Cannot get Cisco site2site VPN tunnel to come up after change of public IP address

Dear Experts,

I am having a problem implementing a change of public IP address in the VPN configuration of two routers.

The current configuration, according to me, should not be affected by me replacing the public IP. We did change ISP from COX to AT&T in site A.

When I change to the new IP on the Cisco routers in site A and B it does not work. The tunnel only works with the old IP address from the previous ISP.

The configuration has the new public IP address.

Here is this output from "show crypto isakmp sa"

12.1xx.yy.121  74.xx.yy.114   MM_NO_STATE          0 ACTIVE

Instead of the needed "QM_IDLE           1023 ACTIVE" result.

I suspect it's either an access list issue or a routing issue.

I am attaching the significant part of the configuration for both routers for your review.

Thank you for your time on this!

Regards!
Attachments: SiteA, SiteB

marceloNYC (Middle-Tier Administrator) asked:

rauenpc commented:
access-list 105 permit ip 173.xx.yy.0 0.0.0.255 any
access-list 105 permit ip 98.xx.yy.0 0.0.0.255 any
access-list 105 permit esp 98.xx.yy.0 0.0.0.255 any
access-list 105 permit esp 173.xx.yy.0 0.0.0.255 any
access-list 105 permit gre 173.xx.yy.0 0.0.0.255 any
 
access-list 105 permit tcp any any established
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.0.31.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.0.0.255 any
access-list 105 deny   ip any any
 
access-list 105 permit ip 12.xx.yy.0 0.0.0.255 any
access-list 105 permit gre 12.xx.yy.0 0.0.0.255 any
access-list 105 permit esp 12.xx.yy.0 0.0.0.255 any

It looks like you tried to add the new IP to the ACL at the end, but due to an explicit deny the traffic will be blocked.

show access-list 105
This will give you a numbered list of the entries in the ACL.
ip access-list extended 105
no [line number for the deny any any]
200 deny ip any any

This will remove the deny any and place it below the other lines. "200" assumes that the lowest line is less than 200.
marceloNYC (Middle-Tier Administrator, Author) commented:
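Why the lines appended after the explicit deny are never reached, as an added example (not from the thread, the poster, or Cisco): a small Python simulation of IOS first-match ACL evaluation over the ACL above, followed by the suggested fix of dropping 'deny ip any any' and re-adding it last. The prefixes are constructed stand-ins for the masked ones (173.xx.yy.0 -> 192.0.2.0, 98.xx.yy.0 -> 198.51.100.0, new 12.xx.yy.0 -> 203.0.113.0), the destination 100.64.0.114 stands in for the local peer address, and the private-range deny entries are omitted for brevity.

```python
# Added example (not the poster's or Cisco's code): IOS first-match ACL evaluation, showing why
# entries appended after 'deny ip any any' never match. Constructed stand-ins for the masked
# prefixes: 173.xx.yy.0 -> 192.0.2.0, 98.xx.yy.0 -> 198.51.100.0, new 12.xx.yy.0 -> 203.0.113.0.
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume 'any' or 'ADDR WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    wildcard = int(ipaddress.ip_address(tokens[1]))     # IOS wildcard: 1 bits = don't care
    mask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # invert to an ordinary netmask
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N ...' lines into (action, proto, src, dst), order preserved."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        t = t[2:] if t[:1] == ["access-list"] else t
        if not t or t[0] not in ("permit", "deny"):
            continue                      # blank lines and anything unrecognised
        src, rest = _addr(t[2:])
        dst, _ = _addr(rest)              # trailing keywords like 'established' are ignored
        aces.append((t[0], t[1], src, dst))
    return aces

def evaluate(aces, proto, src, dst):
    """Return (action, index) of the first matching entry; implicit deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, p, snet, dnet) in enumerate(aces):
        if p in (proto, "ip") and s in snet and d in dnet:
            return action, i
    return "deny", None
def move_catch_all_deny_last(aces):
    """The suggested fix: drop 'deny ip any any' and re-add it as the final entry."""
    catch_all = ("deny", "ip", ANY, ANY)
    return [a for a in aces if a != catch_all] + [catch_all]
BROKEN = parse_acl("""
access-list 105 permit ip 192.0.2.0 0.0.0.255 any
access-list 105 permit ip 198.51.100.0 0.0.0.255 any
access-list 105 permit esp 198.51.100.0 0.0.0.255 any
access-list 105 permit esp 192.0.2.0 0.0.0.255 any
access-list 105 permit gre 192.0.2.0 0.0.0.255 any
access-list 105 permit tcp any any established
access-list 105 deny   ip any any
access-list 105 permit ip 203.0.113.0 0.0.0.255 any
access-list 105 permit gre 203.0.113.0 0.0.0.255 any
access-list 105 permit esp 203.0.113.0 0.0.0.255 any
""")
FIXED = move_catch_all_deny_last(BROKEN)
```

With BROKEN, ESP from the new prefix hits the catch-all deny at index 6; with FIXED the same packet is permitted by the re-ordered entry and only unlisted sources fall through to the final deny.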
Thanks, I did as you said and still not getting the tunnel to come up.

173.xx.yy.18   74.xx.yy.114   QM_IDLE           1007 ACTIVE

12.xx.yy.231   74.xx.yy114   MM_NO_STATE          0 ACTIVE (deleted) <-- will check the other router
marceloNYC (Middle-Tier Administrator, Author) commented:
I think I found the problem thanks to this command output:

Interface: Tunnel40
Session status: DOWN-NEGOTIATING
Peer: 12.xx.yy.231 port 500
  IKE SA: local 74.xx.yy.114/500 remote 12.xx.yy.231/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 12.xx.yy.227 port 9 <--- this is the NAT address of the ASA firewall
  IKE SA: local 74.xx.yy.114/500 remote 12.xx.yy.227/9 Inactive

What do you think?

marceloNYC (Middle-Tier Administrator, Author) commented:
Thanks, I got it fixed...