VPN B2B link between our 3005 and a Nokia VPN concentrator at our client's site. Link has been up and solid for about 5 months. We support 4 remote servers and these are the only IPs set to cross the tunnel.
In a round-robin fashion, 1 or 2 of the IP addresses fail to ping for a few minutes or a few hours. The target host is actually still working and pingable from the other side of the tunnel (from the other servers).
* The other IPs work fine
* Net Admin for Nokia side says no change on concentrator and pings work fine there.
* Trace route shows the ping getting to our 3005 but stops there (good tracert shows a router and host at the other end)
* Concentrator settings on 3005 have not changed
* Firmware for our 3005 was upgraded 5 days ago. (just before problem was noticed)
* Other B2B links to other clients are not having issues. (All others Cisco to Cisco)
Is there a way to trace packets through the 3005 concentrator? I'd like to verify the packet enters the tunnel and find out where it stops.
An obvious step is to roll back the firmware and see if the problem is resolved.
VPN 3000 concentrators have some very good administration interfaces that show a lot of data about the traffic that passes through them. But I am not sure that will help you find where the packets are getting dropped. This most likely could be the firmware issue.