Ask the Expert: IPsec VPN

ciscomoderator
Community Manager

With Marcin Latosiewicz

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on IPsec VPN with Cisco expert Marcin Latosiewicz, who will answer questions on the topic of best practices when implementing IPsec VPNs on IOS and ASA. Marcin Latosiewicz is a Customer Support Engineer at the Cisco Technical Assistance Center in Belgium, with over four years of experience with Cisco Security products and technologies including IPSec, VPN, internetworking appliances, network and systems security, internet services and Cisco networking equipment.

Remember to use the rating system to let Marcin know if you have received an adequate response. 

Marcin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through December 9th, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Marcin,

I have now got PFS enabled on the router as suggested yesterday:

crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel_to_xxxxxxxx
 set peer 19x.6x.21x.10x
 set transform-set VPN-xxxxx
 match address 107
 set pfs group2

So now PFS is enabled at both ends. Are you saying that if I disable PFS at both ends the tunnel should not time out?

Sean,

All I'm saying is that during rekey there was a problem with a mismatch of attributes ;-)

One of which I spotted was a discrepancy in PFS.

Will that give you stability? I don't know; I do not have a full view of the debugs and your network. I think it's a step in the right direction ;-)

Open up a case with TAC if you want us to analyse this properly.

Marcin

Marcin,

Thanks for the information on reverse route.

Quick question: is it normal that the site-to-site VPN can only be brought up from one direction?

Also, when I do a test of the tunnel using the CCP, I get an active connection but I get the error message stating:

"A ping with data size of this VPN interface MTU size and 'Do no Fragment' bit set to the other end VPN device is failing. Issue the command crypto ipsec df-bit clear under the VPN interface to avoid packets dropped due to fragmentation."

I added this command to the outside interface on each router but it didn't seem to make a difference.

Thanks,

Chris

Chris,

It's definitely not good that the tunnel establishes only one way. But consider that we need to have a route pointing through the crypto-enabled interface for the tunnel to be brought up.

When you bring it up from one side RRI kicks in and a route should be present for return traffic.

Some setups may benefit from the "reverse-route static" option; give it a try, it MAY resolve the problem (if routing is the only underlying problem).

As for what CCP is telling you, we never allow that option by default. It's a way to kill the performance of any network.

We suggest enabling it only in certain scenarios (big UDP packets - LWAPP for example).

For the majority of internet traffic, adjusting MSS on the LAN interface (ip tcp adjust-mss ... a decent value to start with is 1360) should be enough.

I think CCP is trying to perform a ping with the DF bit set and a packet size of 1500 - but it's hard to say, we almost never use CCP/SDM internally or for troubleshooting.

Marcin
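The MSS advice above follows from IPsec encapsulation overhead. The following added example (not from the thread and not Cisco code) computes that overhead for ESP tunnel mode, assuming a CBC cipher with HMAC-SHA1-96 since the thread does not give the transform set, and shows why 1360 is a safe starting MSS while the per-transform maximum is higher.

```python
# Added example (not from the thread): size an inner TCP/IP packet after ESP
# tunnel-mode encapsulation and derive the largest MSS that still fits the MTU.
# Assumption: ESP with a CBC cipher (3DES or AES) plus HMAC-SHA1-96, with or
# without NAT-T; the actual transform set in the thread is not given.

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
ICV_SHA1_96 = 12   # HMAC-SHA1-96 integrity check value
NAT_T_UDP = 8      # UDP header when NAT-T wraps ESP in UDP/4500
TCP_IP_HDRS = 40   # inner IPv4 (20) + TCP (20), no options assumed

# CBC block size, which is also the IV length for these ciphers
CIPHER_BLOCK = {"3des": 8, "aes": 16}


def esp_tunnel_size(inner_len, cipher="aes", nat_t=False):
    """Wire size of an inner IP packet of inner_len bytes after ESP tunnel mode."""
    block = CIPHER_BLOCK[cipher]
    # payload + trailer is padded up to a whole number of cipher blocks
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = OUTER_IP + ESP_HDR + block + padded + ICV_SHA1_96  # block == IV length
    if nat_t:
        size += NAT_T_UDP
    return size


def fits(mss, mtu=1500, cipher="aes", nat_t=False):
    """True if a full-size segment with this MSS fits the MTU after encapsulation."""
    return esp_tunnel_size(mss + TCP_IP_HDRS, cipher, nat_t) <= mtu


def max_mss(mtu=1500, cipher="aes", nat_t=False):
    """Largest MSS whose encapsulated segment does not exceed mtu (no DF drops)."""
    mss = mtu - TCP_IP_HDRS
    while not fits(mss, mtu, cipher, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    # 1360 leaves headroom for every combination; the exact ceiling is per transform.
    for cipher in ("3des", "aes"):
        for nat_t in (False, True):
            print(f"{cipher:4s} nat-t={nat_t!s:5s} max MSS={max_mss(1500, cipher, nat_t)}"
                  f"  1360 fits={fits(1360, 1500, cipher, nat_t)}")
```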

dianewalker
Level 1

Marcin,

Is there a way to calculate the throughput and evaluate performance on Cisco VPN client?  We are going to upgrade VPN appliances from VPN 3000 Concentrators to ASA 5510.

Thanks.

Diane

Diane,

I see several levels to this question.

1) The VPN client's throughput will depend on available CPU power (unlike almost all Cisco platforms, where we do encryption/decryption in a special hardware chip, the VPN client uses CPU power) and on path quality between the VPN client and the headend (i.e. packet drop, latency, maximum MTU).

We don't typically measure this, since the outcome will depend on factors external to VPN client itself.

You can probably tweak the performance by a few microseconds switching to aes from 3des, but it should not give a great benefit.

If you're really interested in taking a measurement, use iperf (it's free). Run two streams of UDP 1400 bytes (one in each direction) and see what rate you can achieve.

2) Since the ASA 5510 is a newer platform (than the VPN3k), I doubt you will hit any bottlenecks on the ASA's side after migration.

There is a more powerful crypto chip built in and way more CPU power to push traffic around.

Does that answer your question?

Marcin

P.S.

Cisco VPN client is going to be retired:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_eol_notices_list.html

Hi there Marcin,

Recently in our headquarters we have migrated the security appliance from SonicWall to Cisco (ASA5520); however, we're still working with SonicWalls in the offices. Since this migration we've started facing some VPN issues between the headquarters and each office separately. Every now and then some tunnels (usually we deliver 4 or 5 headquarters networks to those offices) go down and only get back up again when we connect to the office's side (SonicWall) and renegotiate the tunnel or force a ping to that certain network. This occurs usually late at night, when there is no one working in those offices. Note that we have a 24-hour NOC in the headquarters that monitors all the offices via SNMP and ping. We imagine that perhaps it could be some sort of timeout and/or key exchange; we've checked some documentation but nothing so far has helped us. Do you have some idea that could help us somehow?

Thank you!

Kleber

Hi Kleber,

Not knowing your settings and assuming some Cisco defaults it could be a problem during phase 1 rekey (86400 seconds is the default).

What I would also look into is whether by any chance you have a vpn idle timeout or vpn session timeout applied to your (what I assume are) LAN-to-LAN tunnels.

Check the logs on the ASA (we drop some logs at informational level) on failure.

If you feel like debugging - debug cry isakmp 127.

What I would suggest regardless is to open a TAC case; there are quite a few problems we have seen in the past with SonicWall.

Mostly smaller problems with (mis)configuration, but occasionally a bug (on either side).

We need more info :-)

HTH and GL,

Marcin

kslchiang
Level 1

Hi, Marcin.

I have two RV042s VPN-connected from different places. The VPN is up, and I can ping the RV042 from both sides. But I cannot reach/ping the computer behind the RV042.

I need to reach the shared folder from the remote computer behind RV042.

Thank you

K.Chiang

Hi Marcin,

I would like to know what is necessary in my Cisco IOS Easy VPN configuration in order to allow remote users access to more than one server on site B. I set up the Easy VPN configuration as you recommended with the DVTI; it started working, but I ran into this problem: remote users can initiate just one IP session with hosts of site B (just one NAT translation is available).

Traffic from site A to site B has to be NATted to an IP address in order to be allowed by the site B router. I set up the router in site A as described below:

ip nat pool REMOTO_SERVI 172.18.235.33 172.18.235.33 netmask 255.255.255.0

ip nat inside source route-map REMOTO_SERVI pool REMOTO_SERVI overload

access-list 105 permit ip 192.168.98.0 0.0.0.255 172.18.240.0 0.0.15.255

access-list 105 permit ip host 172.18.235.33 172.18.240.0 0.0.15.255

route-map REMOTO_SERVI permit 10

match ip address 105

Is this possible ?

This is the topology scheme:

Thanks in advance,

Dear sender,

I am currently out of office and have no access to mail or phone.

I will respond to your email on my return.

Best regards,

Mirza Alibasic

Alejandro,

(The Ask the Experts session finished a week back and I was not checking it.)

There should be no reason for only one session to be able to get through at a time (especially with NAT overload).

Although I should say line 2 in access-list 105 looks fishy; what's the reason for it?

Did you try specifying a bigger NAT pool to see if it would help?

M.


Hi Marcin,

Sorry, I didn't see that the session had already finished.

I changed the ACL as you and Mopaul told me, but the issue is still on. The weird thing is that whenever I try to establish sessions at night time (outside working hours) they work perfectly, without any problem; last night I could establish 3 sessions to 3 different hosts on site B.

But when I try during working hours, I can only establish one session, and sometimes not even one session.

Checking the NAT translation table, it shows 7 translations to site B and more or less one hundred translations to the internet. No NAT session-limiting command has been set in the router configuration.

When I check the NAT statistics it shows missed: 130 on the NAT to site B from remote users.

I really appreciate your help Marcin.

Thanks
