cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6286
Views
0
Helpful
8
Replies

IPsec over UDP - Remote access VPN

mahesh18
Level 6
Level 6

Hi everyone,

On VPN client on user PC IPSEC over UDP option is checked under the transport.

When i check on ASDM IKE phase 1 details of user connection it only shows UDP port 500 not port 4500.

Does this mean that from user PC to VPN ASA there is no device involved which is doing NAT.

What if we have checked the same option under VPN client ---IPSEC over  UDP and now if we see port UDP 4500 under IKE phase 1 connection details

does it mean that now from Client PC to VPN ASA there is a NAT device but it is allowing the IKE phase 1 connection?

Regards

MAhesh

3 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi Mahesh,

I would suggest using the following commands on your ASA have a look at these ports also while testing VPN connections. The command you use depends on your software level as there is minor changes in the command format

show vpn-sessiondb remote detail

show vpn-sessiondb remote detail filter p-ipaddress

Or

show vpn-sessiondb ra-ikev1-ipsec detail

show vpn-sessiondb ra-ikev1-ipsec detail filter p-ipaddress

These will provide information about the type of VPN Client connection.

Here are some outputs from different situations when connecting with VPN Client

Dynamic PAT - No Transparent Tunneling on VPN Client

  • Connections through the VPN do not work as were connecting through PAT without Transparent Tunneling

Username     :                   Index        : 22

Assigned IP  : 10.0.1.2                              Public IP    :

Protocol     : IKEv1 IPsec

IKEv1:

  Tunnel ID    : 22.1

  UDP Src Port : 18451                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsec:

  Tunnel ID    : 22.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 25 Minutes

  Bytes Tx     : 0                      Bytes Rx     : 0

  Pkts Tx      : 0                      Pkts Rx      : 0

Dynamic PAT - Transparent Tunneling (NAT/PAT) on VPN Client

  • Connections through VPN work as we are using Transparent Tunneling when we form the VPN Client connection through Dynamic PAT

Username     :                   Index        : 28

Assigned IP  : 10.0.1.2                              Public IP    :

Protocol     : IKEv1 IPsecOverNatT

IKEv1:

  Tunnel ID    : 28.1

  UDP Src Port : 52825                  UDP Dst Port : 4500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverNatT:

  Tunnel ID    : 28.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 360                    Bytes Rx     : 360

  Pkts Tx      : 6                      Pkts Rx      : 6

Dynamic PAT - Transparent Tunneling (IPsec over TCP) on VPN Client

  • Connections through VPN work as we are using Transparent Tunneling when we form the VPN Client connection through Dynamic PAT

Username     :                  Index        : 24

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsecOverTCP

IKEv1:

  Tunnel ID    : 24.1

  UDP Src Port : 20343                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverTCP:

  Tunnel ID    : 24.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel                 TCP Src Port : 20343

  TCP Dst Port : 10000

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 180                    Bytes Rx     : 180

  Pkts Tx      : 3                      Pkts Rx      : 3

Static NAT - No Transparent Tunneling on VPN Client

  • Connections from the VPN Client to the LAN work because our VPN Client has a Static NAT configured for its local IP address. This permits forwarding ESP without encapsulation through the device doing the Static NAT. You need to allow the ESP traffic through the NAT device from the direction of the VPN device or configure the inspection of VPN connections if there is an ASA acting as the NAT device.

Username     :                  Index        : 25

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsec

IKEv1:

  Tunnel ID    : 25.1

  UDP Src Port : 50136                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsec:

  Tunnel ID    : 25.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 120                    Bytes Rx     : 120

  Pkts Tx      : 2                      Pkts Rx      : 2

Static NAT - Transparent Tunneling (NAT/PAT) on VPN Client

  • Connections from the VPN Client work normally. Even though the Staticly NATed VPN Client host doesnt need the UDP encapsulation it still used if your VPN Client connection profile is configured to use it (In the Transport tab of the client software)

Username     :                  Index        : 26

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsecOverNatT

IKEv1:

  Tunnel ID    : 26.1

  UDP Src Port : 60159                  UDP Dst Port : 4500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverNatT:

  Tunnel ID    : 26.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes

  Bytes Tx     : 1200                   Bytes Rx     : 1200

  Pkts Tx      : 20                     Pkts Rx      : 20

Static NAT - Transparent Tunneling (IPsec over TCP) on VPN Client

  • Connections from the VPN Client work normally. Even though the Staticly NATed VPN Client host doesnt need the TCP encapsulation it still used if your VPN Client connection profile is  configured to use it (In the Transport tab of the client software)

Username     :                  Index        : 27

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsecOverTCP

IKEv1:

  Tunnel ID    : 27.1

  UDP Src Port : 61575                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverTCP:

  Tunnel ID    : 27.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel                 TCP Src Port : 61575

  TCP Dst Port : 10000

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 120                    Bytes Rx     : 120

  Pkts Tx      : 2                      Pkts Rx      : 2

VPN Device with public IP directly connected (as VPN Client) to an ASA

Username     :       Index        : 491

Assigned IP  : 172.31.1.239           Public IP    :

Protocol     : IKE IPsec

IKE:

  Tunnel ID    : 491.1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : 3DES                   Hashing      : SHA1

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 71016 Seconds

  D/H Group    : 2

  Filter Name  :

IPsec:

  Tunnel ID    : 491.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 172.31.1.239/255.255.255.255/0/0

  Encryption   : AES128                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 12123 Seconds

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607460 K-Bytes

  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes

  Bytes Tx     : 3767854                Bytes Rx     : 7788633

  Pkts Tx      : 56355                  Pkts Rx      : 102824

Above are some examples for your reference. I have to also say that I am by no means expert when it comes to VPNs in general. I had to learn both firewall/vpn basically on my own as during my studies we had no courses related to them (which was pretty strange).

While I have learned how to configure VPN and troubleshoot them I feel that I have missed out on the basic theory. I got plans to get the the CCNA/CCNP Security related certifications but at the moment that just is not possible. Dont have time for it.

I guess you are going for the CCNP Security VPN exam already?

Hope this helps and hopefully I have not gotten anything wrong above

- Jouni

View solution in original post

Hi Mahesh,

Notice that you missed the "detail" parameter at the end of the command so the output is not as detailed.

You should use

show vpn-sessiondb remote detail

It seems to me that the first connections user has set in the VPN Client softwares Transport tab the setting to use Transparent tunneling (NAT/PAT) which means to my understanding that he/she is encapsulation the ESP inside UDP/4500

The second connections user seem to have set in the VPN Client softwares Transport tab the setting to use Transparent tunneling over TCP with some certain port number which I guess would be TCP/10000.

I am not quite sure why Transparent tunneling with UDP results in IKEv1 showing UDP/4500 but Transparent tunneling with TCP shows port UDP/500 for IKEv1

As you can see in my above reply, if the user was behind a device which used Dynamic PAT and disable the Transparent tunneling on the host then this would mean that the VPN connection would not work through the PAT translation.

On the other hand when the user is behind Dynamic PAT and enabled Transparent tunneling he/she is able to use UDP/4500 to pass the VPN traffic through the Dynamic PAT translation.

- Jouni

View solution in original post

Hi,

We could check the Command Reference based on the software running on your ASA

Naturally you can also check from the actual CLI of the ASA what options it gives earlier

Maybe it might even be

show vpn-sessiondb detail remote

- Jouni

View solution in original post

8 Replies 8

Jouni Forss
VIP Alumni
VIP Alumni

Hi Mahesh,

I would suggest using the following commands on your ASA have a look at these ports also while testing VPN connections. The command you use depends on your software level as there is minor changes in the command format

show vpn-sessiondb remote detail

show vpn-sessiondb remote detail filter p-ipaddress

Or

show vpn-sessiondb ra-ikev1-ipsec detail

show vpn-sessiondb ra-ikev1-ipsec detail filter p-ipaddress

These will provide information about the type of VPN Client connection.

Here are some outputs from different situations when connecting with VPN Client

Dynamic PAT - No Transparent Tunneling on VPN Client

  • Connections through the VPN do not work as were connecting through PAT without Transparent Tunneling

Username     :                   Index        : 22

Assigned IP  : 10.0.1.2                              Public IP    :

Protocol     : IKEv1 IPsec

IKEv1:

  Tunnel ID    : 22.1

  UDP Src Port : 18451                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsec:

  Tunnel ID    : 22.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28551 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 25 Minutes

  Bytes Tx     : 0                      Bytes Rx     : 0

  Pkts Tx      : 0                      Pkts Rx      : 0

Dynamic PAT - Transparent Tunneling (NAT/PAT) on VPN Client

  • Connections through VPN work as we are using Transparent Tunneling when we form the VPN Client connection through Dynamic PAT

Username     :                   Index        : 28

Assigned IP  : 10.0.1.2                              Public IP    :

Protocol     : IKEv1 IPsecOverNatT

IKEv1:

  Tunnel ID    : 28.1

  UDP Src Port : 52825                  UDP Dst Port : 4500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverNatT:

  Tunnel ID    : 28.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 360                    Bytes Rx     : 360

  Pkts Tx      : 6                      Pkts Rx      : 6

Dynamic PAT - Transparent Tunneling (IPsec over TCP) on VPN Client

  • Connections through VPN work as we are using Transparent Tunneling when we form the VPN Client connection through Dynamic PAT

Username     :                  Index        : 24

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsecOverTCP

IKEv1:

  Tunnel ID    : 24.1

  UDP Src Port : 20343                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverTCP:

  Tunnel ID    : 24.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel                 TCP Src Port : 20343

  TCP Dst Port : 10000

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 180                    Bytes Rx     : 180

  Pkts Tx      : 3                      Pkts Rx      : 3

Static NAT - No Transparent Tunneling on VPN Client

  • Connections from the VPN Client to the LAN work because our VPN Client has a Static NAT configured for its local IP address. This permits forwarding ESP without encapsulation through the device doing the Static NAT. You need to allow the ESP traffic through the NAT device from the direction of the VPN device or configure the inspection of VPN connections if there is an ASA acting as the NAT device.

Username     :                  Index        : 25

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsec

IKEv1:

  Tunnel ID    : 25.1

  UDP Src Port : 50136                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsec:

  Tunnel ID    : 25.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 120                    Bytes Rx     : 120

  Pkts Tx      : 2                      Pkts Rx      : 2

Static NAT - Transparent Tunneling (NAT/PAT) on VPN Client

  • Connections from the VPN Client work normally. Even though the Staticly NATed VPN Client host doesnt need the UDP encapsulation it still used if your VPN Client connection profile is configured to use it (In the Transport tab of the client software)

Username     :                  Index        : 26

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsecOverNatT

IKEv1:

  Tunnel ID    : 26.1

  UDP Src Port : 60159                  UDP Dst Port : 4500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverNatT:

  Tunnel ID    : 26.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes

  Bytes Tx     : 1200                   Bytes Rx     : 1200

  Pkts Tx      : 20                     Pkts Rx      : 20

Static NAT - Transparent Tunneling (IPsec over TCP) on VPN Client

  • Connections from the VPN Client work normally. Even though the Staticly NATed VPN Client host doesnt need the TCP encapsulation it still used if your VPN Client connection profile is  configured to use it (In the Transport tab of the client software)

Username     :                  Index        : 27

Assigned IP  : 10.0.1.2                             Public IP    :

Protocol     : IKEv1 IPsecOverTCP

IKEv1:

  Tunnel ID    : 27.1

  UDP Src Port : 61575                  UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : AES256                 Hashing      : SHA1

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds

  D/H Group    : 2

  Filter Name  :

  Client OS    : WinNT                  Client OS Ver: 5.0.07.0290

IPsecOverTCP:

  Tunnel ID    : 27.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 10.0.1.2/255.255.255.255/0/0

  Encryption   : AES256                 Hashing      : SHA1

  Encapsulation: Tunnel                 TCP Src Port : 61575

  TCP Dst Port : 10000

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes

  Bytes Tx     : 120                    Bytes Rx     : 120

  Pkts Tx      : 2                      Pkts Rx      : 2

VPN Device with public IP directly connected (as VPN Client) to an ASA

Username     :       Index        : 491

Assigned IP  : 172.31.1.239           Public IP    :

Protocol     : IKE IPsec

IKE:

  Tunnel ID    : 491.1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys

  Encryption   : 3DES                   Hashing      : SHA1

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 71016 Seconds

  D/H Group    : 2

  Filter Name  :

IPsec:

  Tunnel ID    : 491.2

  Local Addr   : 0.0.0.0/0.0.0.0/0/0

  Remote Addr  : 172.31.1.239/255.255.255.255/0/0

  Encryption   : AES128                 Hashing      : SHA1

  Encapsulation: Tunnel

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 12123 Seconds

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607460 K-Bytes

  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes

  Bytes Tx     : 3767854                Bytes Rx     : 7788633

  Pkts Tx      : 56355                  Pkts Rx      : 102824

Above are some examples for your reference. I have to also say that I am by no means expert when it comes to VPNs in general. I had to learn both firewall/vpn basically on my own as during my studies we had no courses related to them (which was pretty strange).

While I have learned how to configure VPN and troubleshoot them I feel that I have missed out on the basic theory. I got plans to get the the CCNA/CCNP Security related certifications but at the moment that just is not possible. Dont have time for it.

I guess you are going for the CCNP Security VPN exam already?

Hope this helps and hopefully I have not gotten anything wrong above

- Jouni

Hi Jouni,

Yes i am studying for CCNP VPN exam.

Last year i passed CCNA security and CCNP firewall exam.

Was very busy with work stuff so could not reply earlier.

Sometimes its hard to find time to study for exam as we have full time job and there are so many things to learn at job.

when i ran the command below

sh vpn-sessiondb remote

Session Type: IPsec

Username                     Index        : 5055
Assigned IP  : x.x.x.x         Public IP    : 162.
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 148577354              Bytes Rx     : 42816434
Group Policy : corp                   Tunnel Group : corp
Login Time   : 13:55:54 UTC Thu Jan 23 2014
Duration     : 2d 3h:53m:48s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : xy                  Index        : 5063
Assigned IP  : 192.168.x.x          Public IP    : 70.
Protocol     : IKE IPsecOverTCP
License      : IPsec
Encryption   : AES256                 Hashing      : SHA1
Bytes Tx     : 101346616              Bytes Rx     : 29178845
Group Policy :  corp                      Tunnel Group : corp
Login Time   : 15:56:41 UTC Thu Jan 23 2014
Duration     : 2d 1h:53m:02s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A    

it does not show me port number here.

but when i go to ASDM and check the RA vpn user sessions there it shows me port numbers which are

Connection 1 is using Port number UDP destination 4500

Connection 2 is using UDP destination 500.

So does this mean that 2nd user connection which is using UDP port 500 is Dynamic PAT - No Transparent Tunneling on VPN Client?

Also first user connection is  IKE IPsecOverNatT?

Also whats the difference between Dynamic PAT - No Transparent Tunneling and Dynamic PAT -  Transparent Tunneling

on VPN client?

Regards

MAhesh

Hi Mahesh,

Notice that you missed the "detail" parameter at the end of the command so the output is not as detailed.

You should use

show vpn-sessiondb remote detail

It seems to me that the first connections user has set in the VPN Client softwares Transport tab the setting to use Transparent tunneling (NAT/PAT) which means to my understanding that he/she is encapsulation the ESP inside UDP/4500

The second connections user seem to have set in the VPN Client softwares Transport tab the setting to use Transparent tunneling over TCP with some certain port number which I guess would be TCP/10000.

I am not quite sure why Transparent tunneling with UDP results in IKEv1 showing UDP/4500 but Transparent tunneling with TCP shows port UDP/500 for IKEv1

As you can see in my above reply, if the user was behind a device which used Dynamic PAT and disable the Transparent tunneling on the host then this would mean that the VPN connection would not work through the PAT translation.

On the other hand when the user is behind Dynamic PAT and enabled Transparent tunneling he/she is able to use UDP/4500 to pass the VPN traffic through the Dynamic PAT translation.

- Jouni

Hi Jouni,

There was no option for detail just sort or filter options was there might be due to IOS which we are using.

Will go through your post now  to understand the things.

Best Regards

MAhesh

Hi,

We could check the Command Reference based on the software running on your ASA

Naturally you can also check from the actual CLI of the ASA what options it gives earlier

Maybe it might even be

show vpn-sessiondb detail remote

- Jouni

Hi Jouni,

You were spot on above command shows the Source and destination port numbers of the user connection.

Regards

Mahesh

Hi everyone,

 

This topic has been for a long time, hope some one still following and help me!

I can connect by IPSec over TCP but can not over UDP, then I can connect to any host inside event though I can not ping to inside interface.

Regards,

NTQ

 

 

@truongquyen please provide more details about what you are asking.

For instance:

- client software and version,

- vpn headend type and software version,

- what is showing you a tcp-based connection?

- when you say inside interface, which inside interface are you referring to?