Solved

Changed ISPs on ASA - having problems with VPNs, etc.

Posted on 2013-11-10
Last Modified: 2013-11-25
Hi
We have a Cisco ASA 5510 at our main facility.  It's performing the following services:

- Gateway for the main facility to the internet
- Site to Site VPN tunnel to two other facilities (each one running an ASA 5505)
- Easy VPN setup to three remote facilities (each one running an ASA 5505)
- Incoming Client VPNs
- NAT for internally hosted services (mail, etc)

We have a new ISP, and have to configure the ASA for the new ISP.  We switched the connections, and configured the interface and default route on the 5510 for the new connection.  Immediately traffic started flowing.

We then pointed the remote side of the site-to-sites at the new peer (new ISP at main facility), cleared crypto, and the tunnels re-established just fine.

We ran into a problem with the Easy VPNs though.  We pointed the clients at the new IP, but the tunnel wouldn't re-establish.  We restarted several of the endpoint ASA 5505s, but to no avail.

Note that throughout this, we never restarted the ASA 5510.  The reason was so we could reload it and go back to saved config if we had to.

I tried the NAT, and that didn't seem to work either, but before I could troubleshoot more, we'd reached our maintenance window, and had to revert back to the old connection for now.

I'm curious if anyone has any suggestions.  Obviously the public IP of the ASA must have been accessible for the site to sites to come back up, but yet although the Easy VPNs use the same IP, they wouldn't establish.

Anyone have any suggestions?
What troubleshooting points can I walk through?  I wasn't sure what logging I could turn on to try to find out why it wasn't working.
Also any suggestions as to testing NAT, and why it wasn't working.  I'm wondering if something may be blocking it on the ISP's equipment?
0
Question by:Mystical_Ice
3 Comments
 
LVL 17

Accepted Solution

by:
TimotiSt earned 400 total points
ID: 39639560
Are the working VPNs using NAT-T, while the non-working ones aren't? The ISP might block ESP/AH (which is plain dumb, but sometimes happens).
0
 
LVL 12

Assisted Solution

by:Henk van Achterberg
Henk van Achterberg earned 1600 total points
ID: 39646038
Why don't you write the current config to disk0 and reload the ASA?

You can also prepare the changes of the new ISP in a config, put it on disk0.

When you are ready to switch just issue:

copy running-config disk0:/old.isp.config
copy disk0:/new.isp.config startup-config
reload

When it fails, just revert:

copy disk0:/old.isp.config startup-config
reload

Are you sure the speed and duplex settings are correct for the new ISP? I have had issues before where the new ISP had 100/full fixed instead of auto.

You can enable logging to ASDM at the informational level; this should give a good idea of whether remote Easy VPN connections are coming in.
0
 

Author Comment

by:Mystical_Ice
ID: 39676077
Thanks all for the advice.  It turns out there was a firewall still turned on on the cable modem, which may have had something to do with it.

Tried it again and it worked fine.
0
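
The checks suggested in this thread (speed/duplex, ASDM logging, NAT-T versus blocked ESP, inbound NAT) can be walked through from the ASA 5510 CLI in one pass. This is an added example, not posted by any participant; the interface name `outside` on Ethernet0/0, the capture names, and the documentation addresses 203.0.113.2 (new public IP) and 198.51.100.10 (a remote 5505) are assumptions.

```cisco
! Added example, not from the thread. Run from privileged EXEC; the
! "logging" and "crypto isakmp" lines need "configure terminal" first.
! Assumed: interface "outside" = Ethernet0/0, new public IP 203.0.113.2,
! remote Easy VPN 5505 at 198.51.100.10 (documentation addresses).

! 1. Link toward the new ISP hand-off: a speed/duplex mismatch shows up
!    as input errors, CRC errors or late collisions.
show interface Ethernet0/0

! 2. Informational-level syslog to ASDM and the local buffer, then look
!    for messages that mention the remote peer.
logging enable
logging asdm informational
logging buffered informational
show logging | include 198.51.100.10

! 3. Does anything from the Easy VPN peer reach the outside interface?
!    Empty captures mean the traffic is dropped upstream of the ASA
!    (ISP equipment or a firewall on the modem).
capture CAP-IKE interface outside match udp any host 203.0.113.2 eq 500
capture CAP-NATT interface outside match udp any host 203.0.113.2 eq 4500
capture CAP-ESP interface outside match esp any host 203.0.113.2
show capture CAP-IKE
show capture CAP-NATT
show capture CAP-ESP

! 4. Tunnel state. Phase 1 established while the IPsec SA decaps counter
!    stays at zero suggests ESP is not getting through.
show crypto isakmp sa
show crypto ipsec sa peer 198.51.100.10

! 5. NAT-T: peers that detect NAT in the path wrap ESP in UDP 4500
!    instead of sending raw IP protocol 50 (20 = keepalive seconds).
crypto isakmp nat-traversal 20

! 6. Simulate an inbound connection to a hosted service (SMTP here) to
!    see which NAT rule and ACL the ASA itself applies. A pass here with
!    no real traffic arriving again points upstream.
packet-tracer input outside tcp 198.51.100.10 12345 203.0.113.2 25 detailed

! 7. Remove the captures when finished.
no capture CAP-IKE
no capture CAP-NATT
no capture CAP-ESP
```

If step 6 shows the packet allowed while the captures in step 3 stay empty during a real connection attempt, the ASA configuration is not what is dropping the traffic.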

Question has a verified solution.