5812 Views, 0 Helpful, 6 Replies
Many dropped packets between 2 ASA 5505's - Site 2 Site VPN tunnel

Irontman72 (Level 1)

We currently have an L2L VPN set up using two Cisco ASA 5505s between our main office and the new location. We have recently moved our DC from our 192.168.1.0 network to our 192.168.2.0 network. This server provides DHCP for the new location and DNS for both sites. We are currently experiencing a high percentage of dropped packets, close to 25%. When we try to ping the DC (192.168.2.10) from the .1.0 network we have a high percentage of dropped packets, but pinging an outside address (4.2.2.2) we have about 5% dropped packets. It seems that something is wrong with the VPN tunnel which is causing the dropped packets. This was first noticed because PCs are taking an extremely long time to authenticate to the domain and contact the DC for files.

Thanks ahead of time for any assistance. If more info is needed, just ask.

I may be missing something on the ASAs that could mean an easy fix, but I am unable to figure this out. The config is as follows:

Config for Site A (new site - w/ DC 192.168.2.0):

login as: admin
admin@*.*.*.* password:
Type help or '?' for a list of available commands.
LSCMainCar-asa> en
Password: **************
LSCMainCar-asa# sh conf
: Saved
!
ASA Version 8.2(5)
!
hostname LSCMainCar-asa
domain-name *.local
enable password VPIGZJE/slohtM0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 lsc-dc01
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description LSC Internal Interface
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 description LSC External Interface
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name *.local
access-list CarMain2Laf extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list CarMain2C extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
access-list LSC_sACL extended permit ip 192.168.2.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 lsc-dc01 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa_group2 protocol radius
aaa-server aaa_group2 (inside) host 192.168.1.10
 key *
 radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address CarMain2C
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer *.*.*.*66
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 match address CarMain2Laf
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer *.*.*.*173
crypto map outside_map 30 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password * encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group *.*.*.*66 type ipsec-l2l
tunnel-group *.*.*.*66 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 10
tunnel-group *.*.*.*173 type ipsec-l2l
tunnel-group *.*.*.*173 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c23927f0cd44c433db6d7ccec039d6ed

Config for Site B (old site - 192.168.1.0):

login as: admin
admin@*.*.*.*66 password:
Type help or '?' for a list of available commands.
lsc-asa> en
Password: **************
lsc-asa# sh conf
: Saved
!
ASA Version 8.2(1)
!
hostname lsc-asa
domain-name *.local
enable password VPIGZJE/slohtM0G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.10 lsc-dc01
!
interface Vlan1
 description LSC Internal Interface
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 description LSC External Interface
 nameif outside
 security-level 0
 ip address *.*.*.*66 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name *.local
access-list C2LAF extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_in extended permit tcp any any eq 3389
access-list LSC_sACL extended permit ip 192.168.1.0 255.255.255.0 any
access-list CarMain2C extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list from_outside extended permit icmp any any echo
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool LSCpool 192.168.5.175-192.168.5.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-642.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.*66 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server aaa_group2 protocol radius
aaa-server aaa_group2 (inside) host 192.168.1.10
 key *
 radius-common-pw *
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 101 set pfs group1
crypto dynamic-map outside_dyn_map 101 set transform-set myset
crypto map outside_map 20 match address C2LAF
crypto map outside_map 20 set peer *.*.*.*173
crypto map outside_map 20 set transform-set myset
crypto map outside_map 30 match address CarMain2C
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer *.*.*.*66
crypto map outside_map 30 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
telnet 192.168.1.0 255.255.255.0 inside
telnet *.*.*.*66 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname *@static.att.net
vpdn group pppoe_group ppp authentication pap
vpdn username *@static.att.net password *
dhcpd dns lsc-dc01
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns lsc-dc01 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy LSCvpn internal
group-policy LSCvpn attributes
 dns-server value 192.168.2.10
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LSC_sACL
 default-domain value *.local
username admin password * encrypted privilege 15
tunnel-group LSCvpn type remote-access
tunnel-group LSCvpn general-attributes
 address-pool LSCpool
 authentication-server-group aaa_group2
 default-group-policy LSCvpn
tunnel-group LSCvpn ipsec-attributes
 pre-shared-key *
tunnel-group *.*.*.*173 type ipsec-l2l
tunnel-group *.*.*.*173 ipsec-attributes
 pre-shared-key *
tunnel-group *.*.*.*216 type ipsec-l2l
tunnel-group *.*.*.*216 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group LSCvpn
!
class-map inspection_default
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
prompt hostname context
Cryptochecksum:9d508111536d875dda252f29bc8a49f1

6 Replies

Ton V Engelen (Level 3)

Hi

Eth 0/0 on Site A has speed set to 10. Site B does not. Why is this? I would set them to 100 full on both sites.

Check show interfaces and check the speed and duplex settings; if an interface is running half duplex, check for drops and collisions.

When I set up the ASA here I saw the inside interface was running half duplex (it was set to auto and got to 100 Mb half duplex). So I configured the interfaces to run 100, full (both sides).

Thanks for the suggestion. I will make the change and return with an update. Thanks again.

Irontman72 (Level 1)

Eth 0/0 is my outside interface and is set to 10 Mb because it is requested by the ISP for general setup. Unfortunately, after changing the duplex and speed on the outside interfaces to match for both ASAs, I am still dropping packets.

Ok.

Can you post the output of:

show crypto ipsec sa

show interfaces

Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: *.*.*.*173
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: *.*.*.*66
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Site A (outside)

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address d48c.b591.7a19, MTU not set
        IP address unassigned
        124057 packets input, 26347884 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        31 switch ingress policy drops
        180974 packets output, 221656234 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops

Site A (inside)

Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address d48c.b591.7a1a, MTU not set
        IP address unassigned
        198294 packets input, 228260954 bytes, 0 no buffer
        Received 485 broadcasts, 0 runts, 0 giants
        1740 input errors, 1740 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        98 switch ingress policy drops
        133448 packets output, 21915599 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops

Site B (outside)

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        Available but not configured via nameif
        MAC address d0d0.fd70.bdbd, MTU not set
        IP address unassigned
        8702242 packets input, 9098904844 bytes, 0 no buffer
        Received 358 broadcasts, 0 runts, 0 giants
        33050 input errors, 33050 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        8563 switch ingress policy drops
        6786259 packets output, 1156412413 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops

Site B (inside)

Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Available but not configured via nameif
        MAC address d0d0.fd70.bdbe, MTU not set
        IP address unassigned
        7305862 packets input, 1076925691 bytes, 0 no buffer
        Received 205631 broadcasts, 0 runts, 0 giants
        827 input errors, 827 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        25925 switch ingress policy drops
        8794455 packets output, 8940093415 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
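An added example, not part of the thread, that applies the check suggested earlier (speed/duplex, collisions, errors) to ASA 5505 "show interface" output: it parses each interface block into counters and flags half duplex, collisions and a CRC-to-input-packet ratio above a threshold. The sample text is constructed, modelled on the counters posted above, and the 0.1% CRC threshold is an assumption.

```python
import re

# Constructed sample modelled on the posted counters (not the real output).
SAMPLE = """Interface Ethernet0/1 "", is up, line protocol is up
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        198294 packets input, 228260954 bytes, 0 no buffer
        1740 input errors, 1740 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 output errors, 0 collisions, 0 interface resets
Interface Ethernet0/0 "", is up, line protocol is up
        Half-Duplex(Half-duplex), 100 Mbps(100 Mbps)
        124057 packets input, 26347884 bytes, 0 no buffer
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        2 output errors, 37 collisions, 0 interface resets
"""

# Counter lines of interest: a regex and the keys its groups fill.
PATTERNS = [
    (re.compile(r"(Full|Half)-Duplex\([^)]*\), (\d+) Mbps"), ("duplex", "speed")),
    (re.compile(r"(\d+) packets input"), ("pkts_in",)),
    (re.compile(r"(\d+) input errors, (\d+) CRC"), ("input_errors", "crc")),
    (re.compile(r"(\d+) output errors, (\d+) collisions"), ("output_errors", "collisions")),
]

def parse_show_interface(text):
    """Return one dict of counters per 'Interface ...' block of show interface output."""
    ifaces, cur = [], None
    for line in text.splitlines():
        head = re.match(r"Interface (\S+) ", line)
        if head:
            cur = {"name": head.group(1)}
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        for rx, keys in PATTERNS:
            m = rx.search(line)
            if m:
                for key, val in zip(keys, m.groups()):
                    cur[key] = val.lower() if key == "duplex" else int(val)
    return ifaces

def diagnose(iface, crc_ratio=0.001):
    """Flag layer-1/2 symptoms: half duplex, collisions, CRC errors above crc_ratio."""
    findings = []
    if iface.get("duplex") == "half":
        findings.append("running half duplex: check for a speed/duplex mismatch with the peer")
    if iface.get("collisions", 0):
        findings.append(f"{iface['collisions']} collisions: consistent with a duplex mismatch")
    crc, pkts = iface.get("crc", 0), iface.get("pkts_in", 0)
    if pkts and crc / pkts >= crc_ratio:
        findings.append(f"CRC errors on {crc / pkts:.2%} of input packets: check cable/port")
    return findings
```

Run over the real dump, the Site A inside and Site B outside blocks above would both be flagged on CRC errors, which points at cabling or the switch port rather than at the IPsec tunnel itself.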




Hi

Can you explain the following:

"When we try to ping the DC (192.168.2.10) from the .1.0 network we have a high percentage of drop packets"

I'm not sure I understand the following.

192.169.2.0 is the new network behind the inside interface of Site A, right?

Where is network 192.168.1.0? Is it behind the other site's (Site B) inside interface? Or does it not exist anymore?

I'm wondering about it because in the config of Site A,

- aaa-server aaa_group2 (inside) host 192.168.1.10 points to the inside. Is this correct?

I would expect this to be 192.168.2.10 now, but I'm not sure what your topology looks like.
