ASA 5515 help

coreillycisco
Level 1

Moved Cisco firewall to new location and now cannot connect to the VPN. Does anyone know how to fix this issue? In down state now. I still have to clean configs, but wanted to get this in place. So I moved the firewall from Atlanta, Georgia to Jacksonville, Florida into a colo. I switched IP addresses and still cannot connect to VPN. I am new to this and not sure what I am doing.

Accepted Solution

@coreillycisco reconfigure your interface Gi0/4 and set the new default route.

interface GigabitEthernet0/4
 nameif Flexential
 security-level 0
 ip address 72.15.233.228 255.255.255.248

route Flexential 0 0 72.15.233.225

Remove your other default route via the incorrect next hop.
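To make the next-hop reasoning in this thread concrete, here is an added Python check (not part of the thread, not a Cisco tool) that parses the interface and route lines from this reply and reports whether a candidate next hop is a usable host in the Flexential interface's directly connected subnet. The config text is copied from this reply; the trailing route line with a metric is a constructed line in the form used later in the thread.

```python
import ipaddress

# Constructed sample: the interface and route lines from the accepted solution,
# plus one default route written in the "0.0.0.0 0.0.0.0 <hop> 1" form.
ASA_SNIPPET = """\
interface GigabitEthernet0/4
 nameif Flexential
 security-level 0
 ip address 72.15.233.228 255.255.255.248

route Flexential 0 0 72.15.233.225
route Flexential 0.0.0.0 0.0.0.0 10.1.3.1 1
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface from 'ip address A M' lines."""
    ifaces, nameif = {}, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new interface block
        elif tok[0] == "nameif" and len(tok) > 1:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif and len(tok) >= 4:
            ifaces[nameif] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
    return ifaces

def check_route(ifaces, nameif, next_hop):
    """Return (ok, reason): a next hop must be a host address inside the
    named interface's connected subnet and not the firewall's own address."""
    iface = ifaces.get(nameif)
    if iface is None:
        return False, f"no interface named {nameif}"
    hop, net = ipaddress.IPv4Address(next_hop), iface.network
    usable = f"{net[1]}-{net[-2]}"             # first and last host addresses
    if hop not in net or hop in (net.network_address, net.broadcast_address):
        return False, f"{hop} is not a host in {net} (usable: {usable})"
    if hop == iface.ip:
        return False, f"{hop} is the firewall's own address on {nameif}"
    return True, f"{hop} is a valid next hop in {net}"

def check_default_routes(config):
    """Check every 'route <nameif> 0 0 <hop>' / '0.0.0.0 0.0.0.0 <hop>' line."""
    ifaces, results = parse_interfaces(config), {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[0] == "route" and tok[2] in ("0", "0.0.0.0"):
            results[line.strip()] = check_route(ifaces, tok[1], tok[4])
    return results
```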


24 Replies

VPN S2S or AnyConnect?

Can you share config?

MHM

coreillycisco
Level 1

Anyconnect. Here is the running config. Still messy but I will clean it up. 

You have VTI and IPsec VPN; many command lines you have.

But let's start from the basics.

Did you check reachability, since I think the public IP of the outside interface changed?

Did you modify the peer config to match your IP change?

Try clear crypto (for IPsec S2S VPN).

MHM

coreillycisco
Level 1

I can ping the IP 72.15.233.225. I do not know where peer config is. I am using ASDM. How do I clear crypto with ASDM? 

In ASDM:

  1. Go to Monitoring, then select VPN from the list of Interfaces
  2. Then expand VPN statistics and click on Sessions.
  3. Choose the type of tunnel you're looking for from the drop-down at the right (IPSEC Site-To-Site for example.)
  4. Click on the tunnel you wish to reset and then click Logout in order to reset the tunnel.

coreillycisco
Level 1

When doing so there are no sessions there. See attachment. Is this an issue? 


coreillycisco
Level 1

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel.

@coreillycisco you do not appear to have a default route via your outside interface "Flexential" in your configuration and the error from your debugs below confirms it failed to find the next hop address:

6|Dec 03 2023|10:19:27|110003|Ifc||40.70.3.44|62465|Routing failed to locate next hop for udp from NP Identity Ifc:72.15.233.225/62465 to Flexential:40.70.3.44/62465

Create a default route, for example:

route Flexential 0 0 <next hop ip address>

coreillycisco
Level 1

I am new to Cisco and using what they have. They use ASDM. And I am not sure what next hop IP I need to be using. The ones I try say cannot be routed.

@coreillycisco you need to use the IP address of the upstream router (your ISP) as the next hop. The only usable IP addresses in the public network of the Flexential interface are - 72.15.233.225 - 72.15.233.230, so it's either .226, .227, .228, .229 or .230

coreillycisco
Level 1

Would this be to my Internal subnet? Such as: route Flexential 0.0.0.0 0.0.0.0 10.1.3.1 1

@coreillycisco no, 10.1.3.1 1 isn't even in the same network as the Flexential interface (Gi0/4). You need a default route to the internet via the Flexential interface, which is in the 72.15.233.225/28 network, therefore the next hop is either .226, .227, .228, .229 or .230.

coreillycisco
Level 1

Ok, Yeah I see what you are saying. Been a long week. I will add that route. 

coreillycisco
Level 1

So I now have the route as: route Flexential 0.0.0.0 0.0.0.0 72.15.233.226 1

Is there somewhere else I have to change for AnyConnect?
