Both devices are on VLAN10, which has a scope of 10.0.0.0/22. All of our servers are on VLAN10 and have their default gateway set to the Nexus (10.0.0.1). All of the IP routes exist on the Nexus. We have about 20 different locations (each with its own subnet) that terminate on the Nexus either via fiber or hosted WAN. These connections are all Layer 3 routed.
The problem I am having is that I am getting about 7-12% packet loss when traffic comes from 10.0.0.0/22 and is destined for a remote Site-to-Site VPN that is behind the ASA. The Nexus has routes to all the remote sites. The packet loss can be seen in pings, SMB traffic, HTTP traffic, and SSL. Also, I am only able to get about 100 KB/sec through the VPN tunnel. However, from another location outside the datacenter (e.g. 10.1.0.0/23), I can transfer to the remote site with 20 Mbit throughput and 0 dropped packets. Therefore, the issue is that only VLAN10 traffic is slow to the remote sites. Would having the ASA's inside interface on the same network be causing the issue? I can't believe it is a VPN config problem, as I can get 20 Mbit through the tunnel from other IP scopes on the network. Any ideas... I am stumped.
If you issue the command show crypto ipsec sa, do you see approximately the same number of encrypted and decrypted packets?
Are there a large number of send and/or receive errors?
What MTU do you have configured for the ASA interfaces? Try setting the MTU to 1360.
Run a packet tracer with the source IP of a local server, the server subnet interface as the source interface, and the outside interface as the destination. It might be that the traffic is hitting the wrong NAT statement.
The MTU was set to 1500, so I changed to 1360 but it made no difference. Also did a packet tracer and all comes back good.
Would this have to do with proxy ARP by chance, since the ASA is on the same subnet as the servers? The servers' default gateway is the Nexus, but it seems that the servers could talk directly to the ASA via Layer 2. I wonder if the ARP entries are getting screwed up somehow. If I ping 3 different servers and the Nexus from a remote site, the Nexus never drops a packet, but all 3 servers will drop packets, at different times.
Turned off proxy ARP on the ASAs without success. I did some packet captures at remote sites and I am seeing TCP retransmissions and duplicate acknowledgements. I'm opening a Cisco TAC case as I've run out of ideas.
We were able to identify a scenario in VLAN 10 where the Nexus 7000 was forced to software-switch the traffic from devices that live on VLAN 10. This is because of the hairpinning that was occurring, which causes an ICMP redirect message to be generated. Please find the resource below that explains this scenario in greater detail:
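To make the root cause concrete, the following added example (not from the thread or from Cisco) models the Nexus forwarding decision for the two traffic sources discussed: a server on VLAN10 and a host at the 10.1.0.0/23 site, both sending to a VPN remote site behind the ASA. Only 10.0.0.0/22, the gateway 10.0.0.1 and 10.1.0.0/23 come from the thread; the ASA inside address 10.0.0.254, the WAN link 10.200.0.0/30 and the remote subnet 192.168.50.0/24 are constructed placeholders.

```python
import ipaddress

# Constructed Nexus L3 interfaces -> connected subnets (WAN link is assumed).
INTERFACES = {
    "Vlan10": ipaddress.ip_network("10.0.0.0/22"),
    "Ethernet1/1": ipaddress.ip_network("10.200.0.0/30"),  # routed WAN to 10.1.0.0/23
}
# Constructed routes: (prefix, next hop, egress interface). The VPN remote
# site is reached via the ASA inside address, which sits on Vlan10 itself.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/23"), ipaddress.ip_address("10.200.0.2"), "Ethernet1/1"),
    (ipaddress.ip_network("192.168.50.0/24"), ipaddress.ip_address("10.0.0.254"), "Vlan10"),
]

def egress_for(addr):
    """Longest-prefix match over connected subnets and static routes.
    Returns (next_hop or None for connected, interface) or (None, None)."""
    addr = ipaddress.ip_address(addr)
    candidates = [(net.prefixlen, None, name) for name, net in INTERFACES.items() if addr in net]
    candidates += [(net.prefixlen, nh, name) for net, nh, name in ROUTES if addr in net]
    if not candidates:
        return None, None
    _, next_hop, name = max(candidates, key=lambda c: c[0])
    return next_hop, name

def forwarding_decision(src, dst):
    """Classify how the Nexus forwards one packet. The ingress interface is
    the one the route back to the source points at. When egress equals
    ingress (a hairpin), the router generates an ICMP redirect and the
    packets are punted to the supervisor CPU instead of being forwarded in
    hardware; that rate-limited path is what showed up as 7-12% loss."""
    _, ingress = egress_for(src)
    next_hop, egress = egress_for(dst)
    hairpin = ingress is not None and ingress == egress
    return {
        "ingress": ingress,
        "egress": egress,
        "next_hop": str(next_hop) if next_hop else None,
        "icmp_redirect": hairpin,
        "path": "software (CPU punt, rate-limited)" if hairpin else "hardware",
    }

if __name__ == "__main__":
    for src in ("10.0.0.50", "10.1.0.20"):  # VLAN10 server vs. remote-site host
        print(src, "-> 192.168.50.10:", forwarding_decision(src, "192.168.50.10"))
```

The VLAN10 source hairpins through the Vlan10 SVI and is flagged for redirect, while the 10.1.0.0/23 source enters on Ethernet1/1 and stays on the hardware path, matching the asymmetry in the original report. Disabling redirect generation on the SVI (no ip redirects on NX-OS) is the usual way to keep such traffic hardware-forwarded.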