marceloNYC asked:
Change of public IP address for site 2 site VPN tunnels not successful

Dear Experts,

I am not able to change to our new ISP public IP address for our site-to-site VPN tunnels. We changed to AT&T from Comcast. I need to discontinue the Comcast usage of the public IP address.

Anyway, the tunnels from office A to offices B and C are not working once I change the VPN configuration to use the new IP address. I don't think that the IP address is visible from the two remote offices that need the site-to-site VPN tunnel.

This is the tunnel status I am getting with the change of public IP, from "show crypto isakmp sa": MM_NO_STATE, which means that VPN phase 1 (ISAKMP) is not even negotiated.

Now I am working with the old ISP fine and I am getting:

Router Office A#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
173.xx.yy.18   216.xx.yy.67  QM_IDLE           2040    0 ACTIVE
74.xx.yy.114   173.xx.yy.18   QM_IDLE           2039    0 ACTIVE

I can ping the actual two remote VPN routers, but that does not happen with the new IP address change.

#ping 74.xx.yy.114

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.xx.yy.114, timeout is 2 seconds:
!!!!!

#ping 216.xx.yy.67

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.xx.yy.67, timeout is 2 seconds:
!!!!!

These pings are successful when the tunnels are working with the soon-to-be-gone ISP. When I change the configuration to the new ISP they time out. But if I ping 4.2.2.2 with the new ISP it works.

Here you have the relevant configuration from the router needing to change its public IP address:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key address 216.xx.yy.67
crypto isakmp key key address 74.xx.yy.114
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set xxxxxxxxxxxxxxxxxxxxxx
!
crypto ipsec profile VPN-IS
 set transform-set IS-Default

interface Tunnel60
 description *** VPN TO office B ***
 bandwidth 1440
 ip address 10.255.255.17 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip summary-address eigrp xxxxxxxxxxxxxxxxxxxxxxx
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 216.xx.yy.67
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IS shared
!
interface Tunnel50
 description *** VPN TO office C ***
 bandwidth 1440
 ip address 10.255.255.9 255.255.255.252  <-- this doesn't ping itself when I make the changes to the new IP address; it does now with the old IP address
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip summary-address eigrp xxxxxxxxxxxxxxxxxx
 ip summary-address eigrp xxxxxxxxxxxxxxxxxxxxx
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 10 3
 tunnel source FastEthernet0
 tunnel destination 74.xx.yy.114
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-IS shared

interface FastEthernet0
 ip address 173.xxxxxxxxxxxxxx (I need to change this and it doesn't work when I do)
 ip access-group Inet-Connection in
 duplex auto
 speed auto
 no cdp enable

ip route 0.0.0.0 0.0.0.0 172.16.102.5  <-- internal firewall IP address to the internet all office depends on this entry to access the web


ip access-list extended Inet-Connection
 
 permit ip host 74.xx.yy.114 any
 permit ip host 216.xx.yy.66 any
 permit ip host 216.xx.yy.67 any

In the other two routers in the remote offices, I have also done the corresponding change of public IP address. I think the problem is with this router once I make the changes. The two remote routers don't see this router for some strange reason.

Here is the Cisco switch relevant configuration that the VPN router has connecting to the web:

vlan 600
 name Internet-VPN
!
vlan 601
 name Internet-Access
interface FastEthernet0/1
 description *** Internet Tuns
 switchport access vlan 600
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/2
 description *** External VPN router interface-01 f0 ***
 switchport access vlan 600 <--- a VPN VLAN that works for old ISP
 switchport mode access
 spanning-tree portfast


interface FastEthernet0/4
 description *** Internet Connection for Access
 switchport access vlan 601 ASA firewall connected here outside interface
 switchport mode access
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/5
 description *** Firewall-asa-01 e0/0 outside
 switchport access vlan 601
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/9
 description ** TO ASA PORT 2**
 switchport access vlan 252<--- internal network management VLAN
 spanning-tree portfast
!
interface Vlan222  <--- internal network management VLAN
 ip address 172.16.102.11 255.255.255.0
 no ip route-cache
!
With this configuration it is working using the old public IP address.

I thank you in advance for any helpful comment you may throw my way.
asavener:

I'm having a hard time understanding what's going on.

Is the ISP changing at site A?

Site B?

Site C?

Are you running both ISPs temporarily while you validate?

What is the Internet-facing firewall at Site A?
marceloNYC (asker):

Sure, I am not surprised you didn't understand. Sorry for that...


Yes, the ISP has already changed in Site A.


Site B & C are the same

I am running both ISPs until I can get the VPN tunnel to work with the new ISP (AT&T). I need to cut off the old ISP; the two tunnels from sites B & C need to work with the new ISP.

I basically need to discontinue the tunnels hitting the IP address from the old ISP and make the new public IP address work with the two remote sites B & C.

When I make the changes of IP in the VPN router in site A there is no way of lifting the tunnels. I do make the corresponding changes in sites B & C.

As for the firewall, the traffic for this VPN router in site A passes through the firewall.
Are both ISP connections handled on the firewall at Site A?

Chances are, the problem's on that guy.
I changed the firewall to work with the new ISP and it is working great, taking us to the internet.

I am going to change the IP address now to try to lift the tunnels again and will give you some info. I need a few.
Let's concentrate only on sites A & B, assuming that once fixed, site C will work the same for now.

VPN Router A #

interface FastEthernet0
 ip address 173.xx.yy.18 255.255.255.2xx<-- Old ISP the one I need to replace


This is a traceroute from VPN router A to site B. The tunnel is working using the old ISP address.

VPN Router A #traceroute 216.xx.yy.67 <-- Actual VPN tunnel address

Type escape sequence to abort.
Tracing the route to 216-xx.yy-67.static.logixcom.net (216.xx.yy.67)

  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *  *
  8  *  *  *
  9  *  *  *
 10  *  *  *
 11  *  *  *
 12 216-xx.yy.67.static.logixcom.net (216.xx.yy.67) 28 msec *  28 msec


VPN Router A #traceroute 216.xx.yy.65 <-- gateway address of site B

Type escape sequence to abort.

Tracing the route to 216-xx.yy-65.static.logixcom.net (216.xx.yy.65)

  1 12.xx.yy.113 4 msec 4 msec 0 msec <-- our gateway with AT&T the new ISP

  2 12.118.167.37 148 msec 0 msec 4 msec
  3 cr2.hs1tx.ip.att.net (12.122.103.74) [MPLS: Label 19460 Exp 1] 8 msec 12 msec 12 msec
  4 cr1.dlstx.ip.att.net (12.122.28.157) [MPLS: Labels 0/17299 Exp 1] 12 msec 12 msec 12 msec
  5 gar22.dlstx.ip.att.net (12.122.85.65) 4 msec 8 msec 4 msec
  6 12.249.185.6 4 msec 16 msec 8 msec
  7 sat1-ar3-xe-0-0-0-0.us.twtelecom.net (66.192.244.166) 16 msec 16 msec 16 msec
  8 66-162-211-74.static.twtelecom.net (66.162.211.74) 16 msec 16 msec 16 msec
  9 216.215.79.11 16 msec 16 msec 16 msec
 10 216-xx.yy-65.static.logixcom.net (216.xx.yy.65) 24 msec 20 msec 20 msec
VPN Router A #



Now I made the changes in the remote sites and in Site A with the new IP address as follows:

Router site A change of IP to new ISP
 
interface FastEthernet0
 ip address 12.xx.yy.121 255.255.255.2xx

 VPN router A #traceroute 216.xx.yy.65<-- site B gateway

Type escape sequence to abort.
Tracing the route to 216-yy.xx-65.static.logixcom.net (216.xx.yy3.65)

  ****1 12.xx.yy.113 4 msec 0 msec 0 msec <-- our gateway with AT&T the new ISP******

  2 12.118.167.37 4 msec 0 msec 4 msec
  3 cr2.hs1tx.ip.att.net (12.122.103.74) [MPLS: Label 19460 Exp 1] 12 msec 12 msec 24 ms
  4 cr1.dlstx.ip.att.net (12.122.28.157) [MPLS: Labels 0/17299 Exp 1] 20 msec 32 msec 8
  5 gar22.dlstx.ip.att.net (12.122.85.65) 8 msec 8 msec 8 msec
  6 12.249.185.6 8 msec 8 msec 8 msec
  7 sat1-ar3-xe-0-0-0-0.us.twtelecom.net (66.192.244.166) 16 msec 36 msec 32 msec
  8 66-162-211-74.static.twtelecom.net (66.162.211.74) 20 msec 16 msec 16 msec
  9 216.215.79.11 40 msec 48 msec 16 msec
 10 216-yy.xx-65.static.logixcom.net (216.xx.yy.65) 36 msec 24 msec 28 msec
 !
!




VPN router A #ping  216.xx.yy.67 <-- actual IP for tunnel to work with site B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.xx.yy.67, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
 

VPN router A#ping  216.xx.yy.65 <-- gateway for site B

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.xx.yy.65, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/81/112 ms


 VPN router A#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms


So you see, with the change of IP address I am getting to the internet. The tunnels do not come up with the new AT&T public IP address.
OK.  Can I get the full config of the router at B?

I suspect it's either an access list issue or a routing issue.
Awesome!

Here goes the relevant router B config:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key address 12.xx.yy.121 (new IP)
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set xx-Default esp-aes 256 esp-sha-hmac
!
crypto ipsec profile xx
!
crypto ipsec profile VPN-xx
 set transform-set xx-Default

crypto ipsec profile VPN-xx
!
!
!
!
!
interface Loopback22
 ip address 10.255.0.14 255.255.255.255
!

interface Tunnel60
 description *** VPN TO Site A ***
 bandwidth 1440
 ip address 10.255.255.18 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip summary-address eigrp xxxxxxxxxxxxxxxxxx
 load-interval 30
 delay 1000
 qos pre-classify
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 12.xx.yy.121
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-xx
!
interface FastEthernet0/0
 ip address 216.xx.yy.67 255.255.255.2xx
 ip access-group Inet-Connection in
 duplex auto
 speed auto


ip route 0.0.0.0 0.0.0.0 172.16.19.1 <-- asa firewall for site B

ip route 12.xx.yy.121 255.255.255.255 216.xx.yy.65 <--- New IP that needs to work
 
ip route 173.xx.yy.18 255.255.255.255 216.xx.yy.65<--- Old IP that has to go

ip access-list extended Inet-Connection
 permit ip host 173.xx.yy.18 any (old to go IP)
 permit ip host 12.xx.yy.121 any (new IP entry)

traceroute and ping to site A gateway:

VPN router B# traceroute 12.xx.yy.113

Type escape sequence to abort.
Tracing the route to 12.xx.yy.113

  1 216.xx.yy.65 0 msec 0 msec 0 msec
  2 10.61.0.41 8 msec 16 msec 8 msec
  3 216.215.79.33 8 msec 8 msec 8 msec
  4 66.162.211.73 68 msec 8 msec 8 msec
  5 66.192.241.70 16 msec 12 msec 12 msec
  6 12.249.185.5 16 msec 16 msec 16 msec
  7 12.122.85.66 [MPLS: Label 16807 Exp 1] 24 msec 24 msec 24 msec
  8 12.122.28.158 [MPLS: Labels 0/17496 Exp 1] 24 msec 24 msec 24 msec
  9 12.122.103.73 20 msec 20 msec 24 msec
 10  *  *  *
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

VPN router B#ping  12.xx.yy.113

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.xx.yy.113, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms


VPN router B#sh crypto isakmp sa
dst             src             state          conn-id slot status
12.xx.yy.121  216.xx.yy.67  MM_NO_STATE          0    0 ACTIVE

VPN router B#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/24 ms
I was hoping it would only take an easy change of public IP address on the router VPN configurations, but it doesn't look that way. I think I need to recreate the tunnels and perhaps a new certificate. That I would like to confirm.
Well, when you change IP addresses that affect VPN tunnels, then you need to carry that through and change it wherever it is used. Also, don't forget to provide the proper routes for the new IP address in any intermediary routers/firewalls. Otherwise, the traffic cannot find its way. The other aspects of the VPN tunnel do not need to change. Just the IP address termination points.
Can you enable isakmp debugging on each end, and post the output here?

debug crypto isakmp

debug crypto isakmp error
I don't see your answer to asavener's question posted on 2013-07-12 at 08:53:30 (ID: 39321250).

This may be interesting:

Your config has the following default route:

"ip route 0.0.0.0 0.0.0.0 172.16.102.5  <-- internal firewall IP address to the internet all office depends on this entry to access the web"

I don't see any static routes.

Does this VPN traffic go through your firewall also? If yes, have you checked the routing and ACLs on the internal firewall to make sure the new address is allowed? If not, how and where are you routing the traffic?
SOLUTION (bbwonders)
Sorry fellows, I had to take care of a few other things. I will try again tomorrow afternoon after 5 PM central time. I took note for now. Thank you!
ASKER CERTIFIED SOLUTION
Yes sir! I do have the corresponding static routes; they are as follows:

ip route 0.0.0.0 0.0.0.0 172.16.102.5 <-- firewall IP that is working with the OLD network without any rules declared in it.

ip route 10.0.0.0 255.0.0.0 Null0
ip route 74.xx.yy.114 255.255.255.255 173.11.153.22 <-- old IP
ip route 74.xx.yy.114 255.255.255.255 12.183.216.113 <-- New IP

ip route 216.xx.yy.67 255.255.255.255 173.11.153.22<-- old IP
ip route 216.xx.yy.67 255.255.255.255 12.183.216.113<-- New IP
You need to remove the statics for the old address and test again, please.
Will do!
Do I need to mess with the certificate itself? What changes do I need to make aside from the IP address for the tunnels to work? Do I need to totally recreate the encryption settings?
Thank you for your help!