Solved

Cisco ASA 5520: Issues removing EZVPN from the device

Posted on 2016-08-17
16 Views
Last Modified: 2016-08-23
Until today I had a remote location connected back to the main company firewall (ASA 5520) by an EZVPN point to point VPN. We got our new fiber connection in. I want to use this faster connection so I disconnected the EZVPN client, advertised the route off of that location's switch through EIGRP, then tried to clean all EZVPN remnants off the main firewall. I cleared the nat statements, the split tunnel access list and the remote network object. Unfortunately there's a static route stuck in my ASA and it's not letting the rest of my network connect into the new location.

When I do a show route on the main company switch it has the right route. If I show route on my firewall it's still showing the old EZVPN route to the remote location. How do I clear this out?

There's no static route I've explicitly put in, this is the route from the EZVPN still hanging around.
Question by: travisryan

16 Comments
LVL 6

Expert Comment

by:jmac44
ID: 41760311
On the firewall try - clear crypto ipsec sa peer
I think this link may help as well. https://supportforums.cisco.com/document/9936/how-clear-isakmp-and-ipsec-sas-pix-firewalls-and-routers

Author Comment

by:travisryan
ID: 41760315
Additional information, it looks like there are two routes for the remote network in my main switch. I just don't know how to clear it.

MainSwitch#sh ip route
D        [remote location network]/24 [90/3328] via [correct route IP], 01:07:33, [correct VLAN]

MainSwitch#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(101)/ID(firewall IP)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P [remote location network]/24, 1 successors, FD is 3328
        via [correct route IP] (3328/3072), [correct VLAN]
        via [firewall IP] (3072/2816), [firewall connection VLAN]

Firewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is [outside IP] to network 0.0.0.0

S    [remote location network] [1/0] via [outside IP], outside

Firewall# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(101)/ID(xxxx)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)

Author Comment

by:travisryan
ID: 41760318
jmac, is that command going to kill my other EZVPN vpns? I have several more that are still in use. If I run that command and the other tunnels go down will they come back up?
LVL 6

Expert Comment

by:jmac44
ID: 41760322
The way I understand it the SAs are cached and rebuild during the next session. I have been troubleshooting an EZVPN issue with a new 4331 and have run both clear ipsec sa and clear isakmp sa with no adverse effect. That said, I wouldn't do it while others were connected.

Author Comment

by:travisryan
ID: 41760324
jmac, I tried to clear by peer and that didn't work, it still shows those peers as connected.
LVL 6

Expert Comment

by:jmac44
ID: 41760341
Have you tried doing a reload?

Author Comment

by:travisryan
ID: 41760345
I've tried clearing by peers, clearing eigrp neighbors and rebooting the ASA. Nothing changed.

Author Comment

by:travisryan
ID: 41760346
Except now I lost my two other EZVPN tunnels.

Author Comment

by:travisryan
ID: 41760351
I do have a "redistribute static" in my EIGRP config on the firewall but I need that in there for other things, I really just need to clear the static for the non-existent VPN tunnel out.

Author Comment

by:travisryan
ID: 41760357
The only thing left in the main firewall was the EZVPN client username and password. I've cleared that out yet when I run 'sh crypto isakmp sa' it shows the remote location still connected.
LVL 6

Expert Comment

by:jmac44
ID: 41760360
I think you're going to have to follow this step by step in order to get it cleared out. Check this out: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution05
LVL 13

Expert Comment

by:SIM50
ID: 41760962
P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)

This route is redistributed from a static entry. Since you didn't explicitly put it in, it is most likely a part of the larger network you did put in.

You can try to filter out that network from being advertised.

access-list EIGRP_OUT standard deny <your network here>
access-list EIGRP_OUT standard permit any

router eigrp 1
no auto
distribute-list EIGRP_OUT out interface inside

Accepted Solution

by: travisryan (earned 0 total points)
ID: 41761028
A few minutes after I pulled the username from both FWs the tunnel errored out, the route dropped, and the EIGRP route took over.
LVL 13

Expert Comment

by:SIM50
ID: 41761062
In order for EIGRP to advertise the route, it has to be in the routing table.
Do you use the same username/password for the other EZVPN tunnels?
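The two observations above, that the stale route shows up in EIGRP as "via Rstatic" and that EIGRP can only advertise what is actually in the routing table, suggest a quick audit: compare the static entries in the ASA's routing table against the `route` lines in the running config, and cross-check which of them EIGRP is redistributing. The script below is an added example written for this thread, not something posted by the participants or shipped by Cisco. It parses constructed sample output in the same layout as the `show route`, `show running-config route` and `show eigrp topology` excerpts in the thread; all addresses are documentation-range placeholders, and the regexes assume the plain ASA text format shown here.

```python
import ipaddress
import re

# Constructed sample output in the ASA 'show route' layout (placeholder addresses).
SHOW_ROUTE = """\
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

C    10.1.1.0 255.255.255.0 is directly connected, inside
S    192.0.2.0 255.255.255.0 [1/0] via 198.51.100.1, outside
S    10.200.0.0 255.255.0.0 [1/0] via 10.1.1.254, inside
S    10.200.5.0 255.255.255.0 [1/0] via 10.1.1.254, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
"""

# Constructed 'show running-config route' output: the statics an admin actually typed in.
RUNNING_CONFIG_ROUTE = """\
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.200.0.0 255.255.0.0 10.1.1.254 1
"""

# Constructed 'show eigrp topology' output in the layout quoted in the thread.
SHOW_EIGRP_TOPOLOGY = """\
EIGRP-IPv4 Topology Table for AS(101)/ID(10.1.1.1)
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)
P 192.0.2.0 255.255.255.0, 1 successors, FD is 2816
        via Rstatic (2816/0)
"""

# "S    NET MASK [AD/metric] via NEXTHOP, IFACE" (the default route is flagged "S*")
RIB_STATIC_RE = re.compile(
    r"^S\*?\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),\s*(?P<iface>\S+)"
)
# "route IFACE NET MASK NEXTHOP [AD]"
CFG_ROUTE_RE = re.compile(
    r"^route\s+(?P<iface>\S+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<nh>\d+\.\d+\.\d+\.\d+)"
)
# "P NET MASK, N successors, FD is ..."
TOPO_PREFIX_RE = re.compile(r"^P\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+),")


def _net(m):
    return ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)


def parse_statics(text, pattern):
    """Return (network, next_hop, interface) tuples for every line matching pattern."""
    return [(_net(m), m["nh"], m["iface"])
            for m in (pattern.match(l.strip()) for l in text.splitlines()) if m]


def parse_rstatic_prefixes(show_topology):
    """Prefixes EIGRP learned by redistributing statics (a 'via Rstatic' successor)."""
    found, current = set(), None
    for line in show_topology.splitlines():
        s = line.strip()
        m = TOPO_PREFIX_RE.match(s)
        if m:
            current = _net(m)
        elif s.startswith("via Rstatic") and current is not None:
            found.add(current)
    return found


def find_unconfigured_statics(show_route, running_config_route, show_topology):
    """RIB statics with no exact 'route' line: candidates for tunnel-injected or stale routes.

    Each finding records the configured supernet (if any) that covers the prefix, which
    is the "part of a larger network you did put in" case, and whether EIGRP is
    currently redistributing it to the rest of the network.
    """
    configured = parse_statics(running_config_route, CFG_ROUTE_RE)
    configured_keys = set(configured)
    redistributed = parse_rstatic_prefixes(show_topology)
    findings = []
    for net, nh, iface in parse_statics(show_route, RIB_STATIC_RE):
        if (net, nh, iface) in configured_keys:
            continue
        covering = [str(c) for c, _, _ in configured
                    if c.prefixlen > 0 and net != c and net.subnet_of(c)]
        findings.append({
            "prefix": str(net),
            "next_hop": nh,
            "interface": iface,
            "covered_by": covering,
            "advertised_by_eigrp": net in redistributed,
        })
    return findings


if __name__ == "__main__":
    for f in find_unconfigured_statics(SHOW_ROUTE, RUNNING_CONFIG_ROUTE, SHOW_EIGRP_TOPOLOGY):
        print(f)
```

On the sample data the 192.0.2.0/24 entry is flagged with no configured static behind it and with EIGRP still advertising it, which is the pattern in the thread: a route that no `route` line explains cannot be removed with `no route`, so the next place to look is whatever injected it (here, the still-established EZVPN session). The 10.200.5.0/24 entry shows the other outcome, a more-specific static sitting inside a configured supernet, where a distribute-list as suggested above is the fitting fix.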

Author Comment

by:travisryan
ID: 41761269
The username/password combos are different per tunnel. The tunnels I did not need to delete are back up and running.

Author Closing Comment

by:travisryan
ID: 41766628
Found the solution to my own problem.