
Using a Cisco ASA, is it possible to manually bring up a LAN-to-LAN VPN tunnel and SA from the device, rather than having one of the systems that is part of the VPN initiate traffic to start the VPN?

I'd like to avoid having to trigger a ping on one of the systems in a VPN to start the VPN, to make troubleshooting a bit quicker.

DrStalker

5 Answers

In Cisco ASA OS 7.0 or greater, you can establish the tunnel by simulating interesting traffic with the packet-tracer command. Here's an example - substitute IP addresses from your networks:

packet-tracer input inside tcp 10.100.0.50 1250 10.200.0.100 80
                    ^      ^   ^           ^    ^            ^
                    |      |   |           |    |            Dst Port
                    |      |   |           |    Dst IP
                    |      |   |           Src Port
                    |      |   Src IP
                    |      Protocol
                    Source Interface

You can use the output of the command to help diagnose any issues as to why traffic didn't successfully pass as well, but the command itself will actually stimulate the VPN and establish both the ISAKMP and IPsec SAs.

Tim Valis
  • I'm pretty sure that only simulates the traffic to see if it *would* go through and shows you the process a packet would go through on its way. It doesn't actually spoof the source to generate real traffic that would bring up a tunnel. – theglossy1 Oct 02 '17 at 21:17
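The answer above suggests reading the packet-tracer output to see where a simulated packet was dropped. As an added example (not from the answer, not Cisco's code), here is a small Python parser that condenses that phase-by-phase output into the facts that matter for a LAN-to-LAN tunnel check: the final action, the first phase that dropped the packet, and whether the VPN encrypt phase was reached and allowed. The sample output embedded in the script is constructed for the example and only modelled on the general Phase / Type / Subtype / Result layout; exact wording and field order differ between ASA releases, so treat the field names as assumptions to adjust against your own device's output.

```python
"""Summarise ASA 'packet-tracer' output for VPN troubleshooting (added example)."""
import re

# Constructed sample output, modelled on the Phase/Type/Subtype/Result layout
# that packet-tracer prints; exact wording differs between ASA releases.
# Here the simulated packet passes routing and the ACL but is dropped at the
# VPN encrypt phase, as happens when the flow is not matched by the crypto ACL.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Additional Information:
found next-hop 192.0.2.1 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list inside_in extended permit ip any any

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.MULTILINE)
WANTED = ("Type", "Subtype", "Result")


def parse_phases(text):
    """Return one dict per 'Phase:' block: number, type, subtype, result."""
    phases = []
    starts = list(PHASE_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        fields = {}
        for line in text[m.end():end].splitlines():
            key, sep, value = line.partition(":")
            key = key.strip()
            # First occurrence wins: the trailing summary also starts with a
            # bare "Result:" line, which must not overwrite the phase verdict.
            if sep and key in WANTED and key.lower() not in fields:
                fields[key.lower()] = value.strip()
        phases.append({"number": int(m.group(1)),
                       "type": fields.get("type", ""),
                       "subtype": fields.get("subtype", ""),
                       "result": fields.get("result", "")})
    return phases


def final_verdict(text):
    """Return (action, drop_reason) from the summary block; drop_reason is None when allowed."""
    action = reason = None
    for line in text.splitlines():
        if line.startswith("Action:"):
            action = line.partition(":")[2].strip()
        elif line.startswith("Drop-reason:"):
            reason = line.partition(":")[2].strip()
    return action, reason


def summarize(text):
    """Condense a run into what matters for a LAN-to-LAN tunnel check."""
    phases = parse_phases(text)
    action, reason = final_verdict(text)
    first_drop = next((p for p in phases if p["result"] == "DROP"), None)
    vpn = next((p for p in phases if p["type"] == "VPN" and p["subtype"] == "encrypt"), None)
    drop_at = None if first_drop is None else (first_drop["number"], first_drop["type"], first_drop["subtype"])
    return {
        "action": action,
        "drop_reason": reason,
        "phases_seen": len(phases),
        "first_drop": drop_at,
        # The ASA only triggers the IKE/IPsec negotiation for a flow that is
        # allowed through the VPN encrypt phase.
        "reached_vpn_encrypt": vpn is not None,
        "vpn_encrypt_allowed": vpn is not None and vpn["result"] == "ALLOW",
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_OUTPUT)
    print(f"action={s['action']} phases={s['phases_seen']}")
    if s["first_drop"]:
        num, typ, sub = s["first_drop"]
        print(f"first drop at phase {num} ({typ}/{sub}): {s['drop_reason']}")
```

Paste the real output into `summarize()` in place of the constructed sample; if `reached_vpn_encrypt` is False the packet never got as far as the tunnel (routing, ACL or NAT stopped it first), and if it is True but not allowed the crypto ACL or peer configuration is the place to look.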

You have to present "interesting traffic" to the ASA. There's no command that would bring up the tunnel without traffic.

Max Alginin

I second the advice of ynguldyn.

On the ISR series router you can test the VPN by having the router generate traffic for you, but there is no such option on the ASA platform.

Tom Bell

Using 8.4+ we just added a Meinberg Windows NTP server for network time on the receiving end of the tunnel and added this to the remote ASA config:

ntp server xxx.xxx.xxx.xxx source inside prefer

(where xxx.xxx.xxx.xxx is the IP address of the NTP server). That keeps our tunnels up indefinitely, since NTP generates the interesting traffic right on the remote ASA 5505.

Trev

ping inside "ip address at the other end of the tunnel"

The inside interface will have to be in the encryption domain.

This requires that the management-interface command is set to the inside interface, e.g. "management-interface inside".

Let's say you have a bunch of interface mappings in your VPN tunnel to the other end. To test each of them, do the following. For example, to test from the dmz interface:

management-interface dmz
ping dmz a.b.c.d

where a.b.c.d is on the other end of the tunnel end-point.

Tested on an ASA 8.3 to an ASA 8.2.

By the way, if you have multiple network mappings in the same crypto ACL, don't use set reverse-route on the crypto map entry. This may cause issues with the way the ASA uses the crypto ACL to create new tunnel mappings.