Cisco ASA L2L VPNs down after ISP Change

We just changed ISPs and thus have new IPS.  We have a new WAN IP and then a block of IPS (CIDR).   After this change our two site to site VPN tunnels stopped working.  We changed the IP of the remote site to the new WAN interface IP (on the two remote routers) but the connections still won't work.  All of the devices are Cisco ASA apliances.  Are we missing something in regards to ACL or routing ?    Usually changing the remote site VPN on the remote routers brings things right back up.

Thanks for your help.

Who is Participating?

Improve company productivity with a Business Account.Sign Up

lrmooreConnect With a Mentor Commented:
Do you have any route statements left over pointing to the old ISP gateway?
corpdsincAuthor Commented:
Nope, all of the static routes point to the new WAN IP.... now that I think about it...the WAN INT Ip is a /28 ..  Do you think that fact that the static route is set to the WAN INT IP instead of the WAN INT gateway could be the problem?
predragpetrovicConnect With a Mentor Commented:

can you send debug outputs... i think that the remote ends did not update the peer IP addresses.
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

>Do you think that fact that the static route is set to the WAN INT IP instead of the WAN INT gateway could be the problem?
Absolutely! It must point to the next hop, never to your own interface ip!
corpdsincAuthor Commented: bad.  I forgot that i did change the default routes  for the WAN INT default gateway yesterday..I was excited about that being the fix...but no luck.  Any other ideas?  

Pedraq:  I have verified that that peer IPs are correct.  In fact, I recreated the VPN on one of the remote sites via the wizzard creating new tunnel group and Peer IP etc.  


could you do the following on your ASA device:

debug crypto ipsec
debug crypto isakmp
terminal monitor

and try to send traffic from one site to another (traffic which matches the crypto maps), send the debugs.
corpdsincAuthor Commented:
I was unable to do th debug.  But using ASDM monitoring I see that the lan2lan tunnel is established.  At the remote side it is passing two way traffic.  HOWEVER, at the main site (where the public IP was changed) it is receiving data but not transmitting (0 TX bytes 970 RX bytes)
corpdsincAuthor Commented:
I now have both VPN connected now...but still not passing traffic.  I have included a JPG of the ASDM monitor showing one way traffic. ASDM
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.