I've got an ASA running a single context on 7.2(2) connecting via a web-based VPN to a VPN3020 concentrator. Whilst the tunnel is up and reporting no errors, we are losing maybe 1 in 10 packets. The pattern isn't regular, with sometimes over a minute between losing packets and then dropping 3-4 on the trot.
The 3020 is terminating over 50 other VPNs with no issue.
The latency over the VPN is very, very consistent at circa 110ms. I have increased the ICMP timeout to 5 seconds but the suspect packets are definitely being dropped rather than delayed. There is no NAT'ing taking place.
The interface output on the ASA shows the number of drops increasing but no packet errors (i.e. CRC, jumbo, etc.).
Whilst I understand that traversing the internet can cause variable latency issues, I have never seen this many packets being dropped on a web VPN before.
Any ideas what to check or how to find out why the drop packet count on the ASA is increasing?
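One way to pin down whether loss like this is random or bursty before touching the firewall config is to analyse the ICMP sequence numbers in a long ping run, since a gap in `icmp_seq` is a drop regardless of the reply timeout. The script below is an added example and is not part of the original post; it assumes the common Linux/BSD ping output form (`64 bytes from ...: icmp_seq=N ...`), and the embedded sample is constructed to mimic the pattern described above (roughly 1 in 10 lost, some in runs of 3-4, long clean stretches in between). The target address 10.0.0.1 in the sample is a placeholder.

```python
"""Characterise packet loss from ping output using icmp_seq gaps.

Added example, not from the original thread. Assumes ping reply lines of the
form "64 bytes from <addr>: icmp_seq=<n> ttl=<t> time=<ms> ms"; a reply that
arrives late still counts as received (it has a sequence number), so only
true drops show up as gaps.
"""
import re
from dataclasses import dataclass, field

SEQ_RE = re.compile(r"icmp_seq=(\d+)")

# Constructed sample: 100 probes, 9 lost in the pattern [3, 1, 4, 1], with
# latency steady around 110 ms like the post describes.
LOST_SEQS = {15, 16, 17, 42, 70, 71, 72, 73, 95}
SAMPLE_PING = "\n".join(
    f"64 bytes from 10.0.0.1: icmp_seq={s} ttl=250 time=11{s % 3}.{s % 10} ms"
    for s in range(1, 101)
    if s not in LOST_SEQS
)


@dataclass
class LossReport:
    sent: int
    received: int
    lost: int
    loss_rate: float
    loss_runs: list = field(default_factory=list)  # lengths of consecutive-loss bursts
    longest_clean_run: int = 0  # longest stretch of consecutive replies


def parse_replied_seqs(ping_output: str) -> set:
    """Return the set of icmp_seq values that received a reply (duplicates collapse)."""
    return {int(m.group(1)) for m in SEQ_RE.finditer(ping_output)}


def analyse(ping_output: str, first_seq: int, last_seq: int) -> LossReport:
    """Walk the expected sequence range and classify each probe as replied or lost."""
    replied = parse_replied_seqs(ping_output)
    sent = last_seq - first_seq + 1
    received = sum(1 for s in replied if first_seq <= s <= last_seq)
    runs, current_loss, clean, longest_clean = [], 0, 0, 0
    for seq in range(first_seq, last_seq + 1):
        if seq in replied:
            if current_loss:
                runs.append(current_loss)
                current_loss = 0
            clean += 1
            longest_clean = max(longest_clean, clean)
        else:
            current_loss += 1
            clean = 0
    if current_loss:  # loss burst running up to the end of the capture
        runs.append(current_loss)
    lost = sent - received
    return LossReport(sent, received, lost, lost / sent, runs, longest_clean)


def is_bursty(report: LossReport, min_run: int = 3) -> bool:
    """Bursty loss (runs of >= min_run) points at congestion/queue drops rather
    than uniformly random loss along the path."""
    return any(run >= min_run for run in report.loss_runs)


if __name__ == "__main__":
    report = analyse(SAMPLE_PING, 1, 100)
    print(f"sent={report.sent} received={report.received} lost={report.lost} "
          f"rate={report.loss_rate:.1%}")
    print(f"loss runs={report.loss_runs} longest clean run={report.longest_clean_run}")
    print("bursty" if is_bursty(report) else "random-looking")
```

Feed it the saved output of a ping run with a known count (for example `ping -c 600` against the far end of the tunnel) and compare the run lengths on both sides of the ASA: if the bursts line up with the interface drop counter increasing, the loss is local to the firewall rather than somewhere on the internet path.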
You can configure the keepalive time interval, which is the frequency at which the Cisco IOS software sends messages to itself (Ethernet and Token Ring) or to the other end (serial and tunnel), to ensure that a network interface is alive. The interval is adjustable in 1-second increments down to 1 second. An interface is declared down after five update intervals have passed without receiving a keepalive packet unless the retry value is set higher. If you are running a Cisco IOS image prior to Cisco IOS Release 12.2(13)T, the default retry value is 3.