Connection to Cisco VPN intermittent

Posted on 2009-03-30
Last Modified: 2013-12-14

We have a Cisco VPN in our central office that's been working great for several years.  We've never had a problem with any of our remote clients being able to establish a connection to the VPN.  This includes home-based clients with slower connections like  DSL.

Recently we moved our office (and switched to a different ISP).  Since then, some (but not all) clients have been unable to connect to the VPN (the handshake never gets to the point of prompting for a userid/password).

Since certain clients are able to connect, I think we can assume that the VPN is working properly on the router side.  The clients that are having problems are the home-based ones with slower, DSL connections which makes me suspect this is some sort of latency issue.

Any suggestions or advice on what we might do?

Question by:icarus1806

Author Comment

ID: 24028387

A few more things I tried that didn't work:
- reduced MTU size (from 1300 to 576) on the client side
- disabled transparent tunneling on the client
- increased peer response timeout (from 90 to 480) on the client

Comments, advice, suggestions greatly appreciated!


Author Comment

ID: 24085336
Hi again,

Hmmm..I guess I've really stumped the experts on this one since no one responded to my question :-).

Out of desperation, I decided to roll up my sleeves, don my Experts hat and dive in to see if I could figure this one out.

First, I ruled out some obvious causes by disconnecting all other devices on our LAN as I thought maybe some device was spewing packets wantonly, clogging up the network.

That did not fix the problem so as a next step I enabled Netflow in the router so I could capture and analyze incoming packets and I also set up Wireshark on the client end of the connection so I could watch packets going out (a great program by the way :-)).

I should also mention that my original theory that slow (i.e. DSL-based) clients were the only problem was not correct, as further testing showed that those clients would sometimes work intermittently.

Anyway, after spending quite a lot of time watching packets flow over the wire, I concluded that the problem is on the router side, not with the client as I could see packets flowing over the wire during the initial handshake to establish the connection, but never arriving at the router.

These packets are UDP, so yes, there is no guarantee of safe delivery but what I was seeing was 100% packet loss; no packets were making it to the router, even after a number of retries.

Since the problem was intermittent, I concluded that it was either a) flakey hardware or b) related to bandwidth saturation, suggesting that the pipe that we get from our ISP must be near capacity (it's a T1 but I believe shared with other users).  Strangely, we had a similar arrangement with a shared T1 in our old office but we never had any problems with packet loss; however, we switched to a new ISP when we changed offices.

As a further check, I ran traceroutes from different clients to the router and also traced the route from a client to our old ISP.  The results of these tests show that the common leg is through the ISP or possibly 1 or 2 hops upstream.  However, those upstream hops are all major Internet switches so it's unlikely that they are the problem :-).

We are now working with our ISP to see if we can resolve the problem.  Worst case, we may need to switch to a different ISP if they cannot provide us with a reliable connection.  It's still not clear whether it's flakey hardware or a bandwidth problem, but in any case it's the ISP's to solve.

I'm leaving this question open until we have the problem fully resolved but that is the current update.  Perhaps this information will be useful to others.


Accepted Solution

icarus1806 earned 0 total points
ID: 24203036
Hi again,

Well we finally figured this one out.  The problem turned out to be a flakey router on our end that was intermittently dropping the incoming UDP packets from the clients.   Although Netflow was reporting that those packets were being dropped, a key insight was that Netflow was being provided by the router itself and therefore its results turned out to be suspect.  We arrived at this conclusion through a process of elimination after looking at the ISP's intake from the upstream provider and observing that the packets were indeed arriving safely.

The conclusion is, don't always trust Netflow to diagnose network problems.  If your router is flakey, Netflow results can also be just as flakey.

Anyway, we replaced the router and everything is back up and running now :-)
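As an added illustration of the process of elimination described in the two updates above (this is example code, not something from the original thread): the check compares which IKE handshake packets are seen at each observation point between the client and the VPN router, and flags the case where the only report of loss comes from the suspect router's own NetFlow. All addresses, ports and packet records are constructed sample data.

```python
# Added example (not from the original thread): a cross-vantage-point check that
# locates where IKE handshake packets (UDP/500, NAT-T UDP/4500) disappear and
# flags a vantage point that is self-reported by the suspect device, as NetFlow
# exported by the flaky router was in this thread. All addresses, ports and
# packet records below are constructed sample data.
IKE_PORTS = {500, 4500}
CLIENT, VPN_ROUTER = "198.51.100.7", "203.0.113.10"  # constructed RFC 5737 addresses

def pkt(ident, dport=500, proto="UDP"):
    """One captured packet: (src, dst, proto, dport, per-packet identifier)."""
    return (CLIENT, VPN_ROUTER, proto, dport, ident)

def ike_ids(records):
    """Identifiers of IKE/NAT-T packets seen at one vantage point."""
    return {ident for (_, dst, proto, dport, ident) in records
            if dst == VPN_ROUTER and proto == "UDP" and dport in IKE_PORTS}

def locate_loss(vantage_points):
    """vantage_points: list of (name, records, independent), ordered from the
    client toward the VPN router. independent=False marks telemetry produced
    by the device under suspicion (e.g. the router's own NetFlow).
    Returns ([(name, delivery_ratio)], verdict_string)."""
    sent = ike_ids(vantage_points[0][1])
    ratios = []
    for name, recs, _ in vantage_points:
        seen = ike_ids(recs) & sent
        ratios.append((name, round(len(seen) / len(sent), 2) if sent else 0.0))
    for i in range(1, len(vantage_points)):
        if ratios[i][1] < ratios[i - 1][1]:
            prev, (cur, _, independent) = ratios[i - 1][0], vantage_points[i]
            where = f"loss between {prev} and {cur}"
            if not independent:
                # The only evidence of loss comes from the suspect device itself:
                # corroborate with an independent upstream tap before blaming the path.
                return ratios, where + f"; {cur} is self-reported, suspect that device"
            return ratios, where
    return ratios, "no loss observed"

# Constructed sample: five ISAKMP retries leave the client and are seen by an
# independent tap at the ISP, but the router's NetFlow records none of them.
client_capture = [pkt(i) for i in range(1, 6)] + [pkt(99, dport=53)]  # DNS ignored
isp_tap = [pkt(i) for i in range(1, 6)]
router_netflow = [pkt(99, dport=53)]

def diagnose():
    return locate_loss([("client wireshark", client_capture, True),
                        ("isp upstream tap", isp_tap, True),
                        ("router netflow", router_netflow, False)])

if __name__ == "__main__":
    print(diagnose())
```

With only the client capture and the router's NetFlow available (the situation in the first update), the same check can only say that loss lies somewhere between the two; adding the ISP tap is what narrows it to the router.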
