Site to site VPN using ASA is not down when internet connection is unstable

Eman.Bakri · ‎08-26-2020

My internet connection is unstable, i lost internet several times a day for short time (5-7 minutes) then return back, my monitor system read that the internet is down, and actually my client can not browsing or using internet, but the VPN is not down, the clients can use the applications via VPN normally although their application using real time traffic.

I want to understand how VPN work normally even when internet is DOWN for short time.

Please i need your support urgently.

Note that i have no access to VPN configuration, i just want to know how this happen?

Thanks all

balaji.bandi · ‎08-26-2020

May be different Cases here example :

1. how are you Monitoring Internet, usng Ping or Interface.

2. When Internet down from your network people not able browse ? - do you have any proxy in the network.

3. May be case Internet down / Ping and http/https traffic, may be network is still up ? (this required to check)

If port really down where your ISP connected, VPN still working ? then we need to Look your network diagram and confirm is there any otehr alternative route for you ?

At this stage hard to say what is wrong, until we see more information.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Eman.Bakri · ‎08-26-2020

Hi cjrchoi11,

Thanks for your reply.

bellow my answers to your questions:

1.I monitor using ping and interface utilization using SNMP, Ping is down, but interface utilization shows normal traffic without down or decreasing the traffic, I though that because VPN connection is working and there is traffic.

2.yes they can not browsing, some of them using proxy and other not, and in both cases browsing not working.

3. about this question, i though about same thing but how can I check that?

Note:

(I have /30 network I used one of them in my network and the other is configured in my ISP as gateway for my traffic),

when the issue happen I actually can not reach my gateway in ISP network using PING

Thanks.

balaji.bandi · ‎08-26-2020

thanks for the information, do you have any high level diagram, have you contacted ISP for this issue ? did they confirm it was down ?

When you identified down, from end user who remote in, still able to ping local network ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎08-26-2020

Hello,

can you give us an overview (schematic drawing) of your topology ? How do the clients connect to the VPN, are these remote (home) users ?

Eman.Bakri · ‎08-26-2020

The internet connection link terminated physically in switch, then to other Vendor firewall (my public IP is configured here), then to ASA where the VPN is configured, the clients are connected to switch terminated in inside interface of ASA.

Georg Pauwen · ‎08-26-2020

So the ASA does not have a public IP address ? The VPN between the ASA and the vendor firewall is using private IP addresses ? What VPN applications are still working when the Internet is down ?

Richard Burts · ‎08-26-2020

I agree that it would be helpful if we had more details about the topology and environment for this issue. If I am understanding correctly your network, including your monitoring equipment, is connected to ASA inside interface, ASA outside interface connects to Vendor firewall, which connects to a switch, which connects to the Internet connection. Is it possible that some issue in your network might prevent parts of the network (including your monitoring equipment) while other parts of your network were still able to access the ASA? Is it possible that some sort of issue on your ASA might impact some user traffic (including the monitoring equipment) while of traffic (including vpn) still worked? Is it possible that some sort of issue on the Vendor firewall might reject normal user traffic but allow the vpn traffic?

HTH

Rick