10-02-2012 03:12 AM
I upgraded the RAM and IOS image on a Cisco 5520 ASA firewall and pushed a new firewall policy to the device via the Cisco Security Manager. But now a remote VPN I had has lost the IPSEC tunnel it had onto the firewall. The config is still in place and I can ping all the devices, but when I go to the switch on the internal network where the GRE tunnel terminates it says OSPF is in INIT state.
Sw#Sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.225.253.110 0 INIT/ - 00:00:36 10.218.94.41 Tunnel100
How do I bring the tunnel back up?
Kevin
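The "INIT/ -" entry in the `show ip ospf neighbor` output above is the whole symptom: INIT means this switch has received the neighbour's hellos but the neighbour's hellos do not yet list this router's ID, i.e. hellos are only arriving in one direction over the GRE tunnel. The script below is an added example (not part of the original post and not Cisco code) that parses that table and flags any neighbour that has not reached the state expected for its interface type, so the same check can be run over output collected from many devices. The sample output is constructed and only modelled on the thread's table.

```python
import re
from typing import NamedTuple

# Constructed sample, modelled on the thread's "show ip ospf neighbor" table
# (one tunnel neighbour stuck in INIT, one healthy, one healthy DROTHER pair).
SAMPLE_OUTPUT = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.225.253.110    0   INIT/  -        00:00:36    10.218.94.41    Tunnel100
10.218.93.1       1   FULL/DR         00:00:38    10.218.93.2     Vlan10
10.218.93.9       1   2WAY/DROTHER    00:00:31    10.218.93.7     Vlan10
"""


class OspfNeighbor(NamedTuple):
    router_id: str
    priority: int
    state: str      # DOWN, ATTEMPT, INIT, 2WAY, EXSTART, EXCHANGE, LOADING, FULL
    role: str       # DR, BDR, DROTHER, or "-" on point-to-point links
    dead_time: str
    address: str
    interface: str


# Columns are whitespace-separated; the State column is "STATE/ROLE" with
# optional spaces around the slash, e.g. "INIT/  -" or "FULL/DR".
LINE_RE = re.compile(
    r"^(?P<rid>\d+\.\d+\.\d+\.\d+)\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)/\s*(?P<role>[A-Z-]+)\s+"
    r"(?P<dead>\d{2}:\d{2}:\d{2})\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s*$"
)


def parse_ospf_neighbors(text: str) -> list[OspfNeighbor]:
    """Parse 'show ip ospf neighbor' output; header and blank lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            neighbors.append(OspfNeighbor(
                m["rid"], int(m["pri"]), m["state"], m["role"],
                m["dead"], m["addr"], m["intf"],
            ))
    return neighbors


def is_healthy(n: OspfNeighbor) -> bool:
    """FULL is the goal; 2WAY is normal only between two non-DR routers on
    a broadcast segment. Anything else (INIT, EXSTART, ...) is an adjacency
    that has not formed, which on a tunnel usually means hellos are being
    lost in one direction (MTU, ACL, or the transport tunnel itself)."""
    if n.state == "FULL":
        return True
    return n.state == "2WAY" and n.role == "DROTHER"


def stuck_neighbors(text: str) -> list[tuple[str, str, str]]:
    """Return (router_id, interface, state) for every unhealthy adjacency."""
    return [(n.router_id, n.interface, n.state)
            for n in parse_ospf_neighbors(text) if not is_healthy(n)]


if __name__ == "__main__":
    for rid, intf, state in stuck_neighbors(SAMPLE_OUTPUT):
        print(f"{intf}: neighbour {rid} stuck in {state}")
```

Feed it the real output of the command and anything it prints is a neighbour worth chasing; an INIT on a Tunnel interface points at the path the tunnel rides over rather than at OSPF itself.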
10-02-2012 03:16 AM
Hello Kevin,
Where is the other end of the tunnel, and are you able to ping from tunnel source to tunnel destination?
regards
harish
10-02-2012 03:48 AM
Harish,
Yes, I can ping the tunnel from the VPN router called rtr-NewrVPN01 which sits outside our network (outside the ASA).
rtr-NewrVPN01#ping 10.218.93.3
Source address or interface: 10.218.40.110
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/114/220 ms
I have attached part of the config of the VPN router below.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key A-shar3D-sekret address 217.x.x.x
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto map p21vpn 20 ipsec-isakmp
set peer 217.x.x.x
set transform-set 3desmd5
match address 160
interface Loopback1
ip address 10.218.40.110 255.255.255.255
interface Tunnel10
description ** Newry vpn **
bandwidth 10
ip address 10.218.94.41 255.255.255.252
ip mtu 1400
ip ospf cost 40000
tunnel source Loopback1
tunnel destination 10.218.93.3
interface Dialer0
description $FW_OUTSIDE$
ip address 81.x.x.x 255.255.255.254
ip access-group Internet-in in
crypto map p21vpn
router ospf 1
network 10.218.40.110 0.0.0.0 area 0
network 10.218.94.40 0.0.0.3 area 0
10-02-2012 04:23 AM
Hello Kevin,
Are you able to ping 10.218.94.42 from the VPN router? It would be great to get the configuration of your ASA.
regards
Harish.
10-02-2012 06:16 AM
10-02-2012 06:25 AM
Hello Kevin,
Yes, that means the tunnel is down. By the way, I have checked the ASA, and I could not find the ACL 'outside_9_cryptomap' in the configuration, which is used for interesting traffic.
regards
Harish.
10-02-2012 08:58 AM
Harish,
My mistake - it's actually in the live config, but I just didn't paste it.
access-list outside_9_cryptomap extended permit ip host 10.218.93.3 host 10.218.40.110
crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 81.x.x.x
crypto map vpnmap 9 set ikev1 transform-set ESP-3DES-MD5
regards,
Kevin
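The missing-ACL question above is exactly the kind of dangling reference a config audit catches: a crypto map entry whose `match address` ACL, transform-set or peer is absent never selects any interesting traffic, and the tunnel silently stays down. The script below is an added example (not from the original thread and not a Cisco tool) that parses an ASA 8.4-style crypto configuration and reports such gaps. The config fragment is constructed and modelled on the lines Kevin posted; entry 9 is complete, entry 20 deliberately references an ACL and a transform-set that are not defined, and the peer addresses are RFC 5737 documentation addresses standing in for the thread's 81.x.x.x.

```python
import re

# Constructed ASA 8.4-style fragment modelled on the thread's crypto map lines.
SAMPLE_ASA_CONFIG = """\
access-list outside_9_cryptomap extended permit ip host 10.218.93.3 host 10.218.40.110
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map vpnmap 9 match address outside_9_cryptomap
crypto map vpnmap 9 set peer 192.0.2.1
crypto map vpnmap 9 set ikev1 transform-set ESP-3DES-MD5
crypto map vpnmap 20 match address outside_20_cryptomap
crypto map vpnmap 20 set peer 203.0.113.5
crypto map vpnmap 20 set ikev1 transform-set ESP-AES-SHA
crypto map vpnmap interface outside
crypto ikev1 enable outside
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
TSET_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) ")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
MAP_INTF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
IKEV1_ENABLE_RE = re.compile(r"^crypto ikev1 enable (\S+)$")


def parse_asa(text: str) -> dict:
    """Collect defined ACL names, transform-sets, crypto map entries keyed by
    (map name, sequence), the interface each map is applied to, and the
    interfaces where IKEv1 is enabled."""
    cfg = {"acls": set(), "tsets": set(), "maps": {}, "map_intf": {}, "ikev1_intf": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            cfg["acls"].add(m.group(1))
            continue
        m = TSET_RE.match(line)
        if m:
            cfg["tsets"].add(m.group(1))
            continue
        m = MAP_INTF_RE.match(line)
        if m:
            cfg["map_intf"][m.group(1)] = m.group(2)
            continue
        m = MAP_ENTRY_RE.match(line)
        if m:
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peers"] = words[2:]
            elif words[:3] == ["set", "ikev1", "transform-set"]:
                entry["tsets"] = words[3:]
            continue
        m = IKEV1_ENABLE_RE.match(line)
        if m:
            cfg["ikev1_intf"].add(m.group(1))
    return cfg


def audit_crypto_maps(text: str) -> list[str]:
    """Return one finding per gap that would stop a crypto map entry from
    ever bringing up a tunnel."""
    cfg = parse_asa(text)
    findings = []
    for (name, seq), e in sorted(cfg["maps"].items()):
        tag = f"{name} {seq}"
        acl = e.get("acl")
        if acl is None:
            findings.append(f"{tag}: no 'match address' ACL, so no traffic is interesting")
        elif acl not in cfg["acls"]:
            findings.append(f"{tag}: match address ACL '{acl}' is not defined")
        if not e.get("peers"):
            findings.append(f"{tag}: no 'set peer'")
        if not e.get("tsets"):
            findings.append(f"{tag}: no IKEv1 transform-set")
        for ts in e.get("tsets", []):
            if ts not in cfg["tsets"]:
                findings.append(f"{tag}: transform-set '{ts}' is not defined")
    for name in {n for n, _ in cfg["maps"]}:
        intf = cfg["map_intf"].get(name)
        if intf is None:
            findings.append(f"{name}: crypto map is not applied to any interface")
        elif intf not in cfg["ikev1_intf"]:
            findings.append(f"{name}: IKEv1 is not enabled on interface '{intf}'")
    return findings


if __name__ == "__main__":
    for f in audit_crypto_maps(SAMPLE_ASA_CONFIG):
        print(f)
```

Run it over the output of `show running-config crypto` plus the access-lists; a clean entry produces no lines, and a report on the entry you expected to carry the GRE traffic tells you which piece went missing in the policy push.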
10-02-2012 01:09 PM
Hello Kevin
From the ASA, can you do the following and get me the output?
packet-tracer input inside icmp 10.218.93.3 8 0 10.218.40.110
Harish.
10-03-2012 07:00 AM
Harish,
It's asking me for a code and an ID under packet-tracer. Any ideas what they are?
Also, from what I can see, QM_IDLE means that phase 1 is up, so what do I need to troubleshoot?
rtr-NewrVPN01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
217.x.x.x 81.x.x.x QM_IDLE 2002 0 ACTIVE
10-03-2012 07:15 AM
I did a compare of two configs for the firewall from both before and after the IOS image was upgraded. Only after it was upgraded did the VPN stop working. The word isakmp has now been replaced with ikev1 in the configs.
Before (ASA Version 8.0(5)) -> after (ASA Version 8.4(4)1):
crypto isakmp enable outside -> crypto ikev1 enable outside
crypto isakmp enable inside -> crypto ikev1 enable inside
crypto isakmp policy 10 -> crypto ikev1 policy 10
crypto isakmp policy 80 -> crypto ikev1 policy 80
The ASA image went from ASA Version 8.0(5) to ASA Version 8.4(4)1.
10-04-2012 01:46 PM
Harish,
If the IPSEC tunnel is up, should I be checking the GRE tunnel? I do a sh ip ospf nei on one side and get nothing. On the other side I do a sh ip ospf nei and it says INIT state for the tunnel. Any ideas how to correct this?
much appreciated
Kevin
10-10-2012 01:00 PM
Harish,
Finally got the answer on how to bring the GRE tunnel back in again.
show local-host [ip of your gre tunnel]
clear local-host [ip of your gre tunnel]
Do this on the ASA device. Worked a treat.
Cheers, Kevin