Concentrator 3005 + concurrent connections

chrish
Level 1

I have a 3005 Concentrator which I use to terminate remote access PPTP connections. I have users set up and configured so as to allow 5 concurrent connections. However, we seem to have demonstrated that I cannot get more than 1 concurrent connection from the same user/IP address combination. When attempting a 2nd connection, the log of the concentrator shows a denial--established connection. Furthermore, there seems to be a correlation between the Idle Timeout setting and when this 2nd connection can be established, i.e. the user can disconnect the 1st, successful, connection but still needs to wait for what appears to be the idle timeout period (this is just an assumption) before the 2nd connection can successfully be established. Is there a way around this, or is the theory/assumption that the box should never see the same user log in more than once from the same IP address concurrently?

1 Reply

carenas123
Level 5

As the VPN tunnel is always created on UDP port 500, after the tunnel is established traffic is passed in protocol ESP. Protocol ESP has no ports, and because of this PAT will break. To solve this problem, we need to enable NAT-T (or another transparent tunneling method). Depending on the version your concentrator is running (Administration | Software Update | Concentrator), you may enable NAT-T by going to Configuration | System | Tunneling protocols | IPSec | NAT-T. The following link may help you:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml