IPSEC tunnel dropping packets.

Boleytech
Level 1

I have a VPN tunnel between an ASA 5506x and a Palo Alto PA220 firewall. The tunnel has been fine for the past 3 years it’s been up. Starting in July, the ASA started dropping packets. Anywhere between 5 and 11% drop. I contacted our ISP and had them run some troubleshooting on the line and modem. They found some trouble on the line and repaired it; we also replaced the ISP modem. We are still dropping packets on the inside going across the VPN tunnel. No packets are dropping across the ISP line. I replaced the ASA with a new 5506x. The ASA has a newer version of software than the old one. Restoring the config to the new ASA didn’t exactly take. I ended up manually reconfiguring the ASA. After doing all this, the site is still experiencing dropped packets. I worked on my NAT statements and the ASA calmed down and packet drop went to 1-3%. But when my employee does some internal work on a webserver, the packet drop picks back up to 5%+. Web sites start timing out. I can’t pin down exactly why. I’m not sure if it’s my NAT statements or an ACL that is dropping/blocking it. Attached is a copy of my running config. Any help is appreciated.

1 Reply

It is a bit tricky to troubleshoot this kind of issue, since a lot of factors could affect the flow. Did you check on the Palo Alto side? Maybe something on their end is causing this traffic to drop?
