ASA -> 3020 Tunnel Losing Packets

dgoodridge · ‎06-27-2007

Hi,

I've got an ASA running a single context on 7.2(2) connecting via a web based VPN to a VPN3020 concentrator. Whilst the tunnel is up and reporting no errors, we are losing maybe 1 in 10 packets. The pattern isn't regular, with sometimes over a minute between losing packets and then dropping 3-4 on the trot.

The 3020 is terminating over 50 other VPNs with no issue.

The latency over the vpn is very very consistant at circa 110ms. I have increased the ICMP timeout to 5 seconds but the suspect packets are definately being dropped rather than delayed. There is no NAT'ing taking place.

The interface output on the ASA shows the number of drops increasing but no packet errors (i.e. CRC, Jumbo etc..)

Whilst I understand that traversing the internet can cause variable latency issues, I have never seen this many packets being dropped on a web VPN before.

Any ideas what to check or how to find out why the drop packet count on the ASA is increasing?

Thanks,

Doug

Report Inappropriate Content · ‎07-04-2007

You can configure the keepalive time interval, which is the frequency at which the Cisco IOS software sends messages to itself (Ethernet and Token Ring) or to the other end (serial and tunnel), to ensure that a network interface is alive. The interval is adjustable in 1-second increments down to 1 second. An interface is declared down after five update intervals have passed without receiving a keepalive packet unless the retry value is set higher. If you are running a Cisco IOS image prior to Cisco IOS Release 12.2(13)T, the default retry value is 3.