We have a site-to-site VPN with another company that hosts an application server. If I set up a ping -r from my Windows computer to their server, I will receive about 150 successful ping replies, then 13 "Request timed out", and this repeats endlessly. We have both triple-checked our settings and are not aware of any changes that were made at either end.
Any help in troubleshooting would be greatly appreciated.
We have an ASA5505 and they have a Palo Alto product.
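To make the reply/timeout pattern described above measurable rather than eyeballed, here is an added Python example (not from the original thread) that parses Windows ping -t output, collapses it into runs of replies and timeouts, and reports whether the loss repeats with a fixed period, which is what separates a rate-limit or blocking timer from random packet loss. The 192.0.2.10 address and the sample transcript are constructed.

```python
import re

# The two Windows "ping" output lines that matter; everything else is noise.
REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<]\d+ms TTL=\d+$")
TIMEOUT_RE = re.compile(r"^Request timed out\.$")

def classify(line):
    """Map one line of ping output to 'ok', 'lost' or None (header/summary)."""
    line = line.strip()
    if REPLY_RE.match(line):
        return "ok"
    if TIMEOUT_RE.match(line):
        return "lost"
    return None

def runs(lines):
    """Collapse the log into consecutive (state, length) runs, skipping noise."""
    out = []
    for state in filter(None, map(classify, lines)):
        if out and out[-1][0] == state:
            out[-1] = (state, out[-1][1] + 1)
        else:
            out.append((state, 1))
    return out

def loss_pattern(lines):
    """Run lengths per state, overall loss %, and whether the interior runs
    repeat with a fixed period (the '150 ok / 13 lost' signature). First and
    last runs are excluded because a capture usually starts/stops mid-cycle."""
    r = runs(lines)
    ok = [n for s, n in r if s == "ok"]
    lost = [n for s, n in r if s == "lost"]
    total = sum(ok) + sum(lost)
    interior = r[1:-1]
    ok_in = {n for s, n in interior if s == "ok"}
    lost_in = {n for s, n in interior if s == "lost"}
    periodic = len(ok_in) == 1 and len(lost_in) == 1 and len(interior) >= 4
    return {
        "ok_runs": ok, "lost_runs": lost,
        "loss_pct": round(100.0 * sum(lost) / total, 1) if total else 0.0,
        "periodic": periodic,
        "period": (ok_in.pop() + lost_in.pop()) if periodic else None,
    }

def constructed_log(ok, lost, cycles):
    """Constructed ping -t transcript (not a real capture) with a fixed cycle."""
    reply = "Reply from 192.0.2.10: bytes=32 time=41ms TTL=120"  # TEST-NET-2 addr
    lines = ["", "Pinging 192.0.2.10 with 32 bytes of data:"]
    for _ in range(cycles):
        lines += [reply] * ok + ["Request timed out."] * lost
    return lines

if __name__ == "__main__":
    print(loss_pattern(constructed_log(150, 13, 3)))
```

Feed it a saved `ping -t` transcript instead of the constructed log; a `periodic` result with a stable `period` is worth comparing against any timer-based threshold on the devices in the path.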
Could there be any IPS/threat detection or any other features/devices that might be thinking that it is an attack and temporarily blocking the ping? If it is repetitive at exactly 150 successes and 13 timeouts, it might be something that is blocking it temporarily.
I agree with Jen. It might be the IPS at your end.
Try disabling ICMP inspect on your ASA and try the ping (on the VPN tunnel, if you have no filters/restrictions, all traffic should flow seamlessly).
Do you have any other tunnel from your ASA to a different peer? Do you notice similar results?
Thanks for the two replies. Our ASA5505 does have an IPS module (ASA 5500 Series AIP Security Services Card-5, ASA-SSC-AIP-5), but I have turned it off. This peer has two subnets and we have the issue pinging hosts in both subnets. The main issue is that when we are connected to the application on their end we get disconnected after two minutes; the ping I am using is a test which validates that we are having packet loss.
debug crypto isakmp 255 and debug crypto ipsec 255 show no issues, and in ASDM when I select Monitoring, Logging, debug and view, I don't see anything specific blocking traffic when the pings time out.
Any other ideas/suggestions appreciated!
It's a finance application by a company called tylerworks, called Munis, and it uses port 6400. I am sure that if the ping just continued uninterrupted the application would be fine. I just need to see what is causing that interruption.
From my continued research I'm hoping it is a traffic shaping issue with one of our ISPs, but I am not sure if others might have seen this before from their ISP?
Policing is done only to shape the bandwidth at the ISPs.
I would check whether the device at the remote end has reached its threshold and its queues are full.
It could possibly be this bug as well:
What version of ASA are you running?