Cisco VPN/ADSL/MTU problems/questions

Soldato, joined 1 Nov 2002, 6,487 posts, South Shields
I'm having some issues with a connection to a remote site.

We currently have numerous remote sites all connected by VPN using the following setup:

HQ internet - HQ - Cisco ASA5505 - 2wire ADSL modem - internet - 2wire ADSL modem - Cisco ASA5505 - Remote Site

The internet between the 2wire modems is solely used for the VPN connection between HQ and the remote site.

We have had numerous issues with the BT supplied 2wire modems, so I've recently setup a remote site like this:

HQ internet - HQ - Cisco 887 Router/Modem - internet - Cisco 887 Router/Modem - Remote Site

This has given us great control over the connection, as BT have a habit of rolling out updates to the modems which have caused problems in the past.

The main issue we've had since installing the new routers is that the connection does not seem stable. The VPN does not appear to go down, but if I PING a remote PC from HQ, usually the 1st or 3rd PING will fail (after some more testing it's almost always the 3rd PING that fails), then it appears quite stable and very few PINGs after the initial ones are dropped. Citrix sessions are dropping out every 10 minutes or so on the remote site.

I'm no expert when it comes to ADSL, but I've been reading that MTU can affect performance. The ASAs were all configured to use an MTU of 1500; I've tried that and various other values on the 887 routers and we still experience the same issues.

The 887 config is fairly bare bones, it has literally the VPN/ADSL configured and very little else.

Anyone come across a similar issue? I can provide the Cisco configs etc. if needed.
 
Not sure if this could help, as we were going to try it on a few of our 877s which had experienced drops (although we don't use BT Retail as an ISP; we are an ISP, so we use their Wholesale services).

The firmware upgrade might be worth a shot though.

http://www.problutions.com/?p=110
 
I'm not sure if it would help. It's very strange that it now always appears to be the 3rd ping that fails, then the next few hundred will be fine. If you then stop the pings, give it a few minutes and ping again, the 3rd one will fail but the rest will be fine.
 
MTU does affect performance with VPNs due to fragmentation.
I think with IPSEC VPNs an MTU of 1452 is recommended (iirc).

Ciscos do like to drop the first ping sent to them, and it's well within specification that they could also seem to drop the third ping instead.

As for connection losses, DJMK4 is quite right about using a newer modem firmware.
 
Yamahahahaha is correct. Because of additional overheads and encap on IPSEC to avoid fragmentation you need to drop the configured MTU so that the whole lot fits within your standard 1500 MTU space.

Though your issue sounds like the modem crapping out, as small delays and losses due to fragments should be corrected by TCP retransmission. You could set up dumping to a syslog server; that should at least allow the router to tell you what it thinks is causing the drop, if anything.
 
The size of the header can vary depending on the type of encryption used, so you might want to google the encryption you are using to optimise the MTU. It can basically range from 1346 right up to 1492.
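The last three replies all make the same point: ESP tunnel mode wraps each inner packet in an outer IPv4 header, an ESP header, an IV, cipher padding and an integrity check value, so the usable MTU inside the tunnel depends on which transform the SA negotiated. The following calculator is an added example written for this thread; it is not code from the original posts or from Cisco. The transform table (IV, padding alignment and ICV lengths for a few common IKE transforms), the header constants, the optional NAT-T UDP encapsulation and the outer link MTUs are assumptions stated in the comments, not values taken from the poster's configs. It works out the largest inner packet that still fits the outer MTU without fragmenting, and the TCP MSS you would clamp to, so you can see where figures like 1452 and 1492 come from rather than guessing.

```python
from dataclasses import dataclass

# Assumed per-transform constants for ESP over IPv4 (not from the thread):
#   iv_len  - bytes of IV carried in the ESP payload
#   block   - padding alignment (CBC block size; 4 bytes for AEAD modes)
#   icv_len - integrity check value length in bytes
@dataclass(frozen=True)
class EspTransform:
    name: str
    iv_len: int
    block: int
    icv_len: int

TRANSFORMS = {
    "aes-cbc/sha1":   EspTransform("aes-cbc/sha1",   16, 16, 12),
    "aes-cbc/sha256": EspTransform("aes-cbc/sha256", 16, 16, 16),
    "3des-cbc/md5":   EspTransform("3des-cbc/md5",    8,  8, 12),
    "aes-gcm-128":    EspTransform("aes-gcm-128",     8,  4, 16),
}

OUTER_IPV4 = 20   # outer IPv4 header, no options
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
UDP_NAT_T = 8     # UDP header added when NAT traversal is in use
TCP_IPV4_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options


def esp_packet_size(inner_len: int, t: EspTransform, nat_t: bool = False) -> int:
    """Bytes on the wire for a tunnel-mode ESP packet carrying an inner packet of inner_len bytes."""
    # The inner packet plus the 2-byte trailer is padded up to the cipher alignment.
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block
    return (OUTER_IPV4 + (UDP_NAT_T if nat_t else 0) + ESP_HEADER
            + t.iv_len + padded + t.icv_len)


def tunnel_mtu(outer_mtu: int, t: EspTransform, nat_t: bool = False) -> int:
    """Largest inner packet that fits in outer_mtu without fragmentation of the ESP packet."""
    # Packet size is non-decreasing in inner_len, so walk down from the outer MTU
    # until the encapsulated packet fits.
    inner = outer_mtu
    while esp_packet_size(inner, t, nat_t) > outer_mtu:
        inner -= 1
    return inner


def recommended_mss(outer_mtu: int, t: EspTransform, nat_t: bool = False) -> int:
    """TCP MSS to clamp on the tunnel so a full segment never needs fragmenting."""
    return tunnel_mtu(outer_mtu, t, nat_t) - TCP_IPV4_HEADERS


def would_fragment(inner_len: int, outer_mtu: int, t: EspTransform, nat_t: bool = False) -> bool:
    """True if an inner packet of inner_len bytes would exceed the outer MTU after ESP encapsulation."""
    return esp_packet_size(inner_len, t, nat_t) > outer_mtu


if __name__ == "__main__":
    # Assumed link MTUs: 1500 for PPPoA-style ADSL, 1492 where PPPoE eats 8 bytes.
    for outer in (1500, 1492):
        for t in TRANSFORMS.values():
            print(f"outer {outer}  {t.name:15s}  tunnel MTU {tunnel_mtu(outer, t)}  "
                  f"MSS {recommended_mss(outer, t)}  "
                  f"NAT-T tunnel MTU {tunnel_mtu(outer, t, nat_t=True)}")
    # A 1500-byte inner packet (what the ASAs were sending) never fits a 1500-byte outer link.
    print("1500-byte inner packet fragments:", would_fragment(1500, 1500, TRANSFORMS["aes-cbc/sha1"]))
```

Run it and compare the tunnel MTU column against the `ip mtu` on your tunnel or VPN interface and the MSS column against `ip tcp adjust-mss`; if the configured values are higher than what the table gives for your transform, every full-size segment is being fragmented on the way out, which is the kind of thing Citrix tolerates badly.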
 
After many hours of playing around it looks like it could have been a far simpler problem.
After reading about various issues with Citrix over IPsec VPN links, I decided to give a basic GRE tunnel a go: pre-configured some routers, went to the remote site and switched the hardware over whilst a colleague did the same in HQ.
At which point we noticed someone had plugged the ASA back into the switch. This was previously providing the VPN connection and has the same LAN address as the router which is being used for the VPN now.
 