Solved

Cisco VPN Tunnel Intermittently Connecting

Posted on 2011-02-14
17
1,308 Views
Last Modified: 2012-05-11
I have 2 Cisco ASA 5505's set up for a vpn.  One is a remote location.  Last week the remote location started having a intermittent connection problem here at the central office.  I have been on with Cisco support and the setup is correct on both routers.  I have a second vpn tunnel that is functioning properly and hasn't seen any issues at all back to the central office.  While on with Cisco support we have run packet captures and we see the packets going out and from both locations but they aren't always being received by the other location.  Cisco suggested that it might be something to do with the ISP. We got them on a conference call and they said that there isn't anything that could be happening on there end.  They said we could email them the packet captures but that doesn't mean anything can be done.  This all started to occur when they had network problem.  I was concerned that maybe our traffic might have been possibly being intercepted by I monitored over the weekend and didn't have any unusual traffic in my snort logs or my ntop.  Traffic was non existent.  So I'm kind of at a loss as well as Cisco Support also.  We are going to redo the packet captures today and email to the ISP support but who knows they said it isn't them already.  Could this possibly be a hardware issue?  Cisco doesn't seem to think so.
0
Comment
Question by:geleman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
17 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34887836
Post both ASA configs, please.
0
 

Author Comment

by:geleman
ID: 34887956
0
 

Author Comment

by:geleman
ID: 34887972
0
Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

 

Author Comment

by:geleman
ID: 34887994
I hope I sanitized it enough I've never publicly posted my config before.  Just a little more info also.  There are times that it will connect and stay up for a short amount of time but it doesn't continue to stay up.  The thing is also the 2nd vpn I have, the remote location is with another ISP and there isn't a problem at all with that connection.
0
 
LVL 1

Expert Comment

by:nwhitaker2
ID: 34888338
I had this problem once before.  I finally deleted the VPN tunnels config on both sides and set it up again.  This fixed the problem.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890214
How many users are at each location?  How does that compare with the user license limit of the ASA?  5505s have a 10 user limit on entry level ASA.
0
 

Author Comment

by:geleman
ID: 34890588
Only 1 user.  So it's not a license issue.  As I said before everything worked fine up until the ISP had and issue but they claim there is nothing wrong on there end at all despite us seeing the packets leaving both ends and encrypted.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890663
Are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890716
They are leaving the locations but not all packets are making the destination.  This is happening both ways.  The remote location can surf the net but the VPN tunnel is not connecting correctly.  
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890893
No.  I mean outside of the tunnel.

If you ping from public address to public address on ASA are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890947
ICMP is blocked on the outside interface of the routers.  The ISP support was able to ping both public IP's without a problem.  You should be able to ping from inside interface to inside interface through the tunnel though.  Problem is that they are leaving but not arriving.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890979
I suggest that you enable ICMP on the outside interface.  Set up a continuous ping and look for dropped packets.

Dropped packets will cause innumerable VPN issues.
0
 

Author Comment

by:geleman
ID: 34891645
Enable icmp by issuing command permit icmp any outside on both routers and there seems to be some packet loss
0
 
LVL 20

Accepted Solution

by:
RPPreacher earned 500 total points
ID: 34891704
There's your issue.

Log ping responses, send to ISP.
0
 

Author Comment

by:geleman
ID: 34891724
seems if I ping another IP from the either location i.e. google.com I don't have any packet loss, but when I ping the IP addresses that the vpn tunnel is on I get packet loss.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34891869
OK.  So submit that to the ISP.
0
 

Author Closing Comment

by:geleman
ID: 34900075
The ISP finally figured out it was their problem and not mine.
0

Featured Post

Turn your laptop into a mobile console!

The CV211 Laptop USB Console Adapter provides a direct Laptop-to-Computer connection for fast and easy remote desktop access with no software to install.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question