08-24-2012 04:52 PM
We currently have L2L using Cisco (2) ASA 5505's set up between our main office and new location. We have recently moved our DC from our 192.168.1.0 network to our 192.168.2.0 network. This server provides DHCP for the new location and DNS for both sites. We are currently experiencing a high percentage of dropped packets, close to 25%. When we try to ping the DC (192.168.2.10) from the .1.0 network we have a high percentage of dropped packets, but pinging an outside address (4.2.2.2) we have about 5% dropped packets. It seems that something is wrong with the VPN tunnel which is causing the dropped packets. This was first noticed because PCs are taking an extremely long time to authenticate to the domain and contact the DC for files.
Thanks ahead of time for any assistance. If more info is needed, just ask.
I may be missing something on the ASAs that could mean an easy fix, but I am unable to figure this out. The config is as follows:
Config for Site A (new site - w/ DC 192.168.2.0):
login as: admin
admin@*.*.*.* password:
Type help or '?' for a list of available commands.
LSCMainCar-asa> en
Password: **************
LSCMainCar-asa# sh conf
: Saved
!
ASA Version 8.2(5)
!
hostname LSCMainCar-asa
domain-name *.local
enable password VPIGZJE/slohtM0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 lsc-dc01
!
interface Ethernet0/0
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description LSC Internal Interface
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
description LSC External Interface
nameif outside
security-level 0
ip address *.*.*.* 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
domain-name *.local
access-list CarMain2Laf extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list CarMain2C extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
access-list LSC_sACL extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 lsc-dc01 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa_group2 protocol radius
aaa-server aaa_group2 (inside) host 192.168.1.10
key *
radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address CarMain2C
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer <*.*.*.*66>
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 match address CarMain2Laf
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer (*.*.*.*173)
crypto map outside_map 30 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password * encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 60 retry 10
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 60 retry 10
tunnel-group *.*.*.*66 type ipsec-l2l
tunnel-group *.*.*.*66 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 10
tunnel-group *.*.*.*173 type ipsec-l2l
tunnel-group *.*.*.*173 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c23927f0cd44c433db6d7ccec039d6ed
Config for Site B (old site - 192.168.1.0):
login as: admin
admin@*.*.*.*66 password:
Type help or '?' for a list of available commands.
lsc-asa> en
Password: **************
lsc-asa# sh conf
: Saved
!
ASA Version 8.2(1)
!
hostname lsc-asa
domain-name * .local
enable password VPIGZJE/slohtM0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 lsc-dc01
!
interface Vlan1
description LSC Internal Interface
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
description LSC External Interface
nameif outside
security-level 0
ip address *.*.*.*66 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name *.local
access-list C2LAF extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
access-list LSC_sACL extended permit ip 192.168.1.0 255.255.255.0 any
access-list CarMain2C extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list from_outside extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool LSCpool 192.168.5.175-192.168.5.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-642.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.*66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa_group2 protocol radius
aaa-server aaa_group2 (inside) host 192.168.1.10
key *
radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 101 set pfs group1
crypto dynamic-map outside_dyn_map 101 set transform-set myset
crypto map outside_map 20 match address C2LAF
crypto map outside_map 20 set peer *.*.*.*173
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 match address CarMain2C
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer *.*.*.*66
crypto map outside_map 30 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 60
telnet 192.168.1.0 255.255.255.0 inside
telnet *.*.*.*66 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname *@static.att.net
vpdn group pppoe_group ppp authentication pap
vpdn username *@static.att.net password *
dhcpd dns lsc-dc01
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns lsc-dc01 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy LSCvpn internal
group-policy LSCvpn attributes
dns-server value 192.168.2.10
vpn-idle-timeout none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LSC_sACL
default-domain value *.local
username admin password * encrypted privilege 15
tunnel-group LSCvpn type remote-access
tunnel-group LSCvpn general-attributes
address-pool LSCpool
authentication-server-group aaa_group2
default-group-policy LSCvpn
tunnel-group LSCvpn ipsec-attributes
pre-shared-key *
tunnel-group *.*.*.*173 type ipsec-l2l
tunnel-group *.*.*.*173 ipsec-attributes
pre-shared-key *
tunnel-group *.*.*.*216 type ipsec-l2l
tunnel-group *.*.*.*216 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group LSCvpn
!
class-map inspection_default
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
prompt hostname context
Cryptochecksum:9d508111536d875dda252f29bc8a49f1
08-25-2012 02:36 AM
Hi
Eth 0/0 on site A has speed set to 10. Site B not. Why is this? I would set them to 100 full on both sites.
Check show interfaces and check the speed and duplex settings; if an interface is running half duplex, check for drops and collisions.
When I set up the ASA here I saw the inside interface was running half duplex (it was set to auto and got to 100 Mb half duplex). So I configured the interfaces to run 100, full (both sides).
08-25-2012 06:27 AM
Thanks for the suggestion. I will make the change and return with an update. Thanks again.
08-25-2012 02:36 PM
Eth 0/0 is my outside interface and is set to 10MB b/c it is requested by the ISP for general setup. Unfortunately, after changing the duplex and speed on the outside interfaces to match for both ASAs, I am still dropping packets.
08-26-2012 10:25 PM
Ok.
Can you post the output of:
show crypto ipsec sa
show interfaces
08-27-2012 06:40 AM
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: *.*.*.* 173
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: *.*.*.*66
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A (outside)
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address d48c.b591.7a19, MTU not set
IP address unassigned
124057 packets input, 26347884 bytes, 0 no buffer
Received 2 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
31 switch ingress policy drops
180974 packets output, 221656234 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Site A (inside)
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address d48c.b591.7a1a, MTU not set
IP address unassigned
198294 packets input, 228260954 bytes, 0 no buffer
Received 485 broadcasts, 0 runts, 0 giants
1740 input errors, 1740 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
98 switch ingress policy drops
133448 packets output, 21915599 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Site B (outside)
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
Available but not configured via nameif
MAC address d0d0.fd70.bdbd, MTU not set
IP address unassigned
8702242 packets input, 9098904844 bytes, 0 no buffer
Received 358 broadcasts, 0 runts, 0 giants
33050 input errors, 33050 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
8563 switch ingress policy drops
6786259 packets output, 1156412413 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Site B (inside)
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Available but not configured via nameif
MAC address d0d0.fd70.bdbe, MTU not set
IP address unassigned
7305862 packets input, 1076925691 bytes, 0 no buffer
Received 205631 broadcasts, 0 runts, 0 giants
827 input errors, 827 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
25925 switch ingress policy drops
8794455 packets output, 8940093415 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
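The counters pasted above can be checked mechanically before blaming the tunnel. This is an added example, not part of the thread: it parses a constructed excerpt of the posted `show interfaces` output (counter values copied from the paste, layout trimmed) and flags interfaces whose input error rate, collision counters or negotiated duplex point at a cable, port or duplex problem, which is what the earlier reply suggested looking for.

```python
import re

# Constructed excerpt; the counters are copied from the thread's "show interfaces" paste.
SAMPLE = """Site B (outside)
Interface Ethernet0/0 "", is up, line protocol is up
Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
8702242 packets input, 9098904844 bytes, 0 no buffer
33050 input errors, 33050 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
Site B (inside)
Interface Ethernet0/1 "", is up, line protocol is up
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
7305862 packets input, 1076925691 bytes, 0 no buffer
827 input errors, 827 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
"""

# (regex, field names) pairs for the counter lines that matter for a Layer 1/2 diagnosis
FIELDS = [
    (r"^(\S+?)\((\S+?)\), (\d+) Mbps", ("duplex", "duplex_actual", "speed")),
    (r"^(\d+) packets input", ("in_pkts",)),
    (r"^(\d+) input errors, (\d+) CRC", ("in_errors", "crc")),
    (r"^(\d+) output errors, (\d+) collisions", ("out_errors", "collisions")),
    (r"^(\d+) late collisions", ("late_collisions",)),
]

def parse_interfaces(text):
    """Split ASA 'show interfaces' text into one dict of counters per interface."""
    ifaces, label, cur = [], "", None
    for line in text.splitlines():
        if re.match(r"^Site \w+ \(\w+\)$", line):      # site label the poster added
            label = line + " "
        elif (m := re.match(r'^Interface (\S+) "', line)):
            cur = {"name": label + m.group(1)}
            ifaces.append(cur)
        elif cur is not None:
            for pattern, names in FIELDS:
                if (m := re.match(pattern, line)):
                    for name, val in zip(names, m.groups()):
                        cur[name] = int(val) if val.isdigit() else val.lower()
    return ifaces

def error_pct(iface):
    """Input errors as a percentage of input packets (0.0 when nothing was received)."""
    return 100.0 * iface.get("in_errors", 0) / iface["in_pkts"] if iface.get("in_pkts") else 0.0

def assess(iface, max_error_pct=0.1):
    """Return findings that point at a cable/NIC/duplex problem rather than at the VPN."""
    findings = []
    if error_pct(iface) > max_error_pct:
        findings.append(f"{error_pct(iface):.2f}% input errors ({iface.get('crc', 0)} CRC): suspect cable, port or duplex mismatch")
    if iface.get("duplex") == "full-duplex" and (iface.get("collisions", 0) or iface.get("late_collisions", 0)):
        findings.append("collisions on a full-duplex link: duplex mismatch with the far end")
    if iface.get("duplex") == "half-duplex":
        findings.append("interface negotiated half duplex: pin speed/duplex on both ends")
    return findings

def report(text, max_error_pct=0.1):
    """Map each interface name to its list of findings (empty list means it looks clean)."""
    return {i["name"]: assess(i, max_error_pct) for i in parse_interfaces(text)}
```

On the posted numbers the Site B outside port shows roughly 0.38% CRC-errored input frames, which is the kind of Layer 1 loss that no crypto-map change will fix.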
08-28-2012 12:24 AM
Hi
Can you explain the following:
"When we try to ping the DC (192.168.2.10) from the .1.0 network we have a high percentage of drop packets"
I'm not sure I understand the following.
192.169.2.0 is the new network behind the inside interface of Site A, right?
Where is network 192.168.1.0? Is it behind the other site's (Site B) inside interface? Or does it not exist anymore?
I'm wondering about it because in the config of Site A,
- aaa-server aaa_group2 (inside) host 192.168.1.10 points to the inside. Is this correct?
I would expect this to be 192.168.2.10 now, but I'm not sure what your topology looks like.