VPN Settings - TCP vs UDP

Unanswered Question
Sep 29th, 2010

What are your thoughts on changing the PCF file from a UDP connection to a TCP connection? Currently we are using UDP in the Enable Transport Tunneling section of the Cisco VPN Client.

If we do move them to TCP for the VPN connection, would we consider changing the port from the standard 10000 to ... 25001? If we did that, what would the impact be on the ASAs (hosting all VPN connection termination at HO)?

I am talking about remote user VPN connections here.

I would appreciate it if anybody could share some knowledge on it.

Jennifer Halim Wed, 09/29/2010 - 23:44

Before changing the port in the user's PCF, you would also need to configure the ASA to listen on the TCP port. By default, it uses TCP/10000; however, you can change it to any other port. One thing to make sure of is that you don't use a TCP port that overlaps with one used by another application.

PS: with TCP, there could be slight latency purely due to the nature of the TCP protocol.

Hope that helps.

munawar.zeeshan Wed, 09/29/2010 - 23:51

Thanks for the prompt reply. For UDP, on which port does it hit the firewall?

Could you share some documentation regarding this? I want to do some in-depth study before migrating from UDP to TCP.

Jennifer Halim Thu, 09/30/2010 - 00:04

For UDP, by default it is UDP/4500.

Encapsulation in either UDP or TCP is required when the VPN traffic (by default it's the ESP protocol) passes through a PAT device, which is normal when users are connecting from home, etc.

Here is more information on the default NAT-T (UDP/4500) and the option to use NAT-T with TCP:


Hope that helps.
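As an added illustration of the two replies above (example configuration, not from this thread), here is what the ASA side and the client PCF side look like when the client is moved to IPsec over TCP on the non-default port proposed in the question. The ASA commands and the PCF key names come from the Cisco VPN Client profile format and ASA IKEv1 configuration rather than from this page; 25001 is the port from the question.

```text
! --- ASA side (added example) ---
! Listen for IPsec over TCP on 25001 instead of the default TCP/10000.
! Up to ten ports may be listed; choose one no other service on the
! ASA or the upstream firewall already uses.
crypto isakmp ipsec-over-tcp port 25001
! Keep NAT-T enabled for users still on UDP (ESP encapsulated in UDP/4500);
! the number is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20
! Verify what the ASA is actually listening for:
! show running-config crypto isakmp

! --- Client side: the relevant keys in the user's .pcf [main] section ---
! TunnelingMode 0 = UDP (NAT-T, UDP/4500), 1 = TCP.
! TcpTunnelingPort must match the port configured on the ASA above.
[main]
TunnelingMode=1
TcpTunnelingPort=25001
```

Whichever port is chosen, every firewall between the remote users and the ASA must permit inbound TCP to it, just as it permits UDP/4500 today; a mismatch between the PCF port and the ASA listener shows up as clients failing to connect, not as a warning.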

Christopher.Hayre Thu, 09/30/2010 - 19:09

What is your reasoning for moving to IPSec over TCP?

UDP is, for obvious reasons, more efficient in tunneling situations. With IPsec over TCP (IPsec client) or TLS (AnyConnect), you have to give consideration to the fact that in cases of lost or missing packets, not only will the tunneled TCP traffic send retransmissions, the encrypted packet will do the same.
