VPN L2L between ASA & Router is not stable, sometime drop

khanhnguyenquoc (Level 1)

Hi Member,

Please help us optimize the VPN L2L between the ASA and the Router; it's not stable and often drops packets after a day of running OK.

Here is the configuration information.

The VPN site-to-site tunnel often drops and is not stable.

1841 Software (C1841-ADVSECURITYK9-M), Version 15.1(4)M8

Cisco Adaptive Security Appliance Software Version 8.2(5)

------------
ASA config:
------------

interface GigabitEthernet0/2.33
 vlan 33
 nameif outside-new
 security-level 0
 ip address yy.yy.yy.yy 255.255.255.224

crypto ipsec transform-set SHA-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set SHA-AES esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dynamic-map 65535 set transform-set SHA-3DES

crypto map outside_map 70 match address site1-site2
crypto map outside_map 70 set pfs
crypto map outside_map 70 set peer xx.xx.xx.xx
crypto map outside_map 70 set transform-set SHA-AES
crypto map outside_map 70 set security-association lifetime seconds 86400

crypto map outside_map interface outside-new
crypto isakmp identity address
crypto isakmp enable outside-new

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key secretkey

mtu outside-new 1500

access-list site1-site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


--------------
Router config:
--------------

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key secretkey address yy.yy.yy.yy no-xauth


crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map MYDYNMAP 10
 set transform-set 3DES-SHA
!
crypto map InternetLink client authentication list USERAUTHEN
crypto map InternetLink isakmp authorization list GROUPAUTH
crypto map InternetLink client configuration address respond
crypto map InternetLink 10 ipsec-isakmp
 description site2-site1
 set peer yy.yy.yy.yy
 set security-association lifetime seconds 86400
 set transform-set MYSET
 set pfs group2
 match address VPNsite2-site1

interface Dialer2
 mtu 1492
 bandwidth 5000
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 27
 dialer-group 27
 ppp authentication pap chap callin
 ppp chap hostname hostinformation
 ppp chap password 7 secretkey
 ppp pap sent-username hostinformation password 7 secretkey
 no cdp enable
 crypto map InternetLink

ip nat inside source list NoNATsite2-site1 interface Dialer2 overload

ip route 0.0.0.0 0.0.0.0 Dialer2

! IOS named extended ACLs (wildcard masks); the original was pasted in ASA syntax
ip access-list extended VPNsite2-site1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NoNATsite2-site1
 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any


4 Replies

Hi,

When you say it is okay after a day of running, I suspect Internet bandwidth utilization. Check the Internet bandwidth utilization at both ends; if you are reaching 80% of your Internet bandwidth you may have packet drops.

During peak hours check for latency by pinging the WAN IP address of site B from site A, and vice versa. Similarly ping internal IP addresses within the VPN sites; you should see the same latency or a minimal difference between both ping responses.

Check show logging on both sides; from the log file try to understand whether your VPN tunnel is tearing down and rebuilding again or is stable. If it is stable then the problem lies with your Internet bandwidth.

HTH

Sandy 


Thanks Sandy,

I am sure that bandwidth is not related to our issue; the bandwidth is very large at both ends and we only use a small amount of it.

Here are some logs and ping results from now, while the VPN tunnel is not stable.

----------------------------

On the ASA:

show logging

May 29 2014 15:52:58: %ASA-7-609001: Built local-host outside-new:192.168.2.127
May 29 2014 15:52:58: %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.2.127/1 gaddr 192.168.1.11/0 laddr 192.168.1.11/0

May 29 2014 15:56:12: %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.127/1 gaddr 192.168.1.11/0 laddr 192.168.1.11/0
May 29 2014 15:56:12: %ASA-7-609002: Teardown local-host outside-new:192.168.2.127 duration 0:00:00


From the local LAN in site B, ping the local LAN in site A:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.1.11: bytes=32 time=262ms TTL=127
Request timed out.
Request timed out.
Reply from 192.168.1.11: bytes=32 time=263ms TTL=127
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.


From the router, ping the public IP address of the ASA:

wr1.siteB#ping yy.yy.yy.yy
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to yy.yy.yy.yy, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 272/276/284 ms

From the local LAN in site B, ping the public IP address of the ASA:

Pinging yy.yy.yy.yy with 32 bytes of data:
Reply from yy.yy.yy.yy: bytes=32 time=276ms TTL=239
Reply from yy.yy.yy.yy: bytes=32 time=273ms TTL=239
Reply from yy.yy.yy.yy: bytes=32 time=273ms TTL=239
Reply from yy.yy.yy.yy: bytes=32 time=272ms TTL=239


Hi,

I suspect an MTU issue on the VPN tunnel, as I can see your dialer supports only MTU 1492.

You have configured your ASA for MTU size 1500; remove this and check.

mtu outside-new 1500

no mtu outside-new 1500

If it does not help you, try reducing the MTU size using the command below on the ASA:

ciscoasa(config)# sysopt connection tcpmss 1380

On your router you can do it globally or specifically on the LAN interface.

Global mode:

ip tcp adjust-mss 

Interface-specific mode (on the interface connecting to your LAN):

mtu 1380

Kindly let me know if your problem persists even after this tweaking.

HTH

Sandy
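The arithmetic behind the MTU/MSS suggestion in this reply, as an added worked example that is not part of the thread: it assumes ESP tunnel mode over IPv4 with the esp-aes/esp-3des plus esp-sha-hmac transform sets from the configs above (HMAC-SHA1-96, 12-byte ICV) and no IP or TCP options, and shows why a 1500-byte LAN packet cannot fit a 1492-byte PPPoE path once encapsulated while an MSS of 1380 can.

```python
# Added worked example (not from the thread): ESP tunnel-mode overhead arithmetic
# behind the "mtu 1492 vs. mtu 1500 / tcpmss 1380" suggestion.
# Assumptions: IPv4, ESP tunnel mode, CBC cipher (esp-aes or esp-3des) with
# esp-sha-hmac (HMAC-SHA1-96, 12-byte ICV), no IP or TCP options.

OUTER_IP = 20      # outer IPv4 header added in tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
NAT_T_UDP = 8      # extra UDP/4500 header if NAT-T is negotiated
SHA1_ICV = 12      # HMAC-SHA1-96 authenticator
ESP_TRAILER = 2    # pad length (1) + next header (1)
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20) headers
BLOCK = {"aes": 16, "3des": 8}  # CBC block size, which is also the IV length


def esp_packet_size(inner_len: int, cipher: str, nat_t: bool = False) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying inner_len clear-text bytes."""
    block = BLOCK[cipher]
    encrypted = inner_len + ESP_TRAILER
    encrypted += (-encrypted) % block          # CBC padding up to a whole block
    size = OUTER_IP + ESP_HEADER + block + encrypted + SHA1_ICV  # 'block' here is the IV
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_len(path_mtu: int, cipher: str, nat_t: bool = False) -> int:
    """Largest clear-text IP packet that fits path_mtu after encapsulation (no fragmentation)."""
    block = BLOCK[cipher]
    fixed = OUTER_IP + ESP_HEADER + block + SHA1_ICV + (NAT_T_UDP if nat_t else 0)
    encrypted_room = (path_mtu - fixed) // block * block  # only whole CBC blocks fit
    return encrypted_room - ESP_TRAILER


def max_tcp_mss(path_mtu: int, cipher: str, nat_t: bool = False) -> int:
    """TCP MSS to clamp to so that full-size segments survive the tunnel."""
    return max_inner_len(path_mtu, cipher, nat_t) - INNER_IP_TCP


def fits(inner_len: int, path_mtu: int, cipher: str, nat_t: bool = False) -> bool:
    """True if the encapsulated packet needs no fragmentation on a path_mtu link."""
    return esp_packet_size(inner_len, cipher, nat_t) <= path_mtu


if __name__ == "__main__":
    pppoe_mtu = 1492  # 'mtu 1492' on the router's Dialer2 in the thread
    for cipher in ("aes", "3des"):
        print(f"{cipher}: max clear-text MTU {max_inner_len(pppoe_mtu, cipher)}, "
              f"MSS {max_tcp_mss(pppoe_mtu, cipher)}, "
              f"with NAT-T MSS {max_tcp_mss(pppoe_mtu, cipher, nat_t=True)}")
    # A LAN host with the default Ethernet MSS 1460 sends 1500-byte packets:
    print("1500-byte packet fits 1492 path with AES?", fits(1500, pppoe_mtu, "aes"))
    # With tcpmss 1380 clamped, a full segment is 1420 bytes of clear text:
    print("1420-byte packet fits with AES + NAT-T?", fits(1420, pppoe_mtu, "aes", nat_t=True))
```

The AES figure of 1382 is why 1380 is the usual clamp; note that the ASA's `sysopt connection tcpmss` applies to all TCP flows through the box, which is the side effect reported in the next reply.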

Hi Sandy,

I tried to change the MSS value on both devices but it affected all other VPN L2L and GRE/VPN tunnels; I will monitor for a couple of days and test again at a suitable time.

Thanks!

Regards!
