ezVPN works via one ISP but not another.

We have Cisco IOS routers at customer end sites and an ASA in our datacenter. Our ASA is using an external IP address which we advertise out two separate ISPs (A-Primary, B-Secondary). When we test failover we are finding that the ezVPNs cannot reconnect and it keeps failing with "received packet with no matching SA, dropping".

I have logged this with our ISP (B) which manages the connection that is causing this issue but they are advising that there is no filtering or blocking they do on our internet link.

Things to note are

  1. When we are only advertising out ISP (B) new connections do not work
    • However, we have an ADSL connection which is delivered by ISP (B) and that is the only one that works. All other ADSL sites from other ISPs do not work.
  2. If I test with a Cisco VPN Client installed on a PC it works fine.
  3. If I fail back and advertise out our primary ISP (A), new connections work again.
    • NB: During the changing of the BGP advertisements it does not break currently connected VPNs, only new VPN connections.
  • Our ISP (A) and ISP (B) connections terminate on the same router which is then connected to the ASA.
Cisco Employee

A topology would help. I am assuming you have static mappings for the ASA on the router out the 2 different ISPs. Can you enable debugs on the ASA (debug cry isa 127 and debug cry ips 127) and post them here when the connection does not work? Also, a sanitized version of the configuration from the ASA will help.