Screen OS


  • 1.  VPN is coming up, but has decreasing connectivity over time between two SSG5s

    Posted 02-13-2009 19:07

    It's a weird one. I've worked with both site bandwidth providers, along with the backbone provider that the VPN routes over in between the two sites. There are not any issues with the network carrying the VPN. The VPN itself is an AES256 main mode VPN that comes up just fine initially, and traffic routes properly through the VPN, but over a 24 hour period the connectivity through the VPN slowly withers to almost nothing. I'm running a persistent ping from the inside trust interface of site A, that I have the user's network on, to the inside trust interface of site B, that I have that site's users on, and I initially get perfect responses, but over 24-36 hours (from power up of the site B SSG 5), it goes from 0 packet loss, with 20-25 ms response times (with occasional spikes when busy), to only one response every 30 or so pings. And when it does respond, it's still 20ish ms response time. Shutting the site B SSG 5 down for 30 seconds before rebooting seems to start me back with perfect connectivity.


    I've tried changing the MTU size on the tunnel interfaces from 1500 to 1300, but that doesn't seem to faze it. What's also very strange is that if I run another persistent ping from the inside trust management interface of site C (yes, a third site) to the inside trust management interface of site B, across a separate tunnel interface (although the VPNs themselves are configured very similarly, just with different routes, subnets and access policies... I could combine the tunnel interfaces, I just haven't yet), I get perfect connectivity, while the user VPN is degrading slowly. I am about to go test ping from the inside trust management interface of site A to site B, but my guess is that it will be working perfectly as well; it's just this user VPN.


    Since all of the hardware and cabling between the two SSG 5 firewalls is the same, just running two VPNs, I have a hard time believing it's a hardware problem, unless something on that specific eth port (to the user network) is going bad... but even so, I'm still hitting that particular interface from the inside of the SSG 5. However, I think the users at site B are showing degraded internet access as well, which doesn't route through the VPN, so maybe it is the physical interface.


    I'm stumped. Any thoughts, wisdom or knowledge from the community as to what's going on would be greatly appreciated. Thanks.


    #vpn
    #SSG5
    #aes256


  • 2.  RE: VPN is coming up, but has decreasing connectivity over time between two SSG5s
    Best Answer

    Posted 02-13-2009 20:25

    I wanted to let everyone know that I finally figured this one out. And boy do I feel silly for not seeing it in the logs on the site B SSG5. It was the inside/trust eth interface that the user VPN in question was terminating on. It was not auto-negotiating successfully with the switch, so it was bouncing up and down. But it was coming up, and it stayed up long enough to pass some traffic, before dropping again, and rinse and repeat. Why it passed less and less traffic over time is beyond me, but as soon as I set the speed on the interface to 10 half, everything started behaving beautifully! Time to throw out the switch at that site 🙂 What a pain. 🙂



    #Negotiate
    #Solved
    #auto
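The root cause in the accepted answer was a trust interface bouncing because autonegotiation with the switch kept failing, and the poster notes it was visible in the SSG5 logs all along. As an added example (not from this thread, and not Juniper's code), here is a small Python flap detector run over constructed ScreenOS-style link up/down lines; the exact log line format, the interface names and the 5-minute / 3-event thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a ScreenOS-like event-log style (the format is an
# assumption, not copied from a real SSG5). ethernet0/2 plays the trust port
# whose autonegotiation with the switch keeps failing, so its link bounces.
SAMPLE_LOG = """\
2009-02-13 18:58:02 system notif 00004: Interface ethernet0/2 link is down
2009-02-13 18:58:05 system notif 00004: Interface ethernet0/2 link is up
2009-02-13 18:59:41 system notif 00004: Interface ethernet0/2 link is down
2009-02-13 18:59:44 system notif 00004: Interface ethernet0/2 link is up
2009-02-13 19:01:10 system notif 00004: Interface ethernet0/2 link is down
2009-02-13 19:01:13 system notif 00004: Interface ethernet0/2 link is up
2009-02-13 19:02:30 system notif 00004: Interface ethernet0/3 link is down
2009-02-13 19:02:33 system notif 00004: Interface ethernet0/3 link is up
"""

LINK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Interface (\S+) link is (up|down)$"
)


def parse_link_events(text):
    """Yield (timestamp, interface, state) for every link-state line."""
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def flapping_interfaces(text, window=timedelta(minutes=5), threshold=3):
    """Return {interface: most link-down events seen inside any single window}
    for interfaces that reach `threshold` downs within one window."""
    downs = defaultdict(list)
    for ts, ifname, state in parse_link_events(text):
        if state == "down":
            downs[ifname].append(ts)
    flapping = {}
    for ifname, times in downs.items():
        times.sort()
        best, start = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flapping[ifname] = best
    return flapping


if __name__ == "__main__":
    for ifname, count in flapping_interfaces(SAMPLE_LOG).items():
        print(f"{ifname}: {count} link-down events in 5 min; check speed/duplex")
```

A port that trips this check while the tunnel it terminates on degrades is the pattern the thread describes, and pinning speed/duplex on both ends (or replacing the switch) is the fix the poster landed on.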