05-28-2014 08:12 PM - edited 03-03-2019 07:25 AM
Hi Member,
Please help us optimize the VPN L2L between the ASA and the router; it's not stable and often drops packets after a day of running OK.
Here is configuration information
VPN site-to-site often drops, not stable.
1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(4)M8
Cisco Adaptive Security Appliance Software Version 8.2(5)
------------
ASA config :
------------
interface GigabitEthernet0/2.33
vlan 33
nameif outside-new
security-level 0
ip address yy.yy.yy.yy 255.255.255.224
crypto ipsec transform-set SHA-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set SHA-AES esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dynamic-map 65535 set transform-set SHA-3DES
crypto map outside_map 70 match address site1-site2
crypto map outside_map 70 set pfs
crypto map outside_map 70 set peer xx.xx.xx.xx
crypto map outside_map 70 set transform-set SHA-AES
crypto map outside_map 70 set security-association lifetime seconds 86400
crypto map outside_map interface outside-new
crypto isakmp identity address
crypto isakmp enable outside-new
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key secretkey
mtu outside-new 1500
access-list site1-site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
--------------
Router config:
--------------
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
crypto isakmp key secretkey address yy.yy.yy.yy no-xauth
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map MYDYNMAP 10
set transform-set 3DES-SHA
!
crypto map InternetLink client authentication list USERAUTHEN
crypto map InternetLink isakmp authorization list GROUPAUTH
crypto map InternetLink client configuration address respond
crypto map InternetLink 10 ipsec-isakmp
description site2-site1
set peer yy.yy.yy.yy
set security-association lifetime seconds 86400
set transform-set MYSET
set pfs group2
match address VPNsite2-site1
interface Dialer2
mtu 1492
bandwidth 5000
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 27
dialer-group 27
ppp authentication pap chap callin
ppp chap hostname hostinformation
ppp chap password 7 secretkey
ppp pap sent-username hostinformation password 7 secretkey
no cdp enable
crypto map InternetLink
ip nat inside source list NoNATsite2-site1 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
access-list VPNsite2-site1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNATsite2-site1 extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NoNATsite2-site1 extended permit ip any any
05-28-2014 08:45 PM
Hi ,
When you say it's OK after a day of running, I suspect Internet bandwidth utilization. Check the Internet bandwidth utilization at both ends; if you are reaching 80% of your Internet bandwidth you may have packet drops.
During peak hours check for latency by pinging the WAN IP address of site B from site A, and vice versa. Similarly ping internal IP addresses within the VPN sites; you should see the same latency, or a minimal difference, between both ping responses.
Check show logging on both sides; from the log file try to understand whether your VPN tunnel is tearing down and rebuilding again or is stable. If it is stable then the problem lies with your Internet bandwidth.
HTH
Sandy
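As an added example (not part of the original thread or any poster's own tooling), the following Python script does the "tearing down and rebuilding" check above mechanically: it parses ASA syslog lines in the format shown later in this thread, pairs the IPsec SA created/deleted messages (ASA message IDs 602303 and 602304) by SPI, and reports SAs that lived far shorter than the configured lifetime, which is what a flapping tunnel looks like. The log lines, SPIs and peer addresses in SAMPLE_LOG are constructed for the demonstration; the yy.yy.yy.yy / xx.xx.xx.xx placeholders follow the thread.

```python
import re
from datetime import datetime

# Constructed sample log (not from the original post). A healthy tunnel with
# the thread's 86400 s IPsec SA lifetime should show deleted -> created pairs
# only at rekey time; here the SAs live a few minutes each.
SAMPLE_LOG = """\
May 29 2014 15:50:01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between yy.yy.yy.yy and xx.xx.xx.xx (user= xx.xx.xx.xx) has been created.
May 29 2014 15:52:58: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.2.127/1 gaddr 192.168.1.11/0 laddr 192.168.1.11/0
May 29 2014 15:53:40: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between yy.yy.yy.yy and xx.xx.xx.xx (user= xx.xx.xx.xx) has been deleted.
May 29 2014 15:53:47: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between yy.yy.yy.yy and xx.xx.xx.xx (user= xx.xx.xx.xx) has been created.
May 29 2014 15:56:12: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.127/1 gaddr 192.168.1.11/0 laddr 192.168.1.11/0
May 29 2014 15:58:02: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between yy.yy.yy.yy and xx.xx.xx.xx (user= xx.xx.xx.xx) has been deleted.
May 29 2014 15:58:09: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9C0D1E2F) between yy.yy.yy.yy and xx.xx.xx.xx (user= xx.xx.xx.xx) has been created.
"""

# "May 29 2014 15:52:58: %ASA-6-302020: <text>" as printed by "show logging"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# SPI and peer out of the 602303/602304 message body
SA_RE = re.compile(
    r"SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) between (?P<local>\S+) and (?P<peer>\S+)"
)
SA_CREATED, SA_DELETED = "602303", "602304"


def parse_sa_events(log_text):
    """Return [(timestamp, 'created'|'deleted', peer, spi)] for IPsec SA messages."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("msgid") not in (SA_CREATED, SA_DELETED):
            continue  # connection build/teardown lines etc. are not tunnel state
        sa = SA_RE.search(m.group("text"))
        if not sa:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        kind = "created" if m.group("msgid") == SA_CREATED else "deleted"
        events.append((ts, kind, sa.group("peer"), sa.group("spi")))
    return events


def sa_lifetimes(events, peer):
    """Pair created/deleted by SPI; return [(spi, seconds_lived)] in log order."""
    created_at = {}
    lived = []
    for ts, kind, ev_peer, spi in events:
        if ev_peer != peer:
            continue
        if kind == "created":
            created_at[spi] = ts
        elif spi in created_at:  # deleted: only SAs whose creation we saw
            lived.append((spi, int((ts - created_at.pop(spi)).total_seconds())))
    return lived


def flapping_sas(events, peer, min_life_seconds):
    """SPIs torn down well before they should have been rekeyed."""
    return [spi for spi, secs in sa_lifetimes(events, peer) if secs < min_life_seconds]


if __name__ == "__main__":
    evs = parse_sa_events(SAMPLE_LOG)
    for spi, secs in sa_lifetimes(evs, "xx.xx.xx.xx"):
        print(f"{spi} lived {secs} s")
    # With an 86400 s lifetime, anything under an hour is a rebuild, not a rekey
    print("flapping:", flapping_sas(evs, "xx.xx.xx.xx", 3600))
```

Feed it the output of "show logging" (with logging at level 6 or higher so 602303/602304 are recorded) and compare the reported lifetimes against the crypto map's security-association lifetime; a tunnel that is genuinely stable produces no entries below that value, while one that is rebuilding every few minutes shows up immediately.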
05-28-2014 11:42 PM
Thanks Sandy,
I am sure that bandwidth is not related to our issue; the bandwidth is very large at both ends and we only use a small amount of it.
Here are some logs and ping results taken now, while the VPN tunnel is not stable.
----------------------------
in ASA
show logging
May 29 2014 15:52:58: %ASA-7-609001: Built local-host outside-new:192.168.2.127
May 29 2014 15:52:58: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.2.127/1 gaddr 192.168.1.11/0 laddr 192.168.1.11/0
May 29 2014 15:56:12: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.127/1 gaddr 192.168.1.11/0 laddr 192.168.1.11/0
May 29 2014 15:56:12: %ASA-7-609002: Teardown local-host outside-new:192.168.2.127 duration 0:00:00
from local LAN in site B ping local LAN in site A
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.11: bytes=32 time=262ms TTL=127
Request timed out.
Request timed out.
Reply from 192.168.1.11: bytes=32 time=263ms TTL=127
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
from Router ping public IP address of ASA
wr1.siteB#ping yy.yy.yy.yy
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to yy.yy.yy.yy, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 272/276/284 ms
from local LAN in site B ping public IP address of ASA
Pinging yy.yy.yy.yy with 32 bytes of data:
Reply from yy.yy.yy.yy: bytes=32 time=276ms TTL=239
Reply from yy.yy.yy.yy: bytes=32 time=273ms TTL=239
Reply from yy.yy.yy.yy: bytes=32 time=273ms TTL=239
Reply from yy.yy.yy.yy: bytes=32 time=272ms TTL=239
05-29-2014 12:11 AM
Hi ,
Suspecting an MTU issue on the VPN tunnel, as I can see your dialer supports only MTU 1492.
You have configured your ASA for MTU size 1500; remove this and check:
mtu outside-new 1500
no mtu outside-new 1500
If it does not help you, try reducing the MTU size using the command below on the ASA:
ciscoasa(config)# sysopt connection tcpmss 1380
On your router you can do it globally or specifically on the LAN interface.
Global mode:
ip tcp adjust-mss
Interface-specific mode (on the interface connecting to your LAN):
mtu 1380
Kindly let me know if your problem persists even after this tweaking.
HTH
Sandy
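To show where a value like tcpmss 1380 comes from, here is an added Python calculator (not part of the thread or either device's configuration) that works out the ESP tunnel-mode overhead for the transform sets in this thread (esp-aes or esp-3des with esp-sha-hmac) and derives the largest clear-text packet, and therefore the TCP MSS, that fits a given outer MTU without fragmentation. It assumes IPv4, HMAC-SHA1-96 (12-byte ICV), CBC mode with a full-block IV, and optional NAT-T UDP encapsulation; the extra_encap parameter is a hypothetical knob for an inner GRE header (24 bytes), since the last post mentions GRE/VPN tunnels.

```python
import math

# ESP tunnel-mode overhead over IPv4 (assumed field sizes for the thread's
# transform sets: esp-aes / esp-3des with esp-sha-hmac).
OUTER_IPV4 = 20
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
ICV_SHA1_96 = 12      # esp-sha-hmac: HMAC-SHA1 truncated to 96 bits
NAT_T_UDP = 8         # UDP header added when NAT-T is negotiated
IPV4_TCP_HDRS = 40    # inner 20-byte IP + 20-byte TCP header, no options
CIPHERS = {           # cipher -> (IV length, block size) in bytes
    "aes": (16, 16),  # esp-aes (AES-CBC)
    "3des": (8, 8),   # esp-3des
}


def esp_packet_size(inner_len, cipher="aes", nat_t=False, extra_encap=0):
    """Outer packet size on the wire for an inner packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    payload = inner_len + extra_encap            # e.g. extra_encap=24 for GRE
    padded = math.ceil((payload + ESP_TRAILER) / block) * block
    return (OUTER_IPV4 + (NAT_T_UDP if nat_t else 0)
            + ESP_HDR + iv + padded + ICV_SHA1_96)


def max_inner_len(outer_mtu, cipher="aes", nat_t=False, extra_encap=0):
    """Largest inner (clear-text) packet whose ESP packet still fits outer_mtu."""
    iv, block = CIPHERS[cipher]
    fixed = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + ICV_SHA1_96
    room = outer_mtu - fixed
    padded = room - room % block                 # round down to a cipher block
    return padded - ESP_TRAILER - extra_encap


def recommended_tcp_mss(outer_mtu, cipher="aes", nat_t=False, extra_encap=0):
    """TCP MSS to clamp to (sysopt connection tcpmss / ip tcp adjust-mss)."""
    return max_inner_len(outer_mtu, cipher, nat_t, extra_encap) - IPV4_TCP_HDRS


if __name__ == "__main__":
    # The dialer in this thread has mtu 1492; the ASA outside interface 1500.
    for mtu in (1492, 1500):
        for cipher in ("aes", "3des"):
            print(f"outer MTU {mtu} {cipher:4s}: max inner {max_inner_len(mtu, cipher)} "
                  f"bytes, TCP MSS {recommended_tcp_mss(mtu, cipher)}")
    print("with NAT-T, aes, 1492:", recommended_tcp_mss(1492, "aes", nat_t=True))
    print("GRE over IPsec, aes, 1492:", recommended_tcp_mss(1492, "aes", extra_encap=24))
```

For the 1492-byte dialer and the SHA-AES transform set this gives a maximum clear-text packet of 1422 bytes and an MSS of 1382, so clamping to 1380 keeps every TCP segment under the PPPoE limit with a small margin; a plain 1500-byte path would allow 1398. Because the cipher pads to whole blocks, a few bytes of headroom are unavoidable, which is why the NAT-T case lands on the same MSS here.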
05-29-2014 11:33 PM
Hi Sandy,
I tried to change the MSS value on both devices, but it affected all the other VPN L2L and GRE/VPN tunnels. I will monitor for a couple of days and test again at a suitable time.
Thanks!
Regards!