.

Removing Peer from peer table failed, no match!

Header invalid, missing SA payload.

Author Comment by: paulrausch (ID: 40413885)
Just an update:

Pings from Router A (satellite) to Router B, sent from inside interface to inside interface IP address, don't seem to ever reach the other device.

Pings from Router B, to Router A, sent in the same fashion, reach the other side but I get the header invalid missing SA payload message.

When attempting to ping in either direction from internal addresses, I get no responses.
When attempting to ping from A to B, I get: IP= ***.***.***.***, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer (same IP address), local proxy address (IP subnet for router A), remote proxy address (IP subnet for router B), crypto map (outside_map)
Accepted Solution by: paulrausch (earned 0 total points, ID: 40414478)
Found the issue.

Removed all VPN-related rules on both ASAs and updated ASDM and the ASA firmware on the satellite location ASA. It looks like the option to allow VPN traffic to bypass access lists was not in the older version of ASDM, and that was possibly causing the entire issue. Thanks everyone for their suggestions.
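The CLI form of what this thread ends up with, as an added example and not the poster's or Cisco's configuration: a minimal site-to-site setup for the satellite ASA (ASA 8.4+ syntax) with the interface-ACL bypass for VPN traffic (sysopt connection permit-vpn, the CLI equivalent of the ASDM option the solution refers to), management-access on the inside interface so the far side can ping it without a host, and the checks that show whether phase 1 and phase 2 came up. The subnets 192.168.101.0/24 and 192.168.10.0/24 are assumed from the packet-tracer line in the question; the peer 203.0.113.1, the host 192.168.101.10, the object and transform-set names and the key are placeholders.

```text
! Satellite ASA 5505, ASA 8.4+ syntax. Peer address, key and object names are placeholders.
object network NET-SAT
 subnet 192.168.101.0 255.255.255.0
object network NET-MAIN
 subnet 192.168.10.0 255.255.255.0
! Interesting traffic: anything from the satellite LAN to the main LAN (this ACL defines the tunnel, not what is permitted inbound)
access-list outside_cryptomap extended permit ip object NET-SAT object NET-MAIN
! NAT exemption (identity NAT) so the crypto ACL matches the real addresses instead of PAT-translated ones
nat (inside,outside) source static NET-SAT NET-SAT destination static NET-MAIN NET-MAIN no-proxy-arp route-lookup
! Phase 1 (IKEv1) policy; must match the main-office ASA exactly
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set and the crypto map that ties ACL, peer and transform set together
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
! For a LAN-to-LAN tunnel the tunnel-group name must be the peer IP; a mismatch produces "Can't find a valid tunnel group"
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
! Decrypted VPN traffic bypasses the outside interface ACL (on by default; re-enable explicitly if a "no" form was applied)
sysopt connection permit-vpn
! Lets the inside interface answer ping/SSH/ASDM from the far end of the tunnel
management-access inside
!
! Verification, run on the satellite ASA after the config is applied:
! the simulated host packet should now end in VPN encryption rather than acl-drop
packet-tracer input inside icmp 192.168.101.10 8 0 192.168.10.1
! a ping sourced from the inside interface is itself interesting traffic, so no host is needed to bring the tunnel up
ping inside 192.168.10.1
! phase 1 should show MM_ACTIVE, phase 2 should show non-zero #pkts encaps/decaps for this peer
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.1
```

Both ASAs need a mirrored crypto ACL, NAT exemption, policy and key; with those in place but both sides still down, the "missing SA payload" and "Removing peer from peer table failed" messages in the thread point at the peers not agreeing on phase 1 (policy, key or tunnel-group name), which show crypto isakmp sa will confirm by staying empty.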