Solved

Outside interface drops 90% of packets after adding third interface

Posted on 2011-09-06
309 Views
Last Modified: 2012-05-12
I've got a 5505 ASA that I'm trying to add a second outside port to. Currently it has an inside, and outside port like most ASA setups. I'm trying to 'dual home' the ASA so our VPN users can be moved to the new port's IP and then the first port can be disconnected. I tried adding the port straight in, but it had two issues.

1) I could not ping the gateway of the device connected to that new port.
2) The outside port that worked 100% just before starts losing 80-90% of all packets. It basically becomes unusable.

I removed the second port and everything went back to normal.

Any ideas? I need to get the VPN users moved over the next week before that second T1's contract is up.
Question by: jmpsandiego

3 Comments
Accepted Solution by: jmeggers (LVL 18, earned 500 total points)
ID: 36493110
You're running into routing and state issues.  You won't be able to use both outside ports at the same time, the redundant interface feature on the ASA is an active / standby type of arrangement.  You'll need to do a cutover.  My suggestion would be to shut the second outside interface for now.  Whenever you can schedule a maintenance window, do some testing by enabling the new and disabling the original interfaces, to make sure your configuration works.  Do that as many times as you need to work out the details, then schedule the cutover.  Just keep one or the other outside interfaces shut down.
Author Comment by: jmpsandiego
ID: 36493186
That's the problem. We don't have the resources to do that kind of a cutover. Each of these remote routers has to be managed via the LAN ports, which nothing but IP phones and printers are connected to. Unfortunately when they were sent out by the previous tech, they didn't bother to enable admin access over the WAN. It's a really annoying and confusing setup.

Any way to get around this? Or am I really just stuck with it being this way?

I tried to copy the VPN settings from one ASA to another and I attempted to put the 2nd ASA on the new connection but it wanted nothing to do with that. I couldn't get the VPN to connect on the newer ASA.
Expert Comment by: jmeggers (LVL 18)
ID: 36499831
The cutover shouldn't be that big of a deal for internal users, but agreed, it's probably a bigger deal for VPN connections. Having the second ASA makes things a bit easier in some ways but more difficult in others. Any way you slice it, though, it's still likely to involve some amount of downtime for each of the VPN connections.

When you say the second ASA wanted nothing to do with that, are you saying the VPN connections wouldn't connect?  It's not as simple as copying the configuration over to the other ASA, but depending on the number of tunnels, it shouldn't be an enormously big deal either.  How many VPN tunnels are we talking about?  For a 5505 at the head end, I hope not very many.  

Here's one trick that might help:  If you simply "show run" on the ASA, the VPN pre-shared keys are obscured, as in:

tunnel-group VPN_Group ipsec-attributes
 pre-shared-key *****

If you instead type "more system:running-config" the display includes those obscured PSKs in clear text.  As in:

tunnel-group VPN_Group ipsec-attributes
 pre-shared-key abcde12345

Very handy if you're not sure what PSK was used for a VPN tunnel.

If you keep things on the existing ASA, you should only need to change the peer statements on the remote peers; the config on the head-end ASA should stay the same (except for where the crypto map is applied), as will the ACLs, ISAKMP, transforms, etc. on both ends.  You will have to change the global statement (outside of the NAT configuration) to the new interface.  Your static default will change to the new ISP address, and DNS will likely change.  But I can't think of a whole lot more than that. Save an archive of all your existing configurations so you can reload and reboot if necessary.  But once you've started the migration, basically there's really no partial effort -- you're in it for the whole deal.  Let everyone know when you're going to make the change, preferably late at night.  You can pre-stage your VPN configurations in text files to just copy and paste (include your "no" statements at the beginning in the proper order).  Hate to say it, but this is where experience is key, and this is why consultants that can help with this kind of thing earn their money.  Good luck, and hope this helps.  
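The comment above makes two points that interact: `more system:running-config` shows IPsec pre-shared keys in clear text, and the migration plan calls for saving archives of the existing configurations. Any archive taken that way carries the PSKs, so before a config dump is pasted into a ticket or stored on a share it is worth knowing which tunnel-groups have clear-text keys and having a redacted copy to keep. The following script is an added example written for this page, not code from the thread or from Cisco; the config text, tunnel-group names, peer address and keys in it are constructed samples. It assumes the ASA layout shown in the comment (a `tunnel-group NAME ipsec-attributes` section followed by an indented `pre-shared-key` line) and that keys contain no spaces.

```python
import re

# Constructed sample of what `more system:running-config` shows on an ASA.
# Tunnel-group names, the 203.0.113.10 peer and the keys are made up for
# this example; the third group shows the masked form `show run` prints.
SAMPLE_CONFIG = """\
hostname asa-headend
tunnel-group VPN_Group ipsec-attributes
 pre-shared-key abcde12345
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key S3cretKey!
tunnel-group Staff_VPN ipsec-attributes
 pre-shared-key *****
"""

MASK = "*****"
# Section header that opens the ipsec-attributes block of a tunnel-group.
TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
# Indented key line inside that block (assumes the key has no spaces).
PSK_RE = re.compile(r"^(\s*pre-shared-key\s+)(\S+)\s*$")


def find_psks(config_text):
    """Return a list of (tunnel_group, key, is_masked) for every PSK line.

    tunnel_group is None if a key line appears outside an ipsec-attributes
    section, which should not happen in a well-formed ASA config.
    """
    found = []
    current = None
    for line in config_text.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m:
            key = m.group(2)
            found.append((current, key, key == MASK))
        elif line and not line.startswith(" "):
            # Any other top-level command ends the current section.
            current = None
    return found


def redact_psks(config_text):
    """Return (redacted_text, count) with every clear-text PSK masked.

    Line order and every other line are preserved so the redacted copy
    is still usable as a reference for the cutover.
    """
    out = []
    count = 0
    for line in config_text.splitlines():
        m = PSK_RE.match(line)
        if m and m.group(2) != MASK:
            out.append(m.group(1) + MASK)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    for group, key, masked in find_psks(SAMPLE_CONFIG):
        state = "masked" if masked else "CLEAR TEXT"
        print(f"{group}: pre-shared key is {state}")
    redacted, n = redact_psks(SAMPLE_CONFIG)
    print(f"\n{n} key(s) redacted; archive-safe copy:\n")
    print(redacted)
```

Keep the unredacted dump only where the device config itself would be kept, and use `find_psks` on the archive you intend to store as a check that nothing slipped through.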