02-20-2014 06:26 PM - edited 02-21-2020 07:31 PM
Hi guys,
I've encountered a weird problem with my Cisco router IPsec VPN with another office terminating on a Palo Alto firewall. Both sides' Phase 1 and 2 configurations are similar:
Phase1
Encryption = aes256
Authentication = sha
group = 2
lifetime = 86400
Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Everything works fine and both ends have a 10Mbps internet pipe. Now users from the Palo Alto end always access a shared drive on the Cisco router end and can download files pretty fast without any problem. The problem starts when the users at the Palo Alto end start to upload files to the Cisco router shared drive. I notice the speed is pretty slow, only at max 1-2Mbps, very consistent! I have Cacti set up and, looking at the trend, uploading from the Palo Alto end is very consistent at 1Mbps-2Mbps and won't go higher! The internet pipe at the Palo Alto end is capable of uploading 10Mbps and I've tested this myself on speedtest.net. The speed of the upload on the Palo Alto end isn't the only problem: halfway through transferring a file from the Palo Alto end to the Cisco router end, all connections will drop for 5 secs suddenly and the file transfer times out. When I started noticing the drop, I did a ping test running from both ends while transferring a file from the Palo Alto side to the Cisco router side, and when the ping drops, that is when the file transfer also fails. It's not just ping from the shared drive on the Cisco router end to Palo Alto, but it's to everything. The connection dropped and the VPN stayed up at the same time.
Initially I thought the problem was with the ISP but they came back to me saying it's not their fault. I did the upload again from the Palo Alto end to the Cisco router end. I knew it was going to drop so I did 2 ping tests, one to the internal network and one to the Palo Alto public IP. I just wanted to see if the ping drops for the public IP end, but when the internal IP dropped, the public IP was still pinging. So it isn't the public IP problem and the VPN stays up. I did check the logs on both the Cisco router and the Palo Alto and there aren't any logs that indicate the problem. In fact the VPN was up!
Now I am running out of ideas. Could this be a problem on the Palo Alto end? I know that the problem only starts when I start uploading files from the Palo Alto end to the Cisco router, and there are 2 problems. One is that the upload speed is very consistent at 1-2Mbps max, which isn't the real pipe potential, and the other is that the file transfer will drop at any time if I upload files from the Palo Alto end, within the first minute of the transfer or 10 mins later. It is sure to drop. Other than that my internal network works fine, and so does downloading from the Palo Alto end.
Do you think I should play around with the MTU? The default is 1500, and if I do play around with the MTU, what number should I put on both ends? Any suggestion would be good. Thanks in advance.
02-20-2014 11:51 PM
OK, I tried adjusting the MTU down to 1360 and also the adjust-mss, but sad to say the problem still persists and the connection gets dropped while the VPN stays alive. Any ideas to try to overcome this?
03-31-2014 12:52 AM
I am experiencing the same problem. Did you manage to sort this out?
03-31-2014 01:27 AM
Well, I did solve the problem and it was a speed/duplex issue on the internet-facing side! I noticed this when I thought of changing the cables facing the internet, and it so happened that I saw the speed was on half. Changed that to full and now it's working like it should. That smallest mistake went unnoticed somehow!
Hope this will solve the same problem you're facing.
08-20-2014 09:56 AM
Same problem on a Palo Alto PA-3020. Same fix for me.