Tunnel

L4 Transporter

Re: Tunnel

tunnel just went down and now I am seeing this

tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:                   IPSec
        gateway id:             5
        local ip:               66.94.196.107
        peer ip:                66.94.196.108
        inner interface:        tunnel.5
        outer interface:        ethernet1/3
        state:                  inactive
        session:                0
        tunnel mtu:             1428
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       100
        local spi:              B1874737
        remote spi:             CB7EC37F
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       695231
        receive sequence:       653559
        encap packets:          6467473
        decap packets:          6128324
        encap bytes:            1022177560
        decap bytes:            4230706844
        key acquire requests:   50899

L1 Bithead

Re: Tunnel

Make sure that the Tunnel MTU has been set correctly on both sides.

L4 Transporter

Re: Tunnel

MTU, where do you set that on PA and Cisco?

L7 Applicator

Re: Tunnel

MTU can be adjusted on the interface:

MTU.JPG

Thanks

L4 Transporter

Re: Tunnel

If I change that, won't that affect all my tunnels? That could break my other tunnels.

L7 Applicator

Re: Tunnel

As per my understanding, that might affect other tunnels also, because all tunnels are terminated on the same physical interface.

Thanks

L4 Transporter

Re: Tunnel

It dropped the tunnel at 2:16pm and I think this might be why

protocol:               ESP

auth algorithm:         NOT ESTABLISHED

algorithm:              NOT ESTABLISHED

L4 Transporter

Re: Tunnel

This MTU setting is set to adjust TCP MSS

L4 Transporter

Re: Tunnel

I think if the problem was with MTU you would see a consistent problem with your VPN tunnel, like dropped packets. If you ping across the tunnel it would be very evident if you had an MTU issue due to the packet loss. The problem sounds like the tunnel just disconnects and doesn't come back up on a consistent basis. Also, just an FYI, you can just adjust the MTU on the tunnel interface and not for the whole physical interface. Have you opened a ticket with support? They may need to dig into this issue in more detail than can be discussed in a forum to discover the underlying issue. One side is dropping the tunnel. If I had to guess it's the ASA side. Have you tried clearing out the tunnel on the ASA and rebuilding it?

L4 Transporter

Re: Tunnel

Yeah, I am beginning to think the ASA is dropping the tunnel; looks like it's losing its SAs.

This is when it is working

id 139

tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:
        gateway id:             5
        local ip:               66.94.196.107
        peer ip:                66.94.196.108
        inner interface:        tunnel.5
        outer interface:        ethernet1/3
        state:                  active
        session:                184664
        tunnel mtu:             1428
        lifetime remain:        20799 sec
        latest rekey:           8001 seconds ago
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       100
        local spi:              B1874737
        remote spi:             CB7EC37F
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA1
        enc  algorithm:         AES256
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       212815
        receive sequence:       200841
        encap packets:          5985057
        decap packets:          5675607
        encap bytes:            945320904
        decap bytes:            3924486196
        key acquire requests:   50803

This is when it’s not; appears to lose its SAs

Tunnel down

tunnel  Parkway_IPSec_Tunnel5:DR_Network
        id:                     139
        type:                   IPSec
        gateway id:             5
        local ip:               66.94.196.107
        peer ip:                66.94.196.108
        inner interface:        tunnel.5
        outer interface:        ethernet1/3
        state:                  inactive
        session:                0
        tunnel mtu:             1428
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       100
        local spi:              B1874737
        remote spi:             CB7EC37F
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        proxy-id local ip:      10.135.100.0/24
        proxy-id remote ip:     10.135.11.0/25
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       695231
        receive sequence:       653559
        encap packets:          6467473
        decap packets:          6128324
        encap bytes:            1022177560
        decap bytes:            4230706844
        key acquire requests:   50899
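
Added example, not part of any post in this thread: a small Python script that parses two snapshots of the tunnel output and reports which fields changed between the working and down states. The sample text is a constructed excerpt of the fields posted above; the function names `parse` and `compare` are illustrative.

```python
import re

# Constructed excerpts: a subset of the fields from the two outputs in this thread.
WORKING = """\
        state:                  active
        session:                184664
        lifetime remain:        20799 sec
        local spi:              B1874737
        remote spi:             CB7EC37F
        auth algorithm:         SHA1
        enc  algorithm:         AES256
        authentication errors:  0
        encap packets:          5985057
        decap packets:          5675607
        key acquire requests:   50803
"""
DOWN = """\
        state:                  inactive
        session:                0
        lifetime remain:        N/A
        local spi:              B1874737
        remote spi:             CB7EC37F
        auth algorithm:         NOT ESTABLISHED
        enc  algorithm:         NOT ESTABLISHED
        authentication errors:  0
        encap packets:          6467473
        decap packets:          6128324
        key acquire requests:   50899
"""

def parse(text):
    """Turn 'key:   value' lines into a dict, collapsing runs of spaces in keys."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            out[re.sub(r"\s+", " ", key.strip())] = value.strip()
    return out

def compare(before, after):
    """Return (fields whose value changed, numeric deltas for the numeric ones)."""
    b, a = parse(before), parse(after)
    changed = {k: (b[k], a[k]) for k in b if k in a and b[k] != a[k]}
    deltas = {k: int(a[k]) - int(b[k]) for k in changed
              if b[k].isdigit() and a[k].isdigit()}
    return changed, deltas

changed, deltas = compare(WORKING, DOWN)
for k, (old, new) in changed.items():
    print(f"{k:24} {old} -> {new}" + (f"  ({deltas[k]:+d})" if k in deltas else ""))
```

On the posted values the SPIs and the error counter are identical in both snapshots, while state, session, lifetime, both algorithm fields and the key acquire request counter differ.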
