Site-To-Site VPN dropping packets

Ck1402
Level 1

Hello everyone,

 

I am dealing with a packet loss issue with a Site-to-Site VPN. This issue is causing havoc on the VoIP phone system.

Three Sites

Site A - HQ

Site B

Site C

 

A has a VPN tunnel to B and C

B and C are also connected by a VPN tunnel

The VPNs are IPsec using IKEv1

When I ping anything dealing with an outside IP (Google etc., or even the external IPs of the ASAs) there is no packet loss from any of the sites.

The moment I ping an internal IP from one of the other sites (it doesn't matter which site to which site) it will go good, then drop, then good, then drop many times in a row, then go good.

There is no repeatable pattern.

 

Site A - 5506

Site B - 5505

Site C - 5505


I have messed with the TCP options to increase the allowable packet size and that didn't help.

I have the DF bit set to Clear.

The interfaces are all set to full duplex and the appropriate speed.

Each of these firewalls is connected to an edge router that provides the SIP trunking.

Each location has fiber. This problem was occurring before the fiber.

The problem that is happening is that the VoIP appliances at each of the satellite sites are having excessive packet loss when connecting to the SIP server at the main site. According to the manufacturer the MTU has to be set to 1472 when over IPsec. I tried to set this in Firewall > Advanced > TCP Options.

I have tried 1380, 1472, and 1500.

None of them have helped at all.

I have contacted the ISP and checked to see if there were any issues and confirmed there were not.

I can ping the external IP on all the ASAs and there is 0 packet loss.

The moment I ping an internal IP at another site is when it occurs.

Any help would be much appreciated.

 

17 Replies

TJ-20933766
Spotlight

Have you looked at the logs? It appears that you are using the ASDM for management. Go to Monitoring > Logging > View and see if there is anything useful there?

[Screenshot: monitor.PNG]

Thank you for this.
I checked it and kept on getting this error:

ASA-4-313005: No Matching Connection for ICMP Error Message.

When I checked which IP address it was coming from, it was from the VoIP phones.

The VoIP provider has an upstream router connected, so I sent them that message.

Hi,

Try to ping between the public IPs of the sites, not the internal IPs. This will verify whether the problem is specific to the VPN or to the public internet between the sites.

Once you establish that, you can focus your troubleshooting.

**** please remember to rate useful posts

I have done this. Whenever I ping the public IP there is 0 packet loss. When I ping the internal IP there is.

Doing this seems to help some, but it is still not stable.

TJ-20933766
Spotlight

You mentioned that the topology is three locations all with VPNs between each other. Just brainstorming here, but is there a chance that this is a routing issue? For example, you may have a crypto ACL on site A's ASA that sends traffic for site C through site C's tunnel, which would be expected. But did you also use the same crypto ACL statements to send traffic destined for site C through site B's tunnel? Perhaps the thought was for redundancy? See the graphic for an example of what I mean:

[Screenshot: Route.PNG]

I feel like this could possibly explain why it works sometimes and other times it wouldn't. For example, sometimes the traffic goes the expected route, directly to the intended target site through the most efficient path, and other times through the other site (and may not even make it at all). I could be completely off base but thought I'd ask anyway.

Another option would be to run a packet capture, which can also be easily done through the ASDM. I'd capture on the INSIDE interface and the OUTSIDE interface. On the INSIDE interface capture, filter it down to just the remote internal IPs and see if you can spot any high number of retransmissions or anything out of the ordinary.
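As an added example (not code from this thread or from Cisco), the script below parses an ASA-style crypto map and its crypto ACLs and reports any two entries bound to different peers whose ACLs both match the same source/destination flow, which is the overlapping-crypto-ACL situation described above. The config excerpt, ACL names and peer addresses are constructed for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ASA-style config excerpt (not from the devices in this thread):
# VPN_TO_B wrongly includes site C's subnet (10.3.0.0/24) as well as site B's.
SAMPLE_CONFIG = """
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN_TO_B extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
access-list VPN_TO_C extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto map outside_map 10 match address VPN_TO_B
crypto map outside_map 10 set peer 198.51.100.2
crypto map outside_map 20 match address VPN_TO_C
crypto map outside_map 20 set peer 203.0.113.2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")

def parse(config):
    # acls: {acl_name: [(src_net, dst_net), ...]}; entries: {(map, seq): {"acl":..., "peer":...}}
    acls, entries = defaultdict(list), {}
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        m = MAP_RE.match(line.strip())
        if m:
            key = (m.group(1), int(m.group(2)))
            field = "acl" if m.group(3) == "match address" else "peer"
            entries.setdefault(key, {})[field] = m.group(4)
    return acls, entries

def find_overlaps(config):
    """List (seq_a, peer_a, seq_b, peer_b, src, dst) for each pair of entries in one crypto map,
    bound to different peers, whose ACLs both match a flow; the ASA uses the first match."""
    acls, entries = parse(config)
    items = sorted(entries.items())
    hits = []
    for i, ((map_a, seq_a), a) in enumerate(items):
        for (map_b, seq_b), b in items[i + 1:]:
            if map_a != map_b or a.get("peer") == b.get("peer"):
                continue
            for src_a, dst_a in acls.get(a.get("acl"), []):
                for src_b, dst_b in acls.get(b.get("acl"), []):
                    if src_a.overlaps(src_b) and dst_a.overlaps(dst_b):
                        hits.append((seq_a, a.get("peer"), seq_b, b.get("peer"), str(src_a), str(dst_a)))
    return hits
```

Run `find_overlaps` over the output of `show running-config` from each ASA; any hit means the lower sequence's peer silently takes traffic that the higher sequence's peer was meant to carry.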

I will have to look into this. It's quite possible this happened.

A little more background on this whole mess: I took this account over from a previous IT company, so I wasn't the one who set up the firewalls initially.

I have been half tempted to blow out the configuration at one site and build it fresh, but I would prefer not to do that, lol.

I have gone into the routing and the ACLs and cleaned up a bunch of the objects that were duplicated for no reason, etc.

Still no increase in performance.

One of the interesting things is this:

Site A - I can ping the external public IP address but not the internal private one (from sites B and C)

Site B - I can ping both (from sites A and C)

Site C - I can ping both (from sites A and B)

I am trying to get the settings on each of these firewalls as identical to each other as possible, with the exception of the object names.

There really isn't anything special that needs to be configured for them.

Sounds to me like site A's config needs to be evaluated a little closer. Try to get each site's config to more tightly resemble the others, paying particular attention to ACLs. Let me know if you find anything of interest.

Please look at my response below with the screenshots.

Thank you!