site to site vpn problem

Unanswered Question
Jun 30th, 2010

I have one ASA 5520 and one ASA 5505 in two different cities, A and B, and have created a site-to-site VPN between them.

Recently the VPN performance has become worse and worse; there is 10-20% packet loss when pinging from LAN A to LAN B.

But there is no problem at all if I ping from the 5520 external interface to the 5505 external interface.

I have swapped in a new 5505 and upgraded the software to the same version as the 5520, but that did not solve it.

I also tried disconnecting LAN B and connecting only one laptop to the 5505; it's the same.

BTW, I have the same 5505 in city C, and it works perfectly.

Could this be a problem with the ISP in city B?

Thanks.

spremkumar Fri, 07/02/2010 - 03:36

Hi Vincent

Have you tried checking the latency within your own LAN, from your LAN PC to the inside IP of the ASA? If you have any issues within your LAN, it may result in packets getting lost inside your LAN itself.

If you are sure about LAN B, did you check the other LAN side, which is LAN A? Can you do a trace and check where you are seeing the spike in latency or drops?

If possible, post the outputs here with your config.

Regards

vincentzou Sat, 07/03/2010 - 19:07

Hi Spremkumar,

Thanks for your reply.

There is no latency if I ping the corresponding inside interface from LAN A or B.

Actually, the ASA 5520 in city A is the hub firewall; we have 2 more spoke ASA 5505 firewalls in cities C and D, and all work fine.

If there were any latency in LAN A, all the other cities would be impacted, is that right?

The trace from LAN A to LAN B has no drops, but the trace from outside interface A to B, or B to A, could not complete.

The drops appear in the city A ISP's routers if I trace from B to A, and vice versa.

Thanks.

Gaston Bougie Sun, 07/04/2010 - 06:08

Hi Vincent,

I think it would be a good idea to find out how bad your connectivity is over a longer time frame (perhaps with SmokePing, or IP SLA).

Make sure to check the TTL field on both sides.

vincentzou Sun, 07/04/2010 - 18:24

hi Gaston,

It seems the TTL is correct on both sides:

Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=48ms TTL=127
Reply from 192.168.20.2: bytes=32 time=85ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=51ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
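
Gaston's suggestion above (measure over a longer window, and check the TTL on both sides) applied to the ping output just posted. The following is an added example, not code from the thread or from Cisco: it parses Windows "ping" output into probes and reports loss percentage, the longest burst of consecutive timeouts (bursty loss looks different from random loss on an ISP path), RTT spread with outliers, and whether the TTL of the replies stays constant (more than one TTL value means the return path changed mid-run). The SAMPLE_PING constant is the output posted above; the thresholds loss_alert_pct and spike_factor are assumed values, not anything from the thread.

```python
import re
import statistics

# Sample input: the ping output posted above in this thread (Windows "ping"
# format). A longer run redirected to a file can be fed in the same way.
SAMPLE_PING = """\
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=49ms TTL=127
Reply from 192.168.20.2: bytes=32 time=48ms TTL=127
Reply from 192.168.20.2: bytes=32 time=85ms TTL=127
Reply from 192.168.20.2: bytes=32 time=47ms TTL=127
Request timed out.
Reply from 192.168.20.2: bytes=32 time=51ms TTL=127
Reply from 192.168.20.2: bytes=32 time=50ms TTL=127
Request timed out.
"""

# "time<1ms" is how Windows prints sub-millisecond replies, hence [=<]
REPLY_RE = re.compile(r"Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)")
TIMEOUT_RE = re.compile(r"Request timed out|Destination host unreachable")


def parse_ping(text):
    """Turn ping output into a list of probes, in send order."""
    probes = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            probes.append({"ok": True, "src": m.group(1),
                           "rtt": int(m.group(2)), "ttl": int(m.group(3))})
        elif TIMEOUT_RE.search(line):
            probes.append({"ok": False})
    return probes


def longest_loss_burst(probes):
    """Longest run of consecutive lost probes (bursty vs. random loss)."""
    best = run = 0
    for p in probes:
        run = 0 if p["ok"] else run + 1
        best = max(best, run)
    return best


def summarize(probes, loss_alert_pct=1.0, spike_factor=1.5):
    """Loss, RTT and TTL statistics over one ping run. The two thresholds are
    assumed defaults: alert above 1% loss, flag RTTs above 1.5x the median."""
    sent = len(probes)
    replies = [p for p in probes if p["ok"]]
    rtts = [p["rtt"] for p in replies]
    lost = sent - len(replies)
    loss_pct = round(100.0 * lost / sent, 2) if sent else 0.0
    median = statistics.median(rtts) if rtts else None
    ttls = sorted({p["ttl"] for p in replies})
    return {
        "sent": sent, "received": len(replies), "lost": lost, "loss_pct": loss_pct,
        "max_consecutive_lost": longest_loss_burst(probes),
        "rtt_min": min(rtts) if rtts else None,
        "rtt_avg": round(statistics.mean(rtts), 1) if rtts else None,
        "rtt_max": max(rtts) if rtts else None,
        "rtt_median": median,
        # RTTs well above the median point at queueing or congestion on the path
        "spikes": [r for r in rtts if median is not None and r > spike_factor * median],
        # more than one TTL value in the replies means the return path changed
        "ttl_values": ttls,
        "ttl_stable": len(ttls) <= 1,
        "alert": loss_pct > loss_alert_pct,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_ping(SAMPLE_PING)).items():
        print(f"{key:>22}: {value}")
```

On the posted sample this reports 4 of 14 probes lost (28.57%), single-probe loss bursts, a median RTT of 49 ms with one 85 ms outlier, and a constant TTL of 127. Running the same script over a few hours of output from each side separately gives the longer-window picture Gaston asked for, and lets the two directions be compared.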

Javier Portuguez Mon, 07/05/2010 - 10:13

Hi Vincent,

If you look at the SA created for this tunnel, can you see any errors?

What if you source the traffic from the inside interface of one ASA to the inside interface of the remote ASA?

What kind of traffic gets affected? Does UDP face the same issue?

If you place a capture on the ASA, do you see drops, retransmissions, or the like?

Please also place a drop capture to isolate and analyze the issue from the ASA's standpoint.

One more thing: please place a capture on the outside interface of each ASA in order to capture the VPN traffic (you can decrypt it by using the pre-shared key). Send some traffic through the VPN tunnel; you should be able to see the packet leaving the ASA, and if you cannot see the packet arriving at the remote end, I would recommend you check with your ISP on this issue as well.

Please provide us with this information in order to figure out what might be causing the issue.

Thanks in advance for your cooperation.

Take care.

vincentzou Mon, 07/05/2010 - 22:36

hi Javier,

Thanks for your reply.

Actually, we only run Lotus Notes and Oracle ERP on this tunnel.

Attached are the captures from the two external interfaces.

Please help analyze them, because I'm quite new to ASA config.

Thanks a lot.

Javier Portuguez Tue, 07/06/2010 - 05:17

Thanks for the information; however, the capture is not very useful in that format. Please create separate captures for each purpose:

one capture on the inside and another capture on the outside.

Then please point to the following URL in your browser, as if you were trying to access the ASDM:

https://(IP_address_ASA)/capture/(capture_name)/pcap
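
Javier's method in the two posts above (capture on each ASA's outside interface, confirm the packet leaves one end, and check whether it arrives at the other) can be automated once both pcaps have been pulled from the https://(IP_address_ASA)/capture/(capture_name)/pcap URL. The example below is added here and is not code from the thread or from Cisco. It reads the classic pcap format, keys ESP packets by source, destination and SPI, and reports sequence numbers present in the sender's capture but missing from the receiver's. ESP sequence numbers sit in the cleartext header, so no decryption is needed to spot transit loss. The in-memory pcap builder, the addresses 203.0.113.10 and 198.51.100.20, the SPI and the missing sequence numbers are constructed test data, chosen only so the example runs offline.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IP = (101, 228)     # captures without an Ethernet header
IPPROTO_ESP = 50


def build_esp_pcap(packets):
    """Constructed test data: a minimal Ethernet/IPv4/ESP pcap in memory.
    packets is an iterable of (src_ip, dst_ip, spi, seq)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, (src, dst, spi, seq) in enumerate(packets):
        esp = struct.pack("!II", spi, seq) + b"\x00" * 32      # SPI, seq, opaque payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), i, 0, 64,
                         IPPROTO_ESP, 0, socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + esp           # dst/src MAC, EtherType IPv4
        out += struct.pack("<IIII", 1278000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_packets(pcap):
    """Yield (linktype, bytes) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len


def esp_flows(pcap):
    """Map (src, dst, spi) -> sorted ESP sequence numbers seen in the capture."""
    flows = defaultdict(list)
    for linktype, data in iter_packets(pcap):
        if linktype == LINKTYPE_ETHERNET:
            if len(data) < 14 or data[12:14] != b"\x08\x00":
                continue
            ip = data[14:]
        elif linktype in LINKTYPE_RAW_IP:
            ip = data
        else:
            continue
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != IPPROTO_ESP or len(ip) < ihl + 8:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        spi, seq = struct.unpack_from("!II", ip, ihl)   # ESP header: SPI then sequence
        flows[(src, dst, spi)].append(seq)
    return {key: sorted(seqs) for key, seqs in flows.items()}


def sequence_gaps(seqs):
    """Sequence numbers missing between the first and last one seen. ESP
    numbers increase by one per packet on an SA, so a hole in a single
    capture is a packet that never crossed that interface."""
    if not seqs:
        return []
    seen = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in seen]


def lost_in_transit(sender_pcap, receiver_pcap):
    """Per SA: packets captured leaving the sending ASA's outside interface
    that never show up in the receiving ASA's outside capture. Those were
    dropped between the two outside interfaces, i.e. on the ISP path."""
    sent, recv = esp_flows(sender_pcap), esp_flows(receiver_pcap)
    report = {}
    for key, seqs in sent.items():
        missing = sorted(set(seqs) - set(recv.get(key, [])))
        report[key] = {"sent": len(seqs), "received": len(seqs) - len(missing),
                       "missing_seqs": missing,
                       "loss_pct": round(100.0 * len(missing) / len(seqs), 1)}
    return report


# Constructed scenario: ASA A sends ESP seq 1..10 on one SA; ASA B's outside
# capture of the same SA is missing 3 and 7.
SPI = 0x1A2B3C4D
A_OUT, B_OUT = "203.0.113.10", "198.51.100.20"
SENDER = build_esp_pcap([(A_OUT, B_OUT, SPI, s) for s in range(1, 11)])
RECEIVER = build_esp_pcap([(A_OUT, B_OUT, SPI, s) for s in range(1, 11) if s not in (3, 7)])

if __name__ == "__main__":
    for (src, dst, spi), r in lost_in_transit(SENDER, RECEIVER).items():
        print(f"{src} -> {dst} SPI 0x{spi:08x}: {r}")
```

With real captures, call lost_in_transit on the two downloaded files (for example open("asa_a.pcap", "rb").read() and open("asa_b.pcap", "rb").read()) with the capture taken on the sending side as the first argument. Two readings matter: sequence numbers missing at the receiver but present at the sender are ISP-path loss, which is the case Javier says to take to the ISP; a gap in the sender's own outside capture means the sending ASA never emitted the packet, and the drop capture he asked for is where to look next. The sequence number is also what the receiving peer's anti-replay window checks, so these gaps are what the ASA would count as out-of-window if they arrived later and out of order.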

vincentzou Mon, 07/12/2010 - 02:08

Thanks to all who replied to me these days.

The problem has been solved; I changed the ISP and it works perfectly now.

Javier Portuguez Mon, 07/12/2010 - 05:24

Great!!!

It's good to hear good news.

I would like to invite you to post any other issue / question you might have in the future.

You can always count on us.

Take care.
