I have a very peculiar issue regarding two PIX515e's (7.0(6)) running a l2l config. Take the following diagram:
HostB runs an app that does large SQL queries against HostA. When there is a lot of traffic, the TCP connection eventually times out.
Through packet captures and 'show asp drop' on PixA and PixB, and much loss of hair, I have determined what is happening.
HostB sends a packet to HostA. HostA receives the packet, and transmits an ACK. For some reason I haven't discovered, PixB drops the ACK. HostB never receives the ACK, so it sends a TCP retransmission to HostA. Since PixA already saw the ACK for the initial packet, PixA drops the retransmission (and all subsequent retransmissions) from HostB with a 'TCP DUP and has been ACKed' counter increment in 'show asp drop'. This results in a deadlock condition in the TCP session, and it eventually times out.
Both networks are as secure as can be, and are deemed "trusted". Is there a way that I can disable the PIX's asp checks on any traffic over the l2l VPN?
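The deadlock described above, modelled as an added example that is not part of the original thread: the firewall model, host names and sequence numbers are constructed, and PixB's ACK loss is simulated with a flag because its cause was never found.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:
    src: str
    dst: str
    seq: int = 0                # first payload byte (data segments)
    length: int = 0             # payload bytes, 0 for a pure ACK
    ack: Optional[int] = None   # next byte expected (pure ACK segments)

class StatefulFirewall:
    """Constructed model of the inspection check the post describes: remember the
    highest ACK the receiver sent for a flow and drop data that is already ACKed."""
    def __init__(self, name: str, lose_acks: bool = False):
        self.name = name
        self.lose_acks = lose_acks   # stands in for PixB's unexplained ACK loss
        self.highest_ack = {}        # (data sender, data receiver) -> highest ACK seen
        self.drops = {}              # drop reason -> count, in the spirit of 'show asp drop'

    def _drop(self, reason: str) -> None:
        self.drops[reason] = self.drops.get(reason, 0) + 1

    def forward(self, seg: Optional[Segment]) -> Optional[Segment]:
        if seg is None:
            return None
        if seg.ack is not None:                        # pure ACK, receiver -> sender
            if self.lose_acks:
                self._drop("ack-lost (cause unknown)")
                return None
            flow = (seg.dst, seg.src)
            self.highest_ack[flow] = max(self.highest_ack.get(flow, 0), seg.ack)
            return seg
        if seg.seq + seg.length <= self.highest_ack.get((seg.src, seg.dst), 0):
            self._drop("tcp-dup-acked")                # 'TCP DUP and has been ACKed'
            return None
        return seg

def simulate(retransmissions: int = 3) -> dict:
    """Run the HostB -> HostA exchange and return what each side observed."""
    pix_a, pix_b = StatefulFirewall("PixA"), StatefulFirewall("PixB", lose_acks=True)
    def b_to_a(seg: Segment) -> Optional[Segment]:     # HostB -> PixB -> PixA -> HostA
        return pix_a.forward(pix_b.forward(seg))
    data = Segment("HostB", "HostA", seq=1000, length=1460)
    delivered = b_to_a(data) is not None               # first copy reaches HostA
    ack = Segment("HostA", "HostB", ack=data.seq + data.length)
    hostb_saw_ack = pix_b.forward(pix_a.forward(ack)) is not None   # PixA records it, PixB loses it
    redelivered = sum(b_to_a(data) is not None for _ in range(retransmissions))
    return {"data_delivered": delivered, "hostb_saw_ack": hostb_saw_ack,
            "retransmissions_delivered": redelivered,
            "pixa_drops": dict(pix_a.drops), "pixb_drops": dict(pix_b.drops)}
```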
Yes, HostA and HostB communicate fine. The problem actually affects any host behind PixA talking over the VPN to any host behind PixB. The problem only rears its head during TCP sessions with a lot of data passing back and forth - ssh traffic is fine.
PixB is very lightly loaded, but PixA might be under load, and that might explain some of the sporadic-ness of the problem. I will look into the CPU and # of connections on PixA and post back.
Talking to the group that admins PixA: "The CPU has only gone over 20% twice in the last 3 months and runs steady at 5-10%. Utilization for outside interface is under 5% on avg and inside is the same."
So I don't think it's overutilization that's causing the problem. If it was too many connections, we'd see that in syslog, wouldn't we?
Answering my own post, we updated the PixA to 7.0(6.4), and like magic, everything works. Not only does the app in question work, everything else over the VPN works *much* faster. Dunno exactly what they did in 6.4, but it made a huge difference for me!