Testing Site to Site VPN tunnel between two ASA's

I've got a satellite office connecting to a main office, both are utilizing ASA5505's. I've built the tunnel several times but the results of show isakmp sa and show ipsec sa always return empty. I believe I will need to generate traffic between the two networks for the tunnel to be created, but have no host workstations connected to the ASA5505 at the satellite office. Can interesting traffic be generated between two ASA5505's to open a VPN tunnel without having a host on one side to generate the traffic?


I have attempted what I have found in this link to manually start the VPN tunnel, but I'm always returned with an error.
packet-tracer input inside tcp 1250 80
(acl-drop) Flow is denied by configured rule.

Unsure of what I would need to add to access rules to allow this.

Major question is, is what I'm trying to do to generate interesting traffic legitimate?
Pete Long (Technical Consultant) commented:
>>Can interesting traffic be generated between two ASA5505's to open a VPN tunnel without having a host on one side to generate the traffic?

Yes, assuming both ASA's have an inside interface called 'inside',

then issue

management-access inside

Then you should be able to ping the inside interface of the ASA from the other side of the VPN tunnel.

paulrausch (Author) commented:
Went ahead and added management-access inside on both ends, but getting 0/5 on pings.
James H (IT Director) commented:
What do the logs show? Are the packets being denied or just not getting a response?
paulrausch (Author) commented:
They're hitting the other ASA but they aren't coming back. Getting a couple of warning messages:

Group= (IPaddress of Router A) IP= (IPaddress of Router A), Removing peer from peer table failed, no match!
Group= (IPaddress of Router A) IP= (IPaddress of Router A), Unable to remove PeerTblEntry
IP=(IPaddress of Router A), Header invalid, missing SA payload! (next payload = 4)
James H (IT Director) commented:
That just means the tunnel isn't coming up. When you attempted to generate traffic, did you see if the tunnel attempted to come up? Doesn't seem like you are getting past phase 1.
paulrausch (Author) commented:

I can't be positive but it looks like it's at least attempting it.
paulrausch (Author) commented:
This is attempting to ping the satellite office from the main office. You can see it start attempting to bring the tunnel up.
The inside interface on the satellite office VPN is "line: down, link: down". Would this cause problems in attempting to ping between the two ASA's?

I ask because attempting to ping from the inside interface of the sat. office to the main office inside interface, it says error: inside interface is down.
Pete Long (Technical Consultant) commented:
As a minimum, BOTH ASA's need both their interfaces up/up.
paulrausch (Author) commented:
I've gone ahead and gotten both Interfaces set to Up/up.
Still getting:
Can't find a valid tunnel group, aborting.

Removing Peer from peer table failed, no match!

Head invalid, missing SA payload.
paulrausch (Author) commented:
Just an update:

Pings from Router A(satellite) to Router B, sent from inside interface to inside interface IP address, don't seem to ever reach the other device.

Pings from Router B, to Router A, sent in the same fashion, reach the other side but I get the header invalid missing SA payload message.

When attempting to ping either direction from internal addresses, no responses.
When attempting to ping from A to B, I get IP= ***.***.***.***, IKE Initiator: New Phase 1, Intf NP Identity, Ifc, IKE Peer (same ip address), local proxy address (IP subnet for router A), remote proxy address (IP subnet for router B), crypto map (outside_map)
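A small triage helper, added here as an example and not part of the thread: it parses the kinds of ASA IKE log lines quoted above (constructed sample lines using documentation addresses, not the poster's logs) and reports per peer whether the negotiation is stuck in phase 1, which is what the messages in this thread indicate. The stage labels and verdict wording are this example's own, not ASA output.

```python
"""Per-peer triage of Cisco ASA IKE log lines of the kind quoted in this thread."""
import re
from collections import defaultdict

# Message fragments from the thread, mapped to stage labels (the labels are ours, not ASA text).
RULES = [
    (re.compile(r"IKE Initiator: New Phase 1"), "phase1_started"),
    (re.compile(r"Can't find a valid tunnel group"), "no_tunnel_group"),
    (re.compile(r"missing SA payload"), "phase1_no_sa_payload"),
    (re.compile(r"Removing peer from peer table failed|Unable to remove PeerTblEntry"), "peer_cleanup"),
]
PEER_RE = re.compile(r"\bIP\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample lines (RFC 5737 documentation addresses, not the poster's routers).
SAMPLE_LOG = [
    "IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 "
    "local Proxy Address 10.1.0.0, remote Proxy Address 10.2.0.0, Crypto map (outside_map)",
    "IP = 203.0.113.10, Header invalid, missing SA payload! (next payload = 4)",
    "Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from peer table failed, no match!",
    "IP = 198.51.100.7, Can't find a valid tunnel group, aborting!",
    "IP = 192.0.2.44, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.0.2.44",
]

def classify(line):
    """Stage label for one line, or 'other' for messages we do not track."""
    for pattern, label in RULES:
        if pattern.search(line):
            return label
    return "other"
def peer_of(line):
    """Peer address from the 'IP = a.b.c.d' field, or None."""
    m = PEER_RE.search(line)
    return m.group(1) if m else None
def triage(lines):
    """One verdict per peer, most specific finding first."""
    seen = defaultdict(set)
    for line in lines:
        peer = peer_of(line)
        if peer:
            seen[peer].add(classify(line))
    verdicts = {}
    for peer, labels in seen.items():
        if "no_tunnel_group" in labels:  # the ASA selects the L2L tunnel-group by peer address
            verdicts[peer] = "phase 1 rejected: no tunnel-group matches this peer address"
        elif "phase1_no_sa_payload" in labels:
            verdicts[peer] = "stuck in phase 1: IKE exchange malformed or rejected by the peer"
        elif "phase1_started" in labels:
            verdicts[peer] = "phase 1 initiated, no failure logged for this peer"
        else:
            verdicts[peer] = "only peer-table cleanup noise, no negotiation seen"
    return verdicts
```

Run `triage(SAMPLE_LOG)` to get one verdict per peer address; feed it real `show logging` output to see which side never gets past phase 1.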
paulrausch (Author) commented:
Found the issue.

Removed all VPN related rules on both ASA's, updated ASDM and ASA firmware on the satellite location ASA. Looks like the option to allow VPN traffic to bypass access-lists was not on the older version of ASDM, and was possibly causing the entire issue.  Thanks everyone for their suggestions.
