
VPN-Client V5 uses other Port than UDP 500 for isakmp

MBeppler
Level 1

We have an ASA 5540 with SW Ver. 7.2(2).

If I try to connect with VPN-Client 4.8, it will work. But with VPN-Client 5 it doesn't work.

After capturing the initial packets from the client, I see only one difference. VPNC V4.8 used UDP 500 (isakmp) as source port, while VPNC V5 used port UDP 1501.

In the ASA Logfile I see the following message:

7 Nov 05 2007 10:47:03 710005 172.30.225.253 vpn-oedatdos UDP request discarded from 172.30.225.253/1756 to Oedatdos:vpn-oedatdos/500

As explanation I get the following text:

This message appears when the security appliance does not have a UDP server that services the UDP request.

Is this a configuration problem in the ASA, or must I upgrade to SW Ver 8.0(2)?

Thanks

Michael

3 Replies

irisrios
Level 6

Make sure that the port number 1501 is not blocked in the path between the client and the server. If the port is not blocked, you can upgrade the client software to version 8.0(2).

Port 1501 is not blocked. But we have no entry for this port in the Access Rules on the ASA. Can this be the problem?

In the meantime, I have upgraded the ASA to software version 8.0(3). The problem is the same as before.

Michael

This is the source port of the connection; it does not matter, it can be any port. As you can see, the destination port is correct: it's 500.

When you mark the box "allow ipsec traffic to passthrough access list", it allows all needed ports.

Maybe you need to enable NAT-T on it.
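
Added example, not part of the original thread and not Cisco code: a small Python triage script that reads 710005 messages in the form quoted above and groups discarded IKE requests by interface, keyed on the destination port only. The function names, the UDP 4500 NAT-T entry and the two constructed sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Body of ASA syslog 710005 as quoted in the thread; also tolerates the
# "%ASA-7-710005: ..." prefix form used in the constructed samples below.
DISCARD_RE = re.compile(
    r"\b710005\b.*?\b(?P<proto>UDP|TCP) request discarded from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<ifc>[^:\s]+):(?P<dst>\S+)/(?P<dport>\d+)"
)
# UDP 500 is isakmp (as in the thread); UDP 4500 is IKE NAT-T (assumed relevant).
IKE_PORTS = {500: "isakmp", 4500: "nat-t"}

def parse_discard(line):
    """Return the fields of a 710005 line as a dict, or None if it is not one."""
    m = DISCARD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def ike_discards_by_interface(lines):
    """Group discarded IKE requests by (interface, service).

    Only the destination port decides whether a request is IKE; the source
    port is kept purely as evidence that it varies from client to client.
    """
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_discard(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] in IKE_PORTS:
            key = (rec["ifc"], IKE_PORTS[rec["dport"]])
            grouped[key].append((rec["src"], rec["sport"]))
    return dict(grouped)

SAMPLE_LOG = [
    # Line quoted in the original post.
    "7 Nov 05 2007 10:47:03 710005 172.30.225.253 vpn-oedatdos UDP request "
    "discarded from 172.30.225.253/1756 to Oedatdos:vpn-oedatdos/500",
    # Constructed lines (documentation addresses), not from the thread.
    "%ASA-7-710005: UDP request discarded from 198.51.100.7/61022 to outside:203.0.113.1/4500",
    "%ASA-7-710005: UDP request discarded from 192.0.2.10/137 to outside:192.0.2.255/137",
]

if __name__ == "__main__":
    for (ifc, svc), sources in ike_discards_by_interface(SAMPLE_LOG).items():
        print(f"{ifc}: {len(sources)} discarded {svc} request(s) from {sources}")
```

An interface that appears in the result received IKE traffic that, per the message explanation quoted in the post, no UDP server on the appliance serviced.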
