Also, what's on ACL 102 and what is your IP Pool and NAT 0 ACL?

Hmm interesting point on the "no crypto isakmp nat-traversal" thats not in my base config so must have been default in the PIX.

Have enabled and things look a little more stable from my test client, but then they have been more stable in the last hour or so anyhow!

ACL, IP Pool and NAT 0 detail below:

access-list 101 extended permit ip 192.168.1.0 255.255.255.0 dev-vpn-pool 255.255.255.0

access-list 102 extended permit udp dev-vpn-pool 255.255.255.0 192.168.1.0 255.255.255.0 eq domain

access-list 102 extended permit tcp dev-vpn-pool 255.255.255.0 192.168.1.0 255.255.255.0 eq ftp

access-list 102 extended permit tcp dev-vpn-pool 255.255.255.0 192.168.1.0 255.255.255.0 eq www

access-list 102 extended permit tcp dev-vpn-pool 255.255.255.0 192.168.1.0 255.255.255.0 eq 3389

access-list 102 extended permit icmp dev-vpn-pool 255.255.255.0 192.168.1.0 255.255.255.0

!

ip local pool dev-vpn-pool 192.168.10.1-192.168.10.62

!

global (outside) 1 interface

nat (inside-inf) 0 access-list 101

nat (inside-inf) 1 0.0.0.0 0.0.0.0

Ride on

Lets hope it stays stable then .

I can remember what the default is for NAT-T.

Nope back to being a pain again.

Just had an hour or so where pings were consistently less than 300ms with few drops.

Now its back to 2000+ms round trip time with packets being dropped all the time

Obviously this could be just network conditions (bandwidth/utilisation of the internet link the VPN is hanging off) but I can't imagine there will be much going on at the moment (nearly midnight in UK)........

Ok then, from a VPN client connected to the ASA start a continuos ping to host on the inside. From another host (hopefully from the same network as the first one, or same Internet connection) start a ping to the outside interface of the ASA.  (you could this from the same host but you would need to enable split tunneling for the VPN client).

If both pings get drops then and high response times then the problem is indeed the Internet Link. If you get fast response times from the ASA public's IP address but slow responses from the internal host then the ASA/VPN config needs to be looked at .

Ping is blocked to the PIX hosting the VPN by an inter-mediate firewall between it and the outside world (which is configured to pass the VPN traffic before anyone asks ).

I have therfore from the same LAN with two clients setup:

> Constant ping to internet router at the site (perfect, sub 40ms at all times)

> VPN connection + constant ping to internal host (useless, high latency and packet loss)

So looks like its either:

a) PIX configuration (which is above so if anyone can spot errors please shout)

b) Network/Firewall between internet router and VPN PIX (will speak to the admin of this in the morning)

Thanks for all the suggestions thus far.....

As the last tests I would try removing the filter, just to rule it out as posible problem and try again.

Also, you could try reducing the TCP MSS size however it's kind of weird that your pings are that slow (plus ICMP will not be affected by the TCP MSS, only your TCP apps)

sysopt connection tcp-mss 1200 

Your VPN config looks good, so I would check the rest of the path. 

OK have found the source of the problem - QoS.....

We'd been told this development environment couldn't use more than 2Mbps of the shared internet link so I'd applied a QoS policy to the outside interface of the PIX (shape average etc).

Removing this and the pings immediately dropped to sub 40ms and consistent!!!

So now off to go and re-read the Cisco papers on PIX QoS

Hrm Interesting but yeah that definetely explains why.

I have very little experience with QoS, but I do have this doc that might help:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a008084de0c.shtml

Sorry, I wish I could help more .

Good luck!

Luis,

Got it sorted now (thanks for all the suggestions along the way).

Had missed a 0 off the end of the QoS burst bandwidth - doh!

So instead of being 2048Kbps with 256Kbps burst it was 2048Kbps with 25.6Kbps burst.

As soon as I increased the burst figure everything was happy!

Thanks
Mike