
ipsec tunnel c7204vxr to c1941isr

mialbert
Level 1

I have a site-to-site IPsec tunnel between a c7204vxr and a c1941isr. The tunnel is established successfully, but I am noticing packet drops on the ingress to the c7204 from the c1941. Specifically, there is an SSL website being accessed that is behind the 1941. When a node behind the 7204 accesses it, 27 packets traverse successfully from the 7204 to the 1941. On the return, 38 packets are sent from the 1941 and only 21 make it to the 7204 (this is determined from tracking ACL hit counts placed on the inside interfaces of the 1941 and 7204). The log at the 7204 shows even fewer packets than that arrived (only two). The c7204 IOS does not have the ability for ip inspect log drop-pkt. The crypto ACL is a full IP ACL (access-list 105 permit ip <net> <mask> <net> <mask>). There are no other firewalls or NATting happening between the endpoints. I can ping nodes on both sides of the tunnel successfully with no loss or drops. A packet capture of the access attempt shows the node behind the 1941 continually sending TLS, SSL, and TCP packets to the node behind the 7204 without response. What other tools could be used to interrogate this?

1 Reply

Raja Periyasamy
Level 1

Try doing an Embedded Packet Capture for ESP packets on the WAN interfaces of the routers and do a ping test. Use ICMP packets of a specific size, then extract the captures and check for the packets that are a little bigger than the size of the packets you have sent.

Then you can count them to see if all the packets of that size are being received. If the count is less, then there is ESP packet loss on the ISP path.
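The counting step of the reply, as an added example that is not part of the original thread: once the two WAN-side captures have been exported, this script parses both pcap files, keeps only ESP (IP protocol 50) packets between the two tunnel endpoints whose outer length falls in the "probe size plus ESP overhead" window, and compares what left the sending router with what arrived at the receiving one. Because the SPI and sequence number are cleartext in the ESP header, it can also name the exact sequence numbers that went missing, which is stronger evidence than a bare count. The endpoint addresses, the SPI, the probe size, the assumed ESP overhead (AES-CBC with a 16-byte IV and a 12-byte ICV) and the embedded captures are all constructed here for illustration; on a real case, replace TX_PCAP and RX_PCAP with the bytes of the exported capture files.

```python
import socket
import struct

ESP_PROTO = 50            # IP protocol number for ESP (RFC 4303)
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic libpcap file (constructed test data)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = []
    for i, frame in enumerate(frames):
        records.append(struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)))
        records.append(frame)
    return header + b"".join(records)


def build_ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header + payload. Checksums are left zero; the parser ignores them."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_esp_frame(src, dst, spi, seq, inner_len):
    """Tunnel-mode ESP packet carrying an inner IP datagram of inner_len bytes.
    Assumed overhead: 8-byte ESP header, 16-byte IV, padding to a 16-byte block,
    2-byte trailer, 12-byte ICV (typical AES-CBC + HMAC-SHA1-96 transform set)."""
    pad = (-(inner_len + 2)) % 16
    body = b"\x00" * (16 + inner_len + pad + 2 + 12)
    return build_ipv4_frame(src, dst, ESP_PROTO, struct.pack("!II", spi, seq) + body)


def iter_frames(pcap):
    """Yield raw frames from a classic pcap file in either byte order."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC_LE else ">"
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_esp(frame):
    """Return (src, dst, outer_ip_len, spi, seq) for an IPv4 ESP frame, else None.
    SPI and sequence number are not encrypted, so no keys are needed to read them."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != ESP_PROTO or len(ip) < ihl + 8:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    spi, seq = struct.unpack("!II", ip[ihl:ihl + 8])
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), total_len, spi, seq)


def esp_seqs_in_window(pcap, src, dst, min_len, max_len):
    """Sequence numbers per SPI for src->dst ESP packets whose outer length is in [min_len, max_len]."""
    seqs = {}
    for frame in iter_frames(pcap):
        p = parse_esp(frame)
        if p and p[0] == src and p[1] == dst and min_len <= p[2] <= max_len:
            seqs.setdefault(p[3], set()).add(p[4])
    return seqs


def compare_captures(tx_pcap, rx_pcap, src, dst, probe_len, max_overhead=100):
    """Compare probe-sized ESP packets leaving the sender with those arriving at the receiver.
    probe_len is the inner datagram size of the ping; the ESP packet is 'a little bigger',
    so the window is [probe_len, probe_len + max_overhead]."""
    tx = esp_seqs_in_window(tx_pcap, src, dst, probe_len, probe_len + max_overhead)
    rx = esp_seqs_in_window(rx_pcap, src, dst, probe_len, probe_len + max_overhead)
    report = {}
    for spi, sent in tx.items():
        received = rx.get(spi, set())
        report[spi] = {"sent": len(sent), "received": len(sent & received),
                       "missing_seq": sorted(sent - received)}
    return report


# Constructed captures (hypothetical addresses and SPI): 10 probe-sized ESP packets leave the
# 1941 WAN interface; the 7204 WAN capture is missing sequence numbers 4 and 7.
SENDER, RECEIVER, SPI = "203.0.113.10", "198.51.100.20", 0xC0FFEE01
PROBE_LEN = 1000  # inner IP datagram size used for the ping test (assumed)
_noise = [build_esp_frame(SENDER, RECEIVER, SPI, 100 + i, 120) for i in range(3)]   # small ESP, ignored
_noise.append(build_ipv4_frame(SENDER, RECEIVER, 1, b"\x08\x00" + b"\x00" * 30))  # cleartext ICMP, ignored
TX_PCAP = build_pcap(_noise + [build_esp_frame(SENDER, RECEIVER, SPI, s, PROBE_LEN) for s in range(1, 11)])
RX_PCAP = build_pcap(_noise + [build_esp_frame(SENDER, RECEIVER, SPI, s, PROBE_LEN) for s in (1, 2, 3, 5, 6, 8, 9, 10)])


def loss_report():
    return compare_captures(TX_PCAP, RX_PCAP, SENDER, RECEIVER, PROBE_LEN)


if __name__ == "__main__":
    for spi, r in loss_report().items():
        print(f"SPI 0x{spi:08x}: sent {r['sent']}, received {r['received']}, missing seq {r['missing_seq']}")
```

A sequence-number gap that shows up only in the receiving router's capture, while the sending router's capture is complete, places the loss on the path between the two WAN interfaces rather than inside either router; if both captures already show the gap, look at the sending router's crypto engine and interface counters instead.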