Cisco ASA 5520: Issues removing EZVPN from the device

Until today I had a remote location connected back to the main company firewall (ASA 5520) by an EZVPN point-to-point VPN. We got our new fiber connection in. I want to use this faster connection, so I disconnected the EZVPN client, advertised the route off of that location's switch through EIGRP, then tried to clean all EZVPN remnants off the main firewall. I cleared the NAT statements, the split tunnel access list and the remote network object. Unfortunately there's a static route stuck in my ASA and it's not letting the rest of my network connect into the new location.

When I do a show route on the main company switch it has the right route. If I show route on my firewall it's still showing the old EZVPN route to the remote location. How do I clear this out?

There's no static route I've explicitly put in; this is the route from the EZVPN still hanging around.
Asked by travisryan

1 Solution
jmac44 commented:
On the firewall try - clear crypto ipsec sa peer
I think this link may help as well. https://supportforums.cisco.com/document/9936/how-clear-isakmp-and-ipsec-sas-pix-firewalls-and-routers
travisryan (author) commented:
Additional information, it looks like there's two routes for the remote network in my main switch. I just don't know how to clear it.

MainSwitch#sh ip route
D        [remote location network]/24 [90/3328] via [correct route IP], 01:07:33, [correct VLAN]

MainSwitch#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(101)/ID(firewall IP)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P [remote location network]/24, 1 successors, FD is 3328
        via [correct route IP] (3328/3072), [correct VLAN]
        via [firewall IP] (3072/2816), [firewall connection VLAN]

Firewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is [outside IP] to network 0.0.0.0

S    [remote location network] [1/0] via [outside IP], outside

Firewall# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(101)/ID(xxxx)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)
travisryan (author) commented:
jmac, is that command going to kill my other EZVPN VPNs? I have several more that are still in use. If I run that command and the other tunnels go down, will they come back up?
jmac44 commented:
The way I understand it, the SAs are cached and rebuild during the next session. I have been troubleshooting an EZVPN issue with a new 4331 and have run both clear ipsec sa and clear isakmp sa with no adverse effect. That said, I wouldn't do it while others were connected.
travisryan (author) commented:
jmac, I tried to clear by peer and that didn't work; it still shows those peers as connected.
jmac44 commented:
Have you tried doing a reload?
travisryan (author) commented:
I've tried clearing by peers, clearing EIGRP neighbors and rebooting the ASA. Nothing changed.
travisryan (author) commented:
Except now I lost my two other EZVPN tunnels.
travisryan (author) commented:
I do have a "redistribute static" in my EIGRP config on the firewall, but I need that in there for other things; I really just need to clear the static for the non-existent VPN tunnel out.
travisryan (author) commented:
The only thing left in the main firewall was the EZVPN client username and password. I've cleared that out, yet when I run 'sh crypto isakmp sa' it shows the remote location still connected.
jmac44 commented:
I think you're going to have to follow this step by step in order to get it cleared out. Check this out: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution05
SIM50 commented:
P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)

This route is redistributed from a static entry. Since you didn't explicitly put it in, it is most likely part of a larger network you did put in.

You can try to filter that network out from being advertised (the EIGRP AS number below matches the AS(101) shown in your topology output, and ASA standard ACLs take a network and mask):

access-list EIGRP_OUT standard deny <remote location network> <mask>
access-list EIGRP_OUT standard permit any

router eigrp 101
 no auto-summary
 distribute-list EIGRP_OUT out interface inside
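The symptom in the question (a static route that outlives its EZVPN tunnel and beats the EIGRP path) and SIM50's point about "via Rstatic" both come down to two pieces of show output. The check below is an added example, not code from this thread or from Cisco; it parses ASA `show route` and `show eigrp topology` text, lists static routes pointing out the outside interface that are not for a tunnel you still expect, and intersects them with the prefixes EIGRP learned via Rstatic, which is exactly what a "redistribute static" pushes toward the inside network. The sample output and all addresses are constructed placeholders, not the poster's networks, and the regexes assume the ASA output format quoted above.

```python
import ipaddress
import re
from typing import List

# Constructed sample of ASA "show route" output (placeholder addresses).
# 10.20.0.0/24 is the leftover: a static out "outside" with AD 1, which
# shadows any EIGRP (AD 90) route for the same prefix learned from inside.
SAMPLE_SHOW_ROUTE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

C    192.0.2.0 255.255.255.0 is directly connected, inside
S    10.20.0.0 255.255.255.0 [1/0] via 203.0.113.1, outside
S    10.30.0.0 255.255.255.0 [1/0] via 203.0.113.1, outside
D    10.40.0.0 255.255.255.0 [90/3328] via 192.0.2.2, 0:10:00, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

# Constructed sample of "show eigrp topology" on the same box: the entries
# reached "via Rstatic" are the ones "redistribute static" injected.
SAMPLE_EIGRP_TOPOLOGY = """\
P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P 10.20.0.0 255.255.255.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P 10.40.0.0 255.255.255.0, 1 successors, FD is 3072
        via 192.0.2.2 (3072/2816), inside
"""

# One routed prefix per line: code, network, mask, [AD/metric], next hop,
# optional uptime (EIGRP lines), egress interface.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\*?)\s+(?P<net>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[\d.]+),"
    r"(?:\s+[\d:]+,)?\s+(?P<iface>\S+)$"
)


def parse_show_route(text: str) -> List[dict]:
    """Return one dict per routed prefix; 'directly connected' lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append({"code": m["code"].rstrip("*"), "prefix": str(net),
                       "ad": int(m["ad"]), "nh": m["nh"], "iface": m["iface"]})
    return routes


def stale_vpn_statics(routes: List[dict], expected_vpn_prefixes, outside_iface="outside") -> List[str]:
    """Non-default static routes out the outside interface that do not belong to a
    tunnel still in service. These are the leftovers that shadow the EIGRP path."""
    expected = {str(ipaddress.ip_network(p)) for p in expected_vpn_prefixes}
    return sorted(r["prefix"] for r in routes
                  if r["code"] == "S" and r["iface"] == outside_iface
                  and r["prefix"] != "0.0.0.0/0" and r["prefix"] not in expected)


def redistributed_statics(topology_text: str) -> List[str]:
    """Prefixes EIGRP reaches 'via Rstatic', i.e. injected by 'redistribute static'."""
    found, current = [], None
    for line in topology_text.splitlines():
        m = re.match(r"^P\s+([\d.]+)\s+([\d.]+),", line.strip())
        if m:
            current = str(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif "via Rstatic" in line and current:
            found.append(current)
    return found


def leaked_stale_routes(show_route: str, topology: str, expected_vpn_prefixes) -> List[str]:
    """Stale outside statics that EIGRP is also advertising to the inside network."""
    stale = set(stale_vpn_statics(parse_show_route(show_route), expected_vpn_prefixes))
    return sorted(stale & set(redistributed_statics(topology)))


if __name__ == "__main__":
    # 10.30.0.0/24 is a tunnel still in use; 10.20.0.0/24 is the torn-down one.
    for p in leaked_stale_routes(SAMPLE_SHOW_ROUTE, SAMPLE_EIGRP_TOPOLOGY, ["10.30.0.0/24"]):
        print(f"stale static {p} is being redistributed into EIGRP; clear it or filter it out")
```

Feed it saved `show route` and `show eigrp topology` output plus the list of VPN networks that should still have tunnels; anything it prints is a prefix that both shadows the EIGRP route locally and gets re-advertised, which is the combination that kept the poster's new path from winning.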
travisryan (author) commented:
A few minutes after I pulled the username from both FWs, the tunnel errored out, the route dropped, and the EIGRP route took over.
SIM50 commented:
In order for EIGRP to advertise the route, it has to be in the routing table.
Do you use the same username/password for the other EZVPN tunnels?
travisryan (author) commented:
The username/password combos are different per tunnel. The tunnels I did not need to delete are back up and running.
travisryan (author) commented:
Found the solution to my own problem.