04-07-2008 03:31 AM
Hi
I am having real problems getting some users onto our VPN. UDP 500, UDP 4500 and ESP are all being allowed through our firewall and we have existing users coming through fine and authenticating to the VPN Conc. However, some users, with the same client profile etc are being prevented. I got some logs last week which showed the following (non-Cisco firewall)
04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,5454,500,-,0,12,8,-,-,OUTBOUND
with the 81.x.x.x being the source IP and 10.200.x.x being the destination. What I don't understand is why UDP 5454 is showing when other users that connect fine show this (UDP 4500 etc.), see below:
04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,4500,4500,-,1,12,8,-,-,OUTBOUND
Is the destination address (10.200.x.x) blocking the packets for the users that are having problems?
Any help much appreciated.
Thanks
M
04-11-2008 10:47 AM
Check if the client credentials are correct?
06-20-2008 11:56 AM
This may have been related to NAT discovery.
Note that the "destination" port was UDP 500, and not UDP 4500 (non500-isakmp, IPSec-over-UDP).
06-22-2008 11:49 PM
As an alternative,
try to use IPsec over TCP.
04/04/2008,13:34:31 +0100,81.x.x.x,10.200.x.x,UDP,5454,500,-,0,12,8,-,-,OUTBOUND
You should check on the client which UDP port was used as the source port. It is possible some device changed the source port.
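As an added illustration of the last reply's advice (not code from anyone in this thread), the script below parses log lines in the same layout as the firewall entries quoted above and flags IKE flows whose source port differs from the expected 500/4500, which is what a NAT/PAT device rewriting the source port looks like from the firewall's side. The sample addresses are constructed placeholders, and only the first seven columns of the log format are interpreted; the meaning of the remaining columns is not assumed.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List

ISAKMP_PORT = 500   # IKE (UDP 500)
NAT_T_PORT = 4500   # IKE/ESP NAT traversal (UDP 4500)

# Constructed sample lines in the layout of the firewall log quoted in the
# thread; addresses are placeholders. Only the first seven fields are used.
SAMPLE_LOG = """\
04/04/2008,13:34:31 +0100,81.0.0.1,10.200.0.1,UDP,5454,500,-,0,12,8,-,-,OUTBOUND
04/04/2008,13:34:31 +0100,81.0.0.2,10.200.0.1,UDP,4500,4500,-,1,12,8,-,-,OUTBOUND
04/04/2008,13:34:32 +0100,81.0.0.3,10.200.0.1,UDP,500,500,-,1,12,8,-,-,OUTBOUND
04/04/2008,13:34:33 +0100,81.0.0.4,10.200.0.1,TCP,51000,10000,-,1,12,8,-,-,OUTBOUND
"""

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    kind: str                 # "isakmp", "nat-t" or "other"
    src_port_rewritten: bool  # True when an IKE flow did not keep 500->500 / 4500->4500

def parse_flows(text: str) -> List[Flow]:
    flows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        _date, _time, src_ip, dst_ip, proto, sport, dport = fields[:7]
        proto, sport, dport = proto.upper(), int(sport), int(dport)
        if proto == "UDP" and dport == ISAKMP_PORT:
            kind = "isakmp"
        elif proto == "UDP" and dport == NAT_T_PORT:
            kind = "nat-t"
        else:
            kind = "other"
        # IKE clients normally send from the same port they target; a different
        # source port means a device on the path translated it (PAT).
        rewritten = kind != "other" and sport != dport
        flows.append(Flow(src_ip, dst_ip, proto, sport, dport, kind, rewritten))
    return flows

def diagnose(flow: Flow) -> str:
    if flow.kind == "isakmp" and flow.src_port_rewritten:
        return (f"{flow.src_ip}: IKE to UDP 500 arrives from source port {flow.src_port}; "
                "a NAT/PAT device is rewriting it. Compare with the source port seen on "
                "the client; NAT-T should move this peer to UDP 4500 once NAT is detected.")
    if flow.kind == "nat-t":
        return f"{flow.src_ip}: NAT-T (UDP 4500) in use, source port {flow.src_port}."
    if flow.kind == "isakmp":
        return f"{flow.src_ip}: plain IKE on UDP 500, no source-port translation seen."
    return f"{flow.src_ip}: not IKE/NAT-T ({flow.proto} {flow.src_port}->{flow.dst_port})."
```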