04-07-2008 03:31 AM
Hi
I am having real problems getting some users onto our VPN. UDP 500, UDP 4500 and ESP are all being allowed through our firewall, and we have existing users coming through fine and authenticating to the VPN Conc. However, some users, with the same client profile etc., are being prevented. I got some logs last week which showed the following (non-Cisco firewall):
04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,5454,500,-,0,12,8,-,-,OUTBOUND
with the 81.x.x.x being the source IP and 10.200.x.x being the destination. What I don't understand is why UDP 5454 is showing when other users that connect fine show this (UDP 4500 etc.), see below:
04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,4500,4500,-,1,12,8,-,-,OUTBOUND
Is the destination address (10.200.x.x) blocking the packets for the users that are having problems?
Any help much appreciated.
Thanks
M
04-11-2008 10:47 AM
Check if the client credentials are correct.
06-20-2008 11:56 AM
This may have been related to NAT discovery.
Note that the "destination" port was UDP 500, and not UDP 4500 (non500-isakmp, IPSec-over-UDP).
06-22-2008 11:49 PM
As an alternative, try IPsec over TCP.
04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,5454,500,-,0,12,8,-,-,OUTBOUND
You should check on the client which UDP port was used as the source port. It is possible some device changed the source port.
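The suggestion above is to work out where the source port was changed. A quick way to do that from the firewall side is to run the log through a small classifier. The following Python script is an added example, not code from anyone in the thread: it parses lines in the same comma-separated layout as the log quoted above (date, time, source IP, destination IP, protocol, source port, destination port, ..., direction), labels each packet as ISAKMP (UDP 500) or NAT-T (UDP 4500), and flags sources whose source port does not match the destination port, which means a NAT/PAT device between the client and this firewall rewrote it. It also lists sources that sent ISAKMP but never floated to 4500. The sample log lines and addresses are constructed; the unlabelled middle columns are not documented on the page and are ignored.

```python
import csv

# Constructed sample log in the same layout as the firewall lines quoted in
# the thread. Addresses are made up. Columns 8-13 are not documented on the
# page and are ignored; only the columns named below are used.
SAMPLE_LOG = """\
04/04/2008,13:34:31 +0100,81.0.0.1,10.200.0.1,UDP,5454,500,-,0,12,8,-,-,OUTBOUND
04/04/2008,13:34:31 +0100,81.0.0.2,10.200.0.1,UDP,4500,4500,-,1,12,8,-,-,OUTBOUND
04/04/2008,13:34:32 +0100,81.0.0.2,10.200.0.1,UDP,500,500,-,0,12,8,-,-,OUTBOUND
04/04/2008,13:34:40 +0100,81.0.0.3,10.200.0.1,UDP,61234,4500,-,1,12,8,-,-,OUTBOUND
04/04/2008,13:34:45 +0100,81.0.0.4,10.200.0.1,TCP,51000,10000,-,0,12,8,-,-,OUTBOUND
"""

ISAKMP_PORT = 500   # IKE; a client normally sends from and to port 500
NAT_T_PORT = 4500   # IPsec NAT-Traversal (what Cisco calls non500-isakmp)


def parse_line(line):
    """Split one log line into the fields this check needs."""
    fields = next(csv.reader([line]))
    if len(fields) < 14:
        raise ValueError("unexpected log layout: %r" % line)
    return {
        "src_ip": fields[2],
        "dst_ip": fields[3],
        "proto": fields[4].upper(),
        "src_port": int(fields[5]),
        "dst_port": int(fields[6]),
        "direction": fields[13],
    }


def classify(rec):
    """Label a record as isakmp / nat-t / other, noting a rewritten source port.

    An IKE client normally sends from the same UDP port it targets (500 or
    4500). A different source port means a device between the client and
    this firewall (a NAT/PAT gateway) rewrote it, which is the condition
    NAT-T discovery exists to detect and work around.
    """
    if rec["proto"] != "UDP":
        return "other"
    if rec["dst_port"] == ISAKMP_PORT:
        kind = "isakmp"
    elif rec["dst_port"] == NAT_T_PORT:
        kind = "nat-t"
    else:
        return "other"
    if rec["src_port"] != rec["dst_port"]:
        kind += "/src-port-rewritten"
    return kind


def analyze(log_text):
    """Return {src_ip: [label, ...]} for every non-empty line in the log."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        seen.setdefault(rec["src_ip"], []).append(classify(rec))
    return seen


def report(log_text):
    """Pick out the sources worth a closer look for a NAT-T problem."""
    seen = analyze(log_text)
    rewritten = sorted(ip for ip, labels in seen.items()
                       if "isakmp/src-port-rewritten" in labels)
    ike_sources = {ip for ip, labels in seen.items()
                   if any(lbl.startswith("isakmp") for lbl in labels)}
    no_float = sorted(ip for ip in ike_sources
                      if not any(lbl.startswith("nat-t") for lbl in seen[ip]))
    return {
        "isakmp_src_port_rewritten": rewritten,
        "isakmp_but_never_nat_t": no_float,
    }


if __name__ == "__main__":
    for ip, labels in analyze(SAMPLE_LOG).items():
        print(ip, labels)
    print(report(SAMPLE_LOG))
```

On the constructed sample, 81.0.0.1 shows up in both lists: its ISAKMP packet arrived with source port 5454 and it never sent anything to 4500, which is the pattern from the original post. A source that only appears with a rewritten port on 4500 (81.0.0.3 here) is not flagged, because NAT-T is designed to cope with that. Run the same script over the real export and compare the flagged sources against the users who cannot connect.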