We recently put a SA520 at a data center and a SA520W at an office and created an IPsec VPN tunnel between the two. We then added a configuration for remote users using the QuickVPN client (very unhappy, no 64-bit or Win 7 support).
Now that we've begun testing we've observed that as soon as anyone uses the VPN tunnel, the latency jumps from 12-16ms to 120-240ms and stays there for about 15-30 seconds.
Once we observed that, we started doing ping tests from the outside. For some reason both routers drop nearly all the ping requests and actually respond to about 1 in every 50 pings. I've ensured that all the firewall items are turned off, and the fact that it will respond every now and then tells me something is up.
I then tested using a VNC connection behind the device at the data center. The connection stays open until about 3-7 minutes in and the connection drops or hangs while it tries to refresh (dropped packets). I have no issues with any other routers or equipment on the same subnet, in the same rack. I'd blame one router being bad if it wasn't for the fact that I see the issue on both routers, at two different sites, on two different ISPs.
I've called the small business support line and they have no idea what to troubleshoot other than maybe changing the MTU settings. They've escalated the issue to a team in California but apparently escalation only means someone else will contact me within 48 hours (seriously?!?!?!).
As I'm at wits' end, that's why I'm trying all options such as posting here. Anyone else observed similar behaviour?
Glad to see that just got released today.
Any feedback or thoughts on the other issues I stated? If we have to wait 48 hours to begin escalation troubleshooting we might have to just return these and go with another vendor for our customer. Don't get me wrong, I love Cisco but I don't think this is much to ask of two simple VPN routers.
QuickVPN v 188.8.131.52
Support for Windows Vista and Windows 7 (32-bit and 64-bit) is available in this release.
Download Center (login required): http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=184.108.40.206&mdfid=282414013&sftType=Quick+Virtual+Private+Network+%28QVPN%29+Utility&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+RVS4000+4-port+Gigabit+Security+Router+-+VPN&treeMdf...
Check your PM. I would like you to send me the configurations that you have.
I am also interested in getting some more information about the topology, the amount of users on it, and how those users connect.
Hello, have you had any luck correcting this issue? I recently purchased two SA520Ws and set up a VPN between our two offices. I am having the exact same issues as you are and have spent hours on the phone with support, but we have yet to figure anything out. If you have a resolution please let me know, and if I get anywhere with their support, who is currently reviewing packet captures I sent them, I will do the same. Thanks!!
The folks at Cisco have confirmed this is a problem with the software on the routers. I won't go into details, but the only way to rectify it while they're working on a fix is to completely delete all VPN configuration and then punch holes in the firewall.
We had to do this for a new client we just put these in for. They are less than thrilled. If the firewall hole punching wasn't an option we would have had to return these. We still might and just go with the 881s.
Funny enough, it took 1 week for the escalation team to contact me after the basic techs didn't know what was happening. All the escalation team did was send me an email asking me to call them. This is even though I requested they call my cell ASAP. The process has been quite a letdown. I don't like feeling like my clients and I are beta testers.
Our record shows that this problem has been fixed in the 1.1.42 release.
The DDTS to track this problem was CSCtf58449 - SA520 to SA520W high VPN latency and packet drop.
Are you still seeing this problem with the latest firmware?