Session is being torn down. Reason: Peer address changed
Greetings all. I'm a bit stumped on an issue that I am having. I have a Juniper SRX240 at a remote site with dual ISP connections. These connections are only active one at a time (the backup is a cellular provider that we keep offline until our primary connection fails). The datacenter has an ASA that has only a single static IP on the outside interface. I've managed to get to a point where I can stand up the IPSEC tunnel from the SRX from both ISPs when each is active. That required me to create a crypto map entry with both peers in it:
crypto map outside_map 13 match address outside_cryptomap_1
crypto map outside_map 13 set peer 220.127.116.11 18.104.22.168
crypto map outside_map 13 set transform-set ESP-AES-256-SHA
I then created two tunnel-group entries. One for each IP on the SRX. So far so good. I can see Phase 1 and 2 complete in the logs on the ASA:
Group = 22.214.171.124, IP = 126.96.36.199, PHASE 1 COMPLETED
Group = 188.8.131.52, IP = 184.108.40.206, PHASE 2 COMPLETED (msgid=017b858a)
But then a few moments later, I lose it:
Group = 220.127.116.11, Username = 18.104.22.168, IP = 22.214.171.124, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Address Changed
Group = 126.96.36.199, IP = 188.8.131.52, Session is being torn down. Reason: Peer Address Changed
I'm really stumped. I'm sorta struggling with this ASA config because it isn't my strong suit (Juniper guy here). So maybe there is a better way to do this? I can't find a lot online about the Peer Address Changed error. I get what the words mean... but it rebuilds a new tunnel, why wouldn't it track the change in IP and the new tunnel?