Changed ISPs on ASA - having problems with VPNs, etc.
Posted on 2013-11-10
We have a Cisco ASA 5510 at our main facility. it's performing the following service:
- Gateway for the main facility to the internet
- Site to Site VPN tunnel to two other facilities (each one running an ASA 5505)
- Easy VPN setup to three remote facilities (easy one running an ASA 5505)
- Incoming Client VPNs
- NAT for internally hosted services (mail, etc)
We have a new ISP, and have to configure the ASA for the new ISP. We switched the connections, and configured the interface and default route on the 5510 for the new connection. Immediately traffic started flowing.
We then pointed the remote side of the site-to-sites at the new peer (new ISP at main facility), cleared crypto, and the tunnels re-established just fine.
We ran into a problem with the Easy VPNs though. We pointed the clients at the new IP, but the tunnel wouldn't re-establish. We restarted several of the endpoint ASA 5505s, but no avail.
Note that throughout this, we never restarted the ASA 5510. The reason was so we could reload it and go back to saved config if we had to.
I tried the NAT,and that didnt' seem to work either, but before i could troubleshoot more, we'd reached our maintenance window, and had to revert back to the old connection for now.
I'm curious if anyone has any suggestions. Obviously the public IP of the ASA must have been accessible for the site to sites to come back up, but yet although the Easy VPNs use the same IP, they wouldn't establish.
Anyone have any suggestions?
What troubleshooting points can i walk through? I wasn't sure what logging i could turn on to try to find out why it wasn't working.
Also any suggestions as to testing NAT, and why it wasn't working. I'm wondering if something may be blocking it on the ISP's equipment?