Lost packet over Site to Site vpn tunnel, why?

davidwu2007
Level 1

I have replaced the cables and the Cisco ASA 5505, but I still lose packets when I ping a PC on the other end of the site-to-site IPsec VPN tunnel. Can someone tell me if this is related to the configuration of the Cisco ASAs or to other networking problems? Thanks

Here is the ping result:

Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=86ms TTL=99
Reply from 192.168.1.3: bytes=32 time=89ms TTL=99
Reply from 192.168.1.3: bytes=32 time=95ms TTL=99
Reply from 192.168.1.3: bytes=32 time=96ms TTL=99
Reply from 192.168.1.3: bytes=32 time=53ms TTL=99
Ping statistics for 192.168.1.3:
    Packets: Sent = 5, Received = 5, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 53ms, Maximum = 96ms, Average = 83ms

Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.1.3: bytes=32 time=84ms TTL=99
Reply from 192.168.1.3: bytes=32 time=88ms TTL=99
Reply from 192.168.1.3: bytes=32 time=100ms TTL=99
Ping statistics for 192.168.1.3:
    Packets: Sent = 5, Received = 3, Lost = 2 (40% loss),
Approximate round trip times in milli-seconds:
    Minimum = 84ms, Maximum = 100ms, Average = 90ms

5 Replies

Jon Marshall
Hall of Fame

David

Are the 2 pings done straight after each other? Bear in mind that if the tunnel is down you will lose some packets while the tunnel is brought up, as IPsec can take a while to negotiate and set up the tunnel.

Once the tunnel is up though, you should not be losing any packets.

Jon

Yes Jon, the two pings are straight after each other.

I created a ping batch utility that pings every 5 seconds.

I received about 10 "request timeout" results in one hour.

Strangely the VPN tunnel is up all the time.

Thanks,

David
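
Added example, not part of the original thread or any poster's code: a Python sketch that parses Windows ping output like the runs quoted in the question and separates timeouts seen before the first reply, which tunnel negotiation would explain, from timeouts seen after replies have already flowed, which it would not. The sample input is constructed from the two runs in the question, and the function names are hypothetical.

```python
import re
from itertools import groupby

# Constructed input: the two ping runs quoted in the question, run back to back.
SAMPLE = """\
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=86ms TTL=99
Reply from 192.168.1.3: bytes=32 time=89ms TTL=99
Reply from 192.168.1.3: bytes=32 time=95ms TTL=99
Reply from 192.168.1.3: bytes=32 time=96ms TTL=99
Reply from 192.168.1.3: bytes=32 time=53ms TTL=99
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.1.3: bytes=32 time=84ms TTL=99
Reply from 192.168.1.3: bytes=32 time=88ms TTL=99
Reply from 192.168.1.3: bytes=32 time=100ms TTL=99
"""

REPLY = re.compile(r"Reply from \S+ bytes=\d+ time[=<](\d+)ms")

def timeline(text):
    """Return one entry per probe, in order: RTT in ms, or None for a timeout."""
    probes = []
    for line in text.splitlines():
        line = line.strip()
        m = REPLY.match(line)
        if m:
            probes.append(int(m.group(1)))
        elif line == "Request timed out.":
            probes.append(None)
    return probes

def summarize(probes):
    """Split timeouts into those before the first reply and those after it."""
    first_ok = next((i for i, p in enumerate(probes) if p is not None), len(probes))
    bursts = [
        len(list(g)) for lost, g in groupby(probes[first_ok:], key=lambda p: p is None) if lost
    ]
    return {
        "sent": len(probes),
        "lost_before_first_reply": first_ok,    # consistent with tunnel negotiation
        "lost_after_first_reply": sum(bursts),  # not explained by tunnel bring-up
        "bursts": bursts,                       # lengths of consecutive timeouts
    }

if __name__ == "__main__":
    print(summarize(timeline(SAMPLE)))
```

On the quoted runs both timeouts fall after five successful replies, so they land in `lost_after_first_reply` as a single burst of two.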

Hi Dave,

What about pings to the WAN interface of the VPN device at the other end?

Do they drop?

If we see any drops there, it means the problem is with the internet link to the remote site.


If not, we could apply captures and move forward.

Cheers,

Nash.

Hi Avinash,

That is a good idea.  I will try it to see how it goes.

Thanks,

David

Ping (ICMP) to the WAN IP of the VPN device on the other side is disabled for security reasons, so how can we verify whether we are getting drops to the remote side's WAN IP?
