Packet Loss between ASA and 871

We are running a Cisco ASA 5505 and remote clients are 871's. We currently use an EasyVPN configuration between the single ASA and our 13 871's.
Today (1) out of the (13) tunnels is experiencing packet loss. I have power cycled the broadband router on the 871 end and the 871, and the situation still exists.
Does anyone know what would cause this and how to troubleshoot it?
Thanks,
Jason

Have you contacted the broadband provider on the 871 side to rule out any issues on the link? What broadband ADSLAM PPPoA? Start first by ruling out physical issues (WAN interface, LAN interface stats) and work your way up. Is this something that suddenly developed? From what you posted, it seems this tunnel has been fine. It could be broadband link issues, but first investigate with the provider before going to the next step.
What do you see in the 871 router logs in terms of links? Turn on logging informational before starting debug procedures.
HTH
Jorge

Similar Messages

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPSec with ikev2 (SHA2) between ASA and Cisco Router, without success. Can anyone help me?
    - Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
    - Authentication with Certificates
    - integrity sha2
    I tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 28800
    crypto ikev1 policy 20
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    1) Best option with very little needed configuration: Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    2) Best option with a little stronger crypto but more configuration: Move to AnyConnect with IPsec/IKEv2.
    3) Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config for a better DH-group.
    For option 1) and 2) there is an extra license needed, but that's not very expensive.
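
The ordering rule in the reply above (the stronger IKE policy gets the smaller priority number) can be checked mechanically against a saved configuration. The following Python is an added example, not code from the thread or from Cisco; the strength ranking tables and the MISORDERED sample are assumptions constructed for illustration, while PAGE_CONFIG repeats the three policies quoted in the reply.

```python
import re

# Strength ranks below are assumptions made for this example, not values defined by Cisco.
DH_RANK = {"1": 0, "2": 1, "5": 2}
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}
HASH_RANK = {"md5": 0, "sha": 1}
KEYWORDS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_ikev1_policies(config):
    """Return {priority: {keyword: value}} for each 'crypto ikev1 policy N' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        parts = line.split()
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and len(parts) == 2 and parts[0] in KEYWORDS:
            current[parts[0]] = parts[1]
        elif line:
            current = None  # any other command closes the policy block
    return policies


def strength(policy):
    """Comparable tuple: DH group first, then cipher, then hash (unknown values rank lowest)."""
    return (DH_RANK.get(policy.get("group"), -1),
            ENC_RANK.get(policy.get("encryption"), -1),
            HASH_RANK.get(policy.get("hash"), -1))


def audit(config):
    """Return (ordering findings, priority number of the weakest policy still on offer)."""
    policies = parse_ikev1_policies(config)
    order = sorted(policies)  # smaller number = evaluated first
    findings = []
    for earlier, later in zip(order, order[1:]):
        if strength(policies[later]) > strength(policies[earlier]):
            findings.append(
                f"policy {later} is stronger than policy {earlier} but is evaluated after it")
    # The weakest configured policy is the floor a peer can still negotiate.
    weakest = min(order, key=lambda p: strength(policies[p])) if order else None
    return findings, weakest


# The three policies quoted in the reply above.
PAGE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
"""

# Constructed sample: the weaker policy has been given the smaller number.
MISORDERED = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
"""

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("misordered", MISORDERED)):
        findings, weakest = audit(cfg)
        print(name, "->", findings or "order is consistent", "| weakest policy:", weakest)
```

The second return value matters as much as the ordering: as long as policy 30 stays configured, a peer that offers only group 2 with AES-128 is still accepted.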

  • Packet Loss on Xen and Coherence

    We are currently experiencing packet loss issues with Coherence 3.4.2 during the datagram test.
    Packet loss statistics are as follows:
    Rx from publisher: /10.96.67.169:9999
    elapsed: 149384ms
    packet size: 1468
    throughput: 66 MB/sec
    46889 packets/sec
    received: 7004519 of 8252377
    missing: 1247858
    success rate: 0.848788
    out of order: 0
    avg offset: 0
    gaps: 535018
    avg gap size: 2
    avg gap time: 0ms
    avg ack time: -1.0E-6ms; acks 0
    The Coherence implementation is running on a Xen VM.
    We see this happen for both Fully Virtual and Paravirtualized Guests.
    This problem does not happen on physical hardware.
    Here is the general sequence that we tried:
    1. After finding the problem on coherence, we tried to simulate similar results on 2 HVM xen systems and we did not find the problem there.
            a. These boxes were HVM guests.
            b. Were running kernel 2.6.18-164 and redhat 5.4
            c. These guests were running on Dom-0 kernel of 2.6.18-164.2.1el5xen
    2. We had 2 para virt machines on the same Dom-0 as above, but they were redhat 5.2, so we ran the same test there and we were still running into the problem.
    3. We upgraded the para virt machines to redhat 5.4 with the latest patch rev and the problem was still present.
    4. After this, research found that we need to disable the ipv6 module, and that seems to fix the problem. After disabling the IPv6 module, we ran some more tests between pl1rap704-beta and pl1rap706-beta. Results were that performance improved, but there was still packet loss.
    5. We converted 2 para virt guests to HVM guests (pl1rap704-beta and pl1rap705-beta) and ran the tests; it was still having the problem.
    6. Upgrade pl1rap704-beta and pl1rap705-beta to redhat release 5.4 and the latest kernel rev and see if the problem is still there.
    We haven't tried this on Oracle VM, but think that would be the next step to see if the problem persists there, although Oracle support indicates that Coherence is not officially supported on Oracle VM.
    We still see the packet loss issues and wonder if anyone has encountered this issue before and has a solution to it?

    Just saw your post.
    If still a problem... send a PM to Heather_VZ; she has been very helpful to many people on many subjects.
    Tom
    Freedom Essentials, QIP 7100 1,Bose SOLO TV Sound System,,QIP 7216 P2,M1424WR Rev F, iPad 2 WiFi,iPhone 5,TV SYST INFO Release 1.9.5 Build No. 17.45
    Data Object 39.45

  • ISAKMP Phase 1 dying for Site to Site tunnel between ASA and Fortigate

    I am facing a strange issue on my ASA and the client's Fortigate firewall.
    We have a site-to-site tunnel with 3des, sha and DH-5 on the ASA, and
    3des, sha1 and dh-5 on the Fortigate.
    The tunnel came up when configured; after some time it went down and it is throwing the errors below.
    Could someone please help me here?
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing ISAKMP SA payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, constructing Fragmentation VID + extended capabilities payload
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ke payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing ISA_KE payload
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, processing nonce payload
    Jul 24 17:25:13 [IKEv1]: IP = X.X.X.X, Unable to compute DH pair while processing SA!<<<<---------Please suggest if DH group 5 does not work with PSK.
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xcf9255d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GEN_DH_KEY-->MM_WAIT_MSG3, EV_PROCESS_MSG-->MM_WAIT_MSG3, EV_RCV_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_BLD_MSG2, EV_BLD_MSG2
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:5f1fdffc terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Jul 24 17:25:13 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
    Mum-PRI-ASA#

    Hey All,
    I experienced the same issue with another tunnel of mine. Lately I came to know it was a higher level of DH computation which my ASA was not able to perform, and an ASA reboot worked here. See the logs for the tunnel, which came up after the reboot.
    Error before reload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ISAKMP SA payload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Fragmentation VID + extended capabilities payload
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 416
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
    Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE SA MM:64cf4b96 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, sending delete/delete with reason message
    Isakmp phase completion After reload
    Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing SA payload
    Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 25 10:40:35 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Fragmentation VID
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
    Aug 25 10:40:35 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Aug 25 10:40:35 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
    SENDING PACKET to xx.xx.xx.xx
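
The debug output in this thread can be triaged automatically. The following Python is an added example, not code from the thread or from Cisco: it reads the "FSM error history" line (which lists steps most recent first, as the state names show), separates per-policy "Mismatched attribute" lines from the terminal error, and returns a verdict. The sample lines are adapted from the logs quoted on this page (addresses masked, one line with the `<state>, <event>` header missing); the verdict wording is an assumption of the example.

```python
import re

FSM_RE = re.compile(r"IKE (\w+) (Initiator|Responder) FSM error history "
                    r"\(struct &0x[0-9a-f]+\)[^:]*:\s*(.+)$")
MISMATCH_RE = re.compile(r"Mismatched attribute types for class (.+?):\s+"
                         r"Rcv'd: (.+?)\s+Cfg'd: (.+)$")


def parse_fsm_history(text):
    """Split 'STATE, EVENT-->STATE, EVENT...' into (state, event) pairs, newest first."""
    steps = []
    for hop in text.split("-->"):
        state, _, event = hop.strip().partition(", ")
        steps.append((state, event))
    return steps


def verdict(r):
    """Turn the collected facts into a one-line reading (wording is this example's own)."""
    history = r["history"]
    # history[0] is the terminal (MM_DONE, EV_ERROR); history[1] is the step that raised it.
    last_step = history[1] if len(history) > 1 else None
    timeouts = [state for state, event in history if event == "EV_TIMEOUT"]
    if r["dh_compute_error"]:
        where = f" at {last_step[0]}/{last_step[1]}" if last_step else ""
        return "local DH key generation failed" + where
    if timeouts:
        return f"no reply from peer: timed out in {timeouts[0]}"
    if r["mismatches"] and not r["proposal_accepted"]:
        return "no IKE policy matched the peer's proposal"
    return "undetermined"


def triage(log_text):
    """Summarise one failed IKEv1 Phase 1 attempt from ASA IKEv1 debug output."""
    result = {"role": None, "mode": None, "history": [], "mismatches": [],
              "proposal_accepted": False, "dh_compute_error": False}
    for line in log_text.splitlines():
        line = line.strip()
        fsm = FSM_RE.search(line)
        mismatch = MISMATCH_RE.search(line)
        if fsm:
            result["mode"], result["role"] = fsm.group(1), fsm.group(2)
            result["history"] = parse_fsm_history(fsm.group(3))
        elif mismatch:
            # Logged once per local policy that did not match; keep each distinct one.
            if mismatch.groups() not in result["mismatches"]:
                result["mismatches"].append(mismatch.groups())
        elif "acceptable" in line:
            result["proposal_accepted"] = True
        elif "Unable to compute DH pair" in line:
            result["dh_compute_error"] = True
    result["verdict"] = verdict(result)
    return result


# Adapted from the "before reload" log above.
DH_FAILURE_LOG = """\
Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Oakley proposal is acceptable
Aug 06 21:17:33 [IKEv1]: IP = xx.xx.xx.xx, Unable to compute DH pair while processing SA!
Aug 06 21:17:33 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, IKE MM Initiator FSM error history (struct &0xd0778588)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG3, EV_GEN_DH_KEY-->MM_WAIT_MSG2, EV_PROCESS_MSG-->MM_WAIT_MSG2, EV_RCV_MSG-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_BLD_MSG1, EV_BLD_MSG1
"""

# Adapted from the ASA-to-Checkpoint thread further down this page (header text missing).
TIMEOUT_LOG = """\
IP = x.x.x.x, IKE MM Initiator FSM error history (struct &0x79c4bb68) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
"""

if __name__ == "__main__":
    for name, log in (("DH failure", DH_FAILURE_LOG), ("timeout", TIMEOUT_LOG)):
        summary = triage(log)
        print(name, "->", summary["role"], summary["verdict"], summary["mismatches"])
```

In the first sample the "Mismatched attribute" lines are followed by "Oakley proposal is acceptable", so they record policies that were tried and skipped, not the reason the exchange ended; the same two lines also appear in the successful attempt after the reload.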

  • Connectivity loss between PLC and Kepware

    Hi Experts,
    I'm working on SAP PCo and PLC connectivity using Kepware.
    I'm trying to find ways to detect connectivity loss between
    1) PLC and Kepware
    2) Kepware and PCo
    For the 2nd approach, if there is connectivity loss then the PCo instance will go into an error state, and using remote monitoring we can get an alert.
    But I'm not able to find any way for the 1st approach.
    If the PLC connection is lost, then only the tag quality in Kepware is bad.
    Is there any way in the PCo expression editor to check tag quality so that I can trigger an MII transaction?
    Thanks in advance.
    Regards,
    Neha

    To add to Hubrisnsx's comment ... are you provisioned Ethernet or MoCA for the WAN connection?
    Edit: Never mind, I see in the first post you said MoCA.   So, if the MoCA channel is staying up, then it sounds like it might be something inside the ONT. 
    Keep in mind that while some Verizon folks do drop by these forums from time to time, this is primarily a user-to-user forum where customers can help one another.

  • High Packet Loss, High Ping and Slow Connection Ov...

    Hi There,
    I have been a customer with the BT unlimited broadband package for a little under two years and up until recently have had no real issues with the service. This was until around 3/4 weeks ago I noticed that the internet was very slow and certain online games or applications like Netflix would lose all of its quality or stop completely. At first I thought nothing of it and simply reset my BT Home hub router, and sure enough everything was back to normal. However after around 2-3 hours of moderate use (gaming online or watching Netflix) the problem surfaced again.
    Now I am lucky if I can get the entire way through a 40 minute TV episode before the quality drops and/or the service requires buffering. I have already contacted BT via the helpline and the service lady ran through the obligatory steps (turn off, wait 5 minutes, reset the home hub etc.) but she failed to understand that although rebooting the home hub does alleviate the problem initially, the symptoms of a slow connection, high packet loss and high ping always return within an hour.
    For the last couple of weeks I have been trying to investigate the problem myself and I have done the following things:
    Tested the line using the master socket (no difference)
    Opened the ports on my firewall within the home hub (no difference)
    Directly wired in the computer instead of relying on the wifi (no difference)
    Tested for interference from neighbours wifi using inSSIDider office (it wasn’t, operating on different channels)
    Switched every device that requires internet off apart from the PC (no difference)
    So with all that in mind I am fairly confident that it is nothing within my house that has caused a significant reduction in internet quality.
    Now I have tried my best to display the problem I am having by recording the connection quality for the last 24 hours. The table below represents the condition and quality of the connection after leaving it a period of time without resetting:
    ADSL Line Status
    Connection Information
    Line state: Connected
    Connection time: 0 days, 21:52:14
    Downstream: 12.96 Mbps
    Upstream: 910 Kbps
    ADSL Settings
    VPI/VCI: 0/38
    Type: PPPoA
    Modulation: G.992.5 Annex A
    Latency type: Interleaved
    Noise margin (Down/Up): 6.7 dB / 5.4 dB
    Line attenuation (Down/Up): 29.4 dB / 16.4 dB
    Output power (Down/Up): 20.4 dBm / 12.6 dBm
    FEC Events (Down/Up): 987297 / 12745
    CRC Events (Down/Up): 254 / 15268
    Loss of Framing (Local/Remote): 0 / 0
    Loss of Signal (Local/Remote): 0 / 0
    Loss of Power (Local/Remote): 0 / 0
    HEC Events (Down/Up): 2437 / 252630
    Error Seconds (Local/Remote): 189 / 36430
    And here is a result of the ping and packet loss during this time:
    Now I immediately reset the home hub after running that test and ran the test again. These are the results I achieved within 2 minutes of internet connectivity:
    ADSL Line Status
    Connection Information
    Line state: Connected
    Connection time: 0 days, 00:01:05
    Downstream: 13.77 Mbps
    Upstream: 910 Kbps
    ADSL Settings
    VPI/VCI: 0/38
    Type: PPPoA
    Modulation: G.992.5 Annex A
    Latency type: Interleaved
    Noise margin (Down/Up): 6.4 dB / 5.6 dB
    Line attenuation (Down/Up): 29.4 dB / 16.4 dB
    Output power (Down/Up): 20.4 dBm / 12.6 dBm
    FEC Events (Down/Up): 159 / 12746
    CRC Events (Down/Up): 1 / 15573
    Loss of Framing (Local/Remote): 0 / 0
    Loss of Signal (Local/Remote): 0 / 0
    Loss of Power (Local/Remote): 0 / 0
    HEC Events (Down/Up): 0 / 252639
    Error Seconds (Local/Remote): 1 / 36438
    Even within the time it has taken to compose this page my internet quality has nose-dived from the previous result above to the following: 
    Connection Information
    Line state: Connected
    Connection time: 0 days, 00:52:31
    Downstream: 13.77 Mbps
    Upstream: 910 Kbps
    ADSL Settings
    VPI/VCI: 0/38
    Type: PPPoA
    Modulation: G.992.5 Annex A
    Latency type: Interleaved
    Noise margin (Down/Up): 6.1 dB / 5.4 dB
    Line attenuation (Down/Up): 29.4 dB / 16.4 dB
    Output power (Down/Up): 20.4 dBm / 12.6 dBm
    FEC Events (Down/Up): 14544 / 12749
    CRC Events (Down/Up): 14 / 15584
    Loss of Framing (Local/Remote): 0 / 0
    Loss of Signal (Local/Remote): 0 / 0
    Loss of Power (Local/Remote): 0 / 0
    HEC Events (Down/Up): 72 / 252647
    Error Seconds (Local/Remote): 10 / 36449
    What is causing this poor quality in connection and what can be done to rectify the problem?
    Thank you for your response in advance.
    Regards,
    Richard.

    Thank you for your quick reply. I have just moved my hub to the master socket again and re-run the test, and I seem to be getting the same results.
    ADSL Line Status
    Connection Information
    Line state: Connected
    Connection time: 0 days, 00:17:47
    Downstream: 12.96 Mbps
    Upstream: 910 Kbps
    ADSL Settings
    VPI/VCI: 0/38
    Type: PPPoA
    Modulation: G.992.5 Annex A
    Latency type: Interleaved
    Noise margin (Down/Up): 6.0 dB / 5.2 dB
    Line attenuation (Down/Up): 28.7 dB / 15.9 dB
    Output power (Down/Up): 20.4 dBm / 12.6 dBm
    FEC Events (Down/Up): 26417 / 5
    CRC Events (Down/Up): 1 / 303
    Loss of Framing (Local/Remote): 0 / 0
    Loss of Signal (Local/Remote): 0 / 0
    Loss of Power (Local/Remote): 0 / 0
    HEC Events (Down/Up): 31 / 11
    Error Seconds (Local/Remote): 10 / 36522
    I have also checked if the bell wire was attached and it is not. My socket is of the new type with the inclusion of an inductor on the faceplate. My ADSL filters and modem cable already have the middle connecting pins removed so I don’t think it is a wiring problem, at least in my apartment anyway. I have also searched for problems with the exchange and they are showing green for my area. (Liverpool Central)
    I have just rung the quiet line and I do not appear to have any noise on the line. However, all I have is a cordless phone and I know that is not ideal for determining noise due to the radio frequency interfering with the phone speaker.
    Again thank you for your time on this issue.
    Regards,
    Richard

  • Can't get L2L VPN up between ASA and Fortinet (IKEv2)

    Hi,
    I'm having issues getting a L2L tunnel up between a Cisco ASA and a Fortinet. This is the first tunnel being setup with IKEv2. The ASA is complaining that it can't find a matching policy.
    The Fortinet device is configured by other party and I have confirmed that they are using the agreed settings.
    Configuration from the ASA:
    crypto ipsec ikev2 ipsec-proposal AES-3DES-SHA1
     protocol esp encryption 3des
     protocol esp integrity sha-1
    crypto map VPN 100 match address ABC
    crypto map VPN 100 set pfs group5
    crypto map VPN 100 set peer x.x.x.x
    crypto map VPN 100 set ikev2 ipsec-proposal AES-3DES-SHA1
    crypto map VPN 100 set security-association lifetime seconds 28800
    crypto map VPN interface outside
    crypto ikev2 policy 10
     encryption aes-256 3des
     integrity sha256 sha
     group 5
     prf sha256
     lifetime seconds 86400
    crypto ikev2 enable outside
    tunnel-group x.x.x.x type ipsec-l2l
    tunnel-group x.x.x.x ipsec-attributes
     ikev2 remote-authentication pre-shared-key blablabla
     ikev2 local-authentication pre-shared-key blablabla
    Debugs say that there is no matching policy:
    IKEv2-PROTO-3: (97): Get peer authentication method
    IKEv2-PROTO-3: (97): Get peer's preshared key for x.x.x.x
    IKEv2-PROTO-3: (97): Verify authentication data
    IKEv2-PROTO-3: (97): Use preshared key for id x.x.x.x, key len 15
    IKEv2-PROTO-2: (97): Processing auth message
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Received Policies:
    ESP: Proposal 1:  3DES SHA96
    IKEv2-PROTO-1: (97): Failed to find a matching policy
    IKEv2-PROTO-1: (97): Expected Policies:
    IKEv2-PROTO-5: (97): Failed to verify the proposed policies
    IKEv2-PROTO-1: (97): Failed to find a matching policy

    Dear Robert,
    The above error from the ASA indicates there may be a problem with your preshared key, at both local and remote sites, or an out-of-sync problem with the remote end/peer. Give more details about your Watchguard version and what application it is running. Send the complete log of
    1. sh crypto ipsec sa
    2. sh crypto isakmp sa
    3. debug crypto isa 255
    4. debug crypto ipsec 255

  • Issue bringing up VPN between ASA and Checkpoint - HELP

    Hi all
    We are having major issues bringing up a VPN between our ASA and a third-party Checkpoint. It seems that if the Checkpoint initiates the connection it works, but if we initiate it from the ASA it doesn't come up.
    on the ASA I see the following
    any ideas what this is ?
    7 Jan 30 2014 11:52:03 715065 IP = 159.50.93.1, IKE MM Initiator FSM error history (struct &0x79c4bb68)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Phase 2 failures mean several things:
    Encryption domains (interesting traffic) fail to match.  Checkpoint tends to supernet networks together, by design,
    Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
    Why don't you put in the relevant configuration on the ASA and, if possible, ask the Checkpoint firewall guy to do the following on the firewall:
    - output of "uname -a" and "fw ver"
    - is this Nokia, Windows or Secureplatform Checkpoint?
    - run the following commands on the firewall:  "debug ike off", "debug ike trunc"  and send you the ike.elg file.  That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong. 
    Disable/turn OFF kilobytes timeouts is not the solution. 

  • Transfer files between ASA and a host across a VPN

    Hello Guys,
    I have a Remote Access VPN between an ASA and a Windows PC, the issue that I'm seeing is that I can't transfer files between the ASA and my PC across the VPN.
    At first I thought that the size of the file and some issue with my ADSL service bandwidth could be the problem. However, I tried to copy the running config of the ASA to my PC and that is also impossible. I received this error:
    ASA# copy running-config tftp:
    Source filename [running-config]?
    Address or name of remote host []? 10.10.10.2   ----> This is the address of my PC over the VPN tunnel
    Destination filename [running-config]? ASA-Config04032014
    Cryptochecksum: f5a9f8cb 9f63b2e5 e8c99e36 9498cb50
    %Error writing tftp://10.10.10.2/ASA-Config04032014 (Timed out attempting to connect)
    Has anybody had this kind of problem before?
    Thanks in advance,

    I was wondering if I transfer files between a PC and Mac via Ethernet cable can I reverse the transfer from a Mac to a Pc?
    Yes. Start Windows File Sharing on the Mac and then access it on the PC.

  • How to use the private subnet between ASA and Router

    Guys,
    Here is the context:
    I am connecting to 2 ISPs for load sharing traffic coming from my private network.
    The 2 links from the ISPs terminate in the router which connects to an ASA via a private subnet, back to my private network.
    I have configured PBR in the router to prefer ISP1 for traffic coming from my internal servers X, Y, Z (public addresses, no need for the ASA to translate). The router should send any other traffic coming from the rest of my private address space, servers W, V, U (after translation by ASA), to ISP2.
    So far so good. The default route defined on the ASA points to the internal LAN interface of the router (private IP address). How can I route this subnet used between the ASA and router? Being a private address, I have to translate it to something (public) before the router can send it out. But translate to what?
    Alternatively I could use a public subnet. But I do not have any. How do I get around this?
    Regards
    Ndaungwe

    You have IP addresses on the direct interface links to the ISPs? You could use those IP addresses with NAT overload.

  • Connection dropped between ASA and router

    Hi,
    Last night Internet traffic was going from my 2811 router to the Internet via my ASA 5510 (as it should do and in accordance with my route-map policy) but, when I came in this morning, traffic wasn't going via my ASA as my route-map policy specified, it was going straight to the Internet via my Gateway of Last Resort (an SDSL router). When I did a ping between the ASA and the 2811 router, traffic started to be routed via the ASA again, as specified by the Route-Map policy. Does anyone know what caused this to happen?
    Thanks,
    Jaime

    Ensure your ACL is configured properly on your device, or maybe you made some changes recently.

  • Dynamic routing alternative between ASA and edge routers?

    This is the current setup between two edge routers and an ASA 5580.  The edge routers carry approximately 9200 BGP routes with ISP A also supplying the default route.  Is there a good, i.e. has been successfully implemented, dynamic routing situation between the edge routers and ASA such that the ASA can send traffic to the particular edge router that carries the best specific route?

    Hello,
    Let's remember that the ASA was built as a High-Level Next Generation Firewall.
    That does not mean it's not useful for routing but here we are talking about thousands of routes, I do not think there will be a performance issue on the FW because of that. I mean you have one of the greatest Cisco Firewalls (functionality and power speaking).
    So if that's the case and you really want to do that you will need to implement either RIP,EIGRP,OSPF on the link and then do the redistribution on the routers.
    Makes sense?
    Regards,
    Jcarvaja
    CCIE 42930

  • Problem with a s2s IP SEC between ASA and Adtran

    I'm having a problem getting this tunnel to come up.  What info would you guys need to help me out? I'm just cutting my teeth on networking. I've always had guys to defer these problems to, but I don't right now....
    This is what keeps popping up in the logs
    6 Dec 08 2012 12:19:13 713172 Group = x.x.x.x, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
    and
    6 Dec 08 2012 12:19:13 302015 OutsideIP 500 x.x.x.x 500 Built outbound UDP connection 1088 for outside:x.x.x.x/500 (x.x.x.x/500) to identity:OutsideIP/500 (OutsideIP/500)
    and
    4 Dec 08 2012 12:19:33 713903 Group = x.x.x.x, IP = x.x.x.x Information Exchange processing failed
    There's a couple more logs, let me know if y'all need anything else to help.

    a copy of the configuration of the ASA would help and also advise which vpn tunnel is to the adtran device.
    also, if you can run the following debug:
    debug cry isa
    debug cry ipsec
    and share the output when you try to ping between the 2 LANs.

  • Routable VPN Between ASA and Windows RRAS

    Hi all,
    I'm trying to figure out the best way to create a routable VPN between my production network and a small DR server that I have colo'd offsite.
    On the production side I have an ASA 5515-X (10.1.0.0/23) and on the DR side I have a Windows Server 2012 R2 server running RRAS, DHCP, NAT, and Hyper-V.  The DR server has a virtual environment with a subnet of 10.5.0.0/24 behind NAT (diagram attached for a visual).  I've seen some tutorials online for how to create a routable VPN between the two, some utilizing the Windows Advanced Firewall to create an IPSec tunnel.  So far, I've not been able to get the tunnel to come up.
    Before I spend even more time trying to troubleshoot this, I was wondering what the best way to create a secure connection between these two subnets is and if anybody has done something similar successfully.
    Thanks,
    Jason

    None yet, I've been stuck on this for a while now.  My latest attempt caused the DR site to go offline and required hands-on at the colo site to get it back online due to a bad ipsec policy, so I've backed off a bit on trying things.

  • VPN between ASA and IOS router

    We have established a VPN tunnel between an IOS router and an ASA; however, it is working only from the latter. What are the common dissimilarities which occur between these two devices when setting up a VPN?

    Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
    It should help fix any problems.
    HTH and please rate.
