
Change of public IP address for site 2 site VPN tunnels not successful

Asked by marceloNYC (United States of America). Tags: Routers, VPN, Cisco. 19 comments, 1 solution, 488 views.
Dear Experts,

I am not able to change to our new ISP's public IP address for our site-to-site VPN tunnels. We changed to AT&T from Comcast. I need to discontinue the Comcast public IP address.

Anyway, the tunnels from office A to offices B and C are not working once I change the VPN configuration to use the new IP address. I don't think the IP address is visible from the two remote offices that need the site-to-site VPN tunnel.

This is the tunnel status I am getting after the change of public IP, from "show crypto isakmp sa": MM_NO_STATE, which means that VPN phase 1 (ISAKMP) is not even negotiated.

Right now I am working with the old ISP fine, and I am getting:

Router Office A#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
173.xx.yy.18   216.xx.yy.67  QM_IDLE           2040    0 ACTIVE
74.xx.yy.114   173.xx.yy.18   QM_IDLE           2039    0 ACTIVE

I can ping the two remote VPN routers, but that does not happen with the new IP address change.

#ping 74.xx.yy.114

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.xx.yy.114, timeout is 2 seconds:
!!!!!

#ping 216.xx.yy.67

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.xx.yy.67, timeout is 2 seconds:
!!!!!

These pings are successful when the tunnels are working with the soon-to-be-gone ISP. When I change the configuration to the new ISP they time out. But if I ping 4.2.2.2 with the new ISP, it works.

Here is the relevant configuration from the router that needs to change its public IP address:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key address 216.xx.yy.67
crypto isakmp key key address 74.xx.yy.114
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set xxxxxxxxxxxxxxxxxxxxxx
!
crypto ipsec profile VPN-IS
 set transform-set IS-Default

interface Tunnel60
 description *** VPN TO office B ***
 bandwidth 1440
 ip address 10.255.255.17 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip summary-address eigrp xxxxxxxxxxxxxxxxxxxxxxx
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 216.xx.yy.67
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IS shared
!
interface Tunnel50
 description *** VPN TO office C ***
 bandwidth 1440
 ip address 10.255.255.9 255.255.255.252  <-- this doesn't ping itself when I make the changes to the new IP address; it does now with the old IP address
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip summary-address eigrp xxxxxxxxxxxxxxxxxx
 ip summary-address eigrp xxxxxxxxxxxxxxxxxxxxx
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 74.xx.yy.114
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IS shared

interface FastEthernet0
 ip address 173.xxxxxxxxxxxxxx (I need to change this and it doesn't work when I do)
 ip access-group Inet-Connection in
 duplex auto
 speed auto
 no cdp enable

ip route 0.0.0.0 0.0.0.0 172.16.102.5  <-- internal firewall IP address to the internet; the whole office depends on this entry to access the web


ip access-list extended Inet-Connection
 permit ip host 74.xx.yy.114 any
 permit ip host 216.xx.yy.66 any
 permit ip host 216.xx.yy.67 any

On the other two routers in the remote offices, I have also made the corresponding public IP address change. I think the problem is with this router once I make the changes. The two remote routers don't see this router, for some strange reason.

Here is the relevant configuration of the Cisco switch that connects the VPN router to the web:

vlan 600
 name Internet-VPN
!
vlan 601
 name Internet-Access
interface FastEthernet0/1
 description *** Internet Tuns
 switchport access vlan 600
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/2
 description *** External VPN router interface-01 f0 ***
 switchport access vlan 600 <--- the VPN VLAN that works for the old ISP
 switchport mode access
 spanning-tree portfast


interface FastEthernet0/4
 description *** Internet Connection for Access
 switchport access vlan 601 <--- ASA firewall outside interface connected here
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/5
 description *** Firewall-asa-01 e0/0 outside
 switchport access vlan 601
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/9
 description ** TO ASA PORT 2**
 switchport access vlan 252 <--- internal network management VLAN
 spanning-tree portfast
!
interface Vlan222  <--- internal network management VLAN
 ip address 172.16.102.11 255.255.255.0
 no ip route-cache
!
With this configuration it is working using the old public IP address.

I thank you in advance for any helpful comment you may throw my way.
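The hub config posted above ties each peer together in four places: the tunnel's `tunnel destination`, a `crypto isakmp key ... address` for that same address, a `permit ip host <peer> any` in the ACL applied inbound on the tunnel source interface, and whatever route carries packets to the peer (here, only a default route pointing at the internal firewall). A public IP change has to be carried through every one of them on both ends, and a miss in any of them leaves phase 1 stuck. The following is an added example, not code from the question or from any answer in this thread: a small checker that reads a running-config and reports, per tunnel interface, a peer with no matching pre-shared key, a peer the inbound ACL does not permit, and a peer that is reachable only through the default route (so the next hop should be confirmed to forward to the new ISP). `SAMPLE_CONFIG` is constructed in the shape of the posted hub config using documentation-range addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) rather than the poster's real ones, and the function names are mine.

```python
import ipaddress
import re

def parse_config(text):
    """Extract ISAKMP key peers, tunnel source/destination, inbound ACLs, ACL sources and static routes."""
    cfg = {"keys": set(), "interfaces": {}, "acls": {}, "routes": []}
    section = None  # ("interface", name) or ("acl", name) while inside an indented block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            section = None
            if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                cfg["keys"].add(m.group(1))
            elif m := re.match(r"interface (\S+)", line):
                section = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {}
            elif m := re.match(r"ip access-list extended (\S+)", line):
                section = ("acl", m.group(1))
                cfg["acls"][m.group(1)] = []
            elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
                net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                cfg["routes"].append((net, m.group(3)))
            continue
        kind, name = section or (None, None)
        if kind == "interface":
            if m := re.match(r"\s+tunnel destination (\S+)", line):
                cfg["interfaces"][name]["tunnel_dst"] = m.group(1)
            elif m := re.match(r"\s+tunnel source (\S+)", line):
                cfg["interfaces"][name]["tunnel_src"] = m.group(1)
            elif m := re.match(r"\s+ip access-group (\S+) in$", line):
                cfg["interfaces"][name]["acl_in"] = m.group(1)
        elif kind == "acl" and (m := re.match(r"\s+permit \S+ (host \S+|any|\S+ \S+)", line)):
            cfg["acls"][name].append(m.group(1))  # source field only: 'host X', 'any' or 'addr wildcard'
    return cfg

def acl_permits_source(sources, ip):
    """True if a permit entry's source field ('host X', 'any' or 'addr wildcard') matches ip."""
    addr = int(ipaddress.ip_address(ip))
    for src in sources:
        if src == "any":
            return True
        base, wildcard = (src.split()[1], "0.0.0.0") if src.startswith("host ") else src.split()
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # wildcard bits are don't-care
        if addr & mask == int(ipaddress.ip_address(base)) & mask:
            return True
    return False

def route_for(routes, ip):
    """Longest-prefix match over the static routes; returns (network, next_hop) or None."""
    addr, best = ipaddress.ip_address(ip), None
    for net, next_hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def check_peers(config_text):
    """Per tunnel: missing pre-shared key, inbound ACL dropping the peer, peer reachable only via default route."""
    cfg, findings = parse_config(config_text), []
    for name, props in cfg["interfaces"].items():
        peer = props.get("tunnel_dst")
        if peer is None:
            continue
        if peer not in cfg["keys"]:
            findings.append(f"{name}: no 'crypto isakmp key ... address {peer}'")
        src_if = props.get("tunnel_src", "")
        acl = cfg["interfaces"].get(src_if, {}).get("acl_in")
        if acl and not acl_permits_source(cfg["acls"].get(acl, []), peer):
            findings.append(f"{name}: inbound ACL {acl} on {src_if} does not permit peer {peer}")
        route = route_for(cfg["routes"], peer)
        if route is None:
            findings.append(f"{name}: no route to peer {peer}")
        elif route[0].prefixlen == 0:
            findings.append(f"{name}: peer {peer} reached only via the default route (next hop {route[1]})")
    return findings

# Constructed sample in the shape of the hub config above (documentation-range addresses, not the real ones).
SAMPLE_CONFIG = """\
crypto isakmp key s3cret address 203.0.113.67
crypto isakmp key s3cret address 198.51.100.114
interface Tunnel60
 tunnel source FastEthernet0
 tunnel destination 203.0.113.67
interface Tunnel50
 tunnel source FastEthernet0
 tunnel destination 198.51.100.114
interface FastEthernet0
 ip access-group Inet-Connection in
ip route 0.0.0.0 0.0.0.0 172.16.102.5
ip route 203.0.113.67 255.255.255.255 192.0.2.17
ip access-list extended Inet-Connection
 permit ip host 198.51.100.114 any
 permit ip host 203.0.113.66 any
"""

if __name__ == "__main__":
    print("\n".join(check_peers(SAMPLE_CONFIG)))
```

On the sample, `check_peers` reports two findings: Tunnel60's peer 203.0.113.67 is not in Inet-Connection (only the neighbouring .66 is, the same off-by-one that a copied ACL invites), and Tunnel50's peer 198.51.100.114 is reached only through the default route to 172.16.102.5, so that firewall must actually forward it out the new ISP. The wildcard comparison treats each wildcard bit as don't-care, so discontiguous wildcards work, and `permit ... any` short-circuits. The checker only reads static `ip route` lines; on a router that learns its default from a routing protocol, confirm the path with `show ip route <peer>` instead, and run the same check on the spoke routers against the hub's new address.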