[c-nsp] ASA VPN Tunnels

Blake Pfankuch blake at pfankuch.me
Sat Dec 29 16:04:29 EST 2012


Yes, the DSL modem is doing NAT. It's a CenturyLink PK5001z, which is a ZyXEL rebrand. When the VPN goes offline, we lose all remote access to the ASA5505. I have a non-technical user on the far side so I can't walk him through much... Once the tunnel goes down, I can't get into the ASA by any means until it is restarted.

With this clearing up though, it definitely looks like a L2/L3 issue carrier side. Thanks for all the suggestions, and if this issue crops up again I will dig more into it.

Thanks.

Blake

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Ellsworth
Sent: Saturday, December 29, 2012 10:23 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA VPN Tunnels

So the customer's DSL modem is doing routing rather than bridging - any chance it's also providing some kind of stateful firewall behavior?
Wondering if it could be timing out/closing the session passing through it.
If the DSL modem has stateful packet inspection, perhaps it can be turned off.

Regardless, packet captures are your friend. Run a capture on the client ASA and get a mirrored capture on the RA gateway ASA, load them both up side by side in Wireshark, and see what is happening to your session.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml




On Fri, Dec 28, 2012 at 4:53 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:

> Given that same setup elsewhere is working then this problem is local. 
> The world isn't ideal. I would suggest it's an L1 or L2 issue with this
> customer's line or broadband modem. Maybe line issues and renegotiation
> of the link or faulty modem. Get the line checked/measured/conditioned 
> and/or the modem swapped out.
>
> alan
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>