Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco ASA 5520 and 5505 VPN Tunnel

I am in the process of cleaning up a poorly structured network. Right now there is a 5520 in our main office and a 5505 at a remote office. The IPSec VPN Tunnel is working quite well as it stands. However, I need to change the outside IP address of the 5520. When I do this the VPN tunnel breaks between the two offices.

Using the ASDM GUI I have made, what I thought, were the necessary changes. I tell the 5505 the new peer IP address. However, no traffic will pass between the two networks. If I change the IP address of the 5520 back to the original all works again.

One of the errors that I receive in the syslog on the 5520 is this: "no spi to identify phase 2 sa"

Does anyone know what steps are required to change the outside interface IP address and have the VPN tunnel run as normal after the change? Thanks for your time and help.


Re: Cisco ASA 5520 and 5505 VPN Tunnel

Do you also create a new VPN group in the 5505? You need to do that when the remote IP changes. You should have a group something like the following-

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key *

You will have to create a new group with the new IP.

CreatePlease to create content