06-30-2010 11:23 PM
I have one ASA5520 and one ASA5505 in two different cities, A and B, and created a site-to-site VPN between them.
Recently the VPN performance became worse and worse; there are 10-20% packets lost when pinging from LAN A to LAN B.
But there is no problem at all if I ping from the 5520 external interface to the 5505 external interface.
I have replaced the 5505 with a new one and upgraded the software to the same version as the 5520, but no luck solving it,
and I also tried disconnecting LAN B and connecting only one laptop to the 5505; it's the same.
BTW, I have the same 5505 in city C, and it works perfectly.
Could this be a problem of the ISP in city B?
Thanks.
07-02-2010 03:36 AM
Hi Vincent
Have you tried checking the latency within your own LAN? From your LAN PC to the inside IP of the ASA; if you have any issues within your LAN it may result in packets getting lost inside your LAN itself.
If you are sure about LAN B, did you check the other LAN side, which is LAN A? Can you do a trace and check where you are seeing the spike in latency or drops?
If possible, post the outputs of the same here with your config.
Regards
07-03-2010 07:07 PM
Hi Spremkumar,
Thanks for your reply.
There is no latency at all if I ping the corresponding inside interface from LAN A or B.
Actually the ASA5520 in city A is the hub firewall; we have 2 more spoke ASA5505 firewalls in cities C and D, and all work fine.
If there were any latency in LAN A, all the other cities would be impacted, is that right?
And the trace from LAN A to LAN B has no drops, but the trace from outside interface A to B or B to A could not complete;
the drops appear in the city A ISP routers if I trace from B to A, and vice versa.
Thanks
07-04-2010 06:08 AM
Hi Vincent,
I think it would be a good idea to find out how bad your connectivity would be in a longer time frame (perhaps with smokeping (ip-sla)).
Make sure to check the TTL field at both sides.
07-04-2010 06:24 PM
Hi Gaston,
It seems the TTL is correct on both sides:
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=48ms TTL=127
Reply from 192.168.20.2: bytes=32 time=85ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=51ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
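The ping run above is short enough to eyeball, but the thread's whole diagnosis rests on comparing loss through the tunnel against loss on the outside path, and on the TTL check Gaston asked for. The script below is an added example, not code from the thread or from Cisco: it parses Windows-style ping output, reports loss percentage, RTT statistics and the set of TTL values seen, and compares a tunnelled run against an outside-interface run. The sample output is constructed to mirror the replies and timeouts posted above; `compare_runs` and its field names are my own.

```python
"""Summarise Windows-style ping output and compare two runs.

Added example for the thread above; not the poster's or Cisco's code.
Assumes the classic 'Reply from ...' / 'Request timed out.' line format.
"""
import re
import statistics

# Constructed sample: the tunnelled run (LAN A -> LAN B), 10 replies, 4 timeouts.
TUNNEL_RUN = """\
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=48ms TTL=127
Reply from 192.168.20.2: bytes=32 time=85ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=51ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
"""

# Constructed sample: outside interface to outside interface, no loss.
OUTSIDE_RUN = """\
Reply from 203.0.113.10: bytes=32 time=45ms TTL=250
Reply from 203.0.113.10: bytes=32 time=46ms TTL=250
Reply from 203.0.113.10: bytes=32 time=45ms TTL=250
Reply from 203.0.113.10: bytes=32 time=47ms TTL=250
"""

# Windows prints 'time<1ms' for sub-millisecond replies, hence the [=<].
REPLY_RE = re.compile(
    r"Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) time[=<](?P<rtt>\d+)ms TTL=(?P<ttl>\d+)"
)
TIMEOUT_RE = re.compile(r"Request timed out\.")


def parse_ping(text):
    """Return (list of reply dicts, number of timeouts)."""
    replies, timeouts = [], 0
    for line in text.splitlines():
        line = line.strip()
        m = REPLY_RE.match(line)
        if m:
            replies.append({"ip": m["ip"], "rtt": int(m["rtt"]), "ttl": int(m["ttl"])})
        elif TIMEOUT_RE.match(line):
            timeouts += 1
    return replies, timeouts


def summarize(text):
    """Loss percentage, RTT min/avg/max and the distinct TTLs seen."""
    replies, timeouts = parse_ping(text)
    sent = len(replies) + timeouts
    rtts = [r["rtt"] for r in replies]
    ttls = sorted({r["ttl"] for r in replies})
    return {
        "sent": sent,
        "received": len(replies),
        "lost": timeouts,
        "loss_pct": round(100.0 * timeouts / sent, 1) if sent else 0.0,
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": round(statistics.mean(rtts), 1) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "ttls": ttls,
        # A single TTL value means every reply took a path of the same length.
        "ttl_consistent": len(ttls) == 1,
    }


def compare_runs(tunnel_text, outside_text):
    """Flag the pattern from the thread: loss inside the tunnel, none outside."""
    t, o = summarize(tunnel_text), summarize(outside_text)
    return {
        "tunnel_loss_pct": t["loss_pct"],
        "outside_loss_pct": o["loss_pct"],
        "loss_only_in_tunnel": t["loss_pct"] > 0 and o["loss_pct"] == 0,
    }


if __name__ == "__main__":
    print(summarize(TUNNEL_RUN))
    print(compare_runs(TUNNEL_RUN, OUTSIDE_RUN))
```

Feed it longer runs (`ping -n 500` output saved to a file) to get the longer time frame Gaston suggests; a TTL set with more than one value, or a tunnelled loss figure that the outside run does not share, narrows the problem to the encapsulated path rather than the raw link.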
07-05-2010 10:13 AM
Hi Vincent,
If you look at the SA created for this tunnel, can you see any errors?
What if you source the traffic from the inside interface of the one ASA to the inside interface of the remote ASA?
What kind of traffic gets affected? Does UDP face the same issue?
If you place a capture on the ASA, do you see drops, retransmissions, among others?
Please also place a drop capture to isolate and analyze the issue from the ASA's standpoint.
One more thing: please place a capture on the outside interface of each ASA, in order to capture VPN traffic (you can decrypt it by using the pre-shared key). Let's send some traffic through the VPN tunnel; you should be able to see the packet leaving the ASA, and if you cannot see the packet arriving at the remote end, I would recommend you check with your ISP on this issue as well.
Please provide us with this information in order to figure out what might be causing the issue.
Thanks in advance for your cooperation.
Take care.
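Javier's last step, seeing a packet leave one ASA and never arrive at the other, does not actually require decrypting anything: the ESP header carries the SPI and a 32-bit sequence number in the clear, so packets from the two outside-interface captures can be matched on (SPI, sequence). The following is an added example, not from the thread or from Cisco. It assumes the captured packets have already been reduced to their raw ESP bytes (the part after the IP header, as any pcap library will hand you), and the two constructed captures below stand in for the ones Vincent attached.

```python
"""Correlate ESP packets seen leaving ASA A with those seen arriving at ASA B.

Added example for the thread above; not the poster's or Cisco's code.
Input is assumed to be the raw ESP bytes of each captured packet.
"""
import struct

# RFC 4303 ESP header: SPI (4 bytes) then sequence number (4 bytes), network order.
ESP_HEADER = struct.Struct("!II")


def esp_header(pkt: bytes):
    """Return (spi, seq) from the cleartext ESP header; payload stays opaque."""
    if len(pkt) < ESP_HEADER.size:
        raise ValueError("packet too short for an ESP header")
    return ESP_HEADER.unpack_from(pkt)


def make_esp(spi: int, seq: int, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed ESP packet for the sample captures below."""
    return ESP_HEADER.pack(spi, seq) + payload


def correlate(sent, received):
    """Compare a send-side capture with a receive-side capture.

    Returns the (spi, seq) pairs that left A but never reached B, any pairs
    that reached B without appearing in A's capture, and, per SPI, the
    sequence numbers missing between the lowest and highest received.
    """
    sent_keys = {esp_header(p) for p in sent}
    recv_keys = {esp_header(p) for p in received}
    lost = sorted(sent_keys - recv_keys)
    unexpected = sorted(recv_keys - sent_keys)

    by_spi = {}
    for spi, seq in recv_keys:
        by_spi.setdefault(spi, set()).add(seq)
    gaps = {}
    for spi, seqs in by_spi.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[spi] = missing

    loss_pct = round(100.0 * len(lost) / len(sent_keys), 1) if sent_keys else 0.0
    return {"lost": lost, "unexpected": unexpected, "gaps": gaps, "loss_pct": loss_pct}


# Constructed captures: A sends seq 1..10 on one SA; B's capture is missing 3 and 7.
SPI_A_TO_B = 0xC0FFEE01  # placeholder SPI, not from the thread
CAPTURE_A_OUTSIDE = [make_esp(SPI_A_TO_B, n) for n in range(1, 11)]
CAPTURE_B_OUTSIDE = [make_esp(SPI_A_TO_B, n) for n in range(1, 11) if n not in (3, 7)]

if __name__ == "__main__":
    report = correlate(CAPTURE_A_OUTSIDE, CAPTURE_B_OUTSIDE)
    for spi, seq in report["lost"]:
        print(f"SPI 0x{spi:08x} seq {seq}: left A, never seen at B")
    print(f"loss in transit: {report['loss_pct']}%")
```

If `lost` is non-empty while the drop capture on the ASA shows nothing for those packets, the loss happened between the two outside interfaces, which is the evidence Javier wants before going to the ISP. Sequence numbers are per SA and restart on rekey, so take both captures over the same interval and group by SPI, as the function does.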
07-05-2010 10:36 PM
Hi Javier,
Thanks for your reply.
Actually we only run Lotus Notes and Oracle ERP on this tunnel.
Attached are the captures from the two external interfaces.
Please help me analyze them, because I'm quite new to ASA config.
Thanks a lot.
07-06-2010 05:17 AM
Thanks for the information; however, the capture is not very useful in that format. Please create different captures for each different purpose.
One capture on the inside and another capture on the outside.
Then please point to the following URL in your browser, as if you were trying to access the ASDM:
07-12-2010 02:08 AM
Thanks to all who replied to me these days.
The problem has been solved; I changed the ISP and it works perfectly now.
07-12-2010 05:24 AM
Great!!!
It's good to hear good news.
I would like to invite you to post any other issue / question you might have in the future.
You can always count on us.
Take care.