Good Day Mohit, thank you for

damrut5763 · ‎05-20-2015

I have create a IPsec tunnel between a cisco router and Palo Alto firewall I am dropping significant packet on the tunnel however going to the gig interface 0/0 no packet loss how can I resolve this issue.

interface Tunnel1
description GRE/IPSEC Tunnel to Duluth,Ga
ip unnumbered Loopback0
ip mtu 1428
ip tcp adjust-mss 1388
tunnel source GigabitEthernet0/0
tunnel destination 209.60.243.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile Aberdeen

Mohit Sahai · ‎05-21-2015

Hello,

To isolate the issue, we could follow the below steps.

1. remove the IPSec config from the tunnel and ping tunnel destination IP taking tunnel source as source IP

a. If there are any drops, trace the tunnel destination IP taking tunnel source as tunnel source.

b. Ping each hop in the trace path taking tunnel source as tunnel source.

c. This will identify the hop for which the drops start first and accordingly find if there is any issue in any link in the path.

d. Same needs to be checked for the reverse trace until we identify the hop.

2. If the packet drops gets resolved after removing the IPSec configuration it means there is some issue with the IPSec config.

Let me know once you perform the Step 1.

Thanks,

Mohit

damrut5763 · ‎05-28-2015

Good Day Mohit,

thank you for your response we figured out the issue we change the dead peer timer on the Palo Alto firewall and it resolve the issue. the Palo Alto was constantly rekeying the ISAKMP SA we increase the Dead Peer Interval retry's to 100 to resolve the problem.

Packet Loss on Tunnel Interface