Pix 501 and Cable modem - lost packets 1

Status
Not open for further replies.

thegirlofsteel

IS-IT--Management
Mar 3, 2004
Hello,

I have a Cisco pix 501 at a branch office connecting via cable connection to a pix 515 at our main branch. We seem to always be losing internet connection and of course the vpn goes down. The cable company says our connection to the modem is great. In-house the cabling is fine. What can cause this? Is it because of the modem to pix connection? We lose packets when we are on between the main office and that branch. Any advice to lead me in the right direction to troubleshoot this?
 
I've found the only time there's ever problems with the pix vpn's is when there's problems with internet. I'd be getting back on the phone with your isp...

a few things you can try tho:

If you can afford vpn downtime for a while, replace the pix with a basic d-link or linksys to see if it's more stable.

try a steady ping to the dns servers of your isp using ping -t

Are you running dhcp or static addresses? If dhcp, try statically assigning the current address for a while. It's annoying to the isp but who cares right now.

When the vpn tunnel is up, try pinging (ping -t) to a device across the tunnel, I'm willing to bet you're getting drops.

Make sure to have isp's check both sides of your tunnel. I ran into a problem a couple of weeks ago where problems on both sides were causing flaky connections.

Good luck

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Thanks so much for the response!!! I get lost packets (when the pix is up) going to one of our iSeries servers on the other end. Not that bad with 5 missing packets of 100. Now do you think there may be an issue because on the main office side, we have a T1 line? Could our PIX 515 be the cause? It shouldn't cause the branch to lose all connection to both the internet and the vpn tunnel. Would the pix at the main office be disabling the pix at the branch level due to some sort of virus, etc.?

We had one PC at the branch that had a program called ARES something similar to napster. I was wondering if it were blocking it because of that connection.

Another weird thing is I tried to ping -n 100 google.com from the branch and I get request timeout.

Sorry for the long winded email!
 
Has it worked well for a while and started developing problems? Or has it always been a problem?

The place to start is getting a thorough check on the internet lines on both sides, that's the more likely culprit. It doesn't matter if there's 5 packets or 20 packets lost, it's a good indication of problematic internet. I've spent countless hours fighting with isp's that there's a problem.

If all else fails, tell them to send a tech in to check everything out. You can beat your

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Whoops, hit submit before finishing... meant to say you can beat your head against a wall all you want checking out internal issues...

Viruses can cause slowdowns, yes. They can flood your network and effectively take you offline. Do you have any problems connecting to your server when you're on the same subnet or wired directly thru a switch? If not, this probably isn't an issue.

Heavy usage programs like p2p can cause problems too... But if you're able to download fine while still having problems with the vpn, then...

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
Well, I did a ping -t from a pc on the main office to the modem at the branch office for more than 9 minutes because it seems at the branch the connection goes down around that time.

The results were (after 16 minutes)

Packets: Sent = 617, Received = 615, Lost = 2 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 45ms, Maximum = 204ms, Average = 50ms

I also ran the same ping from home to the outside ip of that cable modem at the branch.

Packets: Sent = 360, Received = 360, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 15ms, Maximum = 35ms, Average = 20ms

This one is from home to the outside ip of the main office modem:

Packets: Sent = 369, Received = 368, Lost = 1 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 45ms, Maximum = 72ms, Average = 48ms

The ones with the request time out seem to be at the main office. I was inside the main office pix to the modem at the branch and I got 2 lost packets. From home I got 1 lost packet. Could this be the culprit?

Would a lost packet at the main office pix create the pix at the branch to lose its connection and then the pix freezes or disables internet at the other side....??? confused!!
 
Another interesting tidbit. I ran the ping -t from home to our branch office modem and got no packet loss after around 15 minutes.

I'm starting to believe it's on my main office pix.
 
Here is what I got from the main office pix show tech:

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf6.bdc3
IP address xx.xx.xx.x, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
69107 packets input, 6818996 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
79141 packets output, 10688087 bytes, 0 underruns
0 output errors, 360 collisions, 0 interface resets
0 babbles, 208 late collisions, 186 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/7)
output queue (curr/max blocks): hardware (0/34) software (0/34)


 
BTW, I'm worried about the deferred collisions. Could this be an issue?
 
I'm at my wit's end!!! I did all the diagnostics, changed the ethernet card speed, checked with the isp's....what is going on???
 
Can I see show interface on your 501?

I think there is a duplex mismatch. Your H/O shows it's half duplex.
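
The duplex-mismatch reading of the show interface output above, as an added example that is not part of the original thread: a short Python check that pulls the duplex setting and collision counters out of that output and flags the pattern a mismatch leaves behind. The function names are hypothetical, and the sample text is the counter lines posted earlier in the thread.

```python
import re

# Counter lines copied from the "show interface" output posted in this thread.
SAMPLE = """\
interface ethernet0 "outside" is up, line protocol is up
MTU 1500 bytes, BW 10000 Kbit half duplex
69107 packets input, 6818996 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
79141 packets output, 10688087 bytes, 0 underruns
0 output errors, 360 collisions, 0 interface resets
0 babbles, 208 late collisions, 186 deferred
"""

def counter(text, label):
    """Number printed before `label`, e.g. '208 late collisions' -> 208 (0 if absent)."""
    m = re.search(r"\b(\d+) " + re.escape(label) + r"\b", text)
    return int(m.group(1)) if m else 0

def assess(text):
    """Summarise duplex and collision counters and list mismatch indicators."""
    m = re.search(r"\b(half|full) duplex\b", text)
    duplex = m.group(1) if m else "unknown"
    late = counter(text, "late collisions")
    collisions = counter(text, "collisions")
    crc = counter(text, "CRC")
    sent = counter(text, "packets output")
    findings = []
    # A half-duplex port only sees late collisions when the far end keeps
    # transmitting mid-frame, which is what a full-duplex neighbour does.
    if duplex == "half" and late > 0:
        findings.append("late collisions on a half-duplex port: "
                        "likely duplex mismatch with the attached device")
    # The full-duplex end of a mismatch shows the damage as CRC errors, and
    # it should never count collisions at all.
    if duplex == "full" and (crc > 0 or collisions > 0):
        findings.append("CRC errors or collisions on a full-duplex port: "
                        "check the duplex setting on the attached device")
    return {
        "duplex": duplex,
        "late_collisions": late,
        "collision_rate": collisions / sent if sent else 0.0,
        "findings": findings,
    }

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run against the main office output, the only finding is the late-collision one; the same check on the 501's show interface would show whether the other PIX is clean.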
 
Do you think this should be full duplex on both ends? How do I change it to full duplex?
 