New Member

why vpn tunnel failed after changing ISP? ASA 5500

Hi Forum,

I just changed my ISP, and therefore I am changing my ASA outside interface's IP address, and all the remote sites are pointing to this new IP address.

When I tried to compare my old config with the new one, I can only find that the outside IP was changed, nothing else. I rebooted all the remote sites' ASAs but the tunnel just can't seem to come up.

What could have happened?

Thank you,

py

6 REPLIES
Hall of Fame Super Blue

Re: why vpn tunnel failed after changing ISP? ASA 5500

Hi

Obvious things to check

1) Your new ISP is not doing any filtering which breaks your IPSEC tunnels.

2) The new IP subnet your ISP has allocated has been advertised properly. Can you ping the outside interface of your ASA device from one of the remote sites?

Are you using pre-shared keys?

Jon

New Member

Re: why vpn tunnel failed after changing ISP? ASA 5500

What Jon said, and of course, do a "show running-config all | include XX.XX.XX", substituting the first part of the old IP that used to be on the interface, to see if you missed someplace in the configuration where it was applied. If it was, odds are those statements (access lists, IP-based usernames, etc.) need to be changed.
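The check suggested in the reply above can also be run offline against saved copies of the old and new configurations. The following is an added example, not code from the thread or from Cisco: it lists lines in the new config that still carry the old address prefix, and lines from the old config that have no counterpart in the new one once the address change is accounted for (a dropped `isakmp enable outside`, for instance). The function names, the sample configs and the documentation-range addresses are constructed for illustration.

```python
import re

def parse(cfg):
    """Return (parent, command) pairs; indented sub-commands keep their parent line."""
    pairs, parent = [], ""
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip()[0] in "!:":
            continue  # skip blank lines and "!" / ": Saved" comment lines
        if line[0].isspace():
            pairs.append((parent, line.strip()))
        else:
            parent = line
            pairs.append(("", line))
    return pairs

def audit_readdress(old_cfg, new_cfg, old_prefix, new_prefix):
    """stale: new-config lines that still use the old address prefix.
    missing: old-config lines absent from the new config after the old
    prefix is rewritten to the new one, as (parent, command) pairs."""
    old_pat = re.compile(r"(?<![\d.])" + re.escape(old_prefix))
    rewrite = lambda s: old_pat.sub(lambda m: new_prefix, s)
    new_pairs = parse(new_cfg)
    stale = [cmd for _, cmd in new_pairs if old_pat.search(cmd)]
    expected = [(rewrite(p), rewrite(c)) for p, c in parse(old_cfg)]
    missing = [pair for pair in expected if pair not in set(new_pairs)]
    return stale, missing

# Constructed sample configs (documentation addresses, not the thread's attachments)
OLD_CFG = """\
interface Ethernet0/0
 nameif outside
 ip address 198.51.100.10 255.255.255.248
route outside 0.0.0.0 0.0.0.0 198.51.100.9 1
access-list mgmt extended permit ip host 198.51.100.12 any
crypto map outside_map interface outside
isakmp enable outside
"""
NEW_CFG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.10 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
access-list mgmt extended permit ip host 198.51.100.12 any
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    print(audit_readdress(OLD_CFG, NEW_CFG, "198.51.100.", "203.0.113."))
```

A stale line is also reported as missing in its rewritten form, because the expected new-address version of it is not in the new config.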

New Member

Re: why vpn tunnel failed after changing ISP? ASA 5500

Hi Jon, Julin,

Thank you very much.

You folks are right. One of the lines - isakmp enable outside - is missing. I can see the tunnel now. However, I can see incoming packets being encapsulated but not outgoing traffic. What could be the cause normally?

local ident (addr/mask/prot/port): (192.168.123.0/255.255.255.240/0/0)

remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.240/0/0)

current_peer: 229.93.7.1

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 641, #pkts decrypt: 641, #pkts verify: 641

Hall of Fame Super Blue

Re: why vpn tunnel failed after changing ISP? ASA 5500

Hi Paul

Could you send the config of the headend ASA and one of the remote devices for a tunnel that is not working? (Please remove/modify any sensitive info before posting.)

Jon

New Member

Re: why vpn tunnel failed after changing ISP? ASA 5500

Hi Jon,

Very sorry for the delay, I was away on a course and just got back.

We have this design:

routerA(GRE) <> (site A)ASA <> (site B)ASA <> routerB(GRE)

switchA(GRE) <> (site A)ASA <> (site B)ASA <> switchB(GRE)

Both go from site A to site B. Attached are the configuration files.

I can see traffic from site B, but site A has no traffic going out. When I manually route some traffic across the GRE tunnel, I can see the traffic on the ASA, because I am using EIGRP to detect the GRE tunnel. Is there something wrong with my routing?

Thank you,

paul

New Member

Re: why vpn tunnel failed after changing ISP? ASA 5500

Hi Forum,

Have I done something wrong in the configuration? I tried to go through it, but I really feel lost.

Thank you,
