01-23-2007 12:18 AM
Hi Forum,
I just changed my ISP, and therefore I am changing my ASA outside interface's IP address, and all the remote sites are pointing to this new IP address.
When I tried to compare my old config with the new one, I can only find that the outside IP was changed, nothing else. I rebooted all the remote sites' ASAs but the tunnel just can't seem to come up?
What could have happened?
Thank you,
py
01-23-2007 04:45 AM
Hi
Obvious things to check
1) Your new ISP is not doing any filtering which breaks your IPSEC tunnels.
2) The new IP subnet your ISP has allocated has been advertised properly. Can you ping the outside interface of your ASA device from one of the remote sites?
Are you using pre-shared keys?
Jon
01-23-2007 06:24 AM
What Jon said, and of course, do a "show running-config all | include XX.XX.XX", substituting the first part of the old IP that used to be on the interface, to see if you missed someplace in the configuration where it was applied. If it was, odds are those statements (access lists, IP-based usernames, etc.) need to be changed.
01-23-2007 07:03 PM
Hi Jon, Julin,
Thank you very much.
You folks are right. One of the lines, isakmp enable outside, is missing. I can see the tunnel now. However, I can see incoming packets being encapsulated but not outgoing traffic. What could be the cause normally?
local ident (addr/mask/prot/port): (192.168.123.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.240/0/0)
current_peer: 229.93.7.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641
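An added example, not part of the original post: a small Python parser for `show crypto ipsec sa` counters that flags SAs carrying traffic in one direction only, as in the output above (0 encaps, 641 decaps). The function names are hypothetical, and the second SA in the sample, including its peer address, is constructed for contrast.

```python
import re

# Constructed sample: the first SA is the excerpt posted above; the second SA
# and its peer address (192.0.2.10) are made up for contrast.
SAMPLE = """\
local ident (addr/mask/prot/port): (192.168.123.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.240/0/0)
current_peer: 229.93.7.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641
local ident (addr/mask/prot/port): (192.168.123.16/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.62.16/255.255.255.240/0/0)
current_peer: 192.0.2.10
#pkts encaps: 512, #pkts encrypt: 512, #pkts digest: 512
#pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498
"""

IDENT = re.compile(r"(local|remote) ident .*?:\s*\(([\d.]+)/([\d.]+)/")
FIELD = re.compile(r"(current_peer|#pkts encaps|#pkts decaps):\s*([\d.]+)")

def parse_sas(text):
    """One dict per SA; a 'local ident' line starts a new SA."""
    sas = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":
            sas.append({})
        if not sas:
            continue
        if m:
            sas[-1][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        for key, value in FIELD.findall(line):
            key = key.replace("#pkts ", "")
            sas[-1][key] = value if key == "current_peer" else int(value)
    return sas

def classify(sa):
    """Label an SA by which direction is carrying traffic."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if dec:
        return "receive-only"  # peer's traffic arrives, nothing local enters the tunnel
    return "send-only" if enc else "idle"

def one_way(text):
    return [(sa.get("current_peer"), sa.get("local"), sa.get("remote"), classify(sa))
            for sa in parse_sas(text)
            if classify(sa) in ("receive-only", "send-only")]
```

A "receive-only" SA means the peer's traffic is being decrypted locally while no local traffic is being matched and encrypted for that local/remote pair, so the local side's routing toward the ASA and its crypto access list are the places to look.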
01-24-2007 01:06 AM
Hi Paul
Could you send the config of the headend ASA and one of the remote devices for a tunnel that is not working? (Please remove/modify any sensitive info before posting.)
Jon
02-02-2007 01:45 AM
Hi Jon,
Very sorry for the delay, I was away on a course and am just back.
We have this design:
routerA(GRE) <> (site A)ASA <> (site B)ASA <> routerB(GRE)
switchA(GRE) <> (site A)ASA <> (site B)ASA <> switchB(GRE)
Both go from site A to site B; attached are the configuration files.
I can see traffic from site B, but site A has no traffic going out. When I manually route some traffic across the GRE tunnel, I can see the traffic on the ASA, because I am using EIGRP to detect the GRE tunnel. Is there something wrong with my routing?
Thank you,
paul
02-13-2007 09:50 PM
Hi Forum,
Have I done something wrong in the configuration? I tried to go through it, but really feel lost.
Thank you,