Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
855
Views
0
Helpful
4
Replies

Problem with loss packets with VPN (hub-spoke)

jphvpichi
Level 1
Level 1

‎05-25-2015 06:52 AM

Hi,

I have an ASA 5515X (9.1.5), and a four 5505 (9.1.5) installed at different sites, i have configured a vpn from each of this 5505 to the 5515X,

but i did a dynamic configuration, so there is not a tunnel group config.. and no IP address for each site.

I have problems with packet loss in the VPNs, i have configured QoS in the hub ASA considering problems with bandwidth, yesterday i did some ping from one ASA 5505 and i got 99% of successful pings, so i don't think it has something to do with bandwidth...

Any ideas what is causing this, (perhaps changing MTU, or do i need static tunnel configs)

these are the configurations, the vpn is established from the spoke, everytime is needed..

Regards

 

Juan Pablo

Labels:
Preview file
11 KB
Preview file
5 KB
0 Helpful
4 Replies 4

Andres Villarroel
Level 1
Level 1

‎05-25-2015 01:11 PM

Hello

 

  * Try using the public interface of the ASA to make this test

  * Try sending ICMP traffic from you LAN to a public IP (e.g 8.8.8.8)

 

- Are the ASAs dropping this traffic? Try a "asp drop" capture

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html#anc13

ciscoasa# capture asp type asp-drop all

- What's the ICMP success rate to your local firewall in your LAN?

 

This questions can help you isolate where the drop is located.

 

0 Helpful

jphvpichi
Level 1
Level 1
In response to Andres Villarroel

‎05-25-2015 01:21 PM

Hi,

The test i did yesterday was 100% successful!!, from the internet to the outside IP interface.

I wasn't able to test from the LAN to the Internet (i will do it)

 

From the local lan to the ASA is 100% successful..

But when i connect through access vpn to a spoke site, then ssh connection to the ASA 5505 (spoke ASA) and did extended pings to the LAN at the hub site i got 98% successful pings..

I will do the capture... so i could know if the ASA is dropping this traffic..how could i realize that the asa is dropping the traffic?.

thanks for your help,

regards,

0 Helpful

Andres Villarroel
Level 1
Level 1
In response to jphvpichi

‎05-25-2015 01:32 PM

Hello jphvpichi,

 

ciscoasa# capture asp type asp-drop all
ciscoasa# show cap asp

 

The first command will configure the captures and the second one will show you the content of it.

If you see your traffic in this captures, it means that the ASA is dropping it. Check the previous link for more information.

 

UPDATE

 

By the way, when you mentioned that you tried from the internet to the outside. Was this traffic generated from outside to outside interfaces (between both ASAs)?

 

 

0 Helpful

jphvpichi
Level 1
Level 1
In response to Andres Villarroel

‎05-25-2015 01:32 PM

Hi alvillarroel,

thanks for your explanation!!, i forget to review the link,

I'll do the capture and let you know,

regards,

 

 

0 Helpful
Customers Also Viewed These Support Documents