?
Solved

Cisco VPN Tunnel Intermittently Connecting

Posted on 2011-02-14
17
Medium Priority
?
1,328 Views
Last Modified: 2012-05-11
I have 2 Cisco ASA 5505's set up for a vpn.  One is a remote location.  Last week the remote location started having a intermittent connection problem here at the central office.  I have been on with Cisco support and the setup is correct on both routers.  I have a second vpn tunnel that is functioning properly and hasn't seen any issues at all back to the central office.  While on with Cisco support we have run packet captures and we see the packets going out and from both locations but they aren't always being received by the other location.  Cisco suggested that it might be something to do with the ISP. We got them on a conference call and they said that there isn't anything that could be happening on there end.  They said we could email them the packet captures but that doesn't mean anything can be done.  This all started to occur when they had network problem.  I was concerned that maybe our traffic might have been possibly being intercepted by I monitored over the weekend and didn't have any unusual traffic in my snort logs or my ntop.  Traffic was non existent.  So I'm kind of at a loss as well as Cisco Support also.  We are going to redo the packet captures today and email to the ISP support but who knows they said it isn't them already.  Could this possibly be a hardware issue?  Cisco doesn't seem to think so.
0
Comment
Question by:geleman
  • 9
  • 7
17 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34887836
Post both ASA configs, please.
0
 

Author Comment

by:geleman
ID: 34887956
0
 

Author Comment

by:geleman
ID: 34887972
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 

Author Comment

by:geleman
ID: 34887994
I hope I sanitized it enough I've never publicly posted my config before.  Just a little more info also.  There are times that it will connect and stay up for a short amount of time but it doesn't continue to stay up.  The thing is also the 2nd vpn I have, the remote location is with another ISP and there isn't a problem at all with that connection.
0
 
LVL 1

Expert Comment

by:nwhitaker2
ID: 34888338
I had this problem once before.  I finally deleted the VPN tunnels config on both sides and set it up again.  This fixed the problem.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890214
How many users are at each location?  How does that compare with the user license limit of the ASA?  5505s have a 10 user limit on entry level ASA.
0
 

Author Comment

by:geleman
ID: 34890588
Only 1 user.  So it's not a license issue.  As I said before everything worked fine up until the ISP had and issue but they claim there is nothing wrong on there end at all despite us seeing the packets leaving both ends and encrypted.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890663
Are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890716
They are leaving the locations but not all packets are making the destination.  This is happening both ways.  The remote location can surf the net but the VPN tunnel is not connecting correctly.  
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890893
No.  I mean outside of the tunnel.

If you ping from public address to public address on ASA are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890947
ICMP is blocked on the outside interface of the routers.  The ISP support was able to ping both public IP's without a problem.  You should be able to ping from inside interface to inside interface through the tunnel though.  Problem is that they are leaving but not arriving.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890979
I suggest that you enable ICMP on the outside interface.  Set up a continuous ping and look for dropped packets.

Dropped packets will cause innumerable VPN issues.
0
 

Author Comment

by:geleman
ID: 34891645
Enable icmp by issuing command permit icmp any outside on both routers and there seems to be some packet loss
0
 
LVL 20

Accepted Solution

by:
RPPreacher earned 2000 total points
ID: 34891704
There's your issue.

Log ping responses, send to ISP.
0
 

Author Comment

by:geleman
ID: 34891724
seems if I ping another IP from the either location i.e. google.com I don't have any packet loss, but when I ping the IP addresses that the vpn tunnel is on I get packet loss.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34891869
OK.  So submit that to the ISP.
0
 

Author Closing Comment

by:geleman
ID: 34900075
The ISP finally figured out it was their problem and not mine.
0

Featured Post

Prepare for an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program curriculum features two internationally recognized certifications from the EC-Council at no additional time or cost.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Have a Cisco router that you forgot the password or maybe you bought a used router that is locked with a password? This article will guide you through the steps on how to recover the password on your Cisco gear.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question