Solved

Cisco ASA 5520: Issues removing EZVPN from the device

Posted on 2016-08-17
Last Modified: 2016-08-23
Until today I had a remote location connected back to the main company firewall (ASA 5520) by an EZVPN point to point VPN. We got our new fiber connection in. I want to use this faster connection so I disconnected the EZVPN client, advertised the route off of that location's switch through EIGRP, then tried to clean all EZVPN remnants off the main firewall. I cleared the nat statements, the split tunnel access list and the remote network object. Unfortunately there's a static route stuck in my ASA and it's not letting the rest of my network connect into the new location.

When I do a show route on the main company switch it has the right route. If I show route on my firewall it's still showing the old EZVPN route to the remote location. How do I clear this out?

There's no static route I've explicitly put in, this is the route from the EZVPN still hanging around.
Question by:travisryan
16 Comments
 
LVL 9

Expert Comment

by:Justin Moore
ID: 41760311
On the firewall try - clear crypto ipsec sa peer
I think this link may help as well. https://supportforums.cisco.com/document/9936/how-clear-isakmp-and-ipsec-sas-pix-firewalls-and-routers
0
 

Author Comment

by:travisryan
ID: 41760315
Additional information, it looks like there's two routes for the remote network in my main switch. I just don't know how to clear it.

MainSwitch#sh ip route
D        [remote location network]/24 [90/3328] via [correct route IP], 01:07:33, [correct VLAN]

MainSwitch#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(101)/ID(firewall IP)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P [remote location network]/24, 1 successors, FD is 3328
        via [correct route IP] (3328/3072), [correct VLAN]
        via [firewall IP] (3072/2816), [firewall connection VLAN]

Firewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is [outside IP] to network 0.0.0.0

S    [remote location network] [1/0] via [outside IP], outside

Firewall# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(101)/ID(xxxx)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)
0
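The two topology tables above show the symptom in one place: the switch has a second path for the remote prefix via the firewall, and the firewall's own entry for that prefix is sourced from "Rstatic", a redistributed static. The following is an added example, not the poster's or Cisco's tooling: a small parser for `show eigrp topology` output (ASA "network mask" form and IOS "network/len" form) plus a check that flags prefixes the firewall injects from a static route while the switch already has a path to them that does not go through the firewall. The sample outputs are reconstructed from the redacted output in this thread; the addresses 192.0.2.0/24, 10.0.0.1, 10.0.1.2 and the VLAN names are assumptions standing in for the redacted values.

```python
"""Parse Cisco 'show eigrp topology' output (ASA and IOS formats) and flag
prefixes that EIGRP is sourcing from a redistributed static route ('via Rstatic').

Added example for this thread; not Cisco's tooling and not the poster's own.
The sample outputs are constructed from the thread's redacted output, with
RFC 5737 / RFC 1918 addresses substituted for the redacted values (assumption).
"""
import ipaddress
import re

# Constructed firewall topology table (ASA prints "network mask" pairs).
# 192.0.2.0/24 stands in for "[remote location network]".
FIREWALL_TOPOLOGY = """\
EIGRP-IPv4 Topology Table for AS(101)/ID(10.0.0.1)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P 192.0.2.0 255.255.255.0, 1 successors, FD is 2816
        via Rstatic (2816/0)
"""

# Constructed main-switch topology table (IOS prints "network/len").
# 10.0.1.2 stands in for "[correct route IP]", 10.0.0.1 for "[firewall IP]".
SWITCH_TOPOLOGY = """\
EIGRP-IPv4 Topology Table for AS(101)/ID(10.0.0.2)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 192.0.2.0/24, 1 successors, FD is 3328
        via 10.0.1.2 (3328/3072), Vlan10
        via 10.0.0.1 (3072/2816), Vlan20
"""

# "P 192.0.2.0 255.255.255.0, 1 successors, FD is 2816" or "P 192.0.2.0/24, ..."
PREFIX_RE = re.compile(
    r"^P\s+(?P<net>\S+)(?:\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?,\s+"
    r"(?P<succ>\d+) successors?, FD is (?P<fd>\d+)"
)
# "        via 10.0.1.2 (3328/3072), Vlan10" or "        via Rstatic (2816/0)"
VIA_RE = re.compile(
    r"^\s+via (?P<via>\S+) \((?P<fd>\d+)/(?P<rd>\d+)\)(?:,\s*(?P<iface>\S+))?"
)


def parse_topology(text):
    """Return {prefix: {"successors": n, "fd": n, "paths": [...]}} for one device."""
    table = {}
    current = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            net = m.group("net")
            if m.group("mask"):  # ASA "net mask" form; IOS already has "net/len"
                net = f"{net}/{m.group('mask')}"
            prefix = str(ipaddress.ip_network(net, strict=False))
            current = table.setdefault(
                prefix,
                {"successors": int(m.group("succ")), "fd": int(m.group("fd")), "paths": []},
            )
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            current["paths"].append({
                "via": m.group("via"),
                "fd": int(m.group("fd")),
                "rd": int(m.group("rd")),
                "iface": m.group("iface"),
            })
    return table


def static_sourced_prefixes(table):
    """Prefixes whose every path is 'Rstatic', i.e. injected by 'redistribute static'."""
    return sorted(
        prefix for prefix, entry in table.items()
        if entry["paths"] and all(p["via"] == "Rstatic" for p in entry["paths"])
    )


def stale_static_candidates(switch_table, firewall_table, firewall_ip):
    """Prefixes the firewall sources from a static route while the switch also
    has a path to them that bypasses the firewall: a leftover static on the ASA
    competing with the EIGRP route learned over the new link."""
    from_static = set(static_sourced_prefixes(firewall_table))
    found = []
    for prefix, entry in switch_table.items():
        vias = {p["via"] for p in entry["paths"]}
        if prefix in from_static and firewall_ip in vias and vias - {firewall_ip}:
            found.append(prefix)
    return sorted(found)


if __name__ == "__main__":
    fw = parse_topology(FIREWALL_TOPOLOGY)
    sw = parse_topology(SWITCH_TOPOLOGY)
    print("firewall prefixes sourced from static:", static_sourced_prefixes(fw))
    print("stale static candidates:", stale_static_candidates(sw, fw, "10.0.0.1"))
```

Run against the two captures, the check reports only 192.0.2.0/24; the default route is also "Rstatic" on the firewall but the switch has no competing path for it, so it is left alone. The same parser works on the real output once the redacted values are pasted back in.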
 

Author Comment

by:travisryan
ID: 41760318
jmac, is that command going to kill my other EZVPN vpns? I have several more that are still in use. If I run that command and the other tunnels go down will they come back up?
0
 
LVL 9

Expert Comment

by:Justin Moore
ID: 41760322
The way I understand it the SAs are cached and rebuild during the next session. I have been troubleshooting an EZVPN issue with a new 4331 and have run both clear ipsec sa and clear isakmp sa with no adverse effect. That said I wouldn't do it while others were connected.
0
 

Author Comment

by:travisryan
ID: 41760324
jmac, I tried to clear by peer and that didn't work, it still shows those peers as connected.
0
 
LVL 9

Expert Comment

by:Justin Moore
ID: 41760341
Have you tried doing a reload?
0
 

Author Comment

by:travisryan
ID: 41760345
I've tried clearing by peers, clearing eigrp neighbors and rebooting the ASA. Nothing changed.
0
 

Author Comment

by:travisryan
ID: 41760346
Except now I lost my two other EZVPN tunnels.
0
 

Author Comment

by:travisryan
ID: 41760351
I do have a "redistribute static" in my EIGRP config on the firewall but I need that in there for other things, I really just need to clear the static for the non-existent VPN tunnel out.
0
 

Author Comment

by:travisryan
ID: 41760357
The only thing left in the main firewall was the EZVPN client username and password. I've cleared that out yet when I run 'sh crypto isakmp sa' it shows the remote location still connected.
0
 
LVL 9

Expert Comment

by:Justin Moore
ID: 41760360
I think you're going to have to follow this step by step in order to get it cleared out. Check this out http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution05
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41760962
P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)

This route is redistributed from a static entry. Since you didn't explicitly put it in, it is most likely a part of the larger network you did put in.

You can try to filter out that network from being advertised.

access-list EIGRP_OUT standard deny <your network here>
access-list EIGRP_OUT standard permit any

router eigrp 1
no auto
distribute-list EIGRP_OUT out interface inside
0
 

Accepted Solution

by:
travisryan earned 0 total points
ID: 41761028
A few minutes after I pulled the username from both FWs the tunnel errored out, the route dropped, and the EIGRP route took over.
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41761062
In order for EIGRP to advertise the route, it has to be in the routing table.
Do you use the same username/password for the other EZVPN tunnels?
0
 

Author Comment

by:travisryan
ID: 41761269
The username/password combos are different per tunnel. The tunnels I did not need to delete are back up and running.
0
 

Author Closing Comment

by:travisryan
ID: 41766628
Found the solution to my own problem.
0
