ASA P2P VPN Issue

John Apricena
Level 1

Hello Support,


Out of the blue today, our P2P VPN between two internet sites started having issues. Users at Site A began complaining about being unable to access a live data application hosted at Site B of the VPN. The page loads via http at Site A, but the software requires data to be loaded inside of the webpage and this just stays at loading data, and sometimes even errors out.

I confirmed this is a VPN issue because Site A can reach the public IP address of this server at Site B and the data loads fine, but the private IP stalls out. When I have run ping tests to multiple hosts behind the VPN from both ends, I have about a 15-20% ping drop. I can \\ to servers but anything that needs a reliable connection is either extremely slow or times out completely. The VPNs show as up and no errors are coming across. MTU speeds are the same and Site B has multiple VPNs that are functioning fine. This is the only VPN on Site A. I have bounced the VPN a few times and even rebooted the firewall at Site A.

Site A has an ASA 5510 running 7.2(4)

Site B has an ASA 5550 running 8.2(3)

I opened a ticket with both service providers on each end and both confirmed there to be no issue performing traces. Does anyone have any idea how this could have started happening? 


5 Replies

Does the output of show crypto ipsec sa on both sites have corresponding encrypted and decrypted values for this tunnel?

if you open the logging monitor in ASDM, do you see any drops in traffic when you are trying to connect to the server (at both sites)?

Have you tried reloading the ASA at Site A?

Have you considered an ASA version upgrade?

--

Please remember to select a correct answer and rate helpful posts


Thanks for the reply Marius!


Site A - #pkts encaps: 4424, #pkts encrypt: 4424, #pkts digest: 4424
      #pkts decaps: 11009, #pkts decrypt: 11009, #pkts verify: 11009

Site B - #pkts encaps: 11553, #pkts encrypt: 11553, #pkts digest: 11553
      #pkts decaps: 4424, #pkts decrypt: 4424, #pkts verify: 4424


No drops show in the ASDM

We have reloaded the ASA at Site A and also rebuilt the VPN from both sites.

An ASA upgrade is not out of the question, especially if you feel there may be a bug causing this issue. Though, again, this issue just randomly started happening this morning.


Just because you haven't experienced the bug earlier doesn't mean there isn't one.

But as you can see you have lost around 500 packets that have not been decrypted at Site A. Are you 100% sure that the ISP has provided correct information that there are no routing issues on their end? Is this over the Internet or over a WAN?

Could you do a packet capture on the Site A inside interface and the Site B inside interface and compare the two when you initiate traffic to the server?

I have had similar issues recently and in each case it was either the ISP having a routing issue or there was an issue with the server that was being accessed.  Not saying this is the case for you.

--

Please remember to select a correct answer and rate helpful posts

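The "around 500 packets" figure above comes from pairing each ASA's encaps counter with the far end's decaps counter from the show crypto ipsec sa output John posted. The script below is an added example, not part of this thread or of any Cisco tool: it parses those counter lines (the sample text is constructed from the numbers in John's post, plus a zeroed "#send errors / #recv errors" line that show crypto ipsec sa also prints), computes the loss in each direction, and checks that each box's own counters agree with each other. The function and variable names are the example's own.

```python
import re
from typing import Dict

# Constructed sample: the counter lines John posted for each ASA, plus the
# error-counter line that "show crypto ipsec sa" also prints (assumed zero here).
SITE_A_SA = """\
    #pkts encaps: 4424, #pkts encrypt: 4424, #pkts digest: 4424
    #pkts decaps: 11009, #pkts decrypt: 11009, #pkts verify: 11009
    #send errors: 0, #recv errors: 0
"""

SITE_B_SA = """\
    #pkts encaps: 11553, #pkts encrypt: 11553, #pkts digest: 11553
    #pkts decaps: 4424, #pkts decrypt: 4424, #pkts verify: 4424
    #send errors: 0, #recv errors: 0
"""

# Matches "#pkts encaps: 4424", "#send errors: 0", etc.
COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):\s*(\d+)")


def parse_counters(sa_output: str) -> Dict[str, int]:
    """Pull the '#pkts ...' and error counters out of one SA's output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(sa_output)}


def local_consistency(c: Dict[str, int]) -> Dict[str, bool]:
    """Counters on one box should agree with each other: every packet
    encapsulated was encrypted and authenticated, every packet decapsulated
    was decrypted and verified. A gap here (or non-zero error counters)
    points at the ASA itself, not at the path between the sites."""
    return {
        "tx_ok": c["pkts encaps"] == c["pkts encrypt"] == c["pkts digest"],
        "rx_ok": c["pkts decaps"] == c["pkts decrypt"] == c["pkts verify"],
        "no_errors": c.get("send errors", 0) == 0 and c.get("recv errors", 0) == 0,
    }


def direction(sent: int, received: int) -> Dict[str, float]:
    """Loss for one direction: packets encapsulated by the sender that the
    receiver never decapsulated."""
    lost = sent - received
    pct = (100.0 * lost / sent) if sent else 0.0
    return {"sent": sent, "received": received, "lost": lost, "loss_pct": round(pct, 2)}


def tunnel_loss(site_a_output: str, site_b_output: str) -> Dict[str, Dict]:
    """Pair A's encaps with B's decaps and B's encaps with A's decaps.
    Packets that one side encapsulated but the other never decapsulated
    were lost in transit or never reached this SA on the receiving ASA."""
    a = parse_counters(site_a_output)
    b = parse_counters(site_b_output)
    return {
        "A->B": direction(a["pkts encaps"], b["pkts decaps"]),
        "B->A": direction(b["pkts encaps"], a["pkts decaps"]),
        "A_local": local_consistency(a),
        "B_local": local_consistency(b),
    }


if __name__ == "__main__":
    result = tunnel_loss(SITE_A_SA, SITE_B_SA)
    for dirn in ("A->B", "B->A"):
        d = result[dirn]
        print(f"{dirn}: sent {d['sent']}, received {d['received']}, "
              f"lost {d['lost']} ({d['loss_pct']}%)")
    print("Site A counters consistent:", result["A_local"])
    print("Site B counters consistent:", result["B_local"])
```

On the thread's numbers this reports A->B with 0 lost (4424 sent, 4424 received) and B->A with 544 lost (11553 sent, 11009 received, about 4.7%), which is the direction the server's replies travel and matches the symptom of data from Site B not arriving. Two caveats when doing this on real boxes: the counters belong to one SA and reset when it rekeys or is rebuilt, so both snapshots have to come from the same SA lifetime (compare the SPIs and lifetimes printed with the counters) and be taken as close together in time as possible, or the gap is an artifact; and equal decaps/decrypt/verify counters with zero recv errors on the receiving side mean the missing packets never arrived at that SA at all, which is consistent with loss on the path rather than a crypto failure on the ASA.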

Hi Marius,


Understood regarding the IOS.

My initial assumption was Site A's ISP as well, but their tech side didn't agree and stated multiple times that they see no latency on their equipment. Again, Site B's host public IP (as a test), when accessed from Site A, works with no issues at all, even taking the same path through traces. The private IPs, though, are the ones in question over the VPN.

With packet captures, I've been unable to replicate the issues seen through the ping drops or application slowness.

I suggest opening a case with TAC. If you are unable to open a case with TAC, I suggest trying a software upgrade.

--

Please remember to select a correct answer and rate helpful posts
