Solved

Cisco ASA IPSEC L2L Tunnel EqualLogic Replication Problems

Posted on 2010-11-22
2,128 Views
Last Modified: 2012-05-10
As part of a VMware SRM setup, I have the following setup at two data centers:

<Data Center A>
EqualLogic SAN Primary Array
        |
Pair of Dell 5424 switches
        |
        |      <vlan for storage network>
        |
Dell 6224 Layer 3 switch (default gateway for all network traffic)
        |
        |
Cisco ASA 5510
        |

IPSEC L2L tunnel (passes all vlans)

        |
Cisco ASA 5510
        |
        |
Dell 6224 Layer 3 Switch (default gateway for all network traffic)
        |
        |      <vlan for storage network>
        |
Pair of Dell 5424 switches
        |
EqualLogic SAN Backup Array
<Data Center B>


I have setup EqualLogic replication between both of the SAN arrays across the L2L tunnel.  Data is replicated, but replication is very sporadic (will work for a few minutes, stop working, continue working again, and so on, until it eventually times out with a “partner down” status).  According to the EqualLogic logs, connectivity is lost between the partner arrays when replication stops.

I’ve tested the obvious and am positive there is no loss of basic connectivity between the sites.  With the aid of EqualLogic support, I tested to ensure that each interface on each controller on both sides could pass a packet back and forth with no loss.  We also confirmed there is adequate bandwidth and the connection is very low latency (there is about 40 meg of throughput).  Additionally, we confirmed it is not a space issue.

Finally, we issued a command on the source EqualLogic to use standard size frames for replication (the command was support repl-use-jumbos no).

My gut tells me the ASA is messing with the packets.  So, going down that route, I did the following:

1. Disabled all packet inspection
2. Set clear-df on the tunnel
3. Tried different sysopt connection tcpmss settings

So far nothing has helped.  

My other thought is that the 6224 is messing with the traffic as it is being passed through.  The vlan for the storage network is not tagged (EqualLogic does not support tagging).  The pair of 5424’s are connected to a port on the 6224 that is a member of the storage vlan.  That vlan forwards its traffic along the switch’s default route to the ASA so it can get across the L2L tunnel.  I haven’t messed with any of the port settings on the 6224 for the storage vlan, or on the port from the 5424’s that connects them to the 6224.  Only the ports that are connected to the VMware hosts and SAN are “optimized” for iSCSI (flow control enabled, spanning-tree disabled, etc.).

Does anyone have any thoughts or a similar setup they can share with me?

Question by:entegration
4 Comments
LVL 42

Expert Comment

by:kevinhsieh
ID: 34219314
Do you have any problems running FTP, SCP, CIFS or NFS data transfers across the VPN? You should probably contact Cisco. I don't normally run my EqualLogic replication over my ASA IPSec VPN, but I don't remember having any issues with it, and I haven't made any changes to the EqualLogic side, and I don't think that I did anything special to the ASA.

You should use ASDM to look at the ASA statistics and logs while replicating traffic to see if anything pops up there, but I still go back to you should contact Cisco.
LVL 1

Expert Comment

by:leebaskin
ID: 34234026
I am having the same issue, just with a different firewall (SonicWall).

I was told that the problem was with NAT. I don't know exactly how to fix it as I am still working on it, but I was passed a document that explains what the problem is.

See attached txt doc: EqualLogicReplication.txt
Accepted Solution

by:entegration (earned 0 total points)
ID: 34262540
I figured it out.  The 6224 was interfering with the replication traffic.  I took a free interface on my firewall and hooked right into the iSCSI backend switches and routed the traffic over the tunnel that way.  It replicates now no problem.  
Author Closing Comment

by:entegration
ID: 34289980
I figured it out myself, just providing the answer for others.