Cisco ASA IPSec Tunnel Problem.

Pravin Phadte
Level 5

Hi All,

This is a strange problem I have come across on the Cisco ASA. Let me know if anyone has experienced this or if it is a known issue.

A tunnel configuration is set for site to site and is working fine for many days.

Case 1.

I disconnected the Cisco ASA from the network. Then I connected a Linksys and configured it with the remote peer IP address. The tunnel was not up.

So I changed back to the ASA, and still the tunnel was not up.

Note: no config changes were done on the Cisco ASA.

After troubleshooting and giving up, I called the ISP and told them I would like to have a new static IP address.

I configured the new static IP address on the interface and as the peer (yes, tunnel-group) and made the same changes on the remote end. It worked fine.

Case 2.

The ISP had to change the ISP router connected to the ASA. Once the change was done the tunnel was down. Again, no configuration changes were made on the ASA.

Since I had a spare static IP address, I changed the IP address as above and it worked fine. Tunnel up.

Both cases are from different ISPs.

One of the symptoms I have noted is that from the remote-end ASA we are unable to ping the peer public IP address.

IOS Software Version 8.0(4)

Could anyone help or advise on this?

Thanks


eddie.mitchell
Level 3

In both cases, when you re-attached the ASA to the network, were you able to ping out to the Internet from the ASA? It may have been an ARP-cache updating issue. Did you also try clearing the IPsec SAs on the ASA to force a re-negotiation of the tunnel?

'clear crypto ipsec sa peer x.x.x.x'

If all else failed, I also would have just done a reload on the ASA and the upstream network device to be sure.

Best Regards,

- Yes, ping to the Internet was fine.

- Internet was working without any problems; only the tunnel was down.

- clear crypto isakmp sa

- clear crypto ipsec sa peer x.x.x.x

Reloaded the ASA, ISP router, and ISP modem.

Reconfigured the interface again.

Shut / no shut.

Cleared crypto from the remote site as well.

Recreated the tunnel from both sites as well.

In fact, from any remote server I was able to ping the problem Cisco ASA IP address.

Also, the default gateway IP address of the problem ASA is reachable; only the interface IP is not.
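The thread above narrows the fault to the path between the ISP router and the ASA's outside interface (gateway reachable, interface IP not, IKE never completing). Below is an added diagnostic sequence for that situation; it is not from the thread or from Cisco, and the addresses are hypothetical placeholders (203.0.113.10 = local outside interface, 203.0.113.1 = ISP gateway, 198.51.100.5 = remote peer). It is ordered so that the upstream path is verified before any SAs are cleared, which is what separates an ARP or routing problem at the ISP from a crypto problem on the ASA.

```cisco
! Added example: ordered checks for a site-to-site tunnel that stays down after an
! upstream change. Run from privileged EXEC on the problem ASA (8.0(4) syntax).
! Placeholder addresses: 203.0.113.10 local outside, 203.0.113.1 ISP gateway,
! 198.51.100.5 remote peer.

! 1. Layer-2/3 reachability of the next hop. A stale ARP entry on the ISP router
!    typically shows up as: gateway pings OK, nothing inbound reaches the interface.
show arp | include 203.0.113.1
ping 203.0.113.1
ping 198.51.100.5

! 2. IKE state. An empty ISAKMP table means no phase 1 exchange has completed;
!    a phase 1 SA with no IPsec SA points at phase 2 / interesting traffic instead.
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.5

! 3. Capture IKE on the outside interface while the remote side initiates.
!    Packets leaving with no reply: upstream path. No packets at all: crypto map
!    or interesting-traffic definition.
capture ike interface outside match udp host 203.0.113.10 host 198.51.100.5
show capture ike

! 4. Only once the path checks pass, force a fresh negotiation and watch it.
clear crypto ipsec sa peer 198.51.100.5
clear crypto isakmp sa
debug crypto isakmp 127
! ... generate traffic from the protected LAN toward the remote subnet ...
undebug all
no capture ike
```

If step 1 shows the gateway reachable but step 3 shows outbound IKE packets with no reply, the evidence matches the thread's outcome: the ISP device is not delivering return traffic to the ASA's MAC, and a new address (or the ISP clearing its ARP entry) is the fix rather than anything in the crypto configuration.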
