Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco VPN Tunnel Intermittently Connecting

Posted on 2011-02-14
17
Medium Priority
?
1,318 Views
Last Modified: 2012-05-11
I have 2 Cisco ASA 5505's set up for a vpn.  One is a remote location.  Last week the remote location started having a intermittent connection problem here at the central office.  I have been on with Cisco support and the setup is correct on both routers.  I have a second vpn tunnel that is functioning properly and hasn't seen any issues at all back to the central office.  While on with Cisco support we have run packet captures and we see the packets going out and from both locations but they aren't always being received by the other location.  Cisco suggested that it might be something to do with the ISP. We got them on a conference call and they said that there isn't anything that could be happening on there end.  They said we could email them the packet captures but that doesn't mean anything can be done.  This all started to occur when they had network problem.  I was concerned that maybe our traffic might have been possibly being intercepted by I monitored over the weekend and didn't have any unusual traffic in my snort logs or my ntop.  Traffic was non existent.  So I'm kind of at a loss as well as Cisco Support also.  We are going to redo the packet captures today and email to the ISP support but who knows they said it isn't them already.  Could this possibly be a hardware issue?  Cisco doesn't seem to think so.
0
Comment
Question by:geleman
  • 9
  • 7
17 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34887836
Post both ASA configs, please.
0
 

Author Comment

by:geleman
ID: 34887956
0
 

Author Comment

by:geleman
ID: 34887972
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 

Author Comment

by:geleman
ID: 34887994
I hope I sanitized it enough I've never publicly posted my config before.  Just a little more info also.  There are times that it will connect and stay up for a short amount of time but it doesn't continue to stay up.  The thing is also the 2nd vpn I have, the remote location is with another ISP and there isn't a problem at all with that connection.
0
 
LVL 1

Expert Comment

by:nwhitaker2
ID: 34888338
I had this problem once before.  I finally deleted the VPN tunnels config on both sides and set it up again.  This fixed the problem.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890214
How many users are at each location?  How does that compare with the user license limit of the ASA?  5505s have a 10 user limit on entry level ASA.
0
 

Author Comment

by:geleman
ID: 34890588
Only 1 user.  So it's not a license issue.  As I said before everything worked fine up until the ISP had and issue but they claim there is nothing wrong on there end at all despite us seeing the packets leaving both ends and encrypted.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890663
Are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890716
They are leaving the locations but not all packets are making the destination.  This is happening both ways.  The remote location can surf the net but the VPN tunnel is not connecting correctly.  
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890893
No.  I mean outside of the tunnel.

If you ping from public address to public address on ASA are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890947
ICMP is blocked on the outside interface of the routers.  The ISP support was able to ping both public IP's without a problem.  You should be able to ping from inside interface to inside interface through the tunnel though.  Problem is that they are leaving but not arriving.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890979
I suggest that you enable ICMP on the outside interface.  Set up a continuous ping and look for dropped packets.

Dropped packets will cause innumerable VPN issues.
0
 

Author Comment

by:geleman
ID: 34891645
Enable icmp by issuing command permit icmp any outside on both routers and there seems to be some packet loss
0
 
LVL 20

Accepted Solution

by:
RPPreacher earned 2000 total points
ID: 34891704
There's your issue.

Log ping responses, send to ISP.
0
 

Author Comment

by:geleman
ID: 34891724
seems if I ping another IP from the either location i.e. google.com I don't have any packet loss, but when I ping the IP addresses that the vpn tunnel is on I get packet loss.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34891869
OK.  So submit that to the ISP.
0
 

Author Closing Comment

by:geleman
ID: 34900075
The ISP finally figured out it was their problem and not mine.
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question