887 Views, 0 Helpful, 8 Replies

ASA VPN to PIX - UDP traffic goes unencrypted to outside...

rampf-gruppe (Beginner)

Hello!

I have a customer who does some dynamic L2L VPNs from PIX 501s to a 5510 ASA.

When the tunnel establishes the first time, everything is OK.

But after re-establishing it from the 501 side (because of a DSL-forced disconnection), TCP/ICMP traffic is OK.

UDP traffic isn't routed into the tunnel anymore; the packets appear on the outside interface! Unencrypted!

We saw this with Ethereal and we can reproduce it.

Background: a server behind the ASA communicates with devices behind the PIX on a fixed UDP port.

Is this a bug? How can we overcome this issue?

The ASA has 8.0.(4)28, the PIX is on 6.3(5).

Thank you for your response.

Regards,

Patrick

8 Replies

Not applicable

If there is no indication that an IPsec VPN tunnel comes up at all, it possibly is due to the fact that ISAKMP has not been enabled. Be sure that you have enabled ISAKMP on your devices. You may try enabling the NAT-T command on ASA. It is important to allow the UDP 4500 for NAT-T, UDP 500 and ESP ports by the configuration of an ACL because the PIX/ASA acts as a NAT device.
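The original post found the leak by looking at an Ethereal capture of the ASA's outside interface, and the reply above lists what legitimately belongs there for a working tunnel: ISAKMP on UDP 500, NAT-T on UDP 4500, and ESP. The script below is an added example, not code from the thread or from Cisco: it applies exactly that rule to a capture summary so the check can be repeated after every tunnel re-establishment instead of eyeballing packets. It assumes a constructed one-packet-per-line summary format (timestamp, protocol, `src[:port] -> dst[:port]`, as one might export from tshark), constructed RFC 5737 peer addresses, and constructed RFC 1918 subnets standing in for the LANs behind the ASA and the PIX. Any packet on the outside interface that is neither ESP nor IKE/NAT-T but carries a protected LAN address is reported as a cleartext leak.

```python
"""Flag traffic on a VPN gateway's outside interface that should have been tunnelled.

Added example (not from the forum thread). Capture format, addresses and subnets
below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed: LAN behind the ASA (local) and LAN behind the PIX (remote), i.e. the
# networks the crypto ACL is supposed to protect.
PROTECTED_LOCAL = [ipaddress.ip_network("10.10.0.0/24")]
PROTECTED_REMOTE = [ipaddress.ip_network("10.20.0.0/24")]
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T, the only UDP a tunnel should produce

# Constructed line format: "<ts> <PROTO> <src>[:<sport>] -> <dst>[:<dport>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>[A-Z]+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


@dataclass
class Packet:
    ts: float
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    sport: Optional[int]
    dport: Optional[int]


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Packet(
        ts=float(m["ts"]),
        proto=m["proto"],
        src=ipaddress.ip_address(m["src"]),
        dst=ipaddress.ip_address(m["dst"]),
        sport=int(m["sport"]) if m["sport"] else None,
        dport=int(m["dport"]) if m["dport"] else None,
    )


def classify(p: Packet) -> str:
    """Label a packet seen on the outside interface."""
    if p.proto == "ESP":
        return "esp"                      # encrypted tunnel payload: expected
    if p.proto == "UDP" and (p.sport in IKE_PORTS or p.dport in IKE_PORTS):
        return "ike-or-nat-t"             # tunnel control / NAT-T encapsulation: expected
    touches_protected = any(p.dst in n for n in PROTECTED_REMOTE) or any(
        p.src in n for n in PROTECTED_LOCAL
    )
    # Anything else carrying a protected LAN address left the box in the clear.
    return "cleartext-leak" if touches_protected else "other"


def find_leaks(lines: List[str]):
    """Return (ts, proto, src, dst, dport) for every packet that bypassed the tunnel."""
    leaks = []
    for line in lines:
        p = parse_line(line)
        if p is not None and classify(p) == "cleartext-leak":
            leaks.append((p.ts, p.proto, str(p.src), str(p.dst), p.dport))
    return leaks


def summarize(lines: List[str]) -> dict:
    """Count packets per class so a healthy capture can be compared against a bad one."""
    counts = Counter()
    for line in lines:
        p = parse_line(line)
        counts[classify(p) if p is not None else "unparsed"] += 1
    return dict(counts)


# Constructed capture: tunnel comes up, ESP flows, then one UDP datagram from the
# server behind the ASA to a device behind the PIX leaves unencrypted.
SAMPLE_CAPTURE = """\
1.000 UDP 203.0.113.10:500 -> 198.51.100.7:500
1.050 ESP 203.0.113.10 -> 198.51.100.7
2.000 ESP 198.51.100.7 -> 203.0.113.10
2.500 TCP 203.0.113.10:51000 -> 192.0.2.44:443
3.000 UDP 10.10.0.5:40000 -> 10.20.0.9:5000
3.100 UDP 203.0.113.10:4500 -> 198.51.100.7:4500
""".splitlines()

if __name__ == "__main__":
    print("classes:", summarize(SAMPLE_CAPTURE))
    for leak in find_leaks(SAMPLE_CAPTURE):
        print("CLEARTEXT LEAK:", leak)
```

Run it against a capture taken before and after the PIX side reconnects: a healthy capture shows only `esp`, `ike-or-nat-t` and `other`; any `cleartext-leak` entry names the exact flow (here the fixed UDP port the server uses) that the crypto ACL or NAT exemption is failing to catch after the rekey.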