
ASA 5515 help

coreillycisco
Level 3

Moved Cisco firewall to new location and now cannot connect to the VPN. Does anyone know how to fix this issue? In down state now. I still have to clean configs, but wanted to get this in place. So I moved the firewall from Atlanta, Georgia to Jacksonville, Florida into a colo. I switched IP addresses and still cannot connect to VPN. I am new to this and not sure what I am doing.


@coreillycisco are you sure it's .226? Can you ping it from the ASA itself? I cannot ping that IP address but I can ping .227

Have you tried accessing the internet from the ASA? Ping something (i.e. 8.8.8.8), does it work? If not, AnyConnect will not work, nor will anything else.

If AnyConnect was pre-configured to use a DNS hostname and that resolved to the old IP address (the one you changed), you will also need to update the DNS entry in the public DNS or use the IP address of the ASA (72.15.233.225) instead - you will get a certificate error though.

coreillycisco
Level 3

Yeah, I changed that in our DNS. I can ping .226, but .227 is: Reply from 72.15.233.227: Destination net unreachable.

>ping 72.15.233.227

Pinging 72.15.233.227 with 32 bytes of data:
Reply from 72.15.233.227: Destination net unreachable.
Reply from 72.15.233.227: Destination net unreachable.
Reply from 72.15.233.227: Destination net unreachable.
Reply from 72.15.233.227: Destination net unreachable.

Ping statistics for 72.15.233.227:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

>ping 72.15.233.226

Pinging 72.15.233.226 with 32 bytes of data:
Reply from 72.15.233.226: bytes=32 time=317ms TTL=240
Reply from 72.15.233.226: bytes=32 time=22ms TTL=240
Reply from 72.15.233.226: bytes=32 time=22ms TTL=240
Reply from 72.15.233.226: bytes=32 time=21ms TTL=240

Ping statistics for 72.15.233.226:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 21ms, Maximum = 317ms, Average = 95ms

 

coreillycisco
Level 3

Oh sorry. Ping from ASA is timing out. 

 

@coreillycisco I assume you pinged an IP address such as 8.8.8.8 and not a DNS name? If you cannot ping from the ASA to an IP address on the internet then routing is still not working. Run a ping and traceroute from the ASA to 8.8.8.8 and provide the output.

Confirm with your ISP what their router IP address is.

coreillycisco
Level 3

Yes, I pinged 8.8.8.8. Here is the traceroute from the ASA: 

 

coreillycisco
Level 3

Here are syslogs. Looks like there is an IP Collision here. 

@coreillycisco Well, there is another device with the same IP address as the ASA, probably the ISP router?

Like I previously suggested, contact the ISP to determine the ISP router IP address and confirm it isn't .225.

Change the ASA IP address of the Flexential interface.

coreillycisco
Level 3

Here is their reply:

Network:
Network: 72.15.233.224/29
Gateway: 72.15.233.225
Mask: 255.255.255.248
Usable: 72.15.233.228-230

Network Ports:
E10:1
E10:2

@coreillycisco Reconfigure your interface Gi0/4 and set the new default route.

interface GigabitEthernet0/4
 nameif Flexential
 security-level 0
 ip address 72.15.233.228 255.255.255.248

route Flexential 0 0 72.15.233.225

Remove your other default route via the incorrect next hop.
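Added example, not part of the original thread or written by any participant: a pre-change check in Python that compares an ASA interface and default route against the ISP handoff values quoted above, flagging an interface address that collides with the gateway or falls outside the usable range. The function name, the tuple layout and the "before" configuration (ASA on .225 with a next hop of .226) are constructed assumptions for illustration.

```python
import ipaddress
import re

# ISP handoff values as quoted in the thread: nameif, network, gateway, usable range.
ISP = ("Flexential", "72.15.233.224/29", "72.15.233.225", "72.15.233.228", "72.15.233.230")
# The corrected configuration as posted in the thread.
AFTER = """\
interface GigabitEthernet0/4
 nameif Flexential
 security-level 0
 ip address 72.15.233.228 255.255.255.248
route Flexential 0 0 72.15.233.225
"""
# Constructed "before" sample (assumption): ASA on the gateway's address, wrong next hop.
BEFORE = AFTER.replace("0 0 72.15.233.225", "0 0 72.15.233.226").replace(
    "address 72.15.233.228", "address 72.15.233.225")

def check_outside_addressing(config, nameif, network, gateway, usable_first, usable_last):
    """Return a list of problems for interface `nameif`; an empty list means consistent."""
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    lo, hi = ipaddress.ip_address(usable_first), ipaddress.ip_address(usable_last)
    problems = []
    # Locate the interface block carrying this nameif and read its "ip address" line.
    iface = None
    for block in re.split(r"(?m)^(?=interface )", config):
        if re.search(rf"(?m)^\s*nameif {re.escape(nameif)}\s*$", block):
            m = re.search(r"(?m)^\s*ip address (\S+) (\S+)", block)
            if m:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    if iface is None:
        return [f"no ip address found for nameif {nameif}"]
    if iface.network != net:
        problems.append(f"interface network {iface.network} != ISP network {net}")
    if iface.ip == gw:
        problems.append(f"interface address {iface.ip} is the ISP gateway (IP collision)")
    elif not lo <= iface.ip <= hi:
        problems.append(f"interface address {iface.ip} is outside usable range {lo}-{hi}")
    # Default routes in short ("0 0") or long ("0.0.0.0 0.0.0.0") form.
    hops = re.findall(
        rf"(?m)^route {re.escape(nameif)} (?:0|0\.0\.0\.0) (?:0|0\.0\.0\.0) (\S+)", config)
    if not hops:
        problems.append("no default route on this interface")
    for hop in hops:
        if ipaddress.ip_address(hop) != gw:
            problems.append(f"default route next hop {hop} is not the ISP gateway {gw}")
    return problems

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_outside_addressing(cfg, *ISP) or "OK")
```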

coreillycisco
Level 3

OK. That works. I can now reach the Internet. You are awesome. I can also reach AnyConnect, but DUO auth is not sending me a notification for that.
