I upgraded the RAM and IOS image on a Cisco 5520 ASA firewall and pushed a new firewall policy to the device via the Cisco Security Manager. But now a remote VPN I had has lost the IPsec tunnel it had onto the firewall. The config is still in place and I can ping all the devices, but when I go to the switch on the internal network where the GRE tunnel terminates it says OSPF is in INIT state.
Sw#Sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.225.253.110 0 INIT/ - 00:00:36 10.218.94.41 Tunnel100
How do I bring the tunnel back up?
Yes, I can ping the tunnel from the VPN router called rtr-NewrVPN01, which sits outside our network (outside the ASA):
Source address or interface: 10.218.40.110
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/114/220 ms
I have attached part of the config of the VPN router below.
crypto isakmp policy 10
crypto isakmp key A-shar3D-sekret address 217.x.x.x
!
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
!
crypto map p21vpn 20 ipsec-isakmp
 set peer 217.x.x.x
 set transform-set 3desmd5
 match address 160
!
interface Loopback1
 ip address 10.218.40.110 255.255.255.255
!
! GRE tunnel interface (the interface number was not included in the paste)
 description ** Newry vpn **
 ip address 10.218.94.41 255.255.255.252
 ip mtu 1400
 ip ospf cost 40000
 tunnel source Loopback1
 tunnel destination 10.218.93.3
!
! Internet-facing interface (the interface name was not included in the paste)
 ip address 81.x.x.x 255.255.255.254
 ip access-group Internet-in in
 crypto map p21vpn
!
router ospf 1
 network 10.218.40.110 0.0.0.0 area 0
 network 10.218.94.40 0.0.0.3 area 0
Yes, that means the tunnel is down. By the way, I have checked the ASA, and I could not find the ACL 'outside_9_cryptomap' in the configuration, which is used for interesting traffic.
My mistake, it's actually in the live config, but I just didn't paste it.
access-list outside_9_cryptomap extended permit ip host 10.218.93.3 host 10.218.40.110
crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 81.x.x.x
crypto map vpnmap 9 set ikev1 transform-set ESP-3DES-MD5
It's asking me for a code and an ID under packet tracer. Any ideas what they are?
Also, from what I can see QM_IDLE means that phase 1 is up, so what do I need to troubleshoot?
rtr-NewrVPN01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
217.x.x.x 81.x.x.x QM_IDLE 2002 0 ACTIVE
I did a compare of two configs for the firewall from both before and after the IOS image was upgraded. Only after it was upgraded did the VPN stop working. The word isakmp has now been replaced with ikev1 in the configs.
Before (8.0(5))                   After (8.4(4)1)
crypto isakmp enable outside      crypto ikev1 enable outside   9610
crypto isakmp enable inside       crypto ikev1 enable inside    9611
crypto isakmp policy 10           crypto ikev1 policy 10
crypto isakmp policy 80           crypto ikev1 policy 80
The ASA image went from ASA Version 8.0(5) to ASA Version 8.4(4)1.
If the IPsec tunnel is up, should I be checking the GRE tunnel? I do a sh ip ospf nei on one side and get nothing. On the other side I do a sh ip ospf nei and it says INIT state for the tunnel. Any ideas how to correct this?
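The layered question above (phase 1 up, so which layer next: phase 2, GRE, or OSPF?) can be answered mechanically from the two CLI tables already pasted in this thread. The following is an added example, not code from the thread or from Cisco: it parses the `show crypto isakmp sa` and `show ip ospf neighbor` table formats and reports which layer to look at next. The sample outputs embedded in it are constructed copies modelled on the thread's output, with the public addresses masked the same way; the peer address and the switch's Tunnel100 interface name are taken from the thread.

```python
"""Layered triage of a GRE-over-IPsec tunnel from Cisco CLI output.

Parses the `show crypto isakmp sa` and `show ip ospf neighbor` table
formats and reports which layer to look at next. Sample outputs below are
constructed, modelled on the thread (public addresses masked as in the post).
"""
import re
from typing import Dict, List

# Constructed sample: ISAKMP phase 1 SA table as printed by IOS.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
217.x.x.x       81.x.x.x        QM_IDLE           2002    0 ACTIVE
"""

# Constructed sample: OSPF neighbor table on the switch side of the GRE tunnel.
OSPF_NEIGHBOR_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.225.253.110    0   INIT/  -        00:00:36    10.218.94.41    Tunnel100
"""

# One SA row: dst src state conn-id slot status (header lines do not match).
ISAKMP_ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)\s*$"
)
# One neighbor row; the State column is printed as STATE/ROLE, e.g. "INIT/  -".
OSPF_ROW = re.compile(
    r"^(?P<nbr_id>\S+)\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9]+)/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d{2}:\d{2}:\d{2})\s+(?P<addr>\S+)\s+(?P<intf>\S+)\s*$"
)


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; the title and header lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ISAKMP_ROW.match(line.strip()))]


def parse_ospf_neighbors(text: str) -> List[Dict[str, str]]:
    """Return one dict per neighbor row; the header line is skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := OSPF_ROW.match(line.strip()))]


def triage(isakmp_text: str, ospf_text: str, peer: str, tunnel_intf: str) -> Dict[str, str]:
    """Walk the layers bottom-up and return the first one that is not healthy."""
    sas = parse_isakmp_sa(isakmp_text)
    phase1_up = any(peer in (s["src"], s["dst"]) and s["state"] == "QM_IDLE"
                    and s["status"] == "ACTIVE" for s in sas)
    if not phase1_up:
        return {"layer": "phase1", "advice": (
            "No active QM_IDLE SA with the peer: phase 1 is down; check the "
            "ikev1/isakmp policy, pre-shared key and peer address on both ends.")}
    nbrs = [n for n in parse_ospf_neighbors(ospf_text) if n["intf"] == tunnel_intf]
    if not nbrs:
        return {"layer": "no-neighbor", "advice": (
            "Phase 1 is up but no OSPF neighbor on the tunnel interface: check "
            "phase 2 (show crypto ipsec sa, encaps/decaps counters) and that the "
            "GRE tunnel interface is line-protocol up.")}
    state = nbrs[0]["state"]
    if state == "FULL":
        return {"layer": "ok", "advice": "Adjacency is FULL; the tunnel is up."}
    if state == "INIT":
        return {"layer": "ospf-init", "advice": (
            "Hellos arrive from the peer but the peer is not seeing ours (one-way "
            "reachability over the GRE tunnel): verify the reverse-direction GRE "
            "traffic passes the crypto ACL and the ASA; the thread's fix was "
            "clear local-host <gre endpoint> on the ASA.")}
    return {"layer": "ospf-" + state.lower(), "advice": (
        f"Adjacency is in progress (state {state}); recheck shortly and compare "
        "ip mtu on both tunnel ends if it stays stuck.")}


if __name__ == "__main__":
    result = triage(ISAKMP_SA_OUTPUT, OSPF_NEIGHBOR_OUTPUT, "81.x.x.x", "Tunnel100")
    print(f"{result['layer']}: {result['advice']}")
```

Paste the real command output into the two strings (or read them from files) and call `triage()` with your peer address and tunnel interface; on the thread's own output it lands on the `ospf-init` branch, which is exactly the one-way-hello symptom the switch was showing.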
Finally got the answer on how to bring the GRE tunnel back up again.
show local-host [ip of your gre tunnel]
clear local-host [ip of your gre tunnel]
Do this on the ASA device. Worked a treat.