A number of our customers have reported troubles to me using the Cisco VPN Client to connect to Cisco 3005 VPN Concentrators in IPSec over TCP mode. The connection can be established, but data transfers (e.g. SMTP, FTP) are very slow and quite impossible because the speed decreases quickly to 0.
I found that the problem exists only when using a VPN Client behind a PIX Firewall configured for PAT. This seems to be independent of the OS of the client, the Cisco VPN Client version, the Concentrator and the PIX software release (obviously I also tested the latest releases). If I put the same client behind another PATing device, such as a Cisco router configured for NAT overload or a masquerading Linux or FreeBSD box, the problem does not arise and file transfers work well and fast.
A workaround seems to be using IPSec over UDP. In such a configuration the VPN Client works well behind a PATing PIX.
I was able to test different PIX OS versions (from 6.1 through the latest 6.2(2)) and different Concentrators in different network configurations (behind a NATing firewall and directly connected to the Internet with public IP addresses).
Can someone explain this?
Does anybody know a workaround, or has anybody experienced similar troubles?