Core issue
When the VPN client user tries to terminate an IPsec over TCP connection on the external interface of the VPN Concentrator, the Concentrator does not accept IPsec over TCP connections on
this interface, regardless of whether it is allowed in a filter, and sends back a reset packet. This occurs because this feature is not yet supported.
Note: IPsec over TCP is supported only on the public interface of VPN Concentrators.
Resolution
In order to work around this issue, complete one of these steps:
Refer to the IPSec | NAT Transparency section of Tunneling and Security for more information about IPsec over TCP and NAT-T.
For more information, refer to How to configure NAT Transparency.
Note: When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence.