
Thread: Cisco IPSec VPN strange packet loss issue

  1. #1

    Cisco IPSec VPN strange packet loss issue

    Having problems with a Cisco site-to-site IPSec VPN using a PIX firewall and a Cisco 837 on Telstra ADSL (PPPoE).

    The vpn is functioning, however there is a large amount of packet loss over the vpn.

    Sending 200, 100-byte ICMP Echos to REMOTE_INTERNAL_LAN, timeout is 2 seconds:
    Packet sent with a source address of LOCAL_INTERNAL LAN
    .!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!.!!!!!!!.!!.!!!!!!!!!!!!!!!!!!
    !!!!!!.!.!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!
    !!!.!!!!!!!!!!!!.!!!!!.!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
    Success rate is 93 percent (187/200), round-trip min/avg/max = 52/64/84 ms

    Between the two gateways there does not appear to be a problem.

    Sending 200, 100-byte ICMP Echos to EXTERNAL_GATEWAY, timeout is 2 seconds:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Success rate is 100 percent (200/200), round-trip min/avg/max = 44/52/80 ms

    I have played with the 837 MTU and MSS settings a little; however, this does not appear to help.

    The router interfaces do not have any errors, but the PIX is getting receive errors on the VPN.

    Any ideas would be appreciated.

    A lot of the following config is now redundant and will be tossed; a few things were left there from the previous administration.

    Here's a copy of the config:

    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxx
    !
    logging queue-limit 100
    logging buffered 51200 warnings
    !
    username user privilege 15 password 0 enable
    clock timezone Australia/Sydney 10
    clock summer-time Australia/Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
    ip subnet-zero
    ip domain name xxxxxxx.com.au
    ip name-server xxx.xxx.xxx.xxx
    ip name-server xxx.xxx.xxx.xxx
    ip dhcp excluded-address 192.x.x.1 192.x.x.99
    ip dhcp excluded-address 192.x.x.201 192.x.x.254
    !
    ip dhcp pool sdm-pool1
    network 192.x.x.0 255.255.255.0
    domain-name xxxxx.com.au
    dns-server xxx.xxx.x.x
    default-router 192.x.x.1
    !
    !
    ip inspect name sdm_ins_in_100 ftp
    ip inspect name sdm_ins_in_100 h323
    ip inspect name sdm_ins_in_100 netshow
    ip inspect name sdm_ins_in_100 rcmd
    ip inspect name sdm_ins_in_100 realaudio
    ip inspect name sdm_ins_in_100 rtsp
    ip inspect name sdm_ins_in_100 smtp
    ip inspect name sdm_ins_in_100 sqlnet
    ip inspect name sdm_ins_in_100 streamworks
    ip inspect name sdm_ins_in_100 tftp
    ip inspect name sdm_ins_in_100 tcp
    ip inspect name sdm_ins_in_100 udp
    ip inspect name sdm_ins_in_100 vdolive
    ip inspect name sdm_ins_in_100 icmp
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 smtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 icmp
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    !
    crypto isakmp policy 20
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key 0 ****KEY1**** address yyy.yyy.yyy.yyy
    crypto isakmp identity hostname
    crypto isakmp keepalive 300 5
    !
    crypto ipsec security-association lifetime seconds 28800
    !
    crypto ipsec transform-set botanyvpn esp-3des esp-md5-hmac
    crypto ipsec transform-set botany-SHA esp-3des esp-sha-hmac
    !
    crypto map botanyvpn 10 ipsec-isakmp
    set peer yyy.yyy.yyy.yyy
    set transform-set botany-SHA
    match address 120
    !
    !
    !
    !
    interface Ethernet0
    description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$
    ip address 192.x.x.1 255.255.255.0
    ip access-group 104 in
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    crypto map botanyvpn
    !
    interface ATM0.1 point-to-point
    description ISP DSL
    pvc 8/35
    pppoe-client dial-pool-number 1
    !
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address xxx.xxx.xx.xx 255.255.255.0
    ip mtu 1452
    ip inspect sdm_ins_in_100 in
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxx@xxx.xxx.net
    ppp chap password xxx
    crypto map botanyvpn
    !
    ip nat pool 192.x.x.x 192.1xxx.xxx.2 192.1xxx.x.255 netmask 255.255.255.0
    ip nat inside source list 1 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    !
    access-list 1 remark INSIDE_IF=Ethernet0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.x.0 0.0.0.255
    access-list 2 remark Auto generated by SDM Management Access feature
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit 192.168.0.0 0.0.255.255
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit tcp 192.xxx.0.0 0.0.255.255 host xxx.xxx.xxx.xxx eq telnet
    access-list 100 permit tcp 192.xxx.0.0 0.0.255.255 host xxx.xxx.xxx.xxx eq 22
    access-list 100 permit tcp 192.xxx.0.0 0.0.255.255 host xxx.xxx.xxx.xxx eq www
    access-list 100 permit tcp 192.xxx.0.0 0.0.255.255 host xxx.xxx.xxx.xxx eq 443
    access-list 100 permit tcp 192.xxx.0.0 0.0.255.255 host xxx.xxx.xxx.xxx eq cmd
    access-list 100 deny tcp any host xxx.xxx.xxx.xxx eq telnet
    access-list 100 deny tcp any host xxx.xxx.xxx.xxx eq 22
    access-list 100 deny tcp any host xxx.xxx.xxx.xxx eq www
    access-list 100 deny tcp any host xxx.xxx.xxx.xxx eq 443
    access-list 100 deny tcp any host xxx.xxx.xxx.xxx eq cmd
    access-list 100 deny udp any host xxx.xxx.xxx.xxx eq snmp
    access-list 100 permit ip any any
    access-list 101 remark SDM_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 192.168.x.0 0.0.0.255 192.168.y.0 0.0.0.255
    access-list 101 permit ip 192.168.x.0 0.0.0.255 any log
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark SDM_ACL Category=1
    access-list 102 permit ip 192.168.0.0 0.0.255.255 any
    access-list 102 permit ip any any
    access-list 103 remark Auto generated by SDM Management Access feature
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit tcp 192.168.0.0 0.0.255.255 host 192.x.x.1 eq telnet
    access-list 103 permit tcp 192.168.0.0 0.0.255.255 host 192.x.x.1 eq 22
    access-list 103 permit tcp 192.168.0.0 0.0.255.255 host 192.x.x.1 eq www
    access-list 103 permit tcp 192.168.0.0 0.0.255.255 host 192.x.x.1 eq 443
    access-list 103 permit tcp 192.168.0.0 0.0.255.255 host 192.x.x.1 eq cmd
    access-list 103 deny tcp any host 192.x.x.1 eq telnet
    access-list 103 deny tcp any host 192.x.x.1 eq 22
    access-list 103 deny tcp any host 192.x.x.1 eq www
    access-list 103 deny tcp any host 192.x.x.1 eq 443
    access-list 103 deny tcp any host 192.x.x.1 eq cmd
    access-list 103 deny udp any host 192.x.x.1 eq snmp
    access-list 103 permit ip any any
    access-list 105 remark auto generated by SDM firewall configuration
    access-list 105 remark SDM_ACL Category=1
    access-list 105 permit udp host zzz.zzz.zzz.z eq ntp host xxx.xxx.xxx.xxx eq ntp
    access-list 105 permit udp host 194.137.39.67 eq ntp host xxx.xxx.xxx.xxx eq ntp
    access-list 105 deny ip 192.168.x.0 0.0.0.255 any
    access-list 105 permit icmp any host xxx.xxx.xxx.xxx echo-reply
    access-list 105 permit tcp 202.92.0.0 0.0.255.255 host xxx.xxx.xxx.xxx eq telnet
    access-list 105 permit icmp any host xxx.xxx.xxx.xxx time-exceeded
    access-list 105 permit icmp any host xxx.xxx.xxx.xxx unreachable
    access-list 105 deny ip 10.0.0.0 0.255.255.255 any
    access-list 105 deny ip 172.16.0.0 0.15.255.255 any
    access-list 105 deny ip 192.168.0.0 0.0.255.255 any
    access-list 105 deny ip 127.0.0.0 0.255.255.255 any
    access-list 105 deny ip host 255.255.255.255 any
    access-list 105 deny ip host 0.0.0.0 any
    access-list 105 deny ip any any log
    access-list 120 permit ip 192.168.x.0 0.0.0.255 192.168.y.0 0.0.0.255
    dialer-list 1 protocol ip permit
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    banner login ^C
    -----------------------------------------------------------------------

    -----------------------------------------------------------------------

    ^C
    !
    line con 0
    login local
    no modem enable
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    access-class 102 in
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    sntp server zzz.zzz.zzz.zzz
    sntp server zzz.zzz.zzz.zzz
    sntp server zzz.zzz.zzz.zzz
    sntp server zzz.zzz.zzz.zzz
    !
    end
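    An added example, not part of the thread, to sanity-check the MTU/MSS side of the question above: it computes the ESP tunnel-mode size budget for the PPPoE + 3DES/SHA (or MD5) setup in the config, and the TCP MSS that keeps a full segment inside one ESP packet. The PPPoE link MTU of 1492 and the config's `ip mtu 1452` are used as inputs; the overhead figures are the standard ESP tunnel-mode ones (new IPv4 header, SPI + sequence, IV, pad, trailer, 96-bit ICV).

```python
# Added example (not the poster's code): ESP tunnel-mode size budget for a
# PPPoE + IPsec link, to check whether MTU/MSS can explain packet loss.

ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
TRAILER = 2        # pad length (1 byte) + next header (1 byte)
OUTER_IP = 20      # new IPv4 header added in tunnel mode
IV_LEN = {"esp-3des": 8, "esp-aes": 16}           # CBC IV = cipher block size
ICV_LEN = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}  # both truncated to 96 bits


def esp_tunnel_size(inner_len, cipher="esp-3des", auth="esp-sha-hmac"):
    """Outer IPv4 length after ESP tunnel-mode encapsulation of an
    inner IP packet of inner_len bytes (headers included)."""
    block = IV_LEN[cipher]
    # Payload + trailer is padded up to a multiple of the cipher block size.
    pad = (-(inner_len + TRAILER)) % block
    return (OUTER_IP + ESP_HDR + IV_LEN[cipher] + inner_len
            + pad + TRAILER + ICV_LEN[auth])


def fits(inner_len, outer_mtu, cipher="esp-3des", auth="esp-sha-hmac"):
    """True if the encrypted packet leaves the outer interface unfragmented."""
    return esp_tunnel_size(inner_len, cipher, auth) <= outer_mtu


def max_inner_len(outer_mtu, cipher="esp-3des", auth="esp-sha-hmac"):
    """Largest inner IP packet whose ESP encapsulation still fits outer_mtu."""
    n = outer_mtu
    while not fits(n, outer_mtu, cipher, auth):
        n -= 1
    return n


def tcp_mss_for_tunnel(outer_mtu, cipher="esp-3des", auth="esp-sha-hmac"):
    """TCP MSS to advertise so a full segment (inner IP 20 + TCP 20 headers)
    is encrypted into a single ESP packet on this link."""
    return max_inner_len(outer_mtu, cipher, auth) - 40


if __name__ == "__main__":
    for mtu in (1492, 1452):   # PPPoE link MTU, and the config's 'ip mtu 1452'
        print(f"outer MTU {mtu}: max inner packet {max_inner_len(mtu)} bytes, "
              f"tunnel MSS {tcp_mss_for_tunnel(mtu)}")
    # A 100-byte echo as used in the ping above encapsulates to 152 bytes,
    # far below either limit, so MTU alone does not explain the ~7% loss.
    print("100-byte ping ->", esp_tunnel_size(100), "bytes on the wire")
```

    Sporadic loss on small pings, with 100% success between the gateways themselves, points away from MTU and toward the tunnel endpoint itself, which matches the IOS bug the poster eventually found.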

  2. #2
    Hi,
    Easiest solution IMHO is to dump the config and create a fresh one - I like to keep it simple
    .....Brain Failure....dumping core.... z z z

  3. #3
    Trumpet-Eared Gentoo Freak
    I've had this problem before.

    I had a problem between two routers like this once. One router was on 100Mb/full duplex, while the other one was on 100Mb/half duplex mode, which would explain some packet loss, because one interface only looks at data over two wires while the full-duplex one sends and receives on four wires.

    Hope this helps.

    <edit>
    So I'd check the interfaces when the VPN is set up.
    </edit>
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  4. #4
    Thanks for the replies. Sorted this one out a few days back; have not had time to add to the post.

    Short version: IOS bug.

    There was a deferment notice on the initial IOS; however, I had to go through one or two more before finding one which was stable and did not have other issues.

    Config was redone from scratch as well, which I probably should have done first, as there was a lot of useless rubbish in there which just made for more reading (sorry for the long first post, mainly config).

    Anyway, thanks again.
