Friday 29 January 2016

Changing the peer on a VPN on the ASA


Information to ask for
Old peer x.x.x.x
New peer y.y.y.y
Your firewall that they are peering with z.z.z.z
A host that you can ping (or run other tests against) on the other side to verify connectivity

Find the crypto map number and tunnel group
sh run | i x.x.x.x

Get the pre-shared key from the old peer tunnel group
more system:running-config | b tunnel-group x.x.x.x
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev1 pre-shared-key s3cr3tp@55w0rd

Make a new tunnel group for the new peer
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 ikev1 pre-shared-key s3cr3tp@55w0rd

View the settings on the crypto map
 sh run | i crypto map MYMAP 10
crypto map MYMAP 10 match address CUST_VPN_ACL
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set ikev1 transform-set MEDIUM
crypto map MYMAP 10 set security-association lifetime seconds 28800
crypto map MYMAP 10 set security-association lifetime kilobytes 4608000

Check the crypto map is applied to the interface the new peer will be reached through
If not, you can assign it to that interface or make another crypto map
crypto map MYMAP interface Outside
crypto map MYMAP interface WAN

Check IKEv1 is enabled on the interface
sh run | i crypto ikev1
crypto ikev1 enable Outside
crypto ikev1 enable WAN

Update the route to go out the correct interface
sh run | i x.x.x.x
no route outside 10.40.0.0 255.255.0.0 2.2.2.2 1
route VPN 10.40.0.0 255.255.0.0 3.3.3.3 1

Remove the old peer and set the new peer

conf t
no crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set peer y.y.y.y

Update the interface on the NAT
no nat (REMOTE-DMZ,Outside) source static MY_LAN MY_LAN destination static CUST_LAN CUST_LAN no-proxy-arp route-lookup
nat (REMOTE-DMZ,VPN) source static MY_LAN MY_LAN destination static CUST_LAN CUST_LAN no-proxy-arp route-lookup
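The steps above (find the crypto map entry and tunnel group for the old peer, copy its pre-shared key into a new tunnel group, make sure the crypto map and IKEv1 are bound to the new interface, then swap the peer) can be scripted against a saved copy of `more system:running-config`. The following is an added example, not part of the original post or any Cisco tool; it works on a constructed config snippet with documentation addresses (203.0.113.10 as the old peer, 203.0.113.20 as the new peer) and generates the ASA commands rather than applying them, so you can review them before pasting into `conf t`. It also lists every other config line that mentions the old peer, which is where the route and NAT lines from the later steps show up for review.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample of `more system:running-config` output (assumption for this
# example). Addresses are RFC 5737 documentation ranges, the key is a placeholder.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
interface GigabitEthernet0/1
 nameif VPN
crypto map MYMAP 10 match address CUST_VPN_ACL
crypto map MYMAP 10 set peer 203.0.113.10
crypto map MYMAP 10 set ikev1 transform-set MEDIUM
crypto map MYMAP 20 match address OTHER_ACL
crypto map MYMAP 20 set peer 198.51.100.7
crypto map MYMAP interface Outside
crypto ikev1 enable Outside
route Outside 10.40.0.0 255.255.0.0 203.0.113.1 1
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key s3cr3tp@55w0rd
"""


def find_crypto_map_entries(config: str, peer: str) -> List[Tuple[str, int]]:
    """Scripted form of `sh run | i x.x.x.x`: (map name, seq) of every entry whose
    `set peer` line names `peer`. A `set peer` line may list several peers."""
    pattern = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$", re.M)
    return [(m.group(1), int(m.group(2)))
            for m in pattern.finditer(config) if peer in m.group(3).split()]


def get_preshared_key(config: str, peer: str) -> Optional[str]:
    """IKEv1 PSK from the tunnel-group ipsec-attributes block for `peer`.
    Only `more system:running-config` shows the key unmasked; `show run` hides it."""
    in_block = False
    for line in config.splitlines():
        if line.startswith(f"tunnel-group {peer} ipsec-attributes"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):  # left the indented attribute block
                break
            m = re.match(r"\s+ikev1 pre-shared-key (\S+)$", line)
            if m:
                return m.group(1)
    return None


def interfaces_with(config: str, prefix: str) -> Set[str]:
    """Last word of every line starting with `prefix`, e.g. the interfaces in
    `crypto ikev1 enable <if>` or `crypto map MYMAP interface <if>` lines."""
    return {line.split()[-1] for line in config.splitlines() if line.startswith(prefix)}


def lines_mentioning(config: str, token: str) -> List[str]:
    """Everything else referencing the old peer (routes, NAT, ACLs) for manual review."""
    return [line for line in config.splitlines() if token in line]


def build_peer_change(config: str, old_peer: str, new_peer: str,
                      new_interface: str) -> List[str]:
    """Generate the commands in the order the post applies them. Raises if the old
    peer has no crypto map entry or no recoverable PSK, so nothing half-done is emitted."""
    entries = find_crypto_map_entries(config, old_peer)
    if not entries:
        raise ValueError(f"no crypto map entry points at {old_peer}")
    psk = get_preshared_key(config, old_peer)
    if psk is None:
        raise ValueError(f"no IKEv1 pre-shared key found for tunnel-group {old_peer}")
    cmds = [f"tunnel-group {new_peer} type ipsec-l2l",
            f"tunnel-group {new_peer} ipsec-attributes",
            f" ikev1 pre-shared-key {psk}"]
    bound_maps: Set[str] = set()
    for map_name, seq in entries:
        # Bind the map to the new interface only if it is not already bound there.
        if map_name not in bound_maps and \
                new_interface not in interfaces_with(config, f"crypto map {map_name} interface "):
            cmds.append(f"crypto map {map_name} interface {new_interface}")
        bound_maps.add(map_name)
        cmds += [f"no crypto map {map_name} {seq} set peer {old_peer}",
                 f"crypto map {map_name} {seq} set peer {new_peer}"]
    if new_interface not in interfaces_with(config, "crypto ikev1 enable "):
        cmds.append(f"crypto ikev1 enable {new_interface}")
    return cmds


if __name__ == "__main__":
    for cmd in build_peer_change(SAMPLE_CONFIG, "203.0.113.10", "203.0.113.20", "VPN"):
        print(cmd)
    print("\nOther lines mentioning the old peer, review by hand:")
    for line in lines_mentioning(SAMPLE_CONFIG, "203.0.113.10"):
        print("  " + line)
```

The generated list is deliberately not pushed to the box: the route and NAT changes still depend on which interface the new peer sits behind, and the `crypto map ... interface` and `crypto ikev1 enable` lines only appear when the config shows they are missing, which is exactly the check the post asks you to do by eye.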

Check for phase 1
We will see an entry if phase 1 has come up. The state should be MM_ACTIVE.
sh crypto isakmp sa | b y.y.y.y

Check for phase 2
Run the command a few times. We should see encaps and decaps increasing. If we see that, it's looking good, so ask the user to test. You might have to generate the traffic yourself: from your side of the VPN try to reach something on the other side that you should be able to get to.

ASA# sh crypto ipsec sa peer y.y.y.y | i pkts
      #pkts encaps: 29312, #pkts encrypt: 29312, #pkts digest: 29312
      #pkts decaps: 33273, #pkts decrypt: 33273, #pkts verify: 33273
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 29312, #pkts comp failed: 0, #pkts decomp failed: 0

ASA# sh crypto ipsec sa peer 137.191.231.82 | i pkts
      #pkts encaps: 29421, #pkts encrypt: 29421, #pkts digest: 29421
      #pkts decaps: 33382, #pkts decrypt: 33382, #pkts verify: 33382
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 29421, #pkts comp failed: 0, #pkts decomp failed: 0
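Comparing two samples of that output by eye works, but it is easy to miss the case where only one counter moves. As an added example (not part of the original post), the following parses the `#pkts` lines from two runs of `sh crypto ipsec sa peer <ip> | i pkts`, sums the encaps and decaps counters across all SAs for the peer, and reports whether traffic is flowing both ways, one way only, or not at all. The two samples are constructed from the counter values shown above; a counter that goes backwards (an SA was cleared or rekeyed between samples) is reported rather than treated as a failure.

```python
import re
from typing import Dict

# Constructed from the two outputs quoted in the post (same counter values).
SAMPLE_FIRST = """\
      #pkts encaps: 29312, #pkts encrypt: 29312, #pkts digest: 29312
      #pkts decaps: 33273, #pkts decrypt: 33273, #pkts verify: 33273
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 29312, #pkts comp failed: 0, #pkts decomp failed: 0
"""
SAMPLE_SECOND = """\
      #pkts encaps: 29421, #pkts encrypt: 29421, #pkts digest: 29421
      #pkts decaps: 33382, #pkts decrypt: 33382, #pkts verify: 33382
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 29421, #pkts comp failed: 0, #pkts decomp failed: 0
"""
# Constructed: encaps moved but decaps did not (nothing coming back from the far side).
SAMPLE_SEND_ONLY = """\
      #pkts encaps: 29500, #pkts encrypt: 29500, #pkts digest: 29500
      #pkts decaps: 33273, #pkts decrypt: 33273, #pkts verify: 33273
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_pkt_counters(output: str) -> Dict[str, int]:
    """Total encaps/decaps across every SA in the output. A peer with several
    crypto ACL lines, or an SA mid-rekey, prints more than one block."""
    found = COUNTER_RE.findall(output)
    if not found:
        raise ValueError("no #pkts counters found: is there an IPsec SA for this peer?")
    totals = {"encaps": 0, "decaps": 0}
    for name, value in found:
        totals[name] += int(value)
    return totals


def phase2_verdict(first: str, second: str) -> Dict[str, object]:
    """Delta between two samples plus a one-line reading of what it means."""
    a, b = parse_pkt_counters(first), parse_pkt_counters(second)
    enc, dec = b["encaps"] - a["encaps"], b["decaps"] - a["decaps"]
    if enc < 0 or dec < 0:
        verdict = "counters reset between samples (SA cleared or rekeyed); sample again"
    elif enc > 0 and dec > 0:
        verdict = "ok: traffic flowing both ways"
    elif enc > 0:
        verdict = "sending only: nothing decrypted from the peer, check the far side"
    elif dec > 0:
        verdict = "receiving only: nothing encrypted towards the peer, check our route/NAT/ACL"
    else:
        verdict = "no traffic: generate interesting traffic or re-check phase 1"
    return {"encaps_delta": enc, "decaps_delta": dec, "verdict": verdict}


if __name__ == "__main__":
    print(phase2_verdict(SAMPLE_FIRST, SAMPLE_SECOND))
    print(phase2_verdict(SAMPLE_FIRST, SAMPLE_SEND_ONLY))
```

In practice you would paste the output of two runs a few seconds apart (or feed them from a script that collects `show` output) and read the verdict; the one-way cases are the ones worth catching before handing the tunnel back to the user, because the ASA will happily report MM_ACTIVE and a built SA while the return traffic never arrives.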


If it's still not working you need to troubleshoot the VPN: maybe they have changed some settings on the new peer, have a new inside network, etc. Follow the VPN troubleshooting steps.
