10-24-2006 04:20 AM - edited 02-21-2020 02:41 PM
We have a 515E with 64MB RAM that has been working fine with two tunnels configured out of it. Recently we attempted to add an additional tunnel and this caused all the tunnels to start dropping packets. We confirmed that this was the new tunnel by removing it and the issue resolved itself. I looked at memory usage and it seems that there is plenty available so I am at a loss as to why this would be an issue. Any suggestions would be helpful.
10-24-2006 04:32 AM
Sounds more like a configuration issue? Can you post the config (to include the 3rd tunnel setup). Please remember to take out any sensitive info.
Cheers
10-24-2006 05:24 AM
Here is the relevant configuration information.
sysopt connection permit-ipsec
crypto ipsec transform-set TFSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer site1ip
crypto map newmap 20 set transform-set TFSET1
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer site2ip
crypto map newmap 30 set transform-set TFSET2
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 120
crypto map newmap 40 set peer site3ip
crypto map newmap 40 set transform-set TFSET3
crypto map newmap interface outside
isakmp enable outside
isakmp key site1key address site1ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp key site2key address site2ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp key site3key address site3ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
Again let me point out that without site3 in the configuration things are fine. No dropped packets or connection issues. When you add site 3 to the configuration all sites begin dropping packets. For example, a continuous ping from a station off site 1 to a station on site 3 will drop continuously for 3-15 secs, then resume for 60-90 seconds, then drop again. Even during the 60-90 second span you occasionally see 1 dropped packet.
10-24-2006 06:04 AM
Why are VPN num1 & num3 using the same access-list to match traffic? This doesn't seem logical to me, because if it matches the same traffic why would you need 2 VPN tunnels instead of 1?
Try using a separate ACL to match traffic for VPN no3.
10-24-2006 06:48 AM
Sorry, that was a typo on my part, the access list for site 3 should be 140 not 120. Each tunnel has a separate ACL.
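The two things the replies are circling around (a second crypto map entry reusing the same match ACL, and a transform-set name that is referenced but never defined) are exactly the sort of mistake a quick config lint catches before the tunnels are touched. The following is an added example, not code from the thread or from Cisco: a small Python script that parses PIX-style crypto map lines and reports reused match ACLs (crypto map entries are evaluated in sequence order and the first match wins, so a later entry with the same ACL is never selected), transform-sets used but not defined, and peers with no isakmp key. The sample config is a constructed copy of the first post's lines; the map name, ACL numbers, peer placeholders and TFSET names come from that post.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto-map lines as posted in the first config,
# including "match address 120" on two entries and the TFSET3 reference.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TFSET1 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac
crypto ipsec transform-set TFSET2 esp-3des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer site1ip
crypto map newmap 20 set transform-set TFSET1
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 130
crypto map newmap 30 set peer site2ip
crypto map newmap 30 set transform-set TFSET2
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 120
crypto map newmap 40 set peer site3ip
crypto map newmap 40 set transform-set TFSET3
crypto map newmap interface outside
isakmp key site1key address site1ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp key site2key address site2ip netmask 255.255.255.255 no-xauth no-config-mode
isakmp key site3key address site3ip netmask 255.255.255.255 no-xauth no-config-mode
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")   # only numbered entries
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")


def parse_config(text):
    """Collect transform-set names, per-entry crypto map settings and keyed peers."""
    transform_sets = set()
    entries = defaultdict(dict)   # (map name, sequence) -> {"acl", "peer", "transform_set"}
    peer_keys = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            transform_sets.add(m.group(1))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            entry = entries[(name, seq)]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform_set"] = rest[2]
            continue
        m = KEY_RE.match(line)
        if m:
            peer_keys.add(m.group(1))
    return transform_sets, dict(entries), peer_keys


def lint(text):
    """Return a list of human-readable findings for the given config text."""
    transform_sets, entries, peer_keys = parse_config(text)
    findings = []
    acl_users = defaultdict(list)   # (map name, acl) -> [sequence numbers]
    for (name, seq), entry in sorted(entries.items()):
        if "acl" in entry:
            acl_users[(name, entry["acl"])].append(seq)
        ts = entry.get("transform_set")
        if ts and ts not in transform_sets:
            findings.append(f"{name} {seq}: transform-set {ts} is referenced but never defined")
        peer = entry.get("peer")
        if peer and peer not in peer_keys:
            findings.append(f"{name} {seq}: no isakmp key configured for peer {peer}")
    # First match wins on a crypto map, so any later entry sharing an ACL is shadowed.
    for (name, acl), seqs in acl_users.items():
        if len(seqs) > 1:
            first, *shadowed = seqs
            findings.append(
                f"{name}: access-list {acl} is matched by entries {seqs}; "
                f"entry {first} wins, {shadowed} never selected"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the shadowed entry 40 and the missing TFSET3 definition; feeding it a saved `show running-config` gives the same checks on a real box, with the peer-key check covering the case where a new peer was added to the map but not to the isakmp keys.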
10-24-2006 06:52 AM
Try the following example....
access-list nonat permit ip 10.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list 100 permit ip 10.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list nonat permit ip 10.x.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list 200 permit ip 10.x.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list nonat permit ip 10.x.x.x 255.255.255.0 172.30.x.x 255.255.255.0
access-list 300 permit ip 10.x.x.x 255.255.255.0 172.30.x.x 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set TSET1 esp-3des esp-md5-hmac
crypto map VPNMAP 1 ipsec-isakmp
crypto map VPNMAP 1 match address 100
crypto map VPNMAP 1 set peer
crypto map VPNMAP 1 set transform-set TSET1
crypto map VPNMAP 2 ipsec-isakmp
crypto map VPNMAP 2 match address 200
crypto map VPNMAP 2 set peer
crypto map VPNMAP 2 set transform-set TSET1
crypto map VPNMAP 3 ipsec-isakmp
crypto map VPNMAP 3 match address 300
crypto map VPNMAP 3 set peer
crypto map VPNMAP 3 set transform-set TSET1
crypto map VPNMAP interface outside
isakmp key KEY1 address
isakmp key KEY2 address
isakmp key KEY3 address
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
Save with write mem and also issue in config mode:
clear xlate / clear isakmp sa / clear ipsec sa
Hope this helps, and please rate the post if it does.