VPN Settings - TCP vs UDP

munawar.zeeshan
Level 1

What are your thoughts on changing the PCF file from a UDP connection to a TCP connection? Currently we are using UDP in the "enable transport tunneling" section of the Cisco VPN Client.

If we do move them to TCP for the VPN connection, would we consider changing the port from the standard 10000 to ... 25001? If we did that, what would the impact be on the ASAs (hosting all VPN connection termination at HO)?

I am talking about remote user VPN connection here.

I will appreciate it if anybody can share some knowledge on it.

4 Replies

Jennifer Halim
Cisco Employee

Before changing the port in the users' PCF, you would also need to configure the ASA to listen on the TCP port. By default, it uses TCP/10000; however, you can change it to any other port. One thing to make sure of is that you don't use an overlapping TCP port that is used by other applications.

PS: with TCP, there could be slight latency purely due to the nature of TCP protocol.

Hope that helps.

Thanks for the prompt reply. For UDP, on which port does it hit the firewall?

Could you share some document regarding this? I want some in-depth study before migrating from UDP to TCP.

For UDP, by default it is UDP/4500.

Encapsulation in either UDP or TCP is required when the VPN traffic (by default it's the ESP protocol) passes through a PAT device, which is normal when users are connecting from home, etc.

Here is more information on default NAT-T (UDP/4500), and option to use NAT-T with TCP:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html#wp1120836

Hope that helps.
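As an added illustration (not part of the original thread), the two pieces that have to agree for the port change discussed above: the transport keys in the client's PCF profile and the ASA's IPsec-over-TCP listener, using the 25001 port from the question. The PCF key names and the ASA command syntax are assumptions based on the Cisco VPN Client profile reference and ASA 8.x IKEv1 configuration; check them against your release before use.

```text
; client side: <profile>.pcf (constructed example, [main] section only)
; before: NAT-T over UDP/4500, the default
[main]
EnableNat=1
TunnelingMode=0

; after: IPsec over TCP on the non-default port
[main]
EnableNat=1
TunnelingMode=1
TcpTunnelingPort=25001

! ASA side (constructed; ASA 8.0-style syntax, 8.4 and later use
! "crypto ikev1 ipsec-over-tcp" instead of "crypto isakmp ipsec-over-tcp")
! change the listener before the clients, and make sure TCP/25001 is not
! already used by another service on the ASA or opened on upstream firewalls
crypto isakmp ipsec-over-tcp port 25001
! NAT-T keepalive interval for the clients still on UDP/4500 during migration
crypto isakmp nat-traversal 20
```

Clients on the old UDP/4500 transport keep working while the ASA listens on both, so the PCF files can be rolled out in batches.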

What is your reasoning for moving to IPSec over TCP?

UDP is, for obvious reasons, more efficient in tunneling situations. With IPsec over TCP (IPsec Client) or TLS (AnyConnect), you have to give consideration to the fact that in cases of lost or missing packets, not only will the tunneled TCP traffic send retrans, the encrypted packet will do the same.

Best,

Christopher
