Friday, March 29, 2019

Cisco ASA 5505 died and I could use your help figuring out how we got the network back up.

This happened on Wednesday night, and while everything is now back up and running, I'm going to have to explain why it took so long to restore, and I genuinely don't have the answers. The network guy is on vacation, so I had to step in and help. I used to call myself a network person, but I left that role about 10 years ago. Anyway, here's what I know.

  1. We had a power surge which caused the firewall to go down; when power came back up, none of the IPsec tunnels would reestablish. The debug gave me a "no proposal chosen" error. I examined the crypto statements, and all the proposals were named correctly with AES256, 3DES, etc.; however, they were all showing DES. I tried to change the proposal statements, but it would not take. I got an error that said something along the lines of needing certificates. The IOS was asa921.ke, version 9.2(1). This made me think that version of IOS didn't have 3DES available, but it was working just fine several hours before this.

  2. Replaced the firewall with another 5505, running asa843.ke, and got the crypto maps configured correctly, but the routing, while configured, wouldn't show in the route tables. We couldn't ping, and errors indicated no established route.

  3. Instead of copying and pasting sections of the configuration, we tried TFTP using the ASDM. That worked: routes were there, crypto was there, the network came back up.

I have no idea why the VPNs were up and running before the outage if the IOS couldn’t support AES256 or needed certificates.

What's different between copy/pasting text files vs. TFTP? Why would this method of moving the configuration work but copy/paste wouldn't?

Any insight would be greatly appreciated!
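The two symptoms above (transform sets that were typed as AES256/3DES but read back as DES, and static routes that were typed but never appeared) have one thing in common: a line that was pasted and rejected, or accepted in a different form, leaves no trace unless you read the running configuration back and compare it with what you meant to apply. The script below is an added example, not code from the original post or from Cisco; it parses two constructed ASA configuration texts (the intended one and a constructed `show running-config` read-back, both invented for this example and using the ASA 8.4+ `crypto ipsec ikev1 transform-set` / `crypto ikev1 policy` syntax) and reports every crypto proposal whose cipher differs from what was intended, every intended `route` line missing from the running config, and every proposal that ended up on single DES. The function and class names are this example's own.

```python
"""Compare an intended Cisco ASA config against the running config read
back from the box and report crypto proposals that silently changed and
static routes that never took.  Added example; both configs below are
constructed for illustration, not taken from the post."""
import re
from dataclasses import dataclass, field

# Constructed: what was pasted into the replacement firewall.
INTENDED_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.20.0.0 255.255.0.0 10.10.0.254 1
"""

# Constructed: 'show running-config' as read back after the paste.  Every
# proposal came back as DES and the inside route is gone.
RUNNING_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-des esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash sha
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

BROKEN_CIPHERS = {"des", "esp-des"}  # single DES: never acceptable for a tunnel

TRANSFORM_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (\S+)(?: (\S+))?$")
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
ENCRYPTION_RE = re.compile(r"^ encryption (\S+)$")
ROUTE_RE = re.compile(r"^route \S+ \S+ \S+ \S+(?: \d+)?$")


def parse_config(text):
    """Return (transform_sets, policies, routes).
    transform_sets: name -> ESP encryption transform, e.g. 'esp-aes-256'
    policies:       policy number -> IKEv1 encryption, e.g. 'aes-256'
    routes:         set of full 'route ...' lines"""
    transform_sets, policies, routes = {}, {}, set()
    current_policy = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := TRANSFORM_RE.match(line):
            name, t1, t2 = m.groups()
            # Whichever transform is not the HMAC is the encryption one.
            transform_sets[name] = t2 if t1.endswith("-hmac") else t1
            current_policy = None
        elif m := POLICY_RE.match(line):
            current_policy = m.group(1)
            policies.setdefault(current_policy, None)
        elif (m := ENCRYPTION_RE.match(line)) and current_policy:
            policies[current_policy] = m.group(1)
        elif ROUTE_RE.match(line):
            routes.add(line)
            current_policy = None
        elif not line.startswith(" "):
            current_policy = None  # any other top-level line ends the policy block
    return transform_sets, policies, routes


@dataclass
class Findings:
    downgraded: list = field(default_factory=list)      # (item, intended, running)
    missing_routes: list = field(default_factory=list)  # intended route lines not present
    broken_ciphers: list = field(default_factory=list)  # running items on single DES


def compare_configs(intended_text, running_text):
    """Diff the parts of the config that matter for a site-to-site VPN."""
    i_ts, i_pol, i_routes = parse_config(intended_text)
    r_ts, r_pol, r_routes = parse_config(running_text)
    f = Findings()
    for name, enc in sorted(i_ts.items()):
        if r_ts.get(name) != enc:
            f.downgraded.append((f"transform-set {name}", enc, r_ts.get(name)))
    for num, enc in sorted(i_pol.items(), key=lambda kv: int(kv[0])):
        if r_pol.get(num) != enc:
            f.downgraded.append((f"ikev1 policy {num}", enc, r_pol.get(num)))
    f.missing_routes = sorted(i_routes - r_routes)
    f.broken_ciphers = [f"transform-set {n}" for n, e in sorted(r_ts.items()) if e in BROKEN_CIPHERS]
    f.broken_ciphers += [f"ikev1 policy {n}" for n, e in sorted(r_pol.items(), key=lambda kv: int(kv[0]))
                         if e in BROKEN_CIPHERS]
    return f


if __name__ == "__main__":
    found = compare_configs(INTENDED_CONFIG, RUNNING_CONFIG)
    for item, want, got in found.downgraded:
        print(f"CHANGED  {item}: intended {want}, running {got}")
    for line in found.missing_routes:
        print(f"MISSING  {line}")
    for item in found.broken_ciphers:
        print(f"WEAK     {item} is on single DES")
```

In practice you would save `show running-config` to a file (or pull it over TFTP/SCP the same way the config was loaded) and feed that in as the second argument instead of the constructed text. Run it once after any paste or restore, before declaring the tunnel fixed: a peer answering "no proposal chosen" is usually telling you that what the box actually offers is not what you typed, and this comparison shows exactly which lines differ.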


