ttl-exceeded- packet drop in Site to Site VPN tunnel

loc.nguyen
Level 1

Hi,

We have a VPN site to site tunnel between USA and Asia.

The firewall in Asia can ping the Firewall in USA well, no packet loss.

However, an Asia server (10.89.100.5) pinging a USA server (10.0.99.73) has packet loss.

The ASP drop packet capture shows the following. Does it relate to the issue? Please advise.

colo-fw1/pri/act# sh cap asp | i ttl
1: 12:18:02.529300 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
2: 12:18:07.518619 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA

Thanks

Loc

19 Replies

Then it temporarily loops. If you ping from site to site over the VPN and there is no drop, then everything is OK.
MHM

Nope, the drop in ASP-DROP is still there. 

51: 19:25:17.180944 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
71: 19:25:22.168951 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
colo-fw1/pri/act#

Ping still replies normally in the inside interface. 

colo-fw1/pri/act# show cap in | i 10.0.99.73
3: 19:27:54.472708 10.89.100.5 > 10.0.99.73 icmp: echo request
4: 19:27:54.472875 10.0.99.73 > 10.89.100.5 icmp: echo reply
5: 19:27:54.540545 10.0.99.73.4001 > 10.89.100.131.50082: P 3096680285:3096680333(48) ack 1114464398 win 238
6: 19:27:54.541414 10.0.99.73.4001 > 10.89.100.148.64767: P 2833687425:2833687473(48) ack 1772863204 win 238
7: 19:27:54.830080 10.89.100.148.64767 > 10.0.99.73.4001: . ack 2833687473 win 1020
8: 19:27:54.830447 10.89.100.131.50082 > 10.0.99.73.4001: . ack 3096680333 win 1020
11: 19:27:55.480352 10.89.100.5 > 10.0.99.73 icmp: echo request

Users report the connection is slow. 

loc.nguyen
Level 1

Do you think the issue stays here?

[locngu@mdta-vip1 ~]$ route -n | grep 100
0.0.0.0         10.0.99.250     0.0.0.0         UG    100    0        0 ens192
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 ens224

This routing is for which device in my topology?

MHM

Server 10.0.99.73 routing table (server 2):

[locngu@mdta-vip1 ~]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.99.250     0.0.0.0         UG    100    0        0 ens192
0.0.0.0         10.0.0.250      0.0.0.0         UG    101    0        0 ens224
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ens224
10.0.0.0        0.0.0.0         255.255.255.0   U     100    0        0 ens224
10.0.99.0       0.0.0.0         255.255.255.0   U     0      0        0 ens192
10.0.99.0       0.0.0.0         255.255.255.0   U     100    0        0 ens192
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0


L3SW: we don't have an L3 switch.
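Added example, not code from the original post or from any Cisco tool: a small triage script that parses the `route -n` table and the `show cap asp` drop lines posted in this thread and flags the conditions a practitioner would check first when a host behind a VPN shows ttl-exceeded drops. The two inputs are copied from the posts above; the heuristics (more than one default route, the same prefix installed twice on an interface, repeated ASP drops for one src/dst/reason) are this example's own assumptions about what is worth looking at, not a diagnosis of the thread's root cause.

```python
"""Triage helpers for ttl-exceeded drops behind a site-to-site VPN.

Added example (not part of the original thread). The sample inputs below
are copied from the forum posts; the checks are this example's assumptions.
"""
import re
from collections import Counter

# `route -n` output posted for server 10.0.99.73 (copied from the thread).
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.99.250 0.0.0.0 UG 100 0 0 ens192
0.0.0.0 10.0.0.250 0.0.0.0 UG 101 0 0 ens224
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ens224
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
10.0.99.0 0.0.0.0 255.255.255.0 U 0 0 0 ens192
10.0.99.0 0.0.0.0 255.255.255.0 U 100 0 0 ens192
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
"""

# `show cap asp | i ttl` output posted for the ASA (copied from the thread).
ASP_DROPS = """\
1: 12:18:02.529300 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
2: 12:18:07.518619 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
"""


def parse_route_table(text):
    """Return one dict per `route -n` row; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 8 columns and start with a dotted-quad destination.
        if len(parts) != 8 or not re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append({"dest": dest, "gw": gw, "mask": mask, "flags": flags,
                       "metric": int(metric), "iface": iface})
    return routes


def find_routing_issues(routes):
    """Flag host-side routing conditions worth checking (assumed heuristics)."""
    issues = []
    defaults = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if len(defaults) > 1:
        # Two default gateways on different interfaces: traffic may leave via
        # a path the VPN side does not expect, and a hop can bounce it back.
        gws = ", ".join(f"{r['gw']} via {r['iface']} (metric {r['metric']})"
                        for r in defaults)
        issues.append(f"multiple default routes: {gws}")
    by_prefix = Counter((r["dest"], r["mask"], r["iface"]) for r in routes)
    for (dest, mask, iface), n in sorted(by_prefix.items()):
        if n > 1:
            # Same prefix installed twice on one interface (different metrics)
            # usually means two config sources are managing the same link.
            issues.append(f"duplicate route {dest}/{mask} on {iface} ({n} entries)")
    return issues


# One ASA capture line: "<n>: <time> <src> > <dst> <proto>: <info> Drop-reason: (<reason>) ..."
DROP_RE = re.compile(
    r"^\d+:\s+(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+):\s+(?P<info>.*?)\s+Drop-reason:\s+\((?P<reason>[^)]+)\)"
)


def summarize_asp_drops(text):
    """Count ASP drops per (src, dst, reason) so a repeatedly dropped flow stands out."""
    counts = Counter()
    for line in text.splitlines():
        m = DROP_RE.match(line)
        if m:
            counts[(m["src"], m["dst"], m["reason"])] += 1
    return counts


if __name__ == "__main__":
    for issue in find_routing_issues(parse_route_table(ROUTE_N)):
        print("routing:", issue)
    for (src, dst, reason), n in summarize_asp_drops(ASP_DROPS).items():
        print(f"asp-drop: {src} -> {dst} {reason} x{n}")
```

Run it against the pasted outputs and it reports the two default gateways (10.0.99.250 on ens192, 10.0.0.250 on ens224), the twice-installed 10.0.0.0/24 and 10.0.99.0/24 entries, and the repeated ttl-exceeded drop for 10.89.100.5 -> 10.0.99.73. Whether any of these is the cause still has to be confirmed with a traceroute from the server and a capture on both sides of the tunnel; the script only narrows down where to look.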
