
VPN issue ASA 5520

lecarbajalp
Level 1

Hello,

Some users have problems connecting by remote VPN to our firewalls.

Symptoms: internet connection is dropped immediately when they try to open Explorer, Outlook,

We manage 4 profiles for the VPN; they are registered in the internal vpn.domain.com

The one having problems is the IPsec over TCP, but it's affecting only some users.

I guess it could be something in the .pcf or probably an issue in the Firewall.

Thank you.

5 Replies

Hi Luis,

So basically, the user loses Internet access once connected?

Please explain this issue in more detail.

Thanks.

Portu.

Yes, that's the problem: after they connect to the remote VPN, the Internet fails and some users cannot connect (this is random).

I was reviewing Cisco documentation and I found this:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc6d4c.shtml

I don't know if this will be affecting the remote VPN.

They use IPsec/TCP, and also IPsec/UDP and it works.

Regards,

I see.

I would recommend always using NAT-T (UDP 4500) instead of cTCP.

Do NAT-T (IPsec/UDP) users experience the problem as well?

Thanks.

I also noticed some issue with the cTCP, but it is affecting only a group of users.

The IPsec/UDP are not having problems. Do you think the IOS or the same cTCP is having problems in the firewall?

I don't see a problem in the configuration.

Luis,

As explained in the doc, it may not be an issue with the ASA, but a side effect of cTCP instead. To know what exactly happens we would need to gather further logs, captures and debugs from the ASA and the client side.

I usually set up NAT-T since it is efficient and compatible across the Internet (it has its own RFC).

HTH.

Portu.

Please rate any helpful posts