Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
0
Helpful
1
Replies

Problems sending IKE and ESP traffic over AnyConnect

Go to solution
ABaker94985
Spotlight
Spotlight

‎05-01-2023 02:10 PM

We have an ASA 5508-X running 9.16(4)18 that's only being used for client VPN traffic.We have a system that has privacy information on it, and the group policy requires all connection to the server to be encrypted. The problem is, all connections time out. The server can't be pinged, and the application won't connect. The anyconnect version is 4.10, and I've tried to pass IPsec traffic with and without "sysopt connection permit-vpn". We are able to make connections to all other systems on the network - problem is with IKE and ESP to our main server. Here is a typical capture:

1: 19:33:35.752600 192.168.222.1.500 > 172.16.11.10.500: udp 288
2: 19:33:35.753836 172.16.11.10.500 > 192.168.222.1.500: udp 240
3: 19:33:35.890075 192.168.222.1.500 > 172.16.11.10.500: udp 80
4: 19:33:35.890914 172.16.11.10.500 > 192.168.222.1.500: udp 80
5: 19:33:36.038663 192.168.222.1 > 172.16.11.10 ip-proto-50, length 84
6: 19:33:36.038938 172.16.11.10 > 192.168.222.1 ip-proto-50, length 84
7: 19:33:40.301131 192.168.222.1 > 172.16.11.10 ip-proto-50, length 84

Any thoughts as to what we might try? Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ABaker94985
Spotlight
Spotlight

‎05-01-2023 03:12 PM

I just pasted this into the configuration, and the problem is resolved:

 

access-list ipsec-acl extended permit udp any any eq 500
class-map ike-class
match access-list ipsec-acl

policy-map type inspect ipsec-pass-thru ipsec-map
parameters
esp per-client-max 32 timeout 00:06:00
ah per-client-max 16 timeout 00:05:00

policy-map ike-policy
class ike-class
inspect ipsec-pass-thru ipsec-map

 

View solution in original post

0 Helpful
1 Reply 1

Go to solution
ABaker94985
Spotlight
Spotlight

‎05-01-2023 03:12 PM

I just pasted this into the configuration, and the problem is resolved:

 

access-list ipsec-acl extended permit udp any any eq 500
class-map ike-class
match access-list ipsec-acl

policy-map type inspect ipsec-pass-thru ipsec-map
parameters
esp per-client-max 32 timeout 00:06:00
ah per-client-max 16 timeout 00:05:00

policy-map ike-policy
class ike-class
inspect ipsec-pass-thru ipsec-map

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card