Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3027
Views
0
Helpful
2
Replies

VPN Lan-to-Lan intermittent ping timeout

hfma_hk09
Level 1
Level 1

‎07-24-2009 01:56 AM

Hi experts, I found my L2L setting which configuration between VPN concentrator and Pix has intermittent ping timeout (20% ping timeout) problem.

I have.

Here is the network topology:

10.0.0.0/24 <=> VPN Concentrator <=> Internet <=> PIX <=> 20.0.0.0/24

- Already check the connection is ok between the concetrator & pix is ok (no packet loss).

- Ping from 10.0.0.10 to 20.0.0.80, there is around 20% packet loss

- The MTU for both devices are set to 1500

Do any expert has idea for this? Does it related to packet fragmentation issue?

Please advice...

Labels:
0 Helpful
2 Replies 2

Kevin Redmon
Cisco Employee
Cisco Employee

‎08-05-2009 05:59 PM

There are a number of different things that could be causing the packet loss. Being the fact that this is a connectionless (UDP/ICMP versus TCP) protocol going over the internet, you must be willing to endure a certain level of packet loss.

ICMP is a great tool to use when troubleshooting IPSEC tunnels. To determine what is causing the packet-loss, here is one idea to consider to troubleshoot where the packet loss is:

1.) Configure a host-to-host cryptomap containing only a single host on one end with the destination being a single host on the remote end.

2.) Ensure that the 'encaps' and 'decaps' for the relevant Phase-2 tunnel on either end indicate zero for the host-to-host tunnel. You can clear these counters via 'clear cry ipsec sa counters'. You will need to clear these counters on both ends of the tunnel.

3.) Ping from A-to-B for the first part of this test - we'll repeat this later from B-to-A. Set the pings up for 10,000 packets and, for the sake of time for completing the test, a timeout of 0 seconds. Extended pings from a Cisco Router works quite well.

4.) After the pings have completed, gather the output of 'show cry ipsec sa peer | include caps|peer|ident'. This will give you a condensed view of the critical counters for this test - along with the endpoints. From the sending end, encaps imply the outbound Ping Requests sent and decaps imply the outbound Ping Replies Received. As ICMP packets are significantly small, these should equal one-to-one on each end. You may see a number of Ping Requests lost in transit from A-to-B and possibly a number of packets lost in the Reply from B-to-A.

When comparing these counters, if the packets are indeed being lost on the Internet, unfortunately you will not be able to do anything to correct that. If you have access to any upstream routers, you can monitor host-to-host access-list counters to determine where other packet losses are happening - if found, confirm speed/duplex and link saturation to determine why.

Best of luck in your troulbeshooting.

0 Helpful

hfma_hk09
Level 1
Level 1
In response to Kevin Redmon

‎08-06-2009 10:35 PM

Hi Kredmon,

Thanks for you great idea. But actually the VPN is using by our users, so we are unable to setup host-to-host setting. But in the other side, I have checked the Internet connection which from my local to the remote peer, the ping result is ok when I found the ping test for L2L is fail

VPN Con <=> Router <=> Internet <=> Pix

I have tried to ping from Router public interface to Pix public internet, the ping test has no dropped packets.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents