Solved

Dropping Packets

Posted on 2009-05-18
737 Views
Last Modified: 2012-05-07
Topology:
We have 3 Cisco ASA 5520s connected to an HP ProCurve 2824, which is serving as our Internet switch. One of the ASAs is serving as the primary firewall, one is dedicated to hosting lan-2-lan tunnels, and the 3rd was installed simply for troubleshooting this particular issue.

Our colo is providing active/standby Internet in the form of VRRP -- we have 2 Cat5 cables plugging into our internet switch. The VRRP and outside IPs on our ASAs are all within the same subnet.

The Problem:
The VPN and test ASAs are intermittently dropping packets -- they will be fine for 5-10 minutes, then will sometimes drop as much as 30-50% of packets for a period of 30 seconds to several minutes. Often, but not always, the two ASAs will drop packets simultaneously. The other ASA (primary firewall, hosting 95% of the traffic) never drops *ANY* packets!!

The drops are occurring not only for traffic passing through the ASAs, but also for pings initiated directly from the ASA, so I think it safe to assume that it is not a configuration issue -- I have gone so far as to back out all of the config except for what is necessary to test connectivity. And yes, *ALL* devices on both sides are hard-set to 100/Full.

Other Troubleshooting I've done:
1) Replaced all the cables
2) Tried different ports on the internet switch
3) Confirmed no errors of any sort on either the switch or the firewalls
4) Changed the default gateway on the VPN ASA to the standby internet router instead of the VRRP IP... this seems to cure the problem! The "test" ASA, still pointing at the VRRP, is still dropping packets! However, the primary firewall ASA is also pointed at the VRRP and is *NOT* dropping packets?

I'm at a loss... the datacenter thinks it's our ProCurve... they've claimed multiple customers have random packet loss when using ProCurves as Internet switches... The datacenter is terminating the Internet feeds they hand us on Foundry.
Question by:j4llen

6 Comments
LVL 32

Expert Comment

by:harbor235
ID: 24414740
What do the routing tables on the ASAs in question look like? Can you post them?

harbor235 ;}
0
 

Author Comment

by:j4llen
ID: 24414850
All 3 *had* a default route pointing to the VRRP IP when the problem was occurring, but only 2 of them experience packet loss. If I change the default route on those 2 to either the active or standby router physical IP, there is no packet loss.

0
 
LVL 32

Expert Comment

by:harbor235
ID: 24415688


Perhaps there is a problem with the devices in the VRRP group? Configuration issues can cause them both to go active/active and fight for control, which causes you problems.

harbor235 ;}
0

Author Comment

by:j4llen
ID: 24415707
1) Why is the primary firewall not also affected?
2) How to convince the colo that their equipment is the issue?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 24415772


Are they all connected to the same switch? What happens is that an ARP war ensues; it depends at that moment which device has control of the VIP. I am not sure it's your problem, but it is a potential problem. Like all troubleshooting, someone needs to verify the configuration and start troubleshooting layer 2 and layer 3. I need to know more about the physical setup and how things are configured.

harbor235 ;}
0
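One way to check the ARP-war hypothesis raised in the comment above is to watch who answers ARP for the gateway VIP on the internet switch: a healthy VRRP group answers with the virtual MAC (00:00:5E:00:01:VRID) and the MAC does not change except at failover, while an active/active fight shows the VIP alternating between two MACs within seconds. The script below is an added example, not from this thread; the ARP replies, IPs and MACs are constructed placeholders standing in for what you would extract from a capture on the switch's uplink ports.

```python
"""Detect an ARP 'war' on a gateway virtual IP from a list of ARP replies.

Added example (not from the thread). Input is a constructed list of ARP
replies such as you would pull from a capture on the internet switch; the
IPs and MACs below are placeholders (RFC 5737 documentation addresses).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float   # seconds since start of capture
    ip: str    # sender protocol address: the IP this reply claims
    mac: str   # sender hardware address: the MAC claiming it


# RFC 5798: a VRRP virtual router answers ARP for the VIP with 00-00-5E-00-01-{VRID}
VRRP_MAC_PREFIX = "00:00:5e:00:01:"


def is_vrrp_virtual_mac(mac: str) -> bool:
    return mac.lower().startswith(VRRP_MAC_PREFIX)


def mac_changes(replies):
    """Return {ip: [(t, old_mac, new_mac), ...]} for every IP whose claiming
    MAC changed between consecutive replies (in time order)."""
    by_ip = defaultdict(list)
    for r in sorted(replies, key=lambda r: r.t):
        by_ip[r.ip].append(r)
    changes = {}
    for ip, rs in by_ip.items():
        events = []
        for prev, cur in zip(rs, rs[1:]):
            if prev.mac.lower() != cur.mac.lower():
                events.append((cur.t, prev.mac, cur.mac))
        if events:
            changes[ip] = events
    return changes


def find_arp_wars(replies, window_s=60.0, min_changes=2):
    """An IP is flapping if at least `min_changes` MAC changes fall inside
    any `window_s`-second window. A single change (one failover) is normal;
    repeated alternation between two MACs is the active/active symptom."""
    wars = {}
    for ip, events in mac_changes(replies).items():
        times = [t for t, _, _ in events]
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window_s:
                j += 1
            if j - i >= min_changes:
                wars[ip] = events
                break
    return wars


def report(replies):
    """Human-readable finding per flapping IP, noting when no VRRP virtual
    MAC was ever seen for it (routers answering with their physical MACs)."""
    lines = []
    for ip, events in sorted(find_arp_wars(replies).items()):
        macs = sorted({m for _, _, m in events} | {events[0][1]})
        note = ("" if any(is_vrrp_virtual_mac(m) for m in macs)
                else " (no VRRP virtual MAC seen: routers answering with physical MACs?)")
        lines.append(f"{ip}: {len(events)} MAC changes between {', '.join(macs)}{note}")
    return lines


# Constructed sample: the VIP 203.0.113.1 is claimed alternately by two
# routers' physical MACs; a host and a healthy VRRP VIP are stable.
SAMPLE = [
    ArpReply(0.0,   "203.0.113.1",  "00:11:22:aa:aa:aa"),
    ArpReply(12.0,  "203.0.113.1",  "00:11:22:bb:bb:bb"),
    ArpReply(25.0,  "203.0.113.1",  "00:11:22:aa:aa:aa"),
    ArpReply(40.0,  "203.0.113.1",  "00:11:22:bb:bb:bb"),
    ArpReply(3.0,   "203.0.113.10", "00:11:22:cc:cc:cc"),
    ArpReply(30.0,  "203.0.113.10", "00:11:22:cc:cc:cc"),
    ArpReply(5.0,   "203.0.113.20", "00:00:5e:00:01:05"),
    ArpReply(500.0, "203.0.113.20", "00:00:5e:00:01:05"),
]

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

On the thread's topology, a capture mirrored from the two colo uplink ports would give the input; if the VIP's MAC flaps while the primary firewall's traffic is unaffected, the primary may simply hold a stale but working ARP entry, which would fit the "why only two of three ASAs" question.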
 

Accepted Solution

by:j4llen (earned 0 total points)
ID: 26402524
I *believe* the problem was that the dynamic crypto map had a higher priority (lower sequence number) than the static crypto maps.  As a result, the ASA was sometimes getting confused when a lan-to-lan VPN was coming in.
0
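The ordering problem described in the accepted answer is easy to miss by eye in a long crypto map set, so here is an added example (not the thread's configuration) of a small linter for it. Cisco's guidance is that the dynamic crypto map entry should carry the highest sequence number in the set, because the ASA evaluates entries in ascending sequence order and a dynamic entry has no fixed peer, so a low-numbered dynamic entry can catch a lan-to-lan negotiation before the peer's own static entry is considered. Map, ACL, peer and transform-set names below are constructed placeholders, and the command syntax is the pre-8.4 ASA form (`set transform-set`).

```python
"""Lint a Cisco ASA crypto map set for a dynamic entry that has a lower
sequence number (higher priority) than static lan-to-lan entries.

Added example, not the thread's config. Names, peers and transform sets are
constructed placeholders; the syntax is the pre-8.4 ASA form.
"""
import re

# 'crypto map <name> <seq> <rest>'; 'crypto map X interface outside' does not match
MAP_LINE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config_text):
    """Return {map_name: {seq: entry}} where entry has keys
    'dynamic' (dynamic-map name or None), 'peers' (list) and 'acl'."""
    maps = {}
    for raw in config_text.splitlines():
        m = MAP_LINE.match(raw.strip())
        if not m:
            continue  # other commands, comments, the interface binding
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"dynamic": None, "peers": [], "acl": None})
        if rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
        elif rest[:2] == ["match", "address"]:
            entry["acl"] = rest[2]
    return maps


def lint_order(maps):
    """One finding per map whose dynamic entry precedes any static entry."""
    findings = []
    for name, entries in maps.items():
        dyn = [s for s, e in entries.items() if e["dynamic"]]
        static = [s for s, e in entries.items() if not e["dynamic"]]
        if dyn and static and min(dyn) < max(static):
            findings.append(
                f"{name}: dynamic entry seq {min(dyn)} precedes static entry seq "
                f"{max(static)}; renumber the dynamic entry above {max(static)}")
    return findings


def renumbered(config_text, new_dynamic_seq=65535):
    """Rewrite the config so every dynamic entry is moved to `new_dynamic_seq`
    (the highest allowed sequence number), leaving static entries untouched."""
    maps = parse_crypto_maps(config_text)
    dyn = {(n, s) for n, es in maps.items() for s, e in es.items() if e["dynamic"]}
    out = []
    for raw in config_text.splitlines():
        m = MAP_LINE.match(raw.strip())
        if m and (m.group(1), int(m.group(2))) in dyn:
            out.append(f"crypto map {m.group(1)} {new_dynamic_seq} {m.group(3)}")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed 'before' config shaped like the accepted answer's description:
# the dynamic entry sits at seq 10, ahead of two static lan-to-lan entries.
BAD = """\
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP 20 match address L2L_SITE_A
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 30 match address L2L_SITE_B
crypto map OUTSIDE_MAP 30 set peer 198.51.100.9
crypto map OUTSIDE_MAP 30 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
"""

if __name__ == "__main__":
    for finding in lint_order(parse_crypto_maps(BAD)):
        print("FINDING:", finding)
    print("--- corrected ---")
    print(renumbered(BAD))
```

Run against a `show running-config crypto map` dump, the linter reports the offending map and the corrected text shows the dynamic entry moved to seq 65535 while the static entries keep their numbers and peers.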