Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
384
Views
0
Helpful
1
Replies

Cisco ASA 5520 and 5505 VPN Tunnel

grovetl82
Level 1
Level 1

‎08-11-2009 07:36 PM - edited ‎03-04-2019 05:42 AM

I am in the process of cleaning up a poorly structured network. Right now there is a 5520 in our main office and a 5505 at a remote office. The IPSec VPN Tunnel is working quite well as it stands. However, I need to change the outside IP address of the 5520. When I do this the VPN tunnel breaks between the two offices.

Using the ASDM GUI I have made, what I thought, were the necessary changes. I tell the 5505 the new peer IP address. However, no traffic will pass between the two networks. If I change the IP address of the 5520 back to the original all works again.

One of the errors that I receive in the syslog on the 5520 is this: "no spi to identify phase 2 sa"

Does anyone know what steps are required to change the outside interface IP address and have the VPN tunnel run as normal after the change? Thanks for your time and help.

Labels:
0 Helpful
1 Reply 1

Collin Clark
VIP Alumni
VIP Alumni

‎08-12-2009 05:40 AM

Do you also create a new VPN group in the 5505? You need to do that when the remote IP changes. You should have a group something like the following-

tunnel-group 12.13.14.15 type ipsec-l2l

tunnel-group 12.13.14.15 ipsec-attributes

pre-shared-key *

You will have to create a new group with the new IP.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card