ipsec-over-tcp not working

Unanswered Question
Oct 17th, 2008

Hello,

My ASA 8.0.4 is working fine for UDP-over-IPSEC connections. However, TCP-over-IPSEC on port 443 is not working. I did configure port 443 on the ASA. The ASDM error I get (although I am not sure this has anything to do with it) is: Duplicate phase 2 packet detected.

Anybody have an idea?

thanks Karien

kdepijper Fri, 10/17/2008 - 02:44

Hi Andrew,

Thanks for your reply.

However, I forgot to tell, ASDM is running on port 456. So it should not conflict with IPSEC-over-TCP.

Any other idea?

thx Karien

Do you have WebVPN enabled, as that also uses 443?

For the sake of testing, I would change the port to 10000:

crypto isakmp ipsec-over-tcp port 10000

Then re-test. If it works, then the issue is with something else on the ASA trying to use 443. If it does not work, then you also have an issue somewhere else.

Are you actually forcing the VPN client to use IPSEC over TCP, and is the client configured to use 443?

kdepijper Fri, 10/17/2008 - 03:55

Hello Andrew,

Unfortunately, the production firewall in front doesn't allow port 10000 in. I would have to make a request for a change.

Did anybody else have this issue?

thx Karien

AJAZ NAWAZ Mon, 03/15/2010 - 05:46

Andrew,

Question about this command: ' crypto isakmp ipsec-over-tcp port 10000 '

I have an ASA 5520 doing Cisco client VPN, WebVPN (SSL) and responding to ASDM. So which one of these services is the above command changing?

thanks

Ajaz

Ajaz,

It changes any connection via the VPN Remote Client/Hardware Client where the remote-end NAT device does not support/understand NAT-T/VPN passthrough. It also enables you to allow IPSEC connections on ISP/3rd-party/provider networks that block the normal RFC NAT-T UDP 4500.

The port can be changed from 10000 to whatever you want; if you have a firewall that sits in front of the VPN device, the TCP port must be allowed through.

This does not apply to Web SSL and ASDM connections.

HTH
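To make the two answers above concrete (the test of moving IPsec-over-TCP off 443, and the explanation of what the command does and does not touch), here is an ASA 8.0-style configuration fragment. It is an added example, not configuration posted by anyone in this thread: the interface name "outside", the ASDM port 456 and the test port 10000 are taken from the discussion, while the management subnet and everything else are an assumed lab setup.

```text
! Added example, not from the thread. ASA 8.0-style configuration showing
! the listeners that can compete for TCP/443 on "outside" and the
! IPsec-over-TCP listener moved to 10000 for the test suggested above.
! Assumed values: inside subnet 10.0.0.0/24 for ASDM access.

! ASDM / HTTPS management on 456, as stated in the thread (not on 443)
http server enable 456
http 10.0.0.0 255.255.255.0 inside

! Clientless SSL VPN (WebVPN) on the outside interface, listening on 443
webvpn
 enable outside
 port 443

! IKE for the IPsec remote-access client; NAT-T keepalive every 20 s
crypto isakmp enable outside
crypto isakmp nat-traversal 20

! Conflicting layout: the IPsec-over-TCP listener also bound to 443.
! The ASA runs one listener per port, so WebVPN and IPsec-over-TCP
! cannot both use 443 on the same interface.
crypto isakmp ipsec-over-tcp port 443

! Test layout from the thread: move IPsec-over-TCP to 10000.
! Only the IPsec remote-access client / hardware client is affected;
! WebVPN (443) and ASDM (456) are untouched.
no crypto isakmp ipsec-over-tcp port 443
crypto isakmp ipsec-over-tcp port 10000

! Checks: which services are bound to which port?
show running-config http
show running-config webvpn
show running-config crypto isakmp
```

For the test to be meaningful, three things have to line up: the front firewall must permit inbound TCP/10000 to the ASA outside address, the VPN client's transport setting must be "IPSec over TCP" with the same port (the client does not fall back from UDP automatically), and the ASA must still have NAT-T enabled for clients that can use UDP/4500. If the client connects on 10000 but not on 443, something else on the ASA owns 443; if it fails on both, the problem is not the port.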
