
Changing A Remote Gateway IP

Created by dave. Last edited by dave, 10 years and 138 days ago. Viewed 3,418 times.
(2013-12-05)

Problem

You have an ASA running 8.2(something). You have an L2L (site-to-site) VPN with a remote peer, and that remote peer is changing its IP address.

Solution

Here's what I did:

  • create a new name object for the new peer IP
  • create a new tunnel-group definition for the new IP, duplicating the settings from the tunnel-group for the old IP
  • at switchover time, change the crypto map $MAP $NUMBER set peer statement to point at the new peer object name
And then it didn't work. Digging around in the logging eventually yielded "IKE Peer address not configured for destination 0.0.0.0", and searching on that message eventually yielded:
This message appears when the IKE peer address is not configured for a L2L tunnel. This error can be resolved by changing the sequence number of crypto map, then removing and reapplying the crypto map.
What that meant for me in practice was:

    conf t
    no crypto map outside_map 1 match address outside_1_cryptomap
    no crypto map outside_map 1 set peer REMOTEPEER
    no crypto map outside_map 1 set transform-set ESP-3DES-SHA
    no crypto map outside_map interface outside
    exit
    conf t
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer REMOTEPEER
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    exit

i.e. literally removing the crypto map entry and its interface binding and re-applying them. After that, the site-to-site tunnel came up properly.
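An added check and command generator, written for this note and not the author's own tooling: it parses the relevant lines of an ASA 8.2 running config (a constructed sample is embedded), flags any crypto map "set peer" whose resolved IP has no ipsec-l2l tunnel-group (the situation behind the "IKE Peer address not configured" message, assuming L2L tunnel-groups are keyed by the peer IP), and generates the remove-then-reapply sequence above for a given map entry so it can be reviewed before switchover.

```python
import re

# Constructed sample of the relevant lines of an ASA 8.2 running config (not the author's config).
SAMPLE_CONFIG = """\
name 198.51.100.10 REMOTEPEER
name 203.0.113.20 REMOTEPEER-NEW
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer REMOTEPEER-NEW
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
"""
NAME_RE = re.compile(r"^name (\S+) (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")

def parse(config):
    """Return name->ip, {(map, seq): entry lines}, {map: interface}, set of L2L tunnel-group ids."""
    names, entries, ifaces, tgs = {}, {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)  # ASA syntax: name <ip> <label>
        elif m := IFACE_RE.match(line):
            ifaces[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), []).append(line)
        elif m := TG_RE.match(line):
            tgs.add(m.group(1))
    return names, entries, ifaces, tgs

def peers_without_tunnel_group(config):
    """(map, seq, peer_ip) for each 'set peer' lacking an ipsec-l2l tunnel-group (assumed keyed by peer IP)."""
    names, entries, _, tgs = parse(config)
    missing = []
    for (cmap, seq), lines in entries.items():
        for line in lines:
            parts = line.split()
            if parts[4:6] == ["set", "peer"]:  # crypto map <map> <seq> set peer <label-or-ip>
                peer_ip = names.get(parts[6], parts[6])
                if peer_ip not in tgs:
                    missing.append((cmap, seq, peer_ip))
    return missing

def reapply_commands(config, cmap, seq):
    """The remove-then-reapply sequence from the post, generated for one crypto map entry."""
    _, entries, ifaces, _ = parse(config)
    lines = entries[(cmap, seq)]
    bind = f"crypto map {cmap} interface {ifaces[cmap]}"
    return ["conf t"] + ["no " + l for l in lines] + ["no " + bind, "exit", "conf t"] + lines + [bind, "exit"]
```

In the sample, the new peer label resolves to 203.0.113.20 but only the old IP has a tunnel-group, so the check reports it; an empty result means every peer referenced by a crypto map has a matching L2L tunnel-group.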