Beginner

IPsec TUNNEL EXPERIENCING HUGE PACKET LOSS (FLAPPING LINK

Hello Guys,

I have an IPsec VPN between a Cisco ASA 5515-X and a Cisco 4331-K9. The tunnel has been fine for a couple of months but suddenly started flapping and experiencing huge packet drops. I had thought it was an interface duplex config issue from my ISP. I adjusted settings but the issue persisted. Attached are three files. One consists only of the IPsec config on both routers (4331-K9 and ASA), the second one has the config for only the ASA and the last one has the config for only the IOS 4331-K9.

Kindly help!!!

4 REPLIES
VIP Advocate

Re: IPsec TUNNEL EXPERIENCING HUGE PACKET LOSS (FLAPPING LINK

Run debugs on both the ASA and ISR. Since it is flapping constantly, there should be some log as to why this is happening. Also, do you see any logs on the ASA or ISR when the tunnel flaps?

On the ASA, run these debugs:

debug crypto ikev1 127
debug crypto ipsec 127

On the ISR:

debug crypto isakmp
debug crypto ipsec

Beginner

Re: IPsec TUNNEL EXPERIENCING HUGE PACKET LOSS (FLAPPING LINK

Hello @Rahul Govindan

Please find attached.

VIP Advocate

Re: IPsec TUNNEL EXPERIENCING HUGE PACKET LOSS (FLAPPING LINK

no matching crypto map entry for remote proxy 172.16.130.0/255.255.254.100/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

Looking at your configs, I can see an extra crypto ACL entry on the ISR:

ip access-list extended Abuja-IV
 permit ip 172.16.130.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.16.130.0 0.0.0.255 172.16.120.0 0.0.7.255
 permit ip 172.16.130.0 0.0.1.155 any

Keep the ACLs the same on both sides. What might be happening is that there is some traffic triggering the Phase 2 tunnel from the ISR side. Since it cannot establish completely, it might be tearing down Phase 1 as well.
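
As an added example (not part of this thread or of either poster's config), the mirror check described above, scripted: it parses the ISR crypto ACL quoted in the reply (IOS wildcard syntax) and an assumed ASA-side ACL (a constructed mirror of the first two entries, in ASA subnet-mask syntax), then reports every proxy ID that has no counterpart on the other peer, and every wildcard that does not describe a valid subnet, such as 0.0.1.155.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)   # (network, wildcard) form of the keyword 'any'

def _net(addr, mask, style):
    """Address plus IOS wildcard or ASA subnet mask -> (network, wildcard); odd wildcards kept as-is."""
    a, m = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))
    w = m if style == "ios" else ~m & 0xFFFFFFFF      # ASA masks are inverted into wildcards
    return (a & ~w & 0xFFFFFFFF, w)

def _spec(tokens, style):
    """Consume one address spec ('any' or 'ADDR MASK'); return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return _net(tokens[0], tokens[1], style), tokens[2:]

def parse_crypto_acl(text, style):
    """Return the set of (src, dst) proxy-ID pairs from IOS ('ios') or ASA ('asa') ACL text."""
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if "permit" not in t:
            continue                      # ACL headers and deny entries carry no proxy ID
        t = t[t.index("permit") + 2:]     # drop 'permit' and the protocol keyword
        src, t = _spec(t, style)
        dst, _ = _spec(t, style)
        pairs.add((src, dst))
    return pairs

def fmt(spec):
    return f"{ipaddress.IPv4Address(spec[0])}/{ipaddress.IPv4Address(spec[1])}"

def audit(isr_text, asa_text):
    """List proxy IDs lacking a mirror on the other peer, plus wildcards that are not a valid subnet."""
    isr, asa = parse_crypto_acl(isr_text, "ios"), parse_crypto_acl(asa_text, "asa")
    flip = lambda pairs: {(d, s) for s, d in pairs}  # view the peer's entries from this side
    problems = [f"ISR only: {fmt(s)} -> {fmt(d)}" for s, d in sorted(isr - flip(asa))]
    problems += [f"ASA only: {fmt(s)} -> {fmt(d)}" for s, d in sorted(asa - flip(isr))]
    for spec in sorted({x for pair in isr | asa for x in pair}):
        if (spec[1] + 1) & spec[1]:       # a contiguous wildcard is 2^k - 1, so this is zero
            problems.append(f"non-contiguous mask in {fmt(spec)}")
    return problems

# ISR crypto ACL quoted from the thread; the ASA side is a constructed mirror of its first two entries.
ISR_ACL = """ip access-list extended Abuja-IV
 permit ip 172.16.130.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.16.130.0 0.0.0.255 172.16.120.0 0.0.7.255
 permit ip 172.16.130.0 0.0.1.155 any"""
ASA_ACL = """access-list Abuja-IV extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.0
access-list Abuja-IV extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.0"""
```

Running `audit(ISR_ACL, ASA_ACL)` flags the third ISR entry as having no ASA counterpart and its wildcard as non-contiguous; removing that line from ISR_ACL yields an empty report.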

Beginner

Re: IPsec TUNNEL EXPERIENCING HUGE PACKET LOSS (FLAPPING LINK

Hey Rahul,

Thanks so much for spotting that. I noticed the alien ACL in the debugs, searched for the affected subnet in my config but couldn't find it for odd reasons. I was apparently focused on the numbered ACLs (100, 101, 102... especially the ones with deny statements) but then forgot to look through the most important one (the permit ACL). The ACLs were obviously conflicting.

You're helpful, thank you!