This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Some VPN packet is being dropped and particular counter increased and traffic slow.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Some VPN packet is being dropped and particular counter increased and traffic slow.

RohJaewoong
L3 Networker

‎07-13-2014 01:53 AM

Hello guys,

I have a issue about the IPsecVPN tunnel.  One side of IPsecVPN tunnel is slow for receiving traffic but opposite side is OK to receiving traffic.

flow_tunnel_activate                       2        0 info      flow      tunnel    Number of packets that triggerred tunnel activation

flow_tunnel_decap_err                  47373        0 drop      flow      tunnel    Packet dropped: tunnel decapsulation error

flow_tunnel_ipsec_replay_err           47372        0 drop      flow      tunnel    Packet dropped: header sequence number is a replay

flow_tunnel_ipsec_wrong_spi                1        0 drop      flow      tunnel    Packet dropped: IPsec SA for spi in packet not found

As you above that flow_tunnel_decap_err and flow_tunnel_ipsec_replay_err counter are being increased and I believe that dropped packet caused above counter that makes slow to tunneled traffic.

I also disabled the option the replay protection on IPsecVPN configuration as below. But flow_tunnel_ipsec_replay_err counter is being increased for now even if anti-replay option disabled.

              <tunnel-monitor>

                <enable>no</enable>

              </tunnel-monitor>

              <anti-replay>no</anti-replay>

              <copy-tos>no</copy-tos>

              <tunnel-interface>tunnel.1</tunnel-interface>

I cannot understand why above counter increasing and tunneled packet are being dropped. I read that similar case IPSec Tunnel is up but Packet is Getting Dropped with Wrong SPI Counter Increase but I cannot solve the my case.

Anybody knows about this issue? if yes, Please let me know and help.

Thanks.

Regards,

Roh

0 Likes Likes
2 REPLIES 2

ajbool
L3 Networker

‎07-13-2014 03:48 AM

Rather than just checking the config for the anti-replay status, can you check the live tunnel itself with the command,

show vpn flow name <tunnel name>

There is an "anti-replay check" field in the output of this command...

0 Likes Likes

pulukas
L7 Applicator

‎07-13-2014 07:02 AM

Could you run through the phase 2 troubleshooting command outlined in the following document.

How to Troubleshoot VPN Connectivity Issues

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 5042 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks