Cisco ASA: VPN behaviour when packet loss is high on WAN

In our site-to-site VPN setup between two ASAs we see the following
effect: On the internet route from Office A to Office B in another
country we notice that one of the provider routers in between has 70%
packet loss or more. In this situation the ASA then drops TCP sessions
over VPN, i.e. after a telnet login one gets kicked out after a few
seconds or minutes.

Previously we had that VPN connection made with a Sonicwall and then
only the network throughput or response time went slow.

Is there a way to control this behaviour?

Thanks in advance.


Re: Cisco ASA: VPN behaviour when packet loss is high on WAN

I wonder if your packets are being dropped as being too large?
Are you using path MTU detection? Have you tried using the
tcp mss adjust feature?

It could be that the previous connection used a different encapsulation
that was just shorter enough to not be a problem on the link.

For example, if you have isakmp nat-traversal turned on now,
that probably wasn't present on your prior SonicWall, and so you
might now have a UDP layer encapsulating an ESP layer encapsulating
the payload TCP or UDP layer -- overhead build-up!
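
The overhead build-up described above, worked out in Python as an added example (not code from the thread or from Cisco): it sizes a tunnel-mode ESP packet layer by layer (outer IP, optional NAT-T UDP, ESP header and IV, inner IP + TCP + data, ESP padding and trailer, ICV) and finds the largest TCP MSS that still fits the path MTU. The transform list and the 1500-byte path MTU are assumptions for illustration.

```python
"""Estimate IPsec ESP tunnel-mode overhead and the TCP MSS that keeps the
encrypted packet within the path MTU (added example; transform sizes are
the standard ones, the MTU and transform choices are assumptions)."""

IPV4_HDR = 20
UDP_HDR = 8           # NAT-T encapsulation (UDP/4500), present only when NAT-T is on
TCP_HDR = 20
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)

# transform -> (IV length, padding block size, ICV length) in bytes
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96":  (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-gcm-128":           (8, 4, 16),   # RFC 4106: 4-byte alignment
}


def esp_packet_size(payload_len: int, transform: str, nat_t: bool) -> int:
    """On-the-wire IPv4 size of a tunnel-mode ESP packet carrying one TCP
    segment with `payload_len` bytes of TCP data."""
    iv, block, icv = TRANSFORMS[transform]
    # Encrypted part: inner IP + TCP + data + trailer, padded to the block size
    plaintext = IPV4_HDR + TCP_HDR + payload_len + ESP_TRAILER
    padded = (plaintext + block - 1) // block * block
    size = IPV4_HDR + ESP_HDR + iv + padded + icv
    if nat_t:
        size += UDP_HDR   # the extra UDP layer the reply mentions
    return size


def max_mss(path_mtu: int, transform: str, nat_t: bool) -> int:
    """Largest TCP MSS whose encrypted packet never exceeds path_mtu."""
    mss = path_mtu - IPV4_HDR - TCP_HDR       # start from the plain-TCP default
    while mss > 0 and esp_packet_size(mss, transform, nat_t) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    # A 1460-byte segment (default MSS for a 1500 MTU) grows past 1500 once
    # encrypted, so it is fragmented or dropped when DF is set.
    for t in TRANSFORMS:
        for nat in (False, True):
            print(f"{t:24} nat-t={nat!s:5} 1460-byte segment -> "
                  f"{esp_packet_size(1460, t, nat)} bytes, "
                  f"max MSS for 1500 MTU = {max_mss(1500, t, nat)}")
```

Because padding rounds up to the cipher block, enabling NAT-T costs 16 bytes of MSS with AES-CBC here, not just the 8-byte UDP header; on an ASA the clamp itself is set with `sysopt connection tcpmss`.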
