Cisco ASA site to site

Posted on 2009-12-28
Last Modified: 2012-05-08
I have a site to site VPN set up but am experiencing dropouts. I will paste below some of the log entries from site 2. Keepalives are left as default.

Group =, IP =, Received DPD sequence number 0x210df0e3 in R_U_THERE_ACK, expected 0x210df0e4

Group =, IP =, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

IPSEC: An inbound LAN-to-LAN SA (SPI= 0xA78A69E8) between and (user= has been deleted.

IPSEC: An outbound LAN-to-LAN SA (SPI= 0xCDB659DA) between and has been deleted.

Group =, Username =, IP =, Session disconnected. Session Type: IPsec, Duration: 0h:00m:50s, Bytes xmt: 3818, Bytes rcv: 5045, Reason: Lost Service

One of the sites 79.x has a slow internet connection which I think may be to blame here. Any suggestions gratefully received.

Thanks. J.
Question by: jerryhatt

    Expert Comment

    Is the slow connection location experiencing bandwidth saturation?
    Do you have a QoS policy set up to prioritize resources/bandwidth for the VPN?
    What is your interface queuing policy: queue, or FIFO with packets being dropped when bandwidth usage is exceeded?

    Author Comment

    The connection at one end is an ADSL 4 meg connection. The other end is a 100meg leased line.
    The ADSL connection is used solely for the transfer between servers so there is no other traffic. I guess it could be saturation as it is only a narrow pipe.

    I have not set up IQP or FIFO so it would be default (Cisco ASA 5505 both ends).

    Accepted Solution

    Well, it seems as though it is a queuing setup, since one side received a delayed packet.
    What is the upstream on the ADSL? ADSL is often asynchronous, i.e. you could have 4meg down and 768k up.
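
Added example, not part of the thread or any poster's code: a small Python triage script that reads ASA log text in the format quoted in the question, measures how far each R_U_THERE_ACK sequence number lags the expected one, and flags the "late ACK, then DPD teardown, then short session" pattern the accepted answer points to. The function names, the 300-second "short session" threshold and the "at most 2 probes behind" cut-off are assumptions chosen for illustration.

```python
import re

# Log lines copied from the question above (peer names and IPs were already blank there).
SAMPLE_LOG = """\
Group =, IP =, Received DPD sequence number 0x210df0e3 in R_U_THERE_ACK, expected 0x210df0e4
Group =, IP =, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Group =, Username =, IP =, Session disconnected. Session Type: IPsec, Duration: 0h:00m:50s, Bytes xmt: 3818, Bytes rcv: 5045, Reason: Lost Service
"""

DPD_ACK = re.compile(r"Received DPD sequence number (0x[0-9a-fA-F]+) in R_U_THERE_ACK, expected (0x[0-9a-fA-F]+)")
DPD_DROP = re.compile(r"IKE lost contact with remote peer.*keepalive type: DPD")
SESSION = re.compile(r"Session disconnected\..*Duration: (\d+)h:(\d+)m:(\d+)s.*Reason: (.+?)\s*$")

def analyse(log_text, short_session_s=300):
    """Summarise DPD-related tunnel drops found in ASA log text."""
    report = {"stale_acks": [], "dpd_drops": 0, "short_sessions": []}
    for line in log_text.splitlines():
        m = DPD_ACK.search(line)
        if m:
            received, expected = int(m.group(1), 16), int(m.group(2), 16)
            # DPD sequence numbers are 32-bit, so mask to stay correct across wrap-around.
            behind = (expected - received) & 0xFFFFFFFF
            report["stale_acks"].append({"received": received, "expected": expected, "behind": behind})
            continue
        if DPD_DROP.search(line):
            report["dpd_drops"] += 1
            continue
        m = SESSION.search(line)
        if m:
            hours, minutes, seconds = (int(x) for x in m.group(1, 2, 3))
            duration = hours * 3600 + minutes * 60 + seconds
            if duration < short_session_s:  # assumed threshold for a "flapping" tunnel
                report["short_sessions"].append({"duration_s": duration, "reason": m.group(4)})
    return report

def late_ack_pattern(report):
    """True when ACKs arrive a probe or two late and DPD then tears the tunnel down."""
    late = any(0 < ack["behind"] <= 2 for ack in report["stale_acks"])
    return late and report["dpd_drops"] > 0

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result)
    print("late-ACK pattern:", late_ack_pattern(result))
```

An ACK that is one sequence number behind answers the previous probe, which fits a reply delayed in a queue rather than a peer that is down; run the script over a longer log export to see whether the drops cluster around transfer windows.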
