07-02-2024 10:30 AM
Hi,
We have a VPN site to site tunnel between USA and Asia.
The firewall in Asia can ping the Firewall in USA well, no packet loss.
However, when an Asia server (10.89.100.5) pings a USA server (10.0.99.73), there is packet loss.
The ASP drop packet capture shows something like the below. Is it related to the issue? Please advise.
colo-fw1/pri/act# sh cap asp | i ttl
1: 12:18:02.529300 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
2: 12:18:07.518619 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
Thanks
Loc
07-02-2024 02:59 PM
Then it is a temporary loop. If you ping from site to site over the VPN and there is no drop, then everything is OK.
MHM
07-02-2024 05:29 PM
Nope, the drop in ASP-DROP is still there.
51: 19:25:17.180944 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
71: 19:25:22.168951 10.89.100.5 > 10.0.99.73 icmp: echo request Drop-reason: (ttl-exceeded) ttl exceeded, Drop-location: frame 0x000000aab4d031a8 flow (NA)/NA
colo-fw1/pri/act#
Ping still replies normally on the inside interface.
colo-fw1/pri/act# show cap in | i 10.0.99.73
3: 19:27:54.472708 10.89.100.5 > 10.0.99.73 icmp: echo request
4: 19:27:54.472875 10.0.99.73 > 10.89.100.5 icmp: echo reply
5: 19:27:54.540545 10.0.99.73.4001 > 10.89.100.131.50082: P 3096680285:3096680333(48) ack 1114464398 win 238
6: 19:27:54.541414 10.0.99.73.4001 > 10.89.100.148.64767: P 2833687425:2833687473(48) ack 1772863204 win 238
7: 19:27:54.830080 10.89.100.148.64767 > 10.0.99.73.4001: . ack 2833687473 win 1020
8: 19:27:54.830447 10.89.100.131.50082 > 10.0.99.73.4001: . ack 3096680333 win 1020
11: 19:27:55.480352 10.89.100.5 > 10.0.99.73 icmp: echo request
Users report the connection is slow.
07-02-2024 01:05 PM
Do you think the issue stays here?
[locngu@mdta-vip1 ~]$ route -n | grep 100
0.0.0.0 10.0.99.250 0.0.0.0 UG 100 0 0 ens192
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
07-02-2024 01:09 PM
This routing is for which device in my topology?
MHM
07-02-2024 01:16 PM
- Server 10.0.99.73 routing table=server 2:
[locngu@mdta-vip1 ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.99.250 0.0.0.0 UG 100 0 0 ens192
0.0.0.0 10.0.0.250 0.0.0.0 UG 101 0 0 ens224
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ens224
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens224
10.0.99.0 0.0.0.0 255.255.255.0 U 0 0 0 ens192
10.0.99.0 0.0.0.0 255.255.255.0 U 100 0 0 ens192
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
L3SW: we don't have L3 switch.