10-31-2011 01:56 PM - edited 03-11-2019 02:44 PM
We use an ASA 5510 as the head end for our WAN which consists of around 30 branch offices, running Cisco 2825 routers with ipsec tunnels back to the data center.
I took a backup of my "in service" ASA5510 (IOS Version 8.0(2)) and restored it onto my "backup" ASA5510 (IOS Version 8.2(2)). Everything seemed to look fine, but when I took the ASA to the data center and tried to put it into service, the tunnels would not come up.
For the record, I shut down the "in service" ASA and moved all of the cabling over to the "backup" ASA, which I had running, in the hopes of keeping the downtime to a minimum (and I double checked that everything was in the right port).
After about 15 minutes, I gave up and plugged everything back into the "in service" ASA and all my tunnels came back up.
Is there something basic that I missed here? Did the IOS version change break it?
In the 8.2(2) version on my "backup" I see a reference to "peer-id-validate req" when I do a "show run all" -- is this default behavior or did something change in 8.2?
Did moving the configuration onto different hardware break it?
I have compared the configs (as best I could) and nothing is jumping out other than the "peer-validate" mentioned above.
Any guidance is appreciated.
Thanks,
Brian
10-31-2011 03:08 PM
Hey Brian,
Ugly issue here. Are you using Pre-share keys or digital certificates? Would be a good idea to open a TAC case and have a window to troubleshoot this problem, maybe gathering some debugs of ISAKMP to check in which phase 1 the problem is located at.
Mike
11-01-2011 08:26 AM
I am using Pre-Shared keys. Is there a possibility that I will need to re-enter the keys (i.e. did they come over as "asterisks (*****)"?)
Thanks
Brian
11-01-2011 10:44 AM
Yup, try that, if it doesn't work, paste the debug crypto isakmp 255.
Mike
11-01-2011 09:48 PM
That was the problem, the Pre-Shared keys which were in the backup were stored as an asterisk (*). This seems like it should have been something that was thought about. You take a backup of a device but if you restore it, it does not work, since the Pre-Shared keys get lost in translation!
Thanks for the input Mike.
Brian
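A pre-restore check for the failure described in this thread, as an added example that is not part of the original posts: it scans a saved ASA configuration for tunnel groups whose `pre-shared-key` value is only asterisks, so the real keys can be re-entered before cutover. The sample configuration, addresses and key are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of a restored ASA configuration (documentation addresses, made-up key).
SAMPLE_CONFIG = """\
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key ExampleKey123
tunnel-group 203.0.113.30 type ipsec-l2l
tunnel-group 203.0.113.30 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
crypto isakmp policy 10
 authentication pre-share
"""

HEADER = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK = re.compile(r"^\s+pre-shared-key\s+(\S+)\s*$")
MASKED = re.compile(r"^\*+$")  # "*" or "*****": a placeholder, not a usable key


def audit_psk(config_text):
    """Map each tunnel group to 'masked', 'present' or 'no-key-line'."""
    status = {}
    current = None
    for line in config_text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            status[current] = "no-key-line"
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command closes the block
            continue
        key = PSK.match(line)
        if current and key:
            status[current] = "masked" if MASKED.match(key.group(1)) else "present"
    return status


def masked_groups(config_text):
    """Tunnel groups whose key must be re-entered after a restore."""
    return sorted(g for g, s in audit_psk(config_text).items() if s == "masked")


if __name__ == "__main__":
    for group, state in audit_psk(SAMPLE_CONFIG).items():
        print(f"{group}: {state}")
```
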