08-24-2015 12:55 PM - edited 03-11-2019 11:29 PM
Hello Support,
Out of the blue today, our P2P VPN between two internet sites started having issues. Users at Site A began complaining about being unable to access a live data application hosted at Site B of the VPN. The page loads via http at Site A, but the software requires data to be loaded inside of the webpage and this just stays at loading data, and sometimes even errors out.
I confirmed this is a VPN issue because Site A can reach the public IP address of this server at Site B and the data loads fine, but the private IP stalls out. When I have run ping tests to multiple hosts behind the VPN from both ends, I have about a 15-20% ping drop. I can \\ to servers but anything that needs a reliable connection is either extremely slow or times out completely. The VPN shows as up and no errors are coming across. MTU speeds are the same and Site B has multiple VPNs that are functioning fine. This is the only VPN on Site A. I have bounced the VPN a few times and even rebooted the firewall at Site A.
Site A has an ASA 5510 running 7.2(4)
Site B has an ASA 5550 running 8.2(3)
I opened a ticket with both service providers on each end and both confirmed there to be no issue performing traces. Does anyone have any idea how this could have started happening?
08-24-2015 02:37 PM
Just because you haven't experienced the bug earlier doesn't mean there isn't one.
But as you can see you have lost around 500 packets that have not been decrypted at site A. Are you 100% sure that the ISP has provided correct information that there are no routing issues on their end? Is this over Internet or over a WAN?
Could you do a packet capture on site A inside interface and site B inside interface and compare the two when you initiate traffic to the server?
I have had similar issues recently and in each case it was either the ISP having a routing issue or there was an issue with the server that was being accessed. Not saying this is the case for you.
--
Please remember to select a correct answer and rate helpful posts
08-24-2015 02:14 PM
Does the output of show crypto ipsec sa on both sites have corresponding encrypted and decrypted values for this tunnel?
If you open the logging monitor in ASDM, do you see any drops in traffic when you are trying to connect to the server (at both sites)?
Have you tried reloading the ASA at Site A?
Have you considered an ASA version upgrade?
--
Please remember to select a correct answer and rate helpful posts
08-24-2015 02:29 PM
Thanks for the reply Marius!
Site A - #pkts encaps: 4424, #pkts encrypt: 4424, #pkts digest: 4424
#pkts decaps: 11009, #pkts decrypt: 11009, #pkts verify: 11009
Site B - #pkts encaps: 11553, #pkts encrypt: 11553, #pkts digest: 11553
#pkts decaps: 4424, #pkts decrypt: 4424, #pkts verify: 4424
No drops show in the ASDM
We have reloaded the ASA at Site A and also rebuilt the VPN from both sites.
An ASA upgrade is not out of the question especially if you feel there may be a bug causing this issue. Though, again this issue just randomly started happening this morning.
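The "around 500 packets" figure in the accepted answer comes from lining up the two ends of the tunnel: what Site B encapsulated against what Site A decapsulated, and vice versa. The script below does that comparison from the counter lines quoted above. It is an added example, not something posted in the thread or part of any Cisco tool; the counter lines are embedded as constructed sample input (the real show crypto ipsec sa output is much longer, but the regex only picks up the #pkts lines), and the loss figures are only a snapshot because both commands cannot be run at exactly the same instant.

```python
import re

# Constructed sample input: the counter lines from the thread, one string per ASA.
# Real output of "show crypto ipsec sa" contains many more lines; only "#pkts" lines matter here.
SITE_A_SA = """\
    #pkts encaps: 4424, #pkts encrypt: 4424, #pkts digest: 4424
    #pkts decaps: 11009, #pkts decrypt: 11009, #pkts verify: 11009
"""
SITE_B_SA = """\
    #pkts encaps: 11553, #pkts encrypt: 11553, #pkts digest: 11553
    #pkts decaps: 4424, #pkts decrypt: 4424, #pkts verify: 4424
"""

# Matches "#pkts <name>: <count>" wherever it appears on a line.
COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")


def parse_counters(sa_output):
    """Return {'encaps': n, 'encrypt': n, 'digest': n, 'decaps': n, ...} for one SA."""
    return {name: int(value) for name, value in COUNTER_RE.findall(sa_output)}


def local_consistency(counters):
    """A box should encrypt/digest every packet it encapsulates and decrypt/verify
    every packet it decapsulates. A mismatch here points at the crypto engine on
    that ASA, not at the path between the sites."""
    problems = []
    if not (counters["encaps"] == counters["encrypt"] == counters["digest"]):
        problems.append("outbound counters disagree (encaps/encrypt/digest)")
    if not (counters["decaps"] == counters["decrypt"] == counters["verify"]):
        problems.append("inbound counters disagree (decaps/decrypt/verify)")
    return problems


def compare_tunnel(site_a_output, site_b_output):
    """Compare both ends of one tunnel and report per-direction loss.

    Packets encapsulated at one end but never decapsulated at the other were lost
    in transit (or dropped before decryption). Because the two snapshots are not
    taken atomically, the result is an estimate, not an exact count."""
    a = parse_counters(site_a_output)
    b = parse_counters(site_b_output)
    a_to_b_lost = a["encaps"] - b["decaps"]
    b_to_a_lost = b["encaps"] - a["decaps"]
    return {
        "a_to_b_lost": a_to_b_lost,
        "a_to_b_loss_pct": 100.0 * a_to_b_lost / a["encaps"] if a["encaps"] else 0.0,
        "b_to_a_lost": b_to_a_lost,
        "b_to_a_loss_pct": 100.0 * b_to_a_lost / b["encaps"] if b["encaps"] else 0.0,
        "site_a_local_problems": local_consistency(a),
        "site_b_local_problems": local_consistency(b),
    }


def loss_between_snapshots(earlier, later):
    """Counters are cumulative for the life of the SA. To measure loss over a window,
    take two compare_tunnel() results some minutes apart and look at the delta."""
    return {
        "a_to_b_lost": later["a_to_b_lost"] - earlier["a_to_b_lost"],
        "b_to_a_lost": later["b_to_a_lost"] - earlier["b_to_a_lost"],
    }


if __name__ == "__main__":
    report = compare_tunnel(SITE_A_SA, SITE_B_SA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the thread's numbers this reports 0 packets lost from Site A toward Site B and 544 (about 4.7%) lost from Site B toward Site A, with both boxes internally consistent, which is exactly the asymmetric, one-direction loss that a path problem upstream of Site A would produce. Taking a second pair of snapshots a few minutes later and feeding both results to loss_between_snapshots shows whether the loss is ongoing or was a one-off.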
08-24-2015 02:43 PM
Hi Marius,
Understood regarding the IOS.
My initial assumptions were Site A's ISP as well, but their tech side didn't agree and stated multiple times that they see no latency on their equipment. Again, Site B's host public IP (as a test) when accessed from Site A works with no issues at all even taking the same path through traces. The private IPs though are the ones in question over the VPN.
With packet captures, I've been unable to replicate the issues seen through the ping drops or application slowness.
08-24-2015 03:22 PM
I suggest opening a case with TAC. If you are unable to open a case with TAC I suggest trying a software upgrade.
--
Please remember to select a correct answer and rate helpful posts