Slow and unreliable L2L VPN connection

PetriSignal
Level 1

Hi,

A customer is running an ASA5505 and they have a cloud server behind a site-to-site VPN tunnel. They are complaining that FTP transfers are very slow (3-4MB) and the connection goes down very often. They are transferring large (3-6GB) back-up files and the ISP connection is 100MB fiber.

The problem is not the speed, but that FTP fails to transfer the backups. I recommended to drop MTU size from 1500 to 1430 from the server side, but it didn't seem to help. What to do, what to do?

Basic info about the tunnel:

P1 Diffie: Group5

P1 Enc: 3DES

P1 Auth: SHA-1

P1 Lifetime: 28000

P2 PFS: No PFS

P2 Enc: AES256

P2 Auth: SHA-1

P2 ESP AH: ESP

P2 Lifetime: 28000

Thank you,

Petri


hobbe
Level 7

Hi

What do the logs tell you?

Is it the tunnel that fails?

Is it ONLY the FTP transfer that fails?

What does the FTP log tell you?

Good luck

HTH

Hi,

Finally got a syslog server into the customer's network. It seems that the tunnel goes down, not the FTP. Only the following errors appear:

May 23 2012 10:46:27: %ASA-3-713902: Group = 83.145.28.240, IP = 83.145.28.240, QM FSM error (P2 struct &0xd5381030, mess id 0xf3edce72)!

May 23 2012 10:46:27: %ASA-3-713902: Group = 83.145.28.240, IP = 83.145.28.240, Removing peer from correlator table failed, no match!

Any comments?

At the other end of the tunnel is a WatchGuard fw. We are using an ASA5505 (v.8.2(5)).

Br,

Petri

I usually find that QM FSM errors are related to a mismatch in security settings, either subnet masks not matching up or in the crypto options configured.

It's also possible that the performance issue is caused by "inspect" rules. I remember having to adjust some of the default inspect rules (or straight up turn them off in some cases) in order to get things moving quickly.

Hi

The error message indicates that there is a configuration error between the two units.

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4776471

Error Message    %ASA-3-713902 descriptive_event_string

Explanation    This syslog message could have several possible text strings describing an error. This may be the result of a configuration error either on the headend or remote access client.

Recommended Action    It might be necessary to troubleshoot the configuration to determine the cause of the error. Check the ISAKMP and crypto map configuration on both peers.

Ask the remote end to give you the details and write them down.

Take your details and write them down.

Now compare the two notes.

Good luck

HTH
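
The side-by-side comparison suggested in the last reply, as an added example that is not part of the original thread: it parses two parameter sheets in the `Key: value` layout of the first post, normalizes vendor spelling, and reports only real differences. The Site A crypto values are those from the first post; the subnet lines, the whole Site B sheet, and the function names are constructed for illustration.

```python
import ipaddress
import re
# Site A: crypto values from the first post; the two subnet lines are constructed.
SITE_A = """P1 Diffie: Group5
P1 Enc: 3DES
P1 Auth: SHA-1
P1 Lifetime: 28000
P2 PFS: No PFS
P2 Enc: AES256
P2 Auth: SHA-1
P2 ESP AH: ESP
P2 Lifetime: 28000
Site A subnet: 10.1.0.0 255.255.255.0
Site B subnet: 10.2.0.0 255.255.255.0"""
# Site B: constructed sheet in a different spelling, with two real differences.
SITE_B = """P1 Diffie: DH Group 5
P1 Enc: 3des
P1 Auth: SHA1
P1 Lifetime: 28000 sec
P2 PFS: Group 2
P2 Enc: AES-256
p2 auth: sha1
P2 ESP AH: ESP
P2 Lifetime: 28000
Site A subnet: 10.1.0.0/24
Site B subnet: 10.2.0.0/16"""

def parse_sheet(text):
    """Parse 'Key: value' lines into {key-without-spaces: value}."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {re.sub(r"\s+", "", k.lower()): v.strip() for k, v in pairs}

def normalize(key, value):
    """Reduce spelling differences to one comparable form per parameter."""
    if "subnet" in key:  # '10.1.0.0/24' and '10.1.0.0 255.255.255.0' are equal
        return str(ipaddress.ip_network("/".join(value.split()), strict=False))
    v = re.sub(r"[\s_-]", "", value.lower())  # 'SHA-1' -> 'sha1'
    if "diffie" in key or "lifetime" in key:
        return re.sub(r"\D", "", v)  # 'DH Group 5' -> '5', '28000 sec' -> '28000'
    if "pfs" in key and v in ("nopfs", "no", "none", "disabled"):
        return "none"
    return v

def mismatches(a_text, b_text):
    """Return {key: (site_a, site_b)} for each parameter that differs or is missing."""
    a, b = parse_sheet(a_text), parse_sheet(b_text)
    norm = lambda sheet, k: normalize(k, sheet[k]) if k in sheet else None
    return {k: (norm(a, k), norm(b, k)) for k in sorted(set(a) | set(b))
            if norm(a, k) != norm(b, k)}
```

Calling `mismatches(SITE_A, SITE_B)` on the constructed sheets flags only the PFS setting and the Site B subnet mask; the spelling differences in the other lines are treated as equal.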