Solved

Cisco ASA 5520: Issues removing EZVPN from the device

Posted on 2016-08-17
Last Modified: 2016-08-23
Until today I had a remote location connected back to the main company firewall (ASA 5520) by an EZVPN point to point VPN. We got our new fiber connection in. I want to use this faster connection so I disconnected the EZVPN client, advertised the route off of that location's switch through EIGRP, then tried to clean all EZVPN remnants off the main firewall. I cleared the nat statements, the split tunnel access list and the remote network object. Unfortunately there's a static route stuck in my ASA and it's not letting the rest of my network connect into the new location.

When I do a show route on the main company switch it has the right route. If I show route on my firewall it's still showing the old EZVPN route to the remote location. How do I clear this out?

There's no static route I've explicitly put in, this is the route from the EZVPN still hanging around.
Question by:travisryan
16 Comments
 
LVL 4

Expert Comment

by:jmac44
ID: 41760311
On the firewall try - clear crypto ipsec sa peer
I think this link may help as well. https://supportforums.cisco.com/document/9936/how-clear-isakmp-and-ipsec-sas-pix-firewalls-and-routers
 

Author Comment

by:travisryan
ID: 41760315
Additional information, it looks like there's two routes for the remote network in my main switch. I just don't know how to clear it.

MainSwitch#sh ip route
D        [remote location network]/24 [90/3328] via [correct route IP], 01:07:33, [correct VLAN]

MainSwitch#sh ip eigrp topology
EIGRP-IPv4 Topology Table for AS(101)/ID(firewall IP)
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P [remote location network]/24, 1 successors, FD is 3328
        via [correct route IP] (3328/3072), [correct VLAN]
        via [firewall IP] (3072/2816), [firewall connection VLAN]

Firewall# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is [outside IP] to network 0.0.0.0

S    [remote location network] [1/0] via [outside IP], outside

Firewall# sh eigrp topology

EIGRP-IPv4 Topology Table for AS(101)/ID(xxxx)

Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply,
       r - reply Status, s - sia Status

P 0.0.0.0 0.0.0.0, 1 successors, FD is 2816
        via Rstatic (2816/0)

P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)
 

Author Comment

by:travisryan
ID: 41760318
jmac, is that command going to kill my other EZVPN vpns? I have several more that are still in use. If I run that command and the other tunnels go down will they come back up?
 
LVL 4

Expert Comment

by:jmac44
ID: 41760322
The way I understand it the SA's are cached and rebuild during the next session. I have been troubleshooting an EZVPN issue with a new 4331 and have run both clear ipsec sa and clear isakmp sa with no adverse effect. That said I wouldn't do it while others were connected.
 

Author Comment

by:travisryan
ID: 41760324
jmac, I tried to clear by peer and that didn't work, it still shows those peers as connected.
 
LVL 4

Expert Comment

by:jmac44
ID: 41760341
Have you tried doing a reload?
 

Author Comment

by:travisryan
ID: 41760345
I've tried clearing by peers, clearing eigrp neighbors and rebooting the ASA. Nothing changed.
 

Author Comment

by:travisryan
ID: 41760346
Except now I lost my two other EZVPN tunnels.
 

Author Comment

by:travisryan
ID: 41760351
I do have a "redistribute static" in my EIGRP config on the firewall but I need that in there for other things, I really just need to clear the static for the non-existent VPN tunnel out.
 

Author Comment

by:travisryan
ID: 41760357
The only thing left in the main firewall was the EZVPN client username and password. I've cleared that out yet when I run 'sh crypto isakmp sa' it shows the remote location still connected.
 
LVL 4

Expert Comment

by:jmac44
ID: 41760360
I think you're going to have to follow this step by step in order to get it cleared out. Check this out http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution05
 
LVL 13

Expert Comment

by:SIM50
ID: 41760962
P [remote location network], 1 successors, FD is 2816
        via Rstatic (2816/0)

This route is redistributed from static entry. Since you didn't explicitly put it in, it is most likely a part of the larger network you did put in.

You can try to filter out that network from being advertised.

access-list EIGRP_OUT standard deny <your network here>
access-list EIGRP_OUT standard permit any

router eigrp 1
no auto
distribute-list EIGRP_OUT out interface inside
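The situation in this thread (a static route left behind by the EZVPN client, pointing out the outside interface, redistributed into EIGRP and competing with the new dynamic path) can be checked for mechanically. The script below is an added example and is not part of the thread or any Cisco tool: it parses constructed, redacted-style "sh route" output from an ASA and "sh ip route" output from the core switch, flags internal prefixes that are static on the ASA via the outside interface while the switch already has an EIGRP/OSPF path for them, and renders SIM50's distribute-list filter for those prefixes. The addresses, ACL name, AS number and interface names are assumptions chosen for the example.

```python
"""Flag static routes on an ASA that look like stale VPN reverse-route
injections and render an EIGRP outbound filter for them (added example)."""
import ipaddress
import re

# Constructed sample output (RFC 1918 / documentation addresses), modelled on
# the redacted "sh route" and "sh ip route" excerpts posted in the thread.
ASA_SHOW_ROUTE = """\
Gateway of last resort is 198.51.100.1 to network 0.0.0.0

S    0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
S    10.20.30.0 255.255.255.0 [1/0] via 198.51.100.1, outside
C    10.0.0.0 255.255.255.0 is directly connected, inside
"""

SWITCH_SHOW_IP_ROUTE = """\
D        10.20.30.0/24 [90/3328] via 10.0.5.2, 01:07:33, Vlan500
C        10.0.0.0/24 is directly connected, Vlan10
"""

# ASA static line: "S    net mask [AD/metric] via next-hop, interface"
ASA_STATIC = re.compile(
    r"^S\s+(\S+)\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),\s+(\S+)\s*$")
# IOS dynamic line (EIGRP 'D' or OSPF 'O'): "D  prefix/len [AD/metric] via next-hop, ..."
IOS_DYNAMIC = re.compile(
    r"^([DO])\s+(\S+/\d+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+),")


def parse_asa_static(text):
    """Return {prefix: (next_hop, interface)} for every 'S' line of ASA show route."""
    routes = {}
    for line in text.splitlines():
        m = ASA_STATIC.match(line)
        if not m:
            continue
        net, mask, _ad, _metric, next_hop, iface = m.groups()
        # ipaddress accepts a dotted netmask after the slash
        prefix = str(ipaddress.ip_network(f"{net}/{mask}", strict=False))
        routes[prefix] = (next_hop, iface)
    return routes


def parse_switch_dynamic(text):
    """Return {prefix: next_hop} for EIGRP/OSPF lines of IOS show ip route."""
    routes = {}
    for line in text.splitlines():
        m = IOS_DYNAMIC.match(line)
        if m:
            _code, prefix, _ad, _metric, next_hop = m.groups()
            routes[str(ipaddress.ip_network(prefix, strict=False))] = next_hop
    return routes


def stale_static_routes(asa_text, switch_text, outside_if="outside"):
    """Internal prefixes the ASA still sends out 'outside' by static route
    although the core switch already learned them dynamically.
    Returns sorted (prefix, asa_next_hop, switch_next_hop) tuples."""
    asa = parse_asa_static(asa_text)
    dynamic = parse_switch_dynamic(switch_text)
    stale = []
    for prefix, (next_hop, iface) in asa.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue  # the default route is expected to point outside
        if iface == outside_if and net.is_private and prefix in dynamic:
            stale.append((prefix, next_hop, dynamic[prefix]))
    return sorted(stale)


def eigrp_filter_config(prefixes, acl_name="EIGRP_OUT", asn=1, inside_if="inside"):
    """Render SIM50's filter: deny the stale prefixes, permit everything else,
    and apply it outbound on the inside interface. ASA standard ACLs take a
    network and subnet mask (not a wildcard)."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(f"access-list {acl_name} standard deny "
                     f"{net.network_address} {net.netmask}")
    lines.append(f"access-list {acl_name} standard permit any")
    lines.append(f"router eigrp {asn}")
    lines.append(f" distribute-list {acl_name} out interface {inside_if}")
    return lines


if __name__ == "__main__":
    found = stale_static_routes(ASA_SHOW_ROUTE, SWITCH_SHOW_IP_ROUTE)
    for prefix, asa_nh, sw_nh in found:
        print(f"{prefix}: ASA static via {asa_nh} (outside), switch has dynamic via {sw_nh}")
    print("\n".join(eigrp_filter_config([p for p, _, _ in found])))
```

Note that the filter only stops the ASA from advertising the stale prefix to its EIGRP neighbours; the static route itself stays in the ASA's table until the tunnel that injected it is actually gone, which is what the author eventually achieved by removing the EZVPN client credentials on both firewalls.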
 

Accepted Solution

by:travisryan earned 0 total points
ID: 41761028
A few minutes after I pulled the username from both FWs the tunnel errored out, the route dropped, and the EIGRP route took over.
 
LVL 13

Expert Comment

by:SIM50
ID: 41761062
In order for EIGRP to advertise the route, it has to be in the routing table.
Do you use the same username/password for the other EZVPN tunnels?
 

Author Comment

by:travisryan
ID: 41761269
The username/password combos are different per tunnel. The tunnels I did not need to delete are back up and running.
 

Author Closing Comment

by:travisryan
ID: 41766628
Found the solution to my own problem.