Cisco – Some VPNs have 1-5% packet loss

ciscointernetpacket-lossvpn

I am currently in this situation and I'll try to be as specific as I can.
My firewall has 20 VPNs (over the internet) with different vendors. Everything was fine til a month ago.

I usually use ping to monitor the remote networks and some of my VPNs have 1-5% packet loss. The VPN does not go down, but the ping does. The firewall log shows nothing wrong, not any blocked packets everything seems all right. Overall, it is a 0% packet loss / day, but in some intervals it goes to 5% (at about 1pm, where traffic peaks)
Some other VPNs are fine with 100% reply.

What I noticed:

-Most loss occours when we're at peak traffic (again, only for the "damaged" VPNs. The other VPNs are fine)

-From my WAN i have 0% loss with 8.8.8.8 but there's 1-5% packet loss with the remote WANs in question.

-Restarting the firewall stabilizes the situation for about a day, but then everything starts over again.

-The VPN tunnel is UP all the time.

any help from your experience would be truly appreciated

Best Answer

same boat here

what we have determined is carriers are using adavnced boxes (like giant bluecoats) to rate limit udp and esp traffic.

try getting one of these on cisco vpn ezvpn if they are cisco asa 5505's and use ipsec/tcp to the main site with network extension mode. this "chap" has a nice quick write up for you to follow

http://www.jump.net.uk/blog-cisco-easy-vpn-on-asa

the loss stopped when we did ipsec/tcp

but smokeping had 5% loss for weeks.

nasty times, huh?

Related Solutions

VPN Connection: Can ping printer but not server what is blocking things

Since you are temporarily able to ping the server, VPN and ACLs should be fine.

I recommend to verify:

A local firewall on the server could block the ICMP requests. The fact that it responds at startup, but stops later, leads to this assumption.
There may be an IP conflict, i.e. another device in the network with the same IP. That cause is possible since it works if you unplug all other devices.

Cisco – Finding transparent firewall packet loss

Interface Internal-Data0/0 "", is up, line protocol is up
     2749335943 input errors, 0 CRC, 0 frame, 2749335943 overrun, 0 ignored, 0 abort
                                              ^^^^^^^^^^^^^^^^^^
         0 output errors, 0 collisions, 0 interface resets

You show overruns on the InternalData interfaces, so you are dropping traffic through the ASA. With that many drops, it's not hard to imagine that this is contributing to problem. Overruns happen when the internal Rx FIFO queues overflow (normally because of some problem with load).

EDIT to respond to a question in the comments:

I don't understand why the firewall is overloaded, it is not close to using 10Gbps. Can you explain why we are seeing overruns even when the CPU and bandwidth are low? The CPU is about 5% and the bandwidth either direction never goes much higher than 1.4Gbps.

I have seen this happen over and over when a link is seeing traffic microbursts, which exceed either the bandwidth, connection-per-second, or packet-per-second horsepower of the device. So many people quote 1 or 5 minute statistics as if the traffic is relatively constant across that timeframe.

I would take a look at your firewall by running these commands every two or three seconds (run term pager 0 to avoid paging issues)...

show clock
show traffic detail | i ^[a-zA-Z]|overrun|packets dropped
show asp drop

Now graph out how much traffic you're seeing every few seconds vs drops; if you see massive spikes in policy drops or overruns when your traffic spikes, then you're closer to finding the culprit.

Don't forget that you can sniff directly on the ASA with this if you need help identifying what's killing the ASA... you have to be quick to catch this sometimes.

capture FOO circular-buffer buffer <buffer-size> interface <intf-name>

Netflow on your upstream switches could help as well.

Best Answer

Related Solutions

VPN Connection: Can ping printer but not server what is blocking things

Cisco – Finding transparent firewall packet loss

Related Topic