VPN ports issue?

charles.manley
Level 1

I've been working with many techs from various companies trying to get members of our company running over their LAN using a Cisco 3.5.1c client connecting to our 3030 concentrator. Most of them we are able to get to work by simply opening UDP ports 500 and 10000 both ways; however, we have some problems with this at times. In one case a user is making the connection (IKE), but for some reason no data will pass through the tunnel. We also have a couple of other members on other LANs (various firewalls) that we have set up using IPSec over TCP instead of UDP. They like only having to open one TCP port instead of both UDP ports for access. Anyway, some of those users are having the same type of problem. Either they connect and for a short period of time are able to transfer data, or they connect and can only encrypt the data and never receive anything. If I connect to the concentrator I can't even ping them, but the tunnel stays up... Anyway, if anyone has run into this or can help me with this it would be GREATLY appreciated.

4 Replies

ajagadee
Cisco Employee

Hi,

General Comments:

When establishing an IPSec tunnel between Cisco VPN Client (Unity) and VPN3000, there are a couple of scenarios:

1. Using UDP Port 500 and Protocol 50:

This connection is from users who are not sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and Protocol 50 are not being blocked anywhere.

2. Using UDP Port 500 and UDP Port 10000(Default) -- IPSec Over UDP

This is when you have users sitting behind a PAT device, and in this case you need to make sure that UDP Port 500 and UDP Port 10000 are not being blocked.

In the above setup the IKE packet is in UDP Port 500 and the IPSec packet is wrapped in UDP Port 10000.

The default value of IPSec Over UDP is 10000, which is configurable.

3. Using TCP 10000 -- IPSec Over TCP

This is when you have users sitting behind a PAT device, and in this case you need to make sure that TCP Port 10000 is not being blocked.

In the above setup both the IKE and IPSec packets use TCP Port 10000.

The default value of IPSec Over TCP is 10000, which is configurable.

Specific Comments:

If you are having issues with your remote access connections after following the above steps, then we need to look in detail to see what is going on.

And the problem that you have described looks like IKE is working fine and you are having issues only when it comes to ESP where the packets are encrypted and sent across to the VPN Server.

Regards,

Arul
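The three transport scenarios above, worked as an added example that is not from this thread or from Cisco: a small Python classifier that reads constructed firewall log lines (the log format, client addresses, and all function names are assumptions) and reports, per client, whether IKE negotiated while the data path (protocol 50, UDP 10000 or TCP 10000) was blocked, which is the "connects but no data" symptom described in this thread.

```python
import re
from collections import defaultdict

# Constructed log format: "<permit|deny> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
LOG_RE = re.compile(
    r"(?P<action>permit|deny) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def classify(proto, dport, ipsec_udp_port=10000, ipsec_tcp_port=10000):
    """Map one flow to its role in the tunnel, or None if unrelated.
    The 10000 defaults are the configurable IPSec-over-UDP/TCP ports."""
    if proto == "udp" and dport == 500:
        return "IKE"                  # scenarios 1 and 2: ISAKMP on UDP 500
    if proto in ("esp", "50"):
        return "ESP-native"           # scenario 1: raw IP protocol 50
    if proto == "udp" and dport == ipsec_udp_port:
        return "ESP-over-UDP"         # scenario 2: ESP wrapped in UDP 10000
    if proto == "tcp" and dport == ipsec_tcp_port:
        return "IKE+ESP-over-TCP"     # scenario 3: both carried on TCP 10000
    return None

def diagnose(lines):
    """Per client source address, say whether IKE and the data path both got through."""
    seen = defaultdict(dict)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        role = classify(m["proto"], int(m["dport"]) if m["dport"] else None)
        if role and seen[m["src"]].get(role) != "deny":   # a deny is sticky
            seen[m["src"]][role] = m["action"]
    data_roles = ("ESP-native", "ESP-over-UDP", "IKE+ESP-over-TCP")
    report = {}
    for client, roles in seen.items():
        ike_ok = "permit" in (roles.get("IKE"), roles.get("IKE+ESP-over-TCP"))
        data_ok = any(roles.get(r) == "permit" for r in data_roles)
        if ike_ok and not data_ok:
            report[client] = "IKE negotiates but data path blocked"
        else:
            report[client] = "ok" if ike_ok else "IKE blocked"
    return report

# Constructed sample: one client per scenario plus one with ESP-over-UDP blocked.
SAMPLE_LOG = [
    "permit udp 10.1.1.5:500 -> 203.0.113.10:500",
    "deny udp 10.1.1.5:10000 -> 203.0.113.10:10000",   # IKE up, UDP 10000 dropped
    "permit udp 10.1.1.6:500 -> 203.0.113.10:500",
    "permit esp 10.1.1.6 -> 203.0.113.10",              # scenario 1 working
    "permit tcp 10.1.1.7:4421 -> 203.0.113.10:10000",   # scenario 3 working
    "deny udp 10.1.1.8:500 -> 203.0.113.10:500",        # IKE itself blocked
]
```

Running `diagnose(SAMPLE_LOG)` flags 10.1.1.5 as the "IKE negotiates but data path blocked" case; a real firewall log would need its own regex, and a client behind PAT may appear under the translated address.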

Understood. In every case I'm speaking of, the users are behind a firewall or another PAT device over a LAN. We like to stick with the default configuration of UDP 500 and 10000 just to keep it straightforward and not require any changes to the client, though we've had the issue with both IPSec over UDP and IPSec over TCP. In this situation we have three or four clients making connections across the LAN, but for some reason no data is being decrypted or received. If I look at the statistics of the connection it shows that there is data being sent from the client, but nothing is received. If I go to the concentrator and attempt a ping to that client they are unavailable. Typically all I can see in the logs on the concentrator is something with the SA timeout and the session being disconnected. However, our SA timeout is set for 8 hours and the group timeout is set for 4 hours, so the SA should never time out before the group.

I've had the users dial up and connect and everything works fine then, so it's for sure something with the LAN setup or maybe lag on the net or something.

Has anyone had issues with lag causing SAs to time out? Sometimes it doesn't work right from the start, but other times it will work for about 15 min and then stop responding. At first I thought it might be an MTU issue, but I have explored that path and have still had the same issues.

Thanks,

Charley

Also, how can one open up protocol 50? What is protocol 50? Is that like IPSec or something?

In an access-list, you do this:

! Extended IOS ACL; IP protocol 50 is ESP, the encrypted IPSec data packets
access-list 101 permit 50 any any