Cisco ASA: VPN behaviour when packet loss is high on WAN

Hi,

In our site-to-site VPN setup between two ASAs we see the following effect: On the internet route from Office A to Office B in another country we notice that one of the provider routers in between has 70% packet loss or more. In this situation the ASA then drops TCP sessions over VPN, i.e. after a telnet login one gets kicked out after a few seconds or minutes.

Previously we had that VPN connection made with a Sonicwall and then only the network throughput or response time went slow.

Is there a way to control this behaviour?

Thanks in advance.

Regards, Bernd

Reply to
Bernd Nies

I wonder if your packets are being dropped as being too large? Are you using path MTU detection? Have you tried using the tcp mss adjust feature?

It could be that the previous connection used a different encapsulation that was just short enough to not be a problem on the link.

For example, if you have isakmp nat-traversal turned on now, that probably wasn't present on your prior Sonicwall, and so you might now have a UDP layer encapsulating an ESP layer encapsulating the payload TCP or UDP layer -- overhead build-up!

Reply to
Walter Roberson
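
The encapsulation overhead described in the reply above, worked through as an added example that is not part of either post: it computes the on-wire size of an ESP tunnel-mode packet with and without NAT-T and the largest TCP MSS that avoids fragmentation. The 1500-byte path MTU, IPv4 without options, and the two transform sets are assumptions, not values from the thread.

```python
"""Added example: ESP tunnel-mode overhead with and without NAT-T."""

IPV4_HDR = 20     # outer (and inner) IPv4 header, no options
TCP_HDR = 20      # inner TCP header, no options
UDP_NATT = 8      # UDP header added by NAT traversal
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad-length byte + next-header byte

# Assumed transform sets (not from the thread): (IV, cipher block, ICV) in bytes
TRANSFORMS = {
    "3des-sha1": (8, 8, 12),
    "aes-cbc-sha1": (16, 16, 12),
}


def esp_packet_size(inner_len, transform, nat_t=False):
    """On-wire size of one inner IP packet after ESP tunnel encapsulation."""
    iv, block, icv = TRANSFORMS[transform]
    # Inner packet plus ESP trailer is padded up to a whole cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    natt = UDP_NATT if nat_t else 0
    return IPV4_HDR + natt + ESP_HDR + iv + padded + icv


def max_inner_packet(path_mtu, transform, nat_t=False):
    """Largest inner IP packet that fits in path_mtu without fragmentation."""
    inner = path_mtu
    while inner > 0 and esp_packet_size(inner, transform, nat_t) > path_mtu:
        inner -= 1
    return inner


def max_tcp_mss(path_mtu, transform, nat_t=False):
    """TCP MSS to clamp to so encrypted segments stay within path_mtu."""
    return max_inner_packet(path_mtu, transform, nat_t) - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    mtu = 1500  # assumed path MTU
    for name in TRANSFORMS:
        for nat_t in (False, True):
            full = esp_packet_size(mtu, name, nat_t)
            mss = max_tcp_mss(mtu, name, nat_t)
            print(f"{name:13} nat-t={nat_t!s:5} "
                  f"1500B inner -> {full}B on wire, safe MSS {mss}")
```

On the ASA the MSS clamp is configured with `sysopt connection tcpmss`; comparing its value with the numbers above shows whether full-size segments still fit once NAT-T is enabled.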
