Outside interface drops 90% of packets after adding third interface

Posted on 2011-09-06
Last Modified: 2012-05-12
I've got a 5505 ASA that I'm trying to add a second outside port to. Currently it has an inside, and outside port like most ASA setups. I'm trying to 'dual home' the ASA so our VPN users can be moved to the new port's IP and then the first port can be disconnected. I tried adding the port straight in, but it had two issues.

1) I could not ping the gateway of the device connected to that new port.
2) The outside port that worked 100% just before starts losing 80-90% of all packets. It basically becomes unusable.

I removed the second port and everything went back to normal.

Any ideas? I need to get the VPN users moved over the next week before that second T1's contract is up.
Question by:jmpsandiego
LVL 18

Accepted Solution

jmeggers earned 500 total points
ID: 36493110
You're running into routing and state issues. You won't be able to use both outside ports at the same time; the redundant interface feature on the ASA is an active/standby type of arrangement. You'll need to do a cutover. My suggestion would be to shut the second outside interface for now. Whenever you can schedule a maintenance window, do some testing by enabling the new and disabling the original interfaces, to make sure your configuration works. Do that as many times as you need to work out the details, then schedule the cutover. Just keep one or the other outside interfaces shut down.

Author Comment

ID: 36493186
That's the problem. We don't have the resources to do that kind of a cutover. Each of these remote routers has to be managed via the LAN ports, which nothing but IP phones and printers are connected to. Unfortunately when they were sent out by the previous tech, they didn't bother to enable admin access over the WAN. It's a really annoying and confusing setup.

Any way to get around this? Or am I really just stuck with it being this way?

I tried to copy the VPN settings from one ASA to another and I attempted to put the 2nd ASA on the new connection but it wanted nothing to do with that. I couldn't get the VPN to connect on the newer ASA.
LVL 18

Expert Comment

ID: 36499831
The cutover shouldn't be that big of a deal for internal users, but agreed, it's probably a bigger deal for VPN connections.  Having the second ASA makes things a bit easier in some ways but more difficult in others.  Any way you slice it, though, it's still likely to involve some amount of down time for each of the VPN connections.  

When you say the second ASA wanted nothing to do with that, are you saying the VPN connections wouldn't connect?  It's not as simple as copying the configuration over to the other ASA, but depending on the number of tunnels, it shouldn't be an enormously big deal either.  How many VPN tunnels are we talking about?  For a 5505 at the head end, I hope not very many.  

Here's one trick that might help:  If you simply "show run" on the ASA, the VPN pre-shared keys are obscured, as in:

tunnel-group VPN_Group ipsec-attributes
 pre-shared-key *****

If you instead type "more system:running-config" the display includes those obscured PSKs in clear text.  As in:

tunnel-group VPN_Group ipsec-attributes
 pre-shared-key abcde12345

Very handy if you're not sure what PSK was used for a VPN tunnel.

If you keep things on the existing ASA, you should only need to change the peer statements on the remote peers; the config on the head-end ASA should stay the same (except for where the crypto map is applied), as will the ACLs, ISAKMP, transforms, etc. on both ends.  You will have to change the global statement (outside of the NAT configuration) to the new interface.  Your static default will change to the new ISP address, and DNS will likely change.  But I can't think of a whole lot more than that. Save an archive of all your existing configurations so you can reload and reboot if necessary.  But once you've started the migration, basically there's really no partial effort -- you're in it for the whole deal.  Let everyone know when you're going to make the change, preferably late at night.  You can pre-stage your VPN configurations in text files to just copy and paste (include your "no" statements at the beginning in the proper order).  Hate to say it, but this is where experience is key, and this is why consultants that can help with this kind of thing earn their money.  Good luck, and hope this helps.  

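A pre-staged cutover script of the kind the accepted solution (shut one outside interface, bring up the other) and the follow-up comment (no statements first, then route, global, crypto map, ISAKMP, remote peer statements) describe. This is an added illustration, not configuration from the original post or from Cisco; the VLAN numbers, interface names, crypto map name, key name and addresses are assumed placeholders, and the NAT syntax is the pre-8.3 "global" form the comment refers to.

```cisco
! Constructed ASA 5505 cutover script (8.2-era syntax). All names/addresses are placeholders.
! Old ISP: outside  = Vlan2 on Ethernet0/0, 203.0.113.10/29, gateway 203.0.113.9
! New ISP: outside2 = Vlan3 on Ethernet0/2, 198.51.100.10/29, gateway 198.51.100.9
!
! --- Pre-stage (before the window): define the new interface but keep it shut,
!     so only one outside port is ever up, as the accepted solution advises.
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
interface Vlan3
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.248
 shutdown
!
! --- Cutover: "no" statements first, in this order.
! Detach the crypto map and ISAKMP from the old interface so tunnel state there is released.
no crypto map OUTSIDE_MAP interface outside
no crypto isakmp enable outside
! Remove the old default route and the old PAT global before adding their replacements.
no route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
no global (outside) 1 interface
! Take the old outside port down.
interface Vlan2
 shutdown
!
! --- Bring the new side up. The nat (inside) statements, ACLs, ISAKMP policy and
!     transform sets are unchanged; only where things are applied moves.
interface Vlan3
 no shutdown
route outside2 0.0.0.0 0.0.0.0 198.51.100.9 1
global (outside2) 1 interface
crypto isakmp enable outside2
crypto map OUTSIDE_MAP interface outside2
! DNS resolvers usually change with the ISP (placeholder address).
dns server-group DefaultDNS
 name-server 198.51.100.2
!
! --- Remote side (IOS router, one site shown): repoint the peer at the new head-end address.
!   no crypto isakmp key REMOTE_KEY address 203.0.113.10
!   crypto isakmp key REMOTE_KEY address 198.51.100.10
!   crypto map REMOTE_MAP 10 ipsec-isakmp
!    no set peer 203.0.113.10
!    set peer 198.51.100.10
!
! Rollback is the archived configuration saved before the window; only commit once tunnels re-form.
write memory
```

Pasting the old-interface "no" lines into the running config while the new interface is still shut is the test the accepted solution suggests: nothing should answer on the old address, and rolling back is just reversing the shutdowns.
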