why vpn tunnel failed after changing ISP? ASA 5500

paulnigel
Level 1

Hi Forum,

I just changed my ISP, and therefore I am changing my ASA outside interface's IP address, and all the remote sites are pointing to this new IP address.

When I tried to compare my old config with the new one, I can only find that the outside IP was changed, nothing else. I rebooted all the remote sites' ASAs, but the tunnel just can't seem to come up.

What could have happened?

Thank you,

py

6 Replies

Jon Marshall
Hall of Fame

Hi

Obvious things to check

1) Your new ISP is not doing any filtering which breaks your IPSEC tunnels.

2) The new IP subnet your ISP has allocated has been advertised properly. Can you ping the outside interface of your ASA device from one of the remote sites?

Are you using pre-shared keys?

Jon

b.julin
Level 3

What Jon said, and of course, do a "show running-config all | include XX.XX.XX" substituting the first part of the old IP that used to be on the interface to see if you missed someplace in the configuration where it was applied. If it was, odds are those statements (access lists, ip-based usernames, etc) need to be changed.
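A scripted version of the check b.julin describes, added here as an example and not part of the thread or of any Cisco tool: it searches a saved copy of the running config for statements that still reference the old address block (the offline equivalent of "show running-config all | include <old prefix>"), classifies each hit by statement type, and also reports a required global line that is absent. The sample configuration, the address ranges (documentation ranges) and the list of required lines are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample ASA configuration (not from the thread). The outside
# interface has been moved from the old ISP block 203.0.113.0/29 to the new
# block 198.51.100.0/29, but two statements still reference the old block.
SAMPLE_CONFIG = """\
hostname siteA-asa
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.123.1 255.255.255.240
access-list outside_in extended permit gre host 203.0.113.9 host 203.0.113.2
access-list vpn_traffic extended permit ip 192.168.123.0 255.255.255.240 192.168.62.0 255.255.255.240
nat (inside,outside) source static inside-net inside-net destination static siteB-net siteB-net
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map interface outside
tunnel-group 192.0.2.10 type ipsec-l2l
"""

# Statement keywords used to label a hit; anything else is reported as "other".
STATEMENT_TYPES = ("access-list", "route", "crypto map", "tunnel-group",
                   "nat", "name", "username", "ip address")


@dataclass
class StaleRef:
    line_no: int
    statement: str
    text: str


def find_stale_references(config_text: str, old_prefix: str) -> list[StaleRef]:
    """Return every config line that still mentions an address under old_prefix.

    Offline equivalent of 'show running-config all | include <prefix>', with
    each hit classified by the statement it belongs to.
    """
    # Anchor the prefix at octet boundaries so "203.0.113" does not match
    # "1203.0.113.x" or "203.0.1130".
    pattern = re.compile(r"(?<![\d.])" + re.escape(old_prefix) + r"(?=\.|\s|$)")
    hits: list[StaleRef] = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        if pattern.search(line):
            stripped = line.strip()
            kind = next((t for t in STATEMENT_TYPES if stripped.startswith(t)), "other")
            hits.append(StaleRef(n, kind, stripped))
    return hits


def missing_required_lines(config_text: str,
                           required: tuple[tuple[str, ...], ...]) -> list[str]:
    """Report required global statements absent from the config.

    Each entry in `required` is a tuple of accepted spellings for one line
    (the isakmp enable command is spelled differently across ASA versions);
    the first spelling is used in the report. The list is the caller's.
    """
    present = {line.strip() for line in config_text.splitlines()}
    return [alts[0] for alts in required if not any(a in present for a in alts)]


if __name__ == "__main__":
    for ref in find_stale_references(SAMPLE_CONFIG, "203.0.113"):
        print(f"line {ref.line_no} [{ref.statement}]: {ref.text}")
    # Constructed requirement list: the thread found this line missing.
    required = (("isakmp enable outside", "crypto isakmp enable outside"),)
    for line in missing_required_lines(SAMPLE_CONFIG, required):
        print(f"missing: {line}")
```

Run against a copy of the old configuration as well as the new one: any hit in the new config is a statement that was not updated, and the classification tells you whether it is a filter (access-list), a route, or a VPN object that needs the new address.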

Hi Jon, Julin,

Thank you very much.

You folks are right. One of the lines - isakmp enable outside - is missing. I can see the tunnel now. However, I can see incoming packets being encapsulated but not outgoing traffic. What could be the cause normally?

local ident (addr/mask/prot/port): (192.168.123.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.240/0/0)
current_peer: 229.93.7.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641
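The counters Paul quotes can be read programmatically when there are many SAs to go through. The following is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of "show crypto ipsec sa" output (the idents and the 0/641 counters are modelled on the ones quoted above; the peer addresses, second SA and local address are constructed) and flags any SA that decapsulates but never encapsulates, which is the one-way pattern described in the post.

```python
import re
from dataclasses import dataclass

# Constructed 'show crypto ipsec sa' excerpt. The first SA mirrors the thread:
# traffic from the remote site is decrypted, but nothing local is ever
# encapsulated. The second SA is a healthy one for comparison.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.2

      local ident (addr/mask/prot/port): (192.168.123.0/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.240/0/0)
      current_peer: 192.0.2.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641

      local ident (addr/mask/prot/port): (192.168.123.0/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.0/255.255.255.0/0/0)
      current_peer: 192.0.2.20

      #pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest: 1204
      #pkts decaps: 1188, #pkts decrypt: 1188, #pkts verify: 1188
"""


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int

    @property
    def direction(self) -> str:
        """Classify the SA by which way packets have actually flowed."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.decaps and not self.encaps:
            return "inbound-only"
        if self.encaps and not self.decaps:
            return "outbound-only"
        return "idle"


def parse_ipsec_sas(text: str) -> list:
    """Extract one IpsecSa per local/remote ident block.

    The ASA prints the encaps line before the decaps line, so the decaps
    line closes the current record.
    """
    sas = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"local ident \(addr/mask/prot/port\): \((.+)\)", line):
            current = {"local_ident": m.group(1)}
        elif m := re.match(r"remote ident \(addr/mask/prot/port\): \((.+)\)", line):
            current["remote_ident"] = m.group(1)
        elif m := re.match(r"current_peer: (\S+)", line):
            current["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            current["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            current["decaps"] = int(m.group(1))
            if len(current) == 5:  # only emit complete records
                sas.append(IpsecSa(**current))
            current = {}
    return sas


def one_way_sas(text: str) -> list:
    """Return the SAs whose counters show traffic in one direction only."""
    return [sa for sa in parse_ipsec_sas(text)
            if sa.direction in ("inbound-only", "outbound-only")]


if __name__ == "__main__":
    for sa in one_way_sas(SAMPLE_SA_OUTPUT):
        print(f"{sa.direction}: {sa.local_ident} <-> {sa.remote_ident} "
              f"via {sa.peer} (encaps={sa.encaps}, decaps={sa.decaps})")
```

An inbound-only SA means the peer's traffic arrives and is decrypted, but nothing from the local side is being matched by the crypto map's access list and sent out of the outside interface. The usual places to look are the crypto ACL, the NAT exemption for the VPN traffic, and the route that carries the local traffic towards the outside interface.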

Hi Paul

Could you send the config of the headend ASA and one of the remote devices for a tunnel that is not working? (Please remove/modify any sensitive info before posting.)

Jon

Hi Jon,

Very sorry for the delay; I was away on a course and have just got back.

we have this design:

routerA(GRE) <> (site A)ASA <> (site B)ASA <> routerB(GRE)

switchA(GRE) <> (site A)ASA <> (site B)ASA <> switchB(GRE)

Both going from site A to site B; attached are the configuration files.

I can see traffic from site B, but site A has no traffic going out. When I manually route some traffic across the GRE tunnel, I can see the traffic on the ASA, because I am using EIGRP to detect the GRE tunnel. Is there something wrong with my routing?

Thank you,

paul

Hi Forum,

Have I done something wrong in the configuration? I tried to go through it, but really feel lost.

Thank you,