topic Re: ASA 5515 help in Network Security

ASA 5515 help

coreillycisco — Sat, 02 Dec 2023 23:51:11 GMT

Moved cisco firewall to new location and now cannot connect to the VPN, Does anyone know how to fix this issue? In down state now. I still have to clean configs, but wanted to get this in place. So I moved the firewall from Atlanta Georgia to Jacksonville Florida into a Colo. I switched IP addresses and still cannot connect to VPN. I am new to this and not sure what I am doing.

Re: ASA 5515 help

MHM Cisco World — Sat, 02 Dec 2023 23:53:41 GMT

Vpn s2s or anyconnect ?

Can you share config?

MHM

Re: ASA 5515 help

coreillycisco — Sat, 02 Dec 2023 23:59:01 GMT

Anyconnect. Here is the running config. Still messy but I will clean it up.

Re: ASA 5515 help

MHM Cisco World — Sun, 03 Dec 2023 01:08:38 GMT

You have vti and ipsec vpn' many command lines you have.

But let start from basic

Do you check reachability' since I think public IP of outside interface change?

Do you modify peer config to match your IP change?

Try clear crypto (for ipsec s2s vpn)

MHM

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 01:17:16 GMT

I can ping the IP 72.15.233.225. I do not know where peer config is. I am using ASDM. How do I clear crypto with ASDM?

Re: ASA 5515 help

MHM Cisco World — Sun, 03 Dec 2023 01:31:55 GMT

In the ASDM

Go to Monitoring, then select VPN from the list of Interfaces
Then expand VPN statistics and click on Sessions.
Choose the type of tunnel you're looking for from the drop-down at the right (IPSEC Site-To-Site for example.)
Click on the tunnel you wish to reset and then click Logout in order to reset the tunnel.

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 01:37:40 GMT

When doing so there are no sessions there. See attachment. Is this an issue?

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 15:25:28 GMT

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel.

Re: ASA 5515 help

Rob Ingram — Sun, 03 Dec 2023 15:31:25 GMT

@coreillycisco you do not appear to have a default route via your outside interface "Flexential" in your configuration and the error from your debugs below confirms it failed to find the next hop address:

6|Dec 03 2023|10:19:27|110003|Ifc||40.70.3.44|62465|Routing failed to locate next hop for udp from NP Identity Ifc:72.15.233.225/62465 to Flexential:40.70.3.44/62465

Create a default route, example:-

route Flexential 0 0 <next hop ip address>

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 16:21:57 GMT

I am new to cisco and using what they have. They use ASDM. And I am not sure what next hop ip i need to be using. The ones I try say cannot be routed.

Re: ASA 5515 help

Rob Ingram — Sun, 03 Dec 2023 16:26:38 GMT

@coreillycisco you need to use the IP address of the upstream router (your ISP) as the next hop. The only usable IP addresses in the public network of the Flexential interface are - 72.15.233.225 - 72.15.233.230, so it's either .226, .227, .228, .229 or .230

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 16:30:33 GMT

Would this be to my Internal subnet? Such as: route Flexential 0.0.0.0 0.0.0.0 10.1.3.1 1

Re: ASA 5515 help

Rob Ingram — Sun, 03 Dec 2023 16:34:14 GMT

@coreillycisco no, 10.1.3.1 1 isn't even in the same network as the Flexential interface (Gi0/4) .You need a default route to the internet via the Flexential interface - which is in the 72.15.233.225/28 network, therefore the next hop is either .226, .227, .228, .229 or .230.

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 16:35:55 GMT

Ok, Yeah I see what you are saying. Been a long week. I will add that route.

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 16:43:34 GMT

So I now have the route as: route Flexential 0.0.0.0 0.0.0.0 72.15.233.226 1

Is there somewhere else I have to change for anyconnect?

Re: ASA 5515 help

Rob Ingram — Sun, 03 Dec 2023 16:52:17 GMT

@coreillycisco are you sure it's .226? Can you ping it from the ASA itself? I cannot ping that IP address but I can ping .227

Have you tried accessing the internet from the ASA? Ping something (i.e. 8.8.8.8), does it work? If not AnyConnect will not work, nor will anything else.

If AnyConnect was pre-configured to use a DNS hostname and that resolved to the old IP address (the one you changed) you will also need to update the DNS entry in the public DNS or use the IP address of the ASA (72.15.233.225) instead - you will get a certificate error though.

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 17:07:29 GMT

Yeah i changed that in our DNS. I can ping .226, but .227 is: Reply from 72.15.233.227: Destination net unreachable.

>ping 72.15.233.227

Pinging 72.15.233.227 with 32 bytes of data:
Reply from 72.15.233.227: Destination net unreachable.
Reply from 72.15.233.227: Destination net unreachable.
Reply from 72.15.233.227: Destination net unreachable.
Reply from 72.15.233.227: Destination net unreachable.

Ping statistics for 72.15.233.227:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

>ping 72.15.233.226

Pinging 72.15.233.226 with 32 bytes of data:
Reply from 72.15.233.226: bytes=32 time=317ms TTL=240
Reply from 72.15.233.226: bytes=32 time=22ms TTL=240
Reply from 72.15.233.226: bytes=32 time=22ms TTL=240
Reply from 72.15.233.226: bytes=32 time=21ms TTL=240

Ping statistics for 72.15.233.226:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 317ms, Average = 95ms

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 17:10:35 GMT

Oh sorry. Ping from ASA is timing out.

Re: ASA 5515 help

Rob Ingram — Sun, 03 Dec 2023 17:17:37 GMT

@coreillycisco I assume you pinged an IP address such as 8.8.8.8 and not a DNS name? If you cannot ping from the ASA to an IP address on the internet then routing is still not working. Run a ping and traceroute from the ASA to 8.8.8.8 and provide the output.

Confirm with your ISP what their router IP address is.

Re: ASA 5515 help

coreillycisco — Sun, 03 Dec 2023 17:38:17 GMT

Yes, I pinged 8.8.8.8. Here is the traceroute from the ASA: