Cisco ASA 5505 VPN Tunnels

level9tech
I have 4 remote sites that are connected to a central site via VPN tunnels.  I installed one Cisco ASA 5505 at a remote site to improve reliability.  The central site was also using a Linksys until yesterday.  Adding these Cisco devices was done due to complaints about unreliable connections to a terminal server.

All remote sites and the central site use either cable or DSL for their internet connections.

I am still having trouble with tunnels failing at the remote sites.  Would this Cisco device use any more bandwidth than Linksys devices?  I would not imagine so as the protocols are the same.

Is there anything we can change to improve or optimize the VPN tunnels to be more reliable?  Is it common for VPN tunnels to drop on a regular basis using DSL and cable?
Top Expert 2010

Commented:
How often are they dropping? Tunnels dropping for no real reason can be a lot of different things. Almost like trying to diagnose a BSOD in Windows. But here are some things you can check:

#1 - make sure the rekey times are the same on all units
Top Expert 2010

Commented:
-- sorry, clicked submit before I finished --

#2 - make sure the kb times are the same on all units
#3 - check for any errors in the syslog (turn on informational in the Cisco logging for more detailed info).
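
One way to carry out checks #1 and #2 above, as an added example that is not part of the original thread: a Python script that pulls the time-based and kilobyte-based rekey lifetimes out of each unit's ASA running-config and reports any setting that differs between units. The config excerpts and site names are constructed, and it assumes ASA-style `crypto ... lifetime` lines, so values from non-ASA peers would have to be compared by hand.

```python
import re

# Constructed running-config excerpts (not from the thread); site names are hypothetical.
CONFIGS = {
    "central": """
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 encryption 3des
 lifetime 86400
""",
    "remote1": """
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 encryption 3des
 lifetime 86400
""",
}

# Rekey-related lines; the policy keyword is "isakmp" or "ikev1" depending on ASA release.
_IPSEC = r"^crypto ipsec security-association lifetime "
PATTERNS = {
    "ipsec_seconds": re.compile(_IPSEC + r"seconds (\d+)", re.M),
    "ipsec_kilobytes": re.compile(_IPSEC + r"kilobytes (\d+)", re.M),
    "ike_seconds": re.compile(
        r"^crypto (?:isakmp|ikev1) policy \d+\n(?:[ \t]+.*\n)*?[ \t]+lifetime (\d+)", re.M),
}

def lifetimes(config):
    """Return the rekey settings found in one unit's config (None if the line is absent)."""
    found = {}
    for name, pattern in PATTERNS.items():
        match = pattern.search(config)
        found[name] = int(match.group(1)) if match else None
    return found

def mismatches(configs):
    """Map each setting whose value differs between units to {unit: value}."""
    per_unit = {unit: lifetimes(text) for unit, text in configs.items()}
    diffs = {}
    for name in PATTERNS:
        values = {unit: settings[name] for unit, settings in per_unit.items()}
        if len(set(values.values())) > 1:
            diffs[name] = values
    return diffs

if __name__ == "__main__":
    for setting, values in mismatches(CONFIGS).items():
        print(f"MISMATCH {setting}: {values}")
```

A setting reported as `None` for one unit only means the line is not in the excerpt that was supplied, so confirm the value in effect on that unit before changing anything.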

Commented:
If you are able, monitor the outside interface of the ASA to see if it is an issue with the ISP as well.

Commented:
Ran into the same type of issue with one ISP; the tunnel kept dropping, and it was a bad modem from the ISP.

Author

Commented:
I am just a bit concerned that this new ASA may actually be contributing to Internet problems.  We actually found a router that was locked up today and all I can think is that some packets from the Cisco locked it up.  It is just ironic because when I installed the first remote Cisco device it locked up the central Linksys device when I was changing some configuration settings.
Top Expert 2010

Commented:
I'm not saying that it's not possible, it just doesn't seem probable.  

Now if you do suspect there is an issue with your devices, check the version of the ASA code you are running, then hit up the Cisco TAC and ask for any known issues related to that version that match the problem you are having. If you are running older code, you should consider updating to the latest stable release, which TAC can provide.

As a side note, I've used ASA5510 and 5520 with Linksys routers for site to site VPNs and aside from some minor issues, they have proven stable over time.

As far as the devices locking up, I would begin with the log files if any.   Linksys doesn't provide great logs, but they are there.  
