https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36079#M26515 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I have configured an fixed IP sec VPN tunell on my PA 500. The tunell comes up OK, and I can ping an traceroute an IP adress on the network I am connectod too, through the vpn tunell. But Packet loss lies between 20 and 40 % running ping tests.</P><P></P><P>We experience the same thing on both sides of the tunell.</P><P></P><P>what can be wrong here, to me it seems like the vpn config is OK, but that it may be a routing or policy issue, but since 60-80% of the packets are actually coming through, then I dont think it is routing or policy either.</P><P></P><P>can it be an issue with ARP tables, if so will a reeboot of the firewall help, or should I reboot our ADSL modem\internet connection ?</P><P></P><P>I am not familiar with the use of "tunel monitor" - but could it be a solution there ?</P><P></P><P>knut</P></BODY></HTML> Wed, 04 Sep 2013 13:46:05 GMT knutelde 2013-09-04T13:46:05Z https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36079#M26515 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>I have configured an fixed IP sec VPN tunell on my PA 500. The tunell comes up OK, and I can ping an traceroute an IP adress on the network I am connectod too, through the vpn tunell. But Packet loss lies between 20 and 40 % running ping tests.</P><P></P><P>We experience the same thing on both sides of the tunell.</P><P></P><P>what can be wrong here, to me it seems like the vpn config is OK, but that it may be a routing or policy issue, but since 60-80% of the packets are actually coming through, then I dont think it is routing or policy either.</P><P></P><P>can it be an issue with ARP tables, if so will a reeboot of the firewall help, or should I reboot our ADSL modem\internet connection ?</P><P></P><P>I am not familiar with the use of "tunel monitor" - but could it be a solution there ?</P><P></P><P>knut</P></BODY></HTML> Wed, 04 Sep 2013 13:46:05 GMT https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36079#M26515 knutelde 2013-09-04T13:46:05Z https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36080#M26516 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The following document explains tunnel monitoring and DPD feature on the Palo Alto:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1323">Dead Peer Detection and Tunnel Monitoring</A></P><P></P><P>As far as improving IPsec performance, you can try adjusting TCP MSS value on the interface associated with that IPsec tunnel. Please refer the following document for the same:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-3839">How to Improve Performance for IPSEC Traffic in PANOS 4.0 and above.</A></P><P></P><P></P><P>Hope that helps!</P><P></P><P>Regards,</P><P>Kunal Adak</P></BODY></HTML> Wed, 04 Sep 2013 15:23:48 GMT https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36080#M26516 kadak 2013-09-04T15:23:48Z https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36081#M26517 <HTML><HEAD></HEAD><BODY><P>Thx Kunal, </P><P></P><P>it did not solve this case, it was only a matter of old\filled up ARP tables, because a reboot of ISP router and PA 500 made it work, but it is intresting pdfs because I configure these kind of tunells often</P></BODY></HTML> Mon, 09 Sep 2013 12:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/bad-vpn-connectivity-packet-loss-ip-sec-vpn/m-p/36081#M26517 knutelde 2013-09-09T12:52:56Z