Packet loss over IPSEC Tunnel

grantb7 used Ask the Experts™
Hi Experts,

I have a VPN tunnel connected from a Cisco 871 back to the office connecting to a Juniper SSG550.  The tunnel is used for both data and VOIP.  I have noticed that every minute there is a significant amount (possibly 100%) of packet loss for 2-3 seconds.  This is most obvious when I am on my Cisco VOIP phone, as when the packet loss starts occurring, the call goes garbled for a couple of seconds.f

I have connected a network analyzer and noticed that there are several SPI packets that are being sent/received every one minute which is coinciding with the brief outage.

Any ideas?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Have you checked to make sure your phase 2 parameters for key re-negotiation are matching between both sides of the tunnel and that you are not bumping into a scenario wher the SPI index's are changing every minute for each side of the tunnel?

From the Cisco side you should be able to determine these paramters using the command show crypto ipsec security-association lifetime and it will provide you the amount of data or time before the SPI items are re-negotiated between the peers.


The Cisco device shows: 4608000 kilobytes/3600 seconds.   It is unlikely that we would be exceeding the data threshold every minute.

Any other thoughts?
What are the settings on the SSG side - it will also have an impact. If the parameters do not match that could also lead to oddities in the connection. What version of OS are you running on the SSG and then also on the Cisco side which IOS?
Thanks guys, it turns out it was the entire ingress/egress traffic taking a hit every minute due to the BGP Scanner process maxing out the CPU

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial