Urgent - Site to Site VPN - sequence of reply and timed out

cabarrushealth
Level 1

We have a Site to Site VPN with another company that hosts an application server. If I set up a ping -r from my Windows computer to their server, I will receive about 150 successful ping replies, then 13 "request timed out", and this repeats endlessly. We have both triple-checked our settings and are not aware of any changes that were made at either end.

Any help in troubleshooting would be greatly appreciated.

Thanks

We have an ASA5505 and they have a Palo Alto product.

8 Replies

Jennifer Halim
Cisco Employee

Could there be any IPS/threat detection or any other features/devices that might think it is an attack and temporarily block the ping? If it is repetitive at exactly 150 successes and 13 timeouts, it might be something that is blocking it temporarily.
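To tell a fixed-interval block (threat detection, a shun, an SA rekey) from random loss, the thing to measure is the wall-clock period between outages, not the reply count. Windows ping prints no timestamps and waits several seconds for each lost request, so "13 timeouts" is not 13 seconds. The script below is an added example, not code from the thread: it wraps the local ping command, timestamps every line itself, collapses the output into alternating reply/loss runs, and reports run lengths, outage durations and the mean period between outages. The Windows and Linux output patterns it matches and the constructed sample that mimics the poster's 150/13 pattern are assumptions made for this example.

```python
import re
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed output formats: Windows "Reply from ..." / "Request timed out."
# and Linux "64 bytes from ..." / "no answer yet" (ping -O).
REPLY_RE = re.compile(r"^(Reply from|\d+ bytes from)")
LOSS_RE = re.compile(r"^(Request timed out|no answer yet|Destination host unreachable)")


def classify(line: str) -> Optional[bool]:
    """True for a reply line, False for a loss line, None for banner/summary lines."""
    s = line.strip()
    if REPLY_RE.match(s):
        return True
    if LOSS_RE.match(s):
        return False
    return None


@dataclass
class Run:
    ok: bool          # True = replies, False = losses
    count: int        # number of consecutive samples in this run
    start: float      # timestamp of the first sample in the run
    end: float        # timestamp of the last sample in the run


def runs_from_samples(samples: List[Tuple[float, bool]]) -> List[Run]:
    """Collapse (timestamp, ok) samples into alternating reply/loss runs."""
    runs: List[Run] = []
    for ts, ok in samples:
        if runs and runs[-1].ok == ok:
            runs[-1].count += 1
            runs[-1].end = ts
        else:
            runs.append(Run(ok, 1, ts, ts))
    return runs


def outage_period(runs: List[Run]) -> Optional[float]:
    """Mean seconds between the starts of consecutive loss runs (None if < 2 outages).
    A stable value points at a timer (rekey, shun duration, rate-interval); jitter points at congestion."""
    starts = [r.start for r in runs if not r.ok]
    if len(starts) < 2:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    return sum(gaps) / len(gaps)


def summarize(runs: List[Run]) -> dict:
    """Run lengths, outage durations (first to last lost probe) and the outage period."""
    return {
        "reply_runs": [r.count for r in runs if r.ok],
        "loss_runs": [r.count for r in runs if not r.ok],
        "loss_durations_s": [r.end - r.start for r in runs if not r.ok],
        "period_s": outage_period(runs),
    }


def constructed_samples(cycles=2, ok_n=150, lost_n=13, reply_gap=1.0, timeout_gap=4.0):
    """Constructed data (not a real capture) shaped like the poster's pattern:
    replies roughly 1 s apart, each lost probe costing a 4 s wait."""
    samples, t = [], 0.0
    for _ in range(cycles):
        for _ in range(ok_n):
            samples.append((t, True)); t += reply_gap
        for _ in range(lost_n):
            samples.append((t, False)); t += timeout_gap
    return samples


def monitor(target: str) -> List[Tuple[float, bool]]:
    """Run a continuous ping, timestamp each probe locally, and print every reply/loss
    transition with wall-clock time so it can be matched against the firewall's log."""
    cmd = ["ping", "-t", target] if sys.platform.startswith("win") else ["ping", "-O", target]
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True, bufsize=1)
    samples: List[Tuple[float, bool]] = []
    last = None
    try:
        for line in proc.stdout:
            ok = classify(line)
            if ok is None:
                continue
            now = time.time()
            samples.append((now, ok))
            if ok != last:
                print(time.strftime("%H:%M:%S", time.localtime(now)),
                      "replies resumed" if ok else "LOSS started")
                last = ok
    except KeyboardInterrupt:
        proc.terminate()
    return samples


if __name__ == "__main__":
    data = monitor(sys.argv[1]) if len(sys.argv) > 1 else constructed_samples()
    print(summarize(runs_from_samples(data)))
```

Run it against the remote host and leave it until a few outages have been recorded; then compare `period_s` and the printed transition times with the ASA log and `show crypto ipsec sa` lifetimes, and with any rate-interval or shun duration configured on either firewall. If the period drifts from cycle to cycle, the cause is more likely queueing or an ISP-side policer than a timer.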

mikull.kiznozki
Level 1

I agree with Jen. It might be the IPS at your end.

Try disabling ICMP inspect on your ASA and try the ping (on the VPN tunnel, if you have no filters/restrictions, all traffic should flow seamlessly).

Do you have any other tunnel from your ASA to a different peer? Do you notice similar results?

Thanks for the two replies. Our ASA5505 does have an IPS module,

ASA 5500 Series AIP Security Services Card-5 (ASA-SSC-AIP-5), but I have turned it off. This peer has two subnets and we have the issue pinging hosts in both subnets. The main issue is that when we are connected to the application on their end we get disconnected after two minutes; the ping I am using is a test which validates that we are having packet loss.

debug crypto isakmp 255 and debug crypto ipsec 255 show no issues, and in ASDM when I select Monitoring > Logging, debug level, and view, I don't see anything specific blocking traffic when the pings time out.

Any other ideas/suggestions appreciated!

Thanks

What application is it, and what protocol and port does it use?

It's a finance application called Munis by a company called tylerworks, and it uses port 6400. I am sure that if the ping just continued uninterrupted the application would be fine. I just need to see what is causing that interruption.

From my continued research I'm hoping it is a traffic shaping issue with one of our ISPs, but I am not sure if others might have seen this before from their ISP?

Policing is done only to shape the bandwidth at ISPs.

I would check the device at the remote end to see whether it has reached its threshold and its queues are full.

It could possibly be this bug as well:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd36473

What version of ASA are you running?
