
Tried Upgrading 5505 8.3.2 -> 9.2.4(18) Lost VPN - reverted back to 8.3.2 still no VPN

stownsend
Level 2

I wanted to upgrade my 5505 from 8.3.2 to 9.2.4(18) so I could get access to the EEM. After the upgrade I lost my VPN to the HQ office.

The upgrade log didn't have anything in it, and comparing the config files before and after, there were not really any changes. Here is the upgrade_startup_errors log file:

INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201701242240.log'
Reading from flash...
!!
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_3_2_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.3(2) "
WARNING: interface Vlan2 security level is 0.
*** Output from config line 135, "logging host outside vsv..."

I know enough to be dangerous, though none of my normal debug commands seemed to produce any VPN debugging output. I did the 'term mon' and could see other output, but nothing from the VPN debugging:

debug crypto ipsec
debug crypto isakmp
debug crypto engine

After some time troubleshooting I backed out the firmware and ASDM and then copied back in the config from the 8.3.2 firmware.

Still no VPN Connection coming up. 

I've checked the SAs at the HQ site and it's not holding on to anything; nothing in the log on the HQ end.

Not sure where to go from here. )-:

Thanks!

Scott

4 Replies

Philip D'Ath
VIP Alumni

If nothing has appeared with VPN debugging, then the VPN is not activating.

Either no "interesting traffic" is being matched, or VPNs are not enabled globally.

PS. I'll take a punt that the config wasn't saved prior to starting the upgrade, and the first reboot lost something critical ...

Thanks for the reply. 

I think that something happened after I reverted the firmware and rebooted. Before I reverted the firmware I did a 'copy TFTP start' of the saved config (yes, I'm good enough to be sure I saved it prior to the upgrade ;-) ). I didn't think that when the system came back up it would lose some of its marbles. I did the 'copy TFTP start' again with the same config, then rebooted, and I'm back online with 8.3.2.

Now to get 9.2.4 working again. 9.2.4(18) is back in, and looking at the NAT, here are the differences.

Working 8.3.2 NAT:

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static NETWORK_LOCAL NETWORK_LOCAL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description No not NAT traffic to/from Remote Networks
nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE

Converted 9.2.4 NAT:

nat (inside,outside) source dynamic any interface 
nat (inside,outside) source static NETWORK_LOCAL NETWORK_LOCAL no-proxy-arp route-lookup
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp description No not NAT traffic to/from Remote Networks
nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp


Does it start working if you remove the four NAT lines? If so, it is definitely a NAT issue - otherwise it is something else.

What are you trying to achieve with this?

nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp

I replaced all of the NAT statements with the following 2 NAT statements:

nat (inside,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks
nat (inside,outside) source dynamic any interface

I'm back in business. My original goal here was to update the firmware so I could use EEM to set up a ping to another remote ASA to keep a tunnel up.

It's been a while, though the NAT command here:

nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp

I believe was to help me hairpin off the HQ ASA from one remote site to another. 

Thank you again for your assistance...
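As an added illustration (not part of the thread or of any Cisco tooling), the small simulator below models the top-down, first-match evaluation the ASA applies to manual (twice) NAT rules, using Scott's final two-line configuration and the same two lines in reversed order. The addresses behind NETWORK_LOCAL and NETWORK_REMOTE are constructed, and parse_nat is a hypothetical helper that reads only the fields that matter for matching (no-proxy-arp and route-lookup are recorded but do not affect which rule matches). It shows why the identity rule has to sit above the dynamic PAT rule: a flow translated by the PAT rule no longer carries its original source address when the crypto ACL is evaluated, so it never becomes "interesting traffic".

```python
import ipaddress

# Constructed addresses for the two named objects (the thread never gives them).
OBJECTS = {
    "NETWORK_LOCAL": ipaddress.ip_network("10.1.0.0/24"),
    "NETWORK_REMOTE": ipaddress.ip_network("10.2.0.0/24"),
    "any": ipaddress.ip_network("0.0.0.0/0"),
}

def parse_nat(line):
    """Hypothetical helper: pull the matching fields out of one manual NAT line."""
    tok = line.split()
    ingress, egress = tok[1].strip("()").split(",")
    rule = {"in": ingress, "out": egress, "type": tok[3],
            "src": tok[4], "mapped": tok[5], "dst": "any",
            "flags": [t for t in ("no-proxy-arp", "route-lookup") if t in tok]}
    if "destination" in tok:
        # 'destination static REAL MAPPED': the real (pre-NAT) object is used to match
        rule["dst"] = tok[tok.index("destination") + 2]
    return rule

def first_match(rules, ingress, src_ip, dst_ip):
    """Return (1-based rule number, action) for the first rule that matches.

    Manual NAT rules are evaluated in configured order, first match wins; the
    keywords no-proxy-arp and route-lookup do not take part in matching.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, r in enumerate(rules, 1):
        if r["in"] != ingress or src not in OBJECTS[r["src"]] or dst not in OBJECTS[r["dst"]]:
            continue
        if r["type"] == "static" and r["src"] == r["mapped"]:
            return n, "identity"            # source address left untouched
        return n, f"{r['type']}-to-{r['mapped']}"
    return None, "no-nat"

# Scott's final (working) two-line configuration, and the same lines reversed.
WORKING = [parse_nat(line) for line in (
    "nat (inside,outside) source static NETWORK_LOCAL NETWORK_LOCAL destination static "
    "NETWORK_REMOTE NETWORK_REMOTE no-proxy-arp route-lookup description No not NAT traffic to/from Remote Networks",
    "nat (inside,outside) source dynamic any interface",
)]
REVERSED = WORKING[::-1]

if __name__ == "__main__":
    for name, rules in (("working order", WORKING), ("reversed order", REVERSED)):
        print(name,
              "VPN-bound:", first_match(rules, "inside", "10.1.0.5", "10.2.0.9"),
              "Internet-bound:", first_match(rules, "inside", "10.1.0.5", "203.0.113.7"))
```

In the working order the VPN-bound flow hits the identity rule and the Internet-bound flow falls through to PAT; in the reversed order both flows are swallowed by the PAT rule.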