VPN Client TCP connection behind PIX with PAT to VPNC3000

Unanswered Question
Jul 19th, 2002

A number of our customers have reported troubles to me using the Cisco VPN Client connecting to Cisco 3005 VPN Concentrators in IPSec over TCP mode. The connection can be established, but data transfers (i.e.: SMTP, FTP) are very slow and quite impossible because the speed decreases quickly to 0.

I could find that the problem exists only if using a VPN Client behind a PIX Firewall configured for PAT. This seems to be independent of the OS of the client, the Cisco VPN Client version, the Concentrator and the PIX software release (obviously I also tested the latest releases). If I put the same client behind another PATing device, such as a Cisco router configured for NAT overload or a masquerading Linux or FreeBSD box, the problem does not arise and file transfers work well and fast.

A workaround seems to be using IPSec over UDP. In such a configuration the VPN Client works well behind a PATing PIX.

I could test different PIX OSs (from 6.1 through the latest 6.2(2)) and different Concentrators in different network configurations (behind a NATing firewall and directly connected to the internet with public IP addresses).

Can someone explain this?

Does anybody know a workaround or has anybody experienced similar troubles?

edadios Fri, 07/19/2002 - 20:53

It seems like there is a bug raised for this issue already.

The workaround is IPSec over UDP, and it would seem like the fix would be in the 3.6 code.

CSCdx03837.

Regards,


dennis@tibinc.com Sat, 09/21/2002 - 22:01

I have just run into this same problem. We have a client that just set up a VPN3005 using IPSec over TCP. We were getting disconnected while trying to transfer large files via FTP. We had the client change the group parameters to allow IPSec over UDP and it works fine now.


Any idea if this bug will be fixed in the next PIX release?
