Solved

Cisco VPN Tunnel Intermittently Connecting

Posted on 2011-02-14
17
1,305 Views
Last Modified: 2012-05-11
I have 2 Cisco ASA 5505's set up for a vpn.  One is a remote location.  Last week the remote location started having a intermittent connection problem here at the central office.  I have been on with Cisco support and the setup is correct on both routers.  I have a second vpn tunnel that is functioning properly and hasn't seen any issues at all back to the central office.  While on with Cisco support we have run packet captures and we see the packets going out and from both locations but they aren't always being received by the other location.  Cisco suggested that it might be something to do with the ISP. We got them on a conference call and they said that there isn't anything that could be happening on there end.  They said we could email them the packet captures but that doesn't mean anything can be done.  This all started to occur when they had network problem.  I was concerned that maybe our traffic might have been possibly being intercepted by I monitored over the weekend and didn't have any unusual traffic in my snort logs or my ntop.  Traffic was non existent.  So I'm kind of at a loss as well as Cisco Support also.  We are going to redo the packet captures today and email to the ISP support but who knows they said it isn't them already.  Could this possibly be a hardware issue?  Cisco doesn't seem to think so.
0
Comment
Question by:geleman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
17 Comments
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34887836
Post both ASA configs, please.
0
 

Author Comment

by:geleman
ID: 34887956
0
 

Author Comment

by:geleman
ID: 34887972
0
Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

 

Author Comment

by:geleman
ID: 34887994
I hope I sanitized it enough I've never publicly posted my config before.  Just a little more info also.  There are times that it will connect and stay up for a short amount of time but it doesn't continue to stay up.  The thing is also the 2nd vpn I have, the remote location is with another ISP and there isn't a problem at all with that connection.
0
 
LVL 1

Expert Comment

by:nwhitaker2
ID: 34888338
I had this problem once before.  I finally deleted the VPN tunnels config on both sides and set it up again.  This fixed the problem.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890214
How many users are at each location?  How does that compare with the user license limit of the ASA?  5505s have a 10 user limit on entry level ASA.
0
 

Author Comment

by:geleman
ID: 34890588
Only 1 user.  So it's not a license issue.  As I said before everything worked fine up until the ISP had and issue but they claim there is nothing wrong on there end at all despite us seeing the packets leaving both ends and encrypted.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890663
Are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890716
They are leaving the locations but not all packets are making the destination.  This is happening both ways.  The remote location can surf the net but the VPN tunnel is not connecting correctly.  
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890893
No.  I mean outside of the tunnel.

If you ping from public address to public address on ASA are you dropping packets?
0
 

Author Comment

by:geleman
ID: 34890947
ICMP is blocked on the outside interface of the routers.  The ISP support was able to ping both public IP's without a problem.  You should be able to ping from inside interface to inside interface through the tunnel though.  Problem is that they are leaving but not arriving.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34890979
I suggest that you enable ICMP on the outside interface.  Set up a continuous ping and look for dropped packets.

Dropped packets will cause innumerable VPN issues.
0
 

Author Comment

by:geleman
ID: 34891645
Enable icmp by issuing command permit icmp any outside on both routers and there seems to be some packet loss
0
 
LVL 20

Accepted Solution

by:
RPPreacher earned 500 total points
ID: 34891704
There's your issue.

Log ping responses, send to ISP.
0
 

Author Comment

by:geleman
ID: 34891724
seems if I ping another IP from the either location i.e. google.com I don't have any packet loss, but when I ping the IP addresses that the vpn tunnel is on I get packet loss.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 34891869
OK.  So submit that to the ISP.
0
 

Author Closing Comment

by:geleman
ID: 34900075
The ISP finally figured out it was their problem and not mine.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question