Dear Experts,
I am not able to change to our new ISP public IP address for our site2site VPN tunnels. We changed to AT&T from Comcast. I need to discontinue the Comcast usage of the public IP address.
Anyway, the tunnels from office A to offices B and C are not working once I change the VPN configuration to use the new IP address. I don't think that the IP address is visible from the two remote offices that need the site2site VPN tunnel.
This is the tunnel status I am getting with the change of public IP from "show crypto isakmp sa": MM_NO_STATE, which means that VPN phase 1 (ISAKMP) is not even negotiated.
Now I am working with the old ISP fine and I am getting:
Router Office A#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
173.xx.yy.18 216.xx.yy.67 QM_IDLE 2040 0 ACTIVE
74.xx.yy.114 173.xx.yy.18 QM_IDLE 2039 0 ACTIVE
I can ping the actual two remote VPN routers but that does not happen with the new IP address change.
#ping 74.xx.yy.114
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.xx.yy.114, timeout is 2 seconds:
!!!!!
#ping 216.xx.yy.67
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.xx.yy.67, timeout is 2 seconds:
!!!!!
These pings are successful when the tunnels are working with the soon-to-be-gone ISP. When I change the configuration to the new ISP they time out. But if I ping 4.2.2.2 with the new ISP, it works.
Here you have the relevant configuration from the router needing to change its public IP address:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key key address 216.xx.yy.67
crypto isakmp key key address 74.xx.yy.114
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set xxxxxxxxxxxxxxxxxxxxxx
!
crypto ipsec profile VPN-IS
set transform-set IS-Default
interface Tunnel60
description *** VPN TO office B ***
bandwidth 1440
ip address 10.255.255.17 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
ip summary-address eigrp xxxxxxxxxxxxxxxxxxxxxxx
load-interval 30
delay 1000
qos pre-classify
keepalive 10 3
tunnel source FastEthernet0
tunnel destination 216.xx.yy.67
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-IS shared
!
interface Tunnel50
description *** VPN TO office C ***
bandwidth 1440
ip address 10.255.255.9 255.255.255.252 <-- this doesn't ping itself when I make the changes to the new IP address; it does now with the old IP address
ip mtu 1400
ip tcp adjust-mss 1360
ip summary-address eigrp xxxxxxxxxxxxxxxxxx
ip summary-address eigrp xxxxxxxxxxxxxxxxxxxxx
load-interval 30
delay 1000
qos pre-classify
keepalive 10 3
tunnel source FastEthernet0
tunnel destination 74.xx.yy.114
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-IS shared
interface FastEthernet0
ip address 173.xxxxxxxxxxxxxx (I need to change this and it doesn't work when I do)
ip access-group Inet-Connection in
duplex auto
speed auto
no cdp enable
ip route 0.0.0.0 0.0.0.0 172.16.102.5 <-- internal firewall IP address to the internet; the whole office depends on this entry to access the web
ip access-list extended Inet-Connection
permit ip host 74.xx.yy.114 any
permit ip host 216.xx.yy.66 any
permit ip host 216.xx.yy.67 any
In the other two routers in the remote offices, I have also done the corresponding change of public IP address. I think the problem is with this router once I make the changes. The two remote routers don't see this router for some strange reason.
Here is the relevant configuration of the Cisco switch that connects the VPN router to the web:
vlan 600
name Internet-VPN
!
vlan 601
name Internet-Access
interface FastEthernet0/1
description *** Internet Tuns
switchport access vlan 600
switchport mode access
duplex full
spanning-tree portfast
!
interface FastEthernet0/2
description *** External VPN router interface-01 f0 ***
switchport access vlan 600 <--- a VPN VLAN that works for old ISP
switchport mode access
spanning-tree portfast
interface FastEthernet0/4
description *** Internet Connection for Access
switchport access vlan 601 <--- ASA firewall outside interface connected here
switchport mode access
duplex full
spanning-tree portfast
!
interface FastEthernet0/5
description *** Firewall-asa-01 e0/0 outside
switchport access vlan 601
switchport mode access
spanning-tree portfast
interface FastEthernet0/9
description ** TO ASA PORT 2**
switchport access vlan 252 <--- internal network management VLAN
spanning-tree portfast
!
interface Vlan222 <--- internal network management VLAN
ip address 172.16.102.11 255.255.255.0
no ip route-cache
!
With this configuration it is working using the old public IP address.
I thank you in advance for any helpful comment you may throw my way.
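An added checker, not part of the question or of any reply, that reads the two things quoted above, the "show crypto isakmp sa" table and the crypto/ACL lines of the running config, and reports peers whose Phase 1 never reached QM_IDLE and peers that the inbound interface ACL would drop through its implicit deny. The sample addresses, the local address 173.1.2.18 and the missing ACL entry are constructed for the demonstration.

```python
import re
# Constructed sample in the layout of the "show crypto isakmp sa" output quoted
# above, with masked octets made up. Office A's own address here is 173.1.2.18.
SHOW_ISAKMP_SA = """\
dst             src             state          conn-id slot status
173.1.2.18      216.3.4.67      QM_IDLE           2040    0 ACTIVE
74.5.6.114      173.1.2.18      MM_NO_STATE       2041    0 ACTIVE
"""

# Constructed IOS lines the check reads (pre-shared-key peers and the inbound ACL);
# peer 216.3.4.67 is deliberately left out of the ACL to produce a finding.
RUNNING_CONFIG = """\
crypto isakmp key key address 216.3.4.67
crypto isakmp key key address 74.5.6.114
ip access-list extended Inet-Connection
 permit ip host 74.5.6.114 any
 permit ip host 216.3.4.66 any
"""

SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+\d+\s+\d+\s+\S+$")
KEY_PEER = re.compile(r"^crypto isakmp key \S+ address (\S+)")
ACL_HOST = re.compile(r"^\s+permit ip host (\S+) any")

def parse_isakmp_sa(text, local_ip):
    """Map remote peer -> ISAKMP state; the peer is whichever of dst/src is not ours."""
    states = {}
    for line in text.splitlines():
        if m := SA_ROW.match(line.strip()):
            dst, src, state = m.groups()
            states[src if dst == local_ip else dst] = state
    return states

def acl_permitted_hosts(config, acl_name):
    """Hosts matched by 'permit ip host X any' entries inside the named ACL."""
    hosts, inside = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command ends the ACL block
            inside = line.startswith("ip access-list") and line.split()[-1] == acl_name
        elif inside and (m := ACL_HOST.match(line)):
            hosts.add(m.group(1))
    return hosts

def audit_peers(show_text, config, local_ip, acl_name="Inet-Connection"):
    """Flag peers with no completed Phase 1 (no row or not QM_IDLE) and peers the
    inbound ACL's implicit deny would drop before ISAKMP even starts."""
    states = parse_isakmp_sa(show_text, local_ip)
    peers = {m.group(1) for m in map(KEY_PEER.match, config.splitlines()) if m}
    return {"phase1_down": sorted(p for p in peers if states.get(p) != "QM_IDLE"),
            "blocked_by_acl": sorted(peers - acl_permitted_hosts(config, acl_name))}
```

A peer that appears in both lists is being discarded on the interface before the router can answer its ISAKMP traffic, which is one reason Phase 1 never leaves MM_NO_STATE after a peer address changes.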