cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1590
Views
0
Helpful
5
Replies

IPSec Tunnel Random Packet Drops

amjadkhan1920
Level 1
Level 1

dear all,

i am facing problem with IPSEC tuneel the traffic between interest( private ip ) is dropping due to this dropping my remote desktop and data transfer is not able to success  while from remote pc to internet there is no drops but from HO to branch huge drops 

 

2nd once i connect remote router through lan ip (10.64.77.10) my session suddenly disappear with in few second  while through public ip 91.x.x.x there is no issue 

5 Replies 5

check the cpu and memory of both devices. Also, it can be the internet
routing between the sites.

dear ,

 

i checked every thing there is no cpu utilization and the traffic between internet and branch is fine i make split tunnel 

dear ,

 

i resolve the issue thanks 

 

the problem was with PFS on my head office asa we enable pfs while branch side there is no PFS so i enable on branch its working now 

Just to add for other what is PFS.

 

"In the first quick mode packet, the initiator sends the identity information, IPSec SA proposal, Nonce payload, and the optional Key Exchange (KE) payload in case Perfect Forward Secrecy (PFS) is used


Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the security Cisco ASA generates a new set of keys which is used during the IPSec Phase 2 negotiations. Without PFS, the Cisco ASA uses Phase 1 keys during the Phase 2 negotiations. The Cisco ASA uses Diffie-Hellman group 1, 2, 5, and 7 for PFS to generate the keys. Diffie-Hellman group 1 uses 768-bits modulus size to generate the keys, while group 2 uses 1024-bits and group 5 uses a 1536 bits modulus size. Group 7, where the elliptical curve field size is 163 bits, is designed for the faster computation of keys usually used by the handheld PCs. Group 5 is the most secure technique but requires more processing overhead. The syntax to configure PFS is


crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}


it is Optional Command"

 

Reference https://community.cisco.com/t5/vpn-and-anyconnect/do-i-need-to-use-pfs-on-asa-vpn-s/td-p/1129831

please do not forget to rate.

dear i know this is for hopping key but once i put the pfs on my branch i found my connection reliable i dont know how ??? 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: