01-30-2021 09:47 PM
Hello everyone,
I am dealing with a packet loss issue with a site-to-site VPN; this issue is causing havoc on the VoIP phone system.
Three Sites
Site A - HQ
Site B
Site C
A has a vpn tunnel to B and C
B and C are also connected by a VPN tunnel.
The VPNs are IPsec using IKEv1.
When I ping anything with an outside IP (Google etc., or even the external IPs of the ASAs), there is no packet loss from any of the sites.
The moment I ping an internal IP from one of the other sites (it doesn't matter which site to which site), it will go good, then drop, then good, then drop many times in a row, then go good.
There is no repeatable pattern.
Site A - 5506
Site B - 5505
Site C - 5505
I have messed with the TCP options to increase the allowable packet size, and that didn't help.
I have the DF bit set to Clear.
The interfaces are all set to full duplex and the appropriate speed.
Each of these firewalls is connected to an edge router that provides the SIP trunking.
Each location has fiber. This problem was occurring before the fiber.
The problem that is happening is that the VoIP appliances at each of the satellite sites are having excessive packet loss when connecting to the SIP server at the main site. According to the manufacturer, the MTU has to be set to 1472 when over IPsec. I tried to set this in Firewall > Advanced > TCP Options.
I have tried 1380, 1472, and 1500.
None of them have helped at all.
I have contacted the ISP and checked to see if there were any issues, and confirmed there were not.
I can ping the external IP on all the ASAs and there is 0 packet loss.
The moment I ping an internal IP at another site is when it occurs.
Any help would be much appreciated.
01-31-2021 02:42 PM
I think I figured out the issue here.
Site A HQ
Site B
Site C
Both Site B and Site C S2S IPsec to only Site A; no issue there.
Site A is the issue.
You have one ISP interface and you configured IPsec for it; that is OK.
BUT
The issue is that you configured one ACL for both Site B and Site C.
Now when Site A wants to send traffic to Site B, it uses a different S2S tunnel, toward Site C, and the packets drop.
Solution: use two different ACLs, one for Site B and the other for Site C, and also use IPsec sequence numbers that match the ACL to the peer address.
crypto map MapName 1 match address AtoB
crypto map MapName 1 set peer B.B.B.B
crypto map MapName 2 match address AtoC
crypto map MapName 2 set peer C.C.C.C
The IPsec S2S config here in Site A is not identical to Site B and Site C.
01-31-2021 05:43 PM
Here are some screenshots I have taken. They are basically identical.
Site A - Aurora
Site B - Mantua
Site C - Streetsboro
I am not sure what I am missing, to be honest.
For some reason the packet loss is the worst with Site C overall.
01-31-2021 05:56 PM - edited 02-02-2021 07:56 AM
You cannot use any any instead of LAN Site A to LAN Site C or Site B;
this makes only one IPsec S2S tunnel build, not two, one for each branch.
Add object network for Site A, B, C and make new ACLs.
Sorry, I corrected my reply.
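Putting the two replies above together, here is an added example (not the original poster's configuration and not taken from the screenshots) of what the Site A crypto map looks like in the problematic shared-ACL form and in the corrected per-peer form. The LAN subnets (10.1.0.0/16 for Site A, 10.2.0.0/16 for Site B, 10.3.0.0/16 for Site C), the object, ACL and transform-set names, the placeholder peer addresses A.A.A.A / B.B.B.B / C.C.C.C and the pre-shared keys are all assumptions for illustration. It goes slightly beyond the replies in also showing the matching NAT exemption and the mirror-image ACL the remote peer needs; the same per-peer rule applies at Sites B and C, which also peer with each other.

```cisco
! ---------- Site A (HQ) ASA: problematic form ----------
! One catch-all ACL shared by both crypto map entries. Crypto map entries are
! evaluated in sequence order, so every outbound packet (including traffic for
! Site C) matches entry 1 and is steered toward peer B.B.B.B; entry 2 never
! matches. (Assumed names; shown only to contrast with the corrected form.)
!
! access-list VPN-ANY extended permit ip any any
! crypto map MapName 1 match address VPN-ANY
! crypto map MapName 1 set peer B.B.B.B
! crypto map MapName 2 match address VPN-ANY
! crypto map MapName 2 set peer C.C.C.C

! ---------- Site A (HQ) ASA: corrected per-peer form ----------
! Assumed LAN subnets: Site A 10.1.0.0/16, Site B 10.2.0.0/16, Site C 10.3.0.0/16
object network SITE-A-LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE-B-LAN
 subnet 10.2.0.0 255.255.0.0
object network SITE-C-LAN
 subnet 10.3.0.0 255.255.0.0

! One crypto ACL per peer, each limited to the two LANs that tunnel carries
access-list AtoB extended permit ip object SITE-A-LAN object SITE-B-LAN
access-list AtoC extended permit ip object SITE-A-LAN object SITE-C-LAN

! NAT exemption for the same pairs, so VPN traffic keeps its private addresses
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-B-LAN SITE-B-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SITE-A-LAN SITE-A-LAN destination static SITE-C-LAN SITE-C-LAN no-proxy-arp route-lookup

! IKEv1 phase 1 and phase 2 parameters (assumed; every peer must use the same)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Crypto map: sequence number, ACL and peer now line up one-to-one
crypto map MapName 1 match address AtoB
crypto map MapName 1 set peer B.B.B.B
crypto map MapName 1 set ikev1 transform-set ESP-AES256-SHA
crypto map MapName 2 match address AtoC
crypto map MapName 2 set peer C.C.C.C
crypto map MapName 2 set ikev1 transform-set ESP-AES256-SHA
crypto map MapName interface outside
crypto ikev1 enable outside

! One tunnel-group per peer with its own pre-shared key (placeholders)
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
 ikev1 pre-shared-key <psk-for-site-B>
tunnel-group C.C.C.C type ipsec-l2l
tunnel-group C.C.C.C ipsec-attributes
 ikev1 pre-shared-key <psk-for-site-C>

! ---------- Site B ASA: the crypto ACL must be the mirror image ----------
! (Site C is the same with SITE-C-LAN. Because B and C also peer with each
!  other, each of them needs a second, separate ACL and crypto map entry for
!  that peer, never a shared any-any ACL.)
object network SITE-A-LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE-B-LAN
 subnet 10.2.0.0 255.255.0.0
access-list BtoA extended permit ip object SITE-B-LAN object SITE-A-LAN
crypto map MapName 1 match address BtoA
crypto map MapName 1 set peer A.A.A.A
crypto map MapName 1 set ikev1 transform-set ESP-AES256-SHA
```

To confirm the fix took effect on Site A, `show crypto map` lists the entries in sequence order with their ACL and peer, and `show crypto ipsec sa peer B.B.B.B` / `show crypto ipsec sa peer C.C.C.C` should each show SAs whose local and remote identities are the two LAN subnets rather than 0.0.0.0/0. `packet-tracer input inside icmp 10.1.0.10 8 0 10.3.0.10` (addresses assumed) walks a simulated ping from the HQ LAN to the Site C LAN and shows which crypto map entry, and therefore which peer, it is encrypted toward.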