06-10-2019 11:58 PM - edited 02-21-2020 09:40 PM
Dear all,
I am facing a problem with an IPsec tunnel: the traffic between the interesting (private IP) subnets is dropping. Due to these drops my remote desktop and data transfers cannot succeed. From the remote PC to the internet there are no drops, but from HO to the branch there are huge drops.
Second, once I connect to the remote router through the LAN IP (10.64.77.10) my session suddenly disappears within a few seconds, while through the public IP 91.x.x.x there is no issue.
06-11-2019 12:33 AM
06-11-2019 01:43 AM
Dear,
I checked everything. There is no CPU utilization problem and the traffic between the internet and the branch is fine; I have configured split tunneling.
06-11-2019 11:44 PM
Dear,
I resolved the issue, thanks.
The problem was with PFS on my head office ASA: we had PFS enabled there while on the branch side there was no PFS. I enabled it on the branch and it is working now.
06-12-2019 01:33 AM
Just to add, for others, what PFS is.
"In the first quick mode packet, the initiator sends the identity information, IPsec SA proposal, Nonce payload, and the optional Key Exchange (KE) payload in case Perfect Forward Secrecy (PFS) is used.
Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the Cisco ASA generates a new set of keys which is used during the IPsec Phase 2 negotiations. Without PFS, the Cisco ASA uses the Phase 1 keys during the Phase 2 negotiations. The Cisco ASA uses Diffie-Hellman groups 1, 2, 5, and 7 for PFS to generate the keys. Diffie-Hellman group 1 uses a 768-bit modulus size to generate the keys, while group 2 uses 1024 bits and group 5 uses a 1536-bit modulus size. Group 7, where the elliptic curve field size is 163 bits, is designed for faster computation of keys and is usually used by handheld PCs. Group 5 is the most secure technique but requires more processing overhead. The syntax to configure PFS is
crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}
It is an optional command."
Reference https://community.cisco.com/t5/vpn-and-anyconnect/do-i-need-to-use-pfs-on-asa-vpn-s/td-p/1129831
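As an added illustration of the mismatch described in this thread (not configuration taken from the original posts or from the Cisco reference), the fragment below shows an ASA crypto map entry with PFS on one peer and without it on the other, then the one-line fix and the commands to check it. The map name `outside_map`, the ACL names, the transform-set name and the peer addresses (from the RFC 5737 documentation ranges) are placeholders. Group 5 is used to match the quoted reference; on current ASA releases group 14 or higher is the better choice, since groups 1 and 2 use 768- and 1024-bit moduli. The practical check is that the `set pfs` line, including the group, must be identical on both peers: a mismatch commonly shows up as a tunnel that comes up when one side initiates but drops or fails to rekey when the other side does, which matches the intermittent behaviour reported above.

```cisco
! Added example, not from the original thread. Names and addresses are placeholders.
!
! --- Mismatched state (produces the symptom from the thread) ---
!
! Head office ASA: PFS enabled on the crypto map entry
crypto map outside_map 10 match address HO_TO_BRANCH
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set pfs group5
!
! Branch ASA: same entry but no "set pfs" line at all
crypto map outside_map 10 match address BRANCH_TO_HO
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
!
! --- Fix: add the identical PFS group on the branch ASA ---
crypto map outside_map 10 set pfs group5
!
! --- Verify on both peers ---
! Both should print the same "set pfs group5" line for entry 10
show running-config crypto map | include pfs
! Phase 2 SA should stay up and both encaps/decaps counters should increase
show crypto ipsec sa peer 203.0.113.2
! If Phase 2 still fails, watch the quick mode exchange for the rejected proposal
debug crypto ikev1 127
```

Apply the change during a maintenance window: modifying a crypto map entry tears down the existing IPsec SAs for that peer, so expect a brief drop while the tunnel renegotiates.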
06-12-2019 02:07 AM
Dear, I know this is for hopping keys, but once I put PFS on my branch I found my connection reliable. I don't know how???