SA-520 Firewall is blocking QVPN requests

Feb 11th, 2010

Hi,

I have 2 SA-520 with the same behaviour, the FW is blocking QVPN requests:

Sat Jan  1 00:25:27 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1062 DPT=60443
Sat Jan  1 00:26:48 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1064 DPT=60443
Sat Jan  1 00:26:48 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1064 DPT=60443
Sat Jan  1 00:26:58 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1064 DPT=60443
Sat Jan  1 00:27:18 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1066 DPT=60443
Sat Jan  1 00:27:19 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1066 DPT=60443
Sat Jan  1 00:27:24 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1066 DPT=60443

I have the "Enable Remote Management?" with a check on it!

Attached is the CFG.

Thanks in advance.

Mário.

nmanglik Mon, 04/26/2010 - 09:46

This may be late but in case others may find it useful.

Checked the attached configuration of the SA520 and the remote management port is set to port 443. By default the QuickVPN client uses port 443, though the attached logs show that the destination port is 60443. Can you please check if the QuickVPN client port is set to 443?

Note: If you want to use port 60443, then set 60443 on the Remote Management page of the SA500 and also for the QuickVPN client.

If the problem still persists and the QuickVPN client is behind a NAT router, make sure the Firewall is enabled on the PC where the QuickVPN client is installed.

Also, the latest firmware 1.1.42 has fixed some known QVPN issues. You may want to upgrade to 1.1.42 and here is the link -

tools.cisco.com/support/downloads/go/Redirect.x?imageguid=68F68B2F1F9893C1E1AC99906461BDA7AD7B5F7E
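
The port comparison made in the reply above can be run over a pasted firewall log. This is an added example, not part of the original posts or Cisco's tooling; the function names are hypothetical, the sample is three of the log lines from the question, and 443 is the remote management port the reply reports from the attached configuration.

```python
import re
from collections import Counter

# Three of the log lines pasted in the question, unchanged.
SAMPLE_LOG = """\
Sat Jan  1 00:25:27 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1062 DPT=60443
Sat Jan  1 00:26:48 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1064 DPT=60443
Sat Jan  1 00:27:18 2000(GMT +0000)WARNFIREWALLKERNEL194.65.10.985.88.145.162[firewall] LOG_PACKET[DROP]  IN=WAN  OUT=SELF SRC=194.65.10.9 DST=85.88.145.162 PROTO=TCP SPT=1066 DPT=60443
"""

# The action sits in LOG_PACKET[...]; the rest of the line is KEY=VALUE pairs.
ENTRY = re.compile(r"LOG_PACKET\[(?P<action>\w+)\]\s+(?P<fields>.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the packet fields of one log line as a dict, or None if it is not a packet entry."""
    match = ENTRY.search(line)
    if not match:
        return None
    record = dict(FIELD.findall(match.group("fields")))
    record["ACTION"] = match.group("action")
    return record


def dropped_to_self(log_text):
    """Count WAN -> SELF drops per (source, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["ACTION"] != "DROP" or "DPT" not in rec:
            continue  # skip non-packet lines and port-less protocols such as ICMP
        if rec.get("IN") == "WAN" and rec.get("OUT") == "SELF":
            counts[(rec.get("SRC"), rec.get("PROTO"), int(rec["DPT"]))] += 1
    return counts


def port_mismatches(log_text, mgmt_port):
    """Dropped flows whose destination port differs from the configured management port."""
    return {k: n for k, n in dropped_to_self(log_text).items() if k[2] != mgmt_port}


if __name__ == "__main__":
    for (src, proto, dpt), n in port_mismatches(SAMPLE_LOG, 443).items():
        print(f"{n} drops from {src} to {proto}/{dpt}; remote management listens on 443")
```

A non-empty result means the client and the device disagree on the port; an empty result with drops still occurring points away from a port mismatch.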
