IP Sec problem for *some* users

Unanswered Question

Hi


I am having real problems getting some users onto our VPN. UDP 500, UDP 4500 and ESP are all being allowed through our firewall and we have existing users coming through fine and authenticating to the VPN Conc. However, some users, with the same client profile etc are being prevented. I got some logs last week which showed the following (non-Cisco firewall)


04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,5454,500,-,0,12,8,-,-,OUTBOUND


with the 81.x.x.x being the source IP and 10.200.x.x being destination. What I don't understand is why UDP 5454 is showing when other users - that connect fine show this (UDP 4500 etc)see below


04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,4500,4500,-,1,12,8,-,-,OUTBOUND


Is the destination address (10.200.x.x) blocking the packets for the users that are having problems?


Any help much appreciated.


Thanks


M

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
thomas.chen Fri, 04/11/2008 - 10:47
User Badges:
  • Silver, 250 points or more

check if the cleint credetials are correct?

michael.leblanc Fri, 06/20/2008 - 11:56
User Badges:
  • Silver, 250 points or more

This may have been related to NAT discovery.


Note that the "destination" port was UDP 500, and not UDP 4500 (non500-isakmp, IPSec-over-UDP).


a.alekseev Sun, 06/22/2008 - 23:49
User Badges:
  • Gold, 750 points or more

as alternative

try to use ipsec over tcp


04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,5454,500,-,0,12,8,-,-,OUTBOUND

you should check on the client which UDP port was used as a source port. It possible some device chandge the source port.

Actions

This Discussion