[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 695
  • Last Modified:

Cisco ASA L2L VPNs down after ISP Change

Hello
We just changed ISPs and thus have new IPS.  We have a new WAN IP and then a block of IPS (CIDR).   After this change our two site to site VPN tunnels stopped working.  We changed the IP of the remote site to the new WAN interface IP (on the two remote routers) but the connections still won't work.  All of the devices are Cisco ASA apliances.  Are we missing something in regards to ACL or routing ?    Usually changing the remote site VPN on the remote routers brings things right back up.

Thanks for your help.

0
corpdsinc
Asked:
corpdsinc
  • 4
  • 2
  • 2
2 Solutions
 
lrmooreCommented:
Do you have any route statements left over pointing to the old ISP gateway?
0
 
corpdsincAuthor Commented:
Nope, all of the static routes point to the new WAN IP.... now that I think about it...the WAN INT Ip is a /28 ..  Do you think that fact that the 0.0.0.0 0.0.0.0 static route is set to the WAN INT IP instead of the WAN INT gateway could be the problem?
0
 
predragpetrovicCommented:
Hi,

can you send debug outputs... i think that the remote ends did not update the peer IP addresses.
0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
lrmooreCommented:
>Do you think that fact that the 0.0.0.0 0.0.0.0 static route is set to the WAN INT IP instead of the WAN INT gateway could be the problem?
Absolutely! It must point to the next hop, never to your own interface ip!
0
 
corpdsincAuthor Commented:
Ok..my bad.  I forgot that i did change the default routes  for the WAN INT default gateway yesterday..I was excited about that being the fix...but no luck.  Any other ideas?  

Pedraq:  I have verified that that peer IPs are correct.  In fact, I recreated the VPN on one of the remote sites via the wizzard creating new tunnel group and Peer IP etc.  

0
 
predragpetrovicCommented:
ok,

could you do the following on your ASA device:

debug crypto ipsec
debug crypto isakmp
terminal monitor

and try to send traffic from one site to another (traffic which matches the crypto maps), send the debugs.
0
 
corpdsincAuthor Commented:
I was unable to do th debug.  But using ASDM monitoring I see that the lan2lan tunnel is established.  At the remote side it is passing two way traffic.  HOWEVER, at the main site (where the public IP was changed) it is receiving data but not transmitting (0 TX bytes 970 RX bytes)
0
 
corpdsincAuthor Commented:
I now have both VPN connected now...but still not passing traffic.  I have included a JPG of the ASDM monitor showing one way traffic. ASDM
0

Featured Post

Receive 1:1 tech help

Solve your biggest tech problems alongside global tech experts with 1:1 help.

  • 4
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now