Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1817
Views
0
Helpful
1
Replies

Site-to-Site VPN connection broken after adding a new outside interface

MaxVan
Level 1
Level 1

‎05-08-2019 02:24 AM - edited ‎02-21-2020 09:06 AM

Hello all,

I've an ASA5506 previously configured with one outside interface. This interface is used for both internet for employees and Site-to-Site VPN for external companies...

The ISP is renewing its equipment and added a new modem/circuit before removing the old one.

I configured then a new external interface to be able to migrate all VPN connections one by one, but I am facing an issue.

 

My idea was to keep the 2 interfaces active and first migrate internet access to the new line and then migrate the S2S VPNs one by one, then once validated remove the old connection.

So I created a new route for the 0.0.0.0 traffic to go through the new interface but with a lower Metric "2", then I changed the "outside" Metric to "3" in order to redirect the internet traffic to the new interface.

-route outside 0.0.0.0 0.0.0.0 <publicIP_1> 1 (->3)
-route newISP 0.0.0.0 0.0.0.0 <publicIP_2> 2

 

... and it worked fine! excepted that all the VPN connected companies lost access to our internal network (oups!). I reverted back the route metric asap and didn't have time to investigate/troubleshoot the problem. Of course, now I am a bit afraid with going any further with new changes.

 

Do you have idea what I could have done wrong?

 

Thanks a lot in advance for your help!

 

 

 

 

0 Helpful
1 Reply 1

GRANT3779
Spotlight
Spotlight

‎05-08-2019 05:40 AM

Hi,

 

How are your VPNs configured? Policy Based / Route Based?

 

Did you add static routes for each of the remote VPN endpoints and point them out your "old" Internet pipe?

 

From the info you have provided all Internet traffic will be going out the new Interface, including the routing of the remote VPN Public IPs. There may not be any crypto binding on this new interface etc.

 

ACLs, NATS are other areas you may want to look at also as part of the wider picture.

 

If you could share the config it might help in advising further.

 

Just some thoughts based on the info so far.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card