Cisco ASA 5505

Status
Not open for further replies.

kmunroe03

Technical User
May 13, 2013
4
BS
We did a network upgrade about a month ago and everything was working fine. We have a local office where everything is housed and a remote location that communicates with an ASA5505 there and one back in the main office. The remote location had some power issues and the device and Internet were down for a while and when it came back up the two offices are not able to connect anymore. I checked the config files and nothing has changed. Any help would be greatly appreciated.
 
Check the date/time on the two ASAs.
Are they updating from an NTP server? If their times have diverged too much, the VPN won't be able to set up.
 
Good morning, thanks for the feedback. The time and date were drastically off on one of the devices. I have to send it back to the remote location to test to see if it will connect now. I had a question though. With the ASA, even though the tunnel was not created, would that stop the end users at the remote site from gaining Internet access? Internet is coming into the building because they have a static IP address and I got a laptop and gave it the static IP address and it was able to surf the web, but when I connect the ASA none of the clients that are hooked up to it are able to get out to the Internet, but they are getting a static IP address from the ASA.
 
Can't say I could say for sure without seeing the details, but generally the internet feed is "raw" and the ASA's purpose is to set up an encrypted tunnel over that live "raw" connection to enable communication between your two sites, using the live internet connection. So the tunnel being down should interrupt the connection between sites, but it shouldn't affect internet access, unless your users at the remote site had to access the internet via the HQ proxy server or something.
 
Thanks. The box is now back at the remote site, and the tunnel still is not coming up. We did a ping from clients behind the ASA on both sides to try and establish the tunnel connection but it's still not connected.
 
Hi,

Can you ping the HQ peer from the remote location? Have you tried removing the tunnel config and adding it back?
 
Where is the VPN failing? What do you see with sh cry isa sa | incl x.x.x.x (x.x.x.x being the peer addy)? If you see MM failing, then there you go. If it is active and no deletes, then try sh cry ips sa | beg x.x.x.x (first address/net in your source interesting traffic)...

I would also set up an ip sla for icmp-echo

ip access-list extended IP-Options-and-Powerball
deny ip any any winning-powerball-ticket
permit ip any any option any-options
!
class-map ACL-Options-and-Powerball
match access-group name IP-Options-and-Powerball
!
policy-map CoPP-POLICY
class ACL-Options-and-Powerball
drop
!
control-plane
service-policy input CoPP-POLICY
 
Thanks for all the help and answers guys. We got the problem solved. It was our ISP, they provided us with a static IP address but the router that they gave us was still giving out DHCP addresses, so the ASA was getting a DHCP address when it was connected to the router. Once we got into the router and disabled DHCP the tunnel came back up and now everything is working fine.
 