Solved

Cisco ASA IPSEC L2L Tunnel EqualLogic Replication Problems

Posted on 2010-11-22
Last Modified: 2012-05-10
As part of a VMWare SRM manager setup, I have the following setup at two data centers:

<Data Center A>
EqualLogic SAN Primary Array
        |
Pair of Dell 5424 switches
        |
        |      <vlan for storage network>
        |
Dell 6224 Layer 3 switch (default gateway for all network traffic)
        |
        |
Cisco ASA 5510
        |

IPSEC L2L tunnel (passes all vlans)

        |
Cisco ASA 5510
        |
        |
Dell 6224 Layer 3 Switch (default gateway for all network traffic)
        |
        |      <vlan for storage network>
        |
Pair of Dell 5424 switches
        |
EqualLogic SAN Backup Array
<Data Center B>


I have set up EqualLogic replication between both of the SAN arrays across the L2L tunnel.  Data is replicated, but replication is very sporadic (will work for a few minutes, stop working, continue working again, and so on, until it eventually times out with a “partner down” status).  According to the EqualLogic logs, connectivity is lost between the partner arrays when replication stops.

I’ve tested the obvious and am positive there is no loss of basic connectivity between the sites.  With the aid of EqualLogic support, I tested to ensure that each interface on each controller on both sides could pass a packet back and forth with no loss.  We also confirmed there is adequate bandwidth and the connection is very low latency (there is about 40 meg of throughput).  Additionally, we confirmed it is not a space issue.

Finally, we issued a command on the source EqualLogic to use standard size frames for replication (the command was support repl-use-jumbos no).

My gut tells me the ASA is messing with the packets.  So, going down that route, I did the following:

1.      Disabled all packet inspection
2.      clear-df bit on the tunnel
3.      messed with different sysopt connection tcpmss settings

So far nothing has helped.  

My other thought is that the 6224 is messing with the traffic as it is being passed through.  The vlan for the storage network is not tagged (EqualLogic does not support tagging).  The pair of 5424s are connected to a port on the 6224 that is a member of the storage vlan.  That vlan forwards its traffic along the switch’s default route to the ASA so it can get across the L2L tunnel.  I haven’t messed with any of the port settings on the 6224 for the storage vlan, or on the port from the 5424s that connects them to the 6224.  Only the ports that are connected to the VMWare hosts and SAN are “optimized” for iSCSI (flow control enabled, spanning-tree disabled, etc).  

Does anyone have any thoughts or a similar setup they can share with me?

Question by:entegration
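For readers who want to see what the poster's troubleshooting list and the later workaround look like on an ASA, here is an added configuration sketch. It is not the poster's configuration and not anything from Dell or Cisco; it assumes ASA 8.2-era syntax, a free interface Ethernet0/2 on the data-center-A ASA cabled straight to the iSCSI switches, placeholder storage subnets 10.10.20.0/24 (local) and 10.20.20.0/24 (remote), a placeholder peer 203.0.113.2, and an already-working Phase 1 (isakmp) policy, since the tunnel itself was already up.

```cisco
! Added example, not the poster's configuration. Addresses, interface and
! object names are hypothetical; ASA 8.2-style NAT syntax is assumed.
!
! 1. Dedicated ASA interface for the storage VLAN, so replication traffic
!    reaches the tunnel without transiting the 6224 layer 3 switch.
interface Ethernet0/2
 nameif storage
 security-level 100
 ip address 10.10.20.1 255.255.255.0
!
! 2. Interesting traffic for the L2L tunnel: local storage subnet to
!    remote storage subnet (both sides of the replication pair).
access-list L2L_STORAGE extended permit ip 10.10.20.0 255.255.255.0 10.20.20.0 255.255.255.0
!
! 3. NAT exemption for the same flows, so the arrays see each other's real
!    addresses (the second comment names NAT as a known replication breaker).
access-list STORAGE_NONAT extended permit ip 10.10.20.0 255.255.255.0 10.20.20.0 255.255.255.0
nat (storage) 0 access-list STORAGE_NONAT
!
! 4. Phase 2: transform set and crypto map entry for the storage flows,
!    bound to the outside interface (crypto map name is hypothetical).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_STORAGE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! 5. The fragmentation-related knobs from the poster's list, item 2 and 3:
!    clear the DF bit before encapsulation, and clamp TCP MSS on through
!    connections (1380 is the ASA default; shown explicitly here).
crypto ipsec df-bit clear-df outside
sysopt connection tcpmss 1380
```

To check that replication traffic is actually taking this path, `show crypto ipsec sa peer 203.0.113.2` should show encaps/decaps counters for the 10.10.20.0/24 to 10.20.20.0/24 selector climbing while a replication job runs, and `show interface Ethernet0/2` should show no input errors or drops on the dedicated storage interface; a mismatch between the two (traffic arriving on the interface but no encaps) usually means the crypto ACL or NAT exemption does not match the flow.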
Expert Comment

by:kevinhsieh
Do you have any problems running FTP, SCP, CIFS or NFS data transfers across the VPN? You should probably contact Cisco. I don't normally run my EqualLogic replication over my ASA IPSec VPN, but I don't remember having any issues with it, and I haven't made any changes to the EqualLogic side, and I don't think that I did anything special to the ASA.

You should use ASDM to look at the ASA statistics and logs while replicating traffic to see if anything pops up there, but I still go back to you should contact Cisco.
Expert Comment

by:leebaskin
I am having the same issue, just with a different firewall (Sonicwall).

I was told that the problem was with NAT. I don't know exactly how to fix it as I am still working on it, but I was passed a document that explains what the problem is.

See attached text doc: EqualLogicReplication.txt

Accepted Solution

by:entegration
I figured it out.  The 6224 was interfering with the replication traffic.  I took a free interface on my firewall and hooked right into the iSCSI backend switches and routed the traffic over the tunnel that way.  It replicates now no problem.  

Author Closing Comment

by:entegration
I figured it out myself, just providing the answer for others.