06-02-2012 08:30 PM
We have a site-to-site VPN with another company that hosts an application server. If I set up a ping -r from my Windows computer to their server, I will receive about 150 successful ping replies, then 13 "Request timed out", and this repeats endlessly. We have both triple-checked our settings and are not aware of any changes that were made at either end.
Any help in troubleshooting would be greatly appreciated.
Thanks
We have an ASA5505 and they have a Palo Alto product.
06-02-2012 08:46 PM
Could there be any IPS/threat detection or any other features/devices that might be thinking that it is an attack and temporarily blocking the ping? If it is repetitive at exactly 150 successes and 13 timeouts, it might be something that is blocking it temporarily.
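To check whether the loss really repeats on a fixed cycle, as asked above, the saved ping output can be reduced to run lengths. This is an added example, not part of the thread; the sample output and address are constructed, and the per-line timings (about 1 s per reply, 4 s per timeout) are assumed approximations of Windows ping defaults.

```python
import re
from itertools import groupby
from statistics import mean, pstdev

REPLY = re.compile(r"^Reply from \S+ bytes=\d+", re.I)    # echo replies only
TIMEOUT = re.compile(r"^Request timed out\.?", re.I)

def classify(lines):
    """Return True per reply and False per timeout; other lines are skipped."""
    results = []
    for line in lines:
        text = line.strip()
        if REPLY.match(text):
            results.append(True)
        elif TIMEOUT.match(text):
            results.append(False)
    return results

def runs(results):
    """Collapse the result list into (is_reply, run_length) pairs."""
    return [(ok, len(list(group))) for ok, group in groupby(results)]

def loss_cycle(results, tolerance=0.1, reply_s=1.0, timeout_s=4.0):
    """Summarise the success/loss cycle, or None if too few complete runs.

    reply_s and timeout_s are assumed seconds per output line.
    """
    complete = runs(results)[1:-1]        # first and last runs may be partial
    ok = [n for state, n in complete if state]
    lost = [n for state, n in complete if not state]
    if len(ok) < 2 or len(lost) < 2:
        return None
    # Periodic if both run lengths vary by less than `tolerance` of their mean.
    periodic = all(pstdev(x) <= tolerance * mean(x) for x in (ok, lost))
    return {
        "ok_run": mean(ok),
        "lost_run": mean(lost),
        "periodic": periodic,
        "cycle_seconds": mean(ok) * reply_s + mean(lost) * timeout_s,
    }

def sample_output():
    """Constructed ping output: 150 replies then 13 timeouts, repeating."""
    ok = "Reply from 192.0.2.10: bytes=32 time=41ms TTL=126"
    lost = "Request timed out."
    header = ["Pinging 192.0.2.10 with 32 bytes of data:"]
    return header + [ok] * 40 + ([lost] * 13 + [ok] * 150) * 2 + [lost] * 13 + [ok] * 20

if __name__ == "__main__":
    print(loss_cycle(classify(sample_output())))
```

A stable cycle length can then be compared against configured timers and the timestamps of log entries on the devices at both ends.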
06-02-2012 10:13 PM
I agree with Jen. It might be the IPS at your end.
Try disabling ICMP inspect on your ASA and try the ping (on the VPN tunnel, if you have no filters/restrictions, all traffic should flow seamlessly).
Do you have any other tunnel from your ASA to a different peer? Do you notice similar results?
06-03-2012 06:59 AM
Thanks for the two replies. Our ASA5505 does have an IPS module (ASA 5500 Series AIP Security Services Card-5, ASA-SSC-AIP-5), but I have turned it off. This peer has two subnets and we have the issue pinging hosts in both subnets. The main issue is that when we are connected to the application on their end we get disconnected after two minutes; the ping I am using is a test which validates that we are having packet loss.
debug crypto isakmp 255 and debug crypto ipsec 255 show no issues, and in ASDM, when I select Monitoring, Logging, Debug and View, I don't see anything specific blocking traffic when the pings time out.
Any other ideas/suggestions appreciated!
Thanks
06-03-2012 07:56 AM
What application is it, and what protocol and port does it use?
06-03-2012 08:20 AM
It's a finance application by a company called tylerworks called munis, and it uses port 6400. I am sure if the ping just continued uninterrupted the application would be fine. I just need to see what is causing that interruption.
06-03-2012 05:11 PM
From my continued research I'm hoping it is a traffic shaping issue with one of our ISPs, but I am not sure if others might have seen this before from their ISP?
06-03-2012 06:04 PM
Policing is done only to shape the b/w at ISPs.
I would check the device at the remote end to see whether it has reached its threshold and its queues are full.
06-03-2012 07:24 PM
It could possibly be this bug as well:
What version of ASA are you running?