Many dropped packets between 2 ASA 5505's - Site 2 Site VPN tunnel

Unanswered Question
Aug 24th, 2012

We currently have an L2L set up using (2) Cisco ASA 5505's between our main office and new location. We have recently moved our DC from our 192.168.1.0 network to our 192.168.2.0 network. This server provides DHCP for the new location and DNS for both sites. We are currently experiencing a high percentage of dropped packets, close to 25%. When we try to ping the DC (192.168.2.10) from the .1.0 network we have a high percentage of dropped packets, but pinging an outside address (4.2.2.2) we have about 5% dropped packets. It seems that something is wrong with the VPN tunnel which is causing the dropped packets. This was first noticed because PCs are taking an extremely long time to authenticate to the domain and contact the DC for files.

Thanks ahead of time for any assistance. If more info is needed, just ask.


I may be missing something on the ASAs that could mean an easy fix, but I am unable to figure this out. The config is as follows:


Config for Site A (new site - w/ DC 192.168.2.0):

login as: admin
admin@*.*.*.* password:
Type help or '?' for a list of available commands.
LSCMainCar-asa> en
Password: **************
LSCMainCar-asa# sh conf
: Saved
!
ASA Version 8.2(5)
!
hostname LSCMainCar-asa
domain-name *.local
enable password VPIGZJE/slohtM0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 lsc-dc01
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LSC Internal Interface
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 description LSC External Interface
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name *.local
access-list CarMain2Laf extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list CarMain2C extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
access-list LSC_sACL extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 lsc-dc01 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa_group2 protocol radius
aaa-server aaa_group2 (inside) host 192.168.1.10
 key *
 radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address CarMain2C
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer *.*.*.*66
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 match address CarMain2Laf
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer *.*.*.*173
crypto map outside_map 30 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password * encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group *.*.*.*66 type ipsec-l2l
tunnel-group *.*.*.*66 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 10
tunnel-group *.*.*.*173 type ipsec-l2l
tunnel-group *.*.*.*173 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c23927f0cd44c433db6d7ccec039d6ed




Config for Site B (old site - 192.168.1.0):

login as: admin
admin@*.*.*.*66 password:
Type help or '?' for a list of available commands.
lsc-asa> en
Password: **************
lsc-asa# sh conf
: Saved
!
ASA Version 8.2(1)
!
hostname lsc-asa
domain-name *.local
enable password VPIGZJE/slohtM0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 lsc-dc01
!
interface Vlan1
 description LSC Internal Interface
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 description LSC External Interface
 nameif outside
 security-level 0
 ip address *.*.*.*66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *.local
access-list C2LAF extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
access-list LSC_sACL extended permit ip 192.168.1.0 255.255.255.0 any
access-list CarMain2C extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list from_outside extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool LSCpool 192.168.5.175-192.168.5.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-642.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.*66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa_group2 protocol radius
aaa-server aaa_group2 (inside) host 192.168.1.10
 key *
 radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 101 set pfs group1
crypto dynamic-map outside_dyn_map 101 set transform-set myset
crypto map outside_map 20 match address C2LAF
crypto map outside_map 20 set peer *.*.*.*173
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 match address CarMain2C
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer *.*.*.*66
crypto map outside_map 30 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
telnet 192.168.1.0 255.255.255.0 inside
telnet *.*.*.*66 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname [email protected]
vpdn group pppoe_group ppp authentication pap
vpdn username [email protected] password *
dhcpd dns lsc-dc01
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns lsc-dc01 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy LSCvpn internal
group-policy LSCvpn attributes
 dns-server value 192.168.2.10
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LSC_sACL
 default-domain value *.local
username admin password * encrypted privilege 15
tunnel-group LSCvpn type remote-access
tunnel-group LSCvpn general-attributes
 address-pool LSCpool
 authentication-server-group aaa_group2
 default-group-policy LSCvpn
tunnel-group LSCvpn ipsec-attributes
 pre-shared-key *
tunnel-group *.*.*.*173 type ipsec-l2l
tunnel-group *.*.*.*173 ipsec-attributes
 pre-shared-key *
tunnel-group *.*.*.*216 type ipsec-l2l
tunnel-group *.*.*.*216 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group LSCvpn
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
prompt hostname context
Cryptochecksum:9d508111536d875dda252f29bc8a49f1
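The two configurations above can be checked mechanically. The script below is an added example (not the poster's configuration and not Cisco tooling) that reads excerpts of both configs and reports three things a practitioner would want to know before going further: crypto ACL entries on one side that the other side does not mirror (a phase 2 proposal for an unmirrored pair is rejected by the peer, so such a tunnel only ever comes up from one end); ports that the outside ACL opens from "any" and a static PAT forwards to an inside host (both sites do this for TCP/3389, and on Site A that host is the domain controller); and IKE policy settings both sites still use that are below current guidance (3DES, MD5, DH group 2). The peer addresses are masked on the page, so the 203.0.113.x values in the sample are placeholders from the RFC 5737 test range; every other line is quoted from the posted configs.

```python
"""Static checks over Cisco ASA 8.2 configs: crypto-ACL mirroring between two
peers, services opened to 'any', and legacy IKE policy settings."""
from __future__ import annotations
from ipaddress import IPv4Network as Net
import re

# Excerpts of the two configs posted in the thread, limited to the lines the
# checks read.  Peer addresses are masked on the page, so the 203.0.113.x
# values are placeholders (RFC 5737 TEST-NET) chosen for this example.
SITE_A = """\
access-list CarMain2C extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
static (inside,outside) tcp interface 3389 lsc-dc01 3389 netmask 255.255.255.255
access-group outside_in in interface outside
crypto map outside_map 20 match address CarMain2C
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 203.0.113.66
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""
SITE_B = """\
access-list C2LAF extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list CarMain2C extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_in in interface outside
crypto map outside_map 20 match address C2LAF
crypto map outside_map 20 set peer 203.0.113.173
crypto map outside_map 30 match address CarMain2C
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 203.0.113.1
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer|set pfs) ?(\S*)$", re.M)
STATIC_RE = re.compile(r"^static \(inside,outside\) tcp interface (\S+) (\S+) \S+ netmask", re.M)
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_acls(cfg: str) -> dict[str, list[tuple[Net, Net]]]:
    """ACL name -> [(src, dst)] for 'permit ip <net> <mask> <net> <mask>' entries."""
    acls: dict[str, list[tuple[Net, Net]]] = {}
    for name, s, sm, d, dm in ACL_RE.findall(cfg):
        acls.setdefault(name, []).append((Net(f"{s}/{sm}"), Net(f"{d}/{dm}")))
    return acls


def crypto_map_entries(cfg: str) -> dict[str, dict]:
    """Crypto-map sequence number -> {'acl': name, 'peer': address, 'pfs': bool}."""
    entries: dict[str, dict] = {}
    for seq, kind, arg in MAP_RE.findall(cfg):
        e = entries.setdefault(seq, {"acl": None, "peer": None, "pfs": False})
        if kind == "set pfs":
            e["pfs"] = True
        else:
            e["acl" if kind == "match address" else "peer"] = arg
    return entries


def proxy_ids(cfg: str, peer: str) -> set[tuple[Net, Net]]:
    """Every (local, remote) pair the config will propose to the given peer."""
    acls = parse_acls(cfg)
    return {pair for e in crypto_map_entries(cfg).values() if e["peer"] == peer
            for pair in acls.get(e["acl"], [])}


def mirror_gaps(cfg_a: str, peer_b: str, cfg_b: str, peer_a: str) -> list[tuple[Net, Net]]:
    """Proxy IDs one side proposes for which the other side has no mirror-image
    entry; the peer rejects a phase 2 proposal for such a pair."""
    a, b = proxy_ids(cfg_a, peer_b), proxy_ids(cfg_b, peer_a)
    gaps = {p for p in a if (p[1], p[0]) not in b} | {p for p in b if (p[1], p[0]) not in a}
    return sorted(gaps, key=str)


def exposed_services(cfg: str) -> list[tuple[str, str]]:
    """(port, inside host) reachable from any source: a static PAT on the outside
    interface whose port the outside ACL also permits from 'any'."""
    acl = re.search(r"^access-group (\S+) in interface outside$", cfg, re.M)
    if not acl:
        return []
    rx = re.compile(rf"^access-list {re.escape(acl.group(1))} extended permit tcp any any eq (\S+)$", re.M)
    open_ports = set(rx.findall(cfg))
    return [(port, host) for port, host in STATIC_RE.findall(cfg) if port in open_ports]


def weak_ike_settings(cfg: str) -> list[str]:
    """Settings under 'crypto isakmp policy' that are below current guidance."""
    weak, in_policy = [], False
    for line in cfg.splitlines():
        if line.startswith("crypto isakmp policy"):
            in_policy = True
        elif in_policy and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if val in WEAK_IKE.get(key, ()):
                weak.append(f"{key} {val}")
        else:
            in_policy = False
    return weak
```

Import the module and call mirror_gaps(SITE_A, "203.0.113.66", SITE_B, "203.0.113.1"); on the posted configs it returns an empty list, so the 192.168.2.0/24 to 192.168.1.0/24 proxy IDs are not the cause of the loss. exposed_services returns the 3389 forward on each side; that has nothing to do with the loss, but it is the first thing a scan of either outside address finds, and on Site A it lands on the domain controller.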

Ton V Engelen Sat, 08/25/2012 - 02:36

Hi


Eth 0/0 on site A has speed set to 10. Site B not. Why is this? I would set them to 100 full on both sites.

Check show interfaces and check speed and duplex settings; if an interface is running half duplex, check for drops and collisions.

When I set up the ASA here I saw the inside interface was running half duplex (it was set to auto and got to 100 Mb half duplex). So I configured the interfaces to run 100, full (both sides).

Irontman72 Sat, 08/25/2012 - 06:27

Thanks for the suggestion. I will make the change and return with an update. Thanks again.

Irontman72 Sat, 08/25/2012 - 14:36

Eth 0/0 is my outside interface and is set to 10MB because it is requested by the ISP for general setup. Unfortunately, after changing the duplex and speed on the outside interfaces to match for both ASAs, I am still dropping packets.

Ton V Engelen Sun, 08/26/2012 - 22:25

Ok.

Can you post the output of:

show crypto ipsec sa
show interfaces

Irontman72 Mon, 08/27/2012 - 06:40

Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: *.*.*.*173
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: *.*.*.*66
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Site A (outside)

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address d48c.b591.7a19, MTU not set
        IP address unassigned
        124057 packets input, 26347884 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        31 switch ingress policy drops
        180974 packets output, 221656234 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops

Site A (inside)

Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address d48c.b591.7a1a, MTU not set
        IP address unassigned
        198294 packets input, 228260954 bytes, 0 no buffer
        Received 485 broadcasts, 0 runts, 0 giants
        1740 input errors, 1740 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        98 switch ingress policy drops
        133448 packets output, 21915599 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops

Site B (outside)

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        Available but not configured via nameif
        MAC address d0d0.fd70.bdbd, MTU not set
        IP address unassigned
        8702242 packets input, 9098904844 bytes, 0 no buffer
        Received 358 broadcasts, 0 runts, 0 giants
        33050 input errors, 33050 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        8563 switch ingress policy drops
        6786259 packets output, 1156412413 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops

Site B (inside)

Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Available but not configured via nameif
        MAC address d0d0.fd70.bdbe, MTU not set
        IP address unassigned
        7305862 packets input, 1076925691 bytes, 0 no buffer
        Received 205631 broadcasts, 0 runts, 0 giants
        827 input errors, 827 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        25925 switch ingress policy drops
        8794455 packets output, 8940093415 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
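The counters above can be read mechanically. The script below is an added example (not the poster's output and not Cisco tooling) that parses ASA "show interface" blocks and applies the checks suggested earlier in the thread: half duplex, collisions and late collisions, and the ratio of CRC errors to frames received. Its sample input is constructed from two of the interface blocks posted above (Site B outside and Site A inside), trimmed to the counter lines it reads. On those numbers it reports CRC errors on roughly 0.4% of frames entering Site B's outside port and 0.9% on Site A's inside port. That is a physical-layer problem worth fixing, but it is far below the 25% loss being measured, so the counters narrow the search rather than close it. One caveat: these counters are cumulative since they were last cleared, so a recent burst of errors is diluted in the average; clear them and re-sample while the loss is happening before drawing conclusions.

```python
"""Parse Cisco ASA 5505 `show interface` counters and flag link-layer trouble."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input constructed from two of the interface blocks posted in the
# thread (Site B outside, Site A inside), trimmed to the lines read below.
SAMPLE = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        8702242 packets input, 9098904844 bytes, 0 no buffer
        Received 358 broadcasts, 0 runts, 0 giants
        33050 input errors, 33050 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        8563 switch ingress policy drops
        6786259 packets output, 1156412413 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        198294 packets input, 228260954 bytes, 0 no buffer
        Received 485 broadcasts, 0 runts, 0 giants
        1740 input errors, 1740 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        98 switch ingress policy drops
        133448 packets output, 21915599 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
"""


@dataclass
class IfStats:
    name: str
    duplex: str = "unknown"
    speed_mbps: int = 0
    packets_in: int = 0
    input_errors: int = 0
    crc: int = 0
    collisions: int = 0
    late_collisions: int = 0
    ingress_policy_drops: int = 0

    @property
    def crc_rate(self) -> float:
        """Fraction of received frames that failed the CRC (0.0 with no traffic)."""
        return self.crc / self.packets_in if self.packets_in else 0.0


# One regex per counter line we care about; every other line is ignored.
_RULES = [
    ("duplex_speed", re.compile(r"(Full|Half)-Duplex\([^)]*\), (\d+) Mbps")),
    ("packets_in", re.compile(r"(\d+) packets input")),
    ("errors", re.compile(r"(\d+) input errors, (\d+) CRC")),
    ("ingress", re.compile(r"(\d+) switch ingress policy drops")),
    ("late", re.compile(r"(\d+) late collisions")),
    ("collisions", re.compile(r"(\d+) collisions")),
]


def parse_show_interface(text: str) -> dict[str, IfStats]:
    """Return {interface name: IfStats} for every 'Interface ...' block in text."""
    stats: dict[str, IfStats] = {}
    cur: IfStats | None = None
    for line in text.splitlines():
        head = re.match(r"Interface (\S+)", line)
        if head:
            cur = IfStats(name=head.group(1))
            stats[cur.name] = cur
            continue
        if cur is None:
            continue
        for key, rx in _RULES:
            m = rx.search(line)
            if not m:
                continue
            if key == "duplex_speed":
                cur.duplex, cur.speed_mbps = m.group(1).lower(), int(m.group(2))
            elif key == "packets_in":
                cur.packets_in = int(m.group(1))
            elif key == "errors":
                cur.input_errors, cur.crc = int(m.group(1)), int(m.group(2))
            elif key == "ingress":
                cur.ingress_policy_drops = int(m.group(1))
            elif key == "late":
                cur.late_collisions = int(m.group(1))
            else:
                cur.collisions = int(m.group(1))
            break
    return stats


def assess(s: IfStats, crc_threshold: float = 0.001) -> list[str]:
    """Findings to chase on the physical link before suspecting the VPN tunnel."""
    findings: list[str] = []
    if s.duplex == "half":
        findings.append("half duplex: pin speed/duplex identically on both ends of the link")
    if s.collisions or s.late_collisions:
        findings.append("collisions: classic duplex-mismatch symptom on a full-duplex peer")
    if s.crc and s.crc_rate >= crc_threshold:
        findings.append(f"CRC errors on {s.crc_rate:.2%} of input frames: cable, port or media problem")
    if s.input_errors != s.crc:
        findings.append("input errors not explained by CRC alone: look at frame/overrun/runts")
    return findings


def audit(text: str) -> dict[str, list[str]]:
    """Findings per interface for a whole `show interface` dump."""
    return {name: assess(s) for name, s in parse_show_interface(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or ["clean"])
```

Paste a full "show interface" dump into SAMPLE (or read it from a file) and run the script; any interface with an empty findings list is not where the loss comes from.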





Ton V Engelen Tue, 08/28/2012 - 00:24

Hi

Can you explain the following:

"When we try to ping the DC (192.168.2.10) from the .1.0 network we have a high percentage of drop packets"

I'm not sure I understand the following.

192.168.2.0 is the new network behind the inside interface of Site A, right?

Where is network 192.168.1.0? Is it behind the other site's (Site B) inside interface? Or does it not exist anymore?

I'm wondering about it because in the config of Site A,

- aaa-server aaa_group2 (inside) host 192.168.1.10 points to the inside. Is this correct?

I would expect this to be 192.168.2.10 now, but I'm not sure what your topology looks like.
