
Site-to-Site VPN drops certain UDP packets

We have a site to site VPN set up using the PIX 506e. The IKE and IPSec tunnel set up and work great; TCP and ICMP traffic flows through them wonderfully! UDP traffic, however, is a different story.

On the "far" end, we have software that sends a UDP packet to a "near" end server. The server receives it and sends a UDP reply (I know this by using tcpdump). However, that UDP reply never seems to make it back to the far end. This is my problem.

I can respond with various configuration information as needed.

The PIX on the far/client end logs the outgoing UDP packet:

Aug 28 17:16:38 021 %PIX-0-302015: Built outbound UDP connection 5508355 for outside:192.168.0.3/5093 (192.168.0.3/5093) to inside:192.168.4.5/4533 (192.168.4.5/4533)

The PIX on the near/server end logs that UDP packet:

Aug 28 17:16:38 %PIX-0-302015: Built inbound UDP connection 408810 for outside:192.168.4.5/4533 (192.168.4.5/4533) to inside:192.168.0.3/5093 (192.168.0.3/5093)

The near/server PIX never seems to build an outbound connection -- is that because it uses the original incoming one? Maybe I'm barking up the wrong tree there.

Anyway, they both eventually tear down the connection after the timeout:

Far/client PIX:

Aug 28 17:19:27 021 %PIX-0-302016: Teardown UDP connection 5508355 for outside:192.168.0.3/5093 to inside:192.168.4.5/4533 duration 0:02:49 bytes 8640

Near/server PIX:

Aug 28 17:19:28 %PIX-0-302016: Teardown UDP connection 408810 for outside:192.168.4.5/4533 to inside:192.168.0.3/5093 duration 0:02:49 bytes 17424

I notice that the near/server PIX registers almost double the bytes of the far/client PIX, which could account for the replies. They never seem to reach the far/client side though.

Any thoughts would be appreciated. Thanks.
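The byte-count asymmetry in the teardown messages above is itself a usable check: the server-side PIX counts request plus reply, while the client-side PIX counts only the request it sent. The following Python script is an added example (not from this thread or from Cisco) that parses the 302015/302016 syslog lines quoted above, pairs each flow across the two firewalls by endpoint, and flags flows where the near side counted noticeably more bytes than the far side. The 10% tolerance is an assumed threshold.

```python
import re
# Match the two PIX messages quoted in the thread; anchor on the "%PIX-" tag
# because the hostname/timestamp prefix differs between the two boxes.
BUILT_RE = re.compile(r"%PIX-\d-302015: Built (?:inbound|outbound) UDP connection (\d+) for ")
TEARDOWN_RE = re.compile(
    r"%PIX-\d-302016: Teardown UDP connection (\d+) for "
    r"\w+:([\d.]+)/(\d+) to \w+:([\d.]+)/(\d+) duration \S+ bytes (\d+)")

def flow_key(a_ip, a_port, b_ip, b_port):
    """Direction-independent key so both PIXes' views of one flow line up."""
    return tuple(sorted([(a_ip, int(a_port)), (b_ip, int(b_port))]))

def parse_udp_flows(lines):
    """{flow_key: bytes at teardown}, only for connection ids also seen built."""
    built, flows = set(), {}
    for line in lines:
        b = BUILT_RE.search(line)
        if b:
            built.add(b.group(1))
        t = TEARDOWN_RE.search(line)
        if t and t.group(1) in built:
            _cid, a_ip, a_port, b_ip, b_port, nbytes = t.groups()
            flows[flow_key(a_ip, a_port, b_ip, b_port)] = int(nbytes)
    return flows

def compare_sides(far_lines, near_lines, tolerance=0.10):
    """Flag flows where the near (server) PIX counted noticeably more bytes
    than the far (client) PIX: replies left the server end but never arrived."""
    far, near = parse_udp_flows(far_lines), parse_udp_flows(near_lines)
    report = {}
    for key in far.keys() & near.keys():
        missing = near[key] - far[key]
        report[key] = {"far_bytes": far[key], "near_bytes": near[key],
                       "missing_bytes": missing,
                       "reply_loss_suspected": missing > tolerance * far[key]}
    return report

# Sample input: the four syslog lines quoted in the post, verbatim.
FAR_LOG = [
    "Aug 28 17:16:38 021 %PIX-0-302015: Built outbound UDP connection 5508355 for outside:192.168.0.3/5093 (192.168.0.3/5093) to inside:192.168.4.5/4533 (192.168.4.5/4533)",
    "Aug 28 17:19:27 021 %PIX-0-302016: Teardown UDP connection 5508355 for outside:192.168.0.3/5093 to inside:192.168.4.5/4533 duration 0:02:49 bytes 8640",
]
NEAR_LOG = [
    "Aug 28 17:16:38 %PIX-0-302015: Built inbound UDP connection 408810 for outside:192.168.4.5/4533 (192.168.4.5/4533) to inside:192.168.0.3/5093 (192.168.0.3/5093)",
    "Aug 28 17:19:28 %PIX-0-302016: Teardown UDP connection 408810 for outside:192.168.4.5/4533 to inside:192.168.0.3/5093 duration 0:02:49 bytes 17424",
]

if __name__ == "__main__":
    print(compare_sides(FAR_LOG, NEAR_LOG))
```

On the lines from the post the flow is flagged with 8784 bytes missing, which is the volume of replies the server end counted but the client end never saw.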

15 Replies

Jon,

No worries. Talk about an obscure problem!

Thanks for all your help and willingness. I was surprised at the quickness of the response.

Thanks again.

Willie