Solved

Testing Site to Site VPN tunnel between two ASA's

Posted on 2014-10-30
Last Modified: 2016-07-20
I've got a satellite office connecting to a main office, both utilizing ASA5505s. I've built the tunnel several times but the results of show isakmp sa and show ipsec sa always return empty. I believe I will need to generate traffic between the two networks for the tunnel to be created, but have no host workstations connected to the ASA5505 at the satellite office. Can interesting traffic be generated between two ASA5505s to open a VPN tunnel without having a host on one side to generate the traffic?

http://serverfault.com/questions/70189/cisco-asa-manually-start-a-vpn-tunnel

I have attempted what I have found in this link to manually start the VPN tunnel, but I'm always returned with an error.
packet-tracer input inside tcp 192.168.101.254 1250 192.168.10.1 80
(acl-drop) Flow is denied by configured rule.

Unsure of what I would need to add to access rules to allow this.

Major question is, is what I'm trying to do to generate interesting traffic legitimate?
Question by:paulrausch

Expert Comment by: Pete Long
ID: 40413153
>>Can interesting traffic be generated between two ASA5505's to open a VPN tunnel without having a host on one side to generate the traffic?

Yes, assuming both ASAs have an inside interface called 'inside',

then issue

management-access inside

Then you should be able to ping the inside interface of the ASA from the other side of the VPN tunnel.

PL

Author Comment by: paulrausch
ID: 40413173
Went ahead and added management-access inside on both ends, but getting 0/5 on pings.

Expert Comment by: Spartan_1337
ID: 40413177
What do the logs show? Are the packets being denied or just not getting a response?

Author Comment by: paulrausch
ID: 40413199
They're hitting the other ASA but they aren't coming back. Getting a couple of warning messages:

Group= (IP address of Router A), IP= (IP address of Router A), Removing peer from peer table failed, no match!
Group= (IP address of Router A), IP= (IP address of Router A), Unable to remove PeerTblEntry
IP= (IP address of Router A), Header invalid, missing SA payload! (next payload = 4)

Expert Comment by: Spartan_1337
ID: 40413210
That just means the tunnel isn't coming up. When you attempted to generate traffic, did you see if the tunnel attempted to come up? Doesn't seem like you are getting past phase 1.

Author Comment by: paulrausch
ID: 40413224
sample

I can't be positive but it looks like it's at least attempting it.
 
LVL 57

Expert Comment

by:Pete Long
ID: 40413283

Author Comment by: paulrausch
ID: 40413285
This is attempting to ping the satellite office from the main office. You can see it start attempting to bring the tunnel up.
The inside interface on the satellite office VPN is "line: down, link: down". Would this cause problems in attempting to ping between the two ASAs?

I ask because when attempting to ping from the inside interface of the sat. office to the main office inside interface, it says error: inside interface is down.

Expert Comment by: Pete Long
ID: 40413658
As a minimum, BOTH ASAs need both their interfaces up/up.

Author Comment by: paulrausch
ID: 40413692
I've gone ahead and gotten both interfaces set to up/up.
Still getting:
Can't find a valid tunnel group, aborting.

Removing Peer from peer table failed, no match!

Head invalid, missing SA payload.

Author Comment by: paulrausch
ID: 40413885
Just an Update,

Pings from Router A(satellite) to Router B, sent from inside interface to inside interface IP address, don't seem to ever reach the other device.

Pings from Router B, to Router A, sent in the same fashion, reach the other side but I get the header invalid missing SA payload message.

When attempting to ping either direction from internal addresses, no responses.
When attempting to ping from A to B, I get IP= ***.***.***.***, IKE Initiator: New Phase 1, Intf NP Identity, Ifc, IKE Peer (same ip address), local proxy address (IP subnet for router A), remote proxy address (IP subnet for router B), crypto map (outside_map)
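The IKE messages quoted in this thread can be triaged mechanically. The following is an added example, not code from the thread or from Cisco: it classifies ASA IKEv1 log lines by the phase-1 stage they indicate and notes which configuration a defender should check. The message texts are the ones quoted above; the peer addresses and the sample log are constructed.

```python
"""Triage Cisco ASA IKEv1 phase-1 log messages for a site-to-site tunnel.
Added example for this thread, not the poster's or Cisco's code. Message
texts come from the thread; peer IPs are constructed (RFC 5737 range)."""
import re
from typing import Dict, List, Optional

# (regex, stage, what a defender should check). First match wins.
DIAGNOSES = [
    (r"IKE Initiator: New Phase 1", "phase1-start",
     "Local ASA initiated IKE: interesting traffic matched the crypto map."),
    (r"Can't find a valid tunnel group", "phase1-fail",
     "No tunnel-group matches this peer IP; check 'show run tunnel-group'."),
    (r"missing SA payload", "phase1-fail",
     "IKE packet without an SA payload; compare isakmp policy/mode on both peers."),
    (r"Removing peer from peer table failed|Unable to remove PeerTblEntry", "cleanup",
     "Teardown after an aborted negotiation; the root cause is an earlier line."),
]

IP_RE = re.compile(r"IP\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})")


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return peer/stage/check for a recognised line, None otherwise."""
    for pattern, stage, check in DIAGNOSES:
        if re.search(pattern, line, re.IGNORECASE):
            m = IP_RE.search(line)
            return {"peer": m.group(1) if m else "?", "stage": stage, "check": check}
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Classify every line and flag whether phase 1 failed for any peer."""
    events = [e for e in (classify_line(ln) for ln in lines) if e]
    return {
        "events": events,
        "phase1_failed": any(e["stage"] == "phase1-fail" for e in events),
        "peers": sorted({e["peer"] for e in events}),
    }


# Constructed log excerpt mirroring the messages quoted in the thread.
SAMPLE_LOG = [
    "IP = 192.0.2.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.0.2.10 "
    "local Proxy Address 10.10.0.0, remote Proxy Address 10.20.0.0, Crypto map (outside_map)",
    "Group = 192.0.2.10, IP = 192.0.2.10, Can't find a valid tunnel group, aborting...!",
    "Group = 192.0.2.10, IP = 192.0.2.10, Removing peer from peer table failed, no match!",
    "IP = 192.0.2.10, Header invalid, missing SA payload! (next payload = 4)",
]
```

Run `summarize(SAMPLE_LOG)` on a captured `show logging` excerpt to see which peer never got past a tunnel-group match before chasing access-list or NAT rules.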
 
LVL 2

Accepted Solution

by:
paulrausch earned 0 total points
ID: 40414478
Found the issue.

Removed all VPN related rules on both ASAs, updated ASDM and ASA firmware on the satellite location ASA. Looks like the option to allow VPN traffic to bypass access-lists was not in the older version of ASDM, and was possibly causing the entire issue. Thanks everyone for their suggestions.