Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
322
Views
0
Helpful
2
Replies

VPN no longer connecting

jfarrer
Level 1
Level 1

‎03-21-2005 11:25 AM - edited ‎02-21-2020 01:40 PM

We have recently changed our ISP, and have been assigned a new IP address range on the outside of our network. I have a Cisco 3030 concentrator that has 3 connections (public, private and external). I have configured the external port with the new ip address and left the old one up to support moving VPN connections one at a time. I started with my VPN client connection from home and it is working fine. The first LAN-to-LAN connection I moved didn't work. I set up a route to my remote peer pointing at my new ISP gateway and changed the interface in the LAN-to-LAN setup. The remote site only changed the peer address, no other options. It looks like it makes it through PHASE 1, but quits after that. We have removed our changes and it still doesn't want to come up. I don't see anything in the logs that shows why it failed, just a timeout. I have included the log/debugs. Does anyone have any ideas?

Thanks,

Jack Farrer

Labels:
Preview file
4 KB
0 Helpful
2 Replies 2

dan.shalinsky
Level 1
Level 1

‎03-22-2005 08:49 AM

Hi Jack:

A few thoughts come to mind. I'm not too familiar with the debug you attached, but it looks inconclusive to me that phase 1 is negotiating. In my experience, you need to check both ends to confirm if either phase is working. It may appear to be fine on one end, but then once you check the other, it's obvious that something's wrong.

First, make sure that you can get to the new IP space. Even if you can't ping it, make sure that a traceroute gets close.

Another thought, perhaps the new IP space is getting filtered by a firewall somewhere. If you're getting timeouts, my guess is something along these lines.

Good luck.

~Dan

0 Helpful

jfarrer
Level 1
Level 1
In response to dan.shalinsky

‎03-22-2005 11:18 AM

I managed to get access to the remote concentrator and found my problem. The remote concentrator had PFS set for Group 2, while my end was disabled. Once I set up my end (under the L2L SA) for PFS group 2, the tunnel came up. Unfortunately, I received no traffic back from the remote when using the IP address of my External interface. If I switched it back to the Public interface, all works well. I guess the question now is, can I use the External interface as a second Public interface until I get all of my VPNs move to my new address space.

0 Helpful
Customers Also Viewed These Support Documents