Cisco 515E Dropping Packets on IPSec Tunnels

j0s3phgr4nt (Level 1)

We have a 515E with 64MB RAM that has been working fine with two tunnels configured out of it. Recently we attempted to add an additional tunnel and this caused all the tunnels to start dropping packets. We confirmed that this was the new tunnel by removing it and the issue resolved itself. I looked at memory usage and it seems that there is plenty available so I am at a loss as to why this would be an issue. Any suggestions would be helpful.

5 Replies

jmia (Level 7)

Sounds more like a configuration issue? Can you post the config (to include the 3rd tunnel setup)? Please remember to take out any sensitive info.

Cheers

Here is the relevant configuration information.

sysopt connection permit-ipsec
crypto ipsec transform-set TFSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET3 esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer site1ip
crypto map newmap 20 set transform-set TFSET1
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer site2ip
crypto map newmap 30 set transform-set TFSET2
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 120
crypto map newmap 40 set peer site3ip
crypto map newmap 40 set transform-set TFSET3
crypto map newmap interface outside
isakmp enable outside
isakmp key site1key address site1ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp key site2key address site2ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp key site3key address site3ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

Again, let me point out that without site3 in the configuration things are fine. No dropped packets or connection issues. When you add site 3 to the configuration, all sites begin dropping packets. For example, a continuous ping from a station off site 1 to a station on site 3 will drop continuously for 3-15 secs, then resume for 60-90 seconds, then drop again. Even during the 60-90 second span you occasionally see 1 dropped packet.

Why are vpn num1 & num3 using the same access-list to match traffic? This doesn't seem logical to me, because if it matches the same traffic, why would you need 2 VPN tunnels instead of 1?

Try using a separate ACL to match traffic for VPN no. 3.

Sorry, that was a typo on my part, the access list for site 3 should be 140 not 120. Each tunnel has a separate ACL.

Try the following example....

access-list nonat permit ip 10.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list 100 permit ip 10.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list nonat permit ip 10.x.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list 200 permit ip 10.x.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 10.x.x.x 255.255.255.0 172.30.x.x 255.255.255.0
access-list 300 permit ip 10.x.x.x 255.255.255.0 172.30.x.x 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
crypto map VPNMAP 1 ipsec-isakmp
crypto map VPNMAP 1 match address 100
crypto map VPNMAP 1 set peer
crypto map VPNMAP 1 set transform-set TSET1
crypto map VPNMAP 2 ipsec-isakmp
crypto map VPNMAP 2 match address 200
crypto map VPNMAP 2 set peer
crypto map VPNMAP 2 set transform-set TSET1
crypto map VPNMAP 3 ipsec-isakmp
crypto map VPNMAP 3 match address 300
crypto map VPNMAP 3 set peer
crypto map VPNMAP 3 set transform-set TSET1
crypto map VPNMAP interface outside
isakmp key KEY1 address netmask 255.255.255.255
isakmp key KEY2 address netmask 255.255.255.255
isakmp key KEY3 address netmask 255.255.255.255
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Save with write mem and also issue in config mode:

clear xlate / clear isakmp sa / clear ipsec sa

Hope this helps and pls rate post if it does.
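The two defects this thread turns on are both silent once the config is applied: two crypto map entries matching the same ACL (the 120/120 overlap jmia pointed out, which leaves the higher-sequence entry shadowed for outbound traffic) and a map entry referencing a transform-set that was never defined. The small linter below checks a PIX-style crypto configuration for both before it is pushed. It is an added example, not code from the original post or from Cisco; the sample configurations are constructed to mirror the posted snippet (placeholder peer names and ACL numbers as in the thread), and the parser only understands the `crypto ipsec transform-set` and `crypto map <name> <seq> ...` lines shown here.

```python
from collections import defaultdict

# Constructed sample modelled on the posted config: entry 40 matches the same ACL as
# entry 20, and it references a transform-set (TFSET3) that is never defined.
SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
crypto ipsec transform-set TFSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer site1ip
crypto map newmap 20 set transform-set TFSET1
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer site2ip
crypto map newmap 30 set transform-set TFSET2
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 120
crypto map newmap 40 set peer site3ip
crypto map newmap 40 set transform-set TFSET3
crypto map newmap interface outside
"""

# Constructed corrected version: one ACL per tunnel and every transform-set defined.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto map newmap 40 match address 120", "crypto map newmap 40 match address 140"
).replace(
    "crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac\n",
    "crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac\n"
    "crypto ipsec transform-set TFSET3 esp-3des esp-md5-hmac\n",
)


def parse_crypto_config(text):
    """Collect the defined transform-sets and the attributes of each crypto map entry.

    Returns (transform_sets, entries); entries maps (map_name, seq) to a dict that may
    hold the keys 'acl', 'peer' and 'transform_set'.
    """
    transform_sets = set()
    entries = defaultdict(dict)
    for raw in text.splitlines():
        parts = raw.strip().split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) >= 4:
            transform_sets.add(parts[3])
        elif parts[:2] == ["crypto", "map"] and len(parts) >= 5 and parts[3].isdigit():
            # 'crypto map <name> <seq> ...'; the 'interface outside' binding has no
            # numeric sequence and is deliberately skipped.
            entry = entries[(parts[2], int(parts[3]))]
            rest = parts[4:]
            if rest[:2] == ["match", "address"] and len(rest) == 3:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"] and len(rest) == 3:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"] and len(rest) == 3:
                entry["transform_set"] = rest[2]
    return transform_sets, dict(entries)


def lint_crypto_map(text):
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    transform_sets, entries = parse_crypto_config(text)
    findings = []
    seqs_by_acl = defaultdict(list)
    for (name, seq), entry in sorted(entries.items()):
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"{name} {seq}: no 'match address' ACL, entry can never select traffic")
        else:
            seqs_by_acl[(name, acl)].append(seq)
        if "peer" not in entry:
            findings.append(f"{name} {seq}: no peer set")
        ts = entry.get("transform_set")
        if ts is None:
            findings.append(f"{name} {seq}: no transform-set set")
        elif ts not in transform_sets:
            findings.append(f"{name} {seq}: transform-set {ts} is not defined")
    # Crypto map entries are evaluated in sequence order, so when two entries share an
    # ACL, outbound traffic always selects the lowest sequence and the rest are shadowed.
    for (name, acl), seqs in sorted(seqs_by_acl.items()):
        if len(seqs) > 1:
            findings.append(
                f"{name}: ACL {acl} is matched by entries {seqs}; outbound traffic takes the "
                f"lowest sequence ({seqs[0]}), so the later entries are shadowed"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}: {lint_crypto_map(cfg) or ['clean']}")
```

Run against the posted sample it reports the undefined TFSET3 and the shared ACL 120; against the corrected sample it reports nothing. The same check can be run over `show run` output saved to a file before and after adding a tunnel, which would have caught the third-tunnel change here before any packets were dropped.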
