Deny TCP (no connection)

tulo
Level 1

Hi!

I have configured an L2TP/IPSec VPN on a PIX 515; on the other side is a WinXP native client.

I can ping from the client to the inside hosts and UDP services are working (DNS resolving), but TCP connections are denied. Here is the output from the PIX log:

302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53

302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53

302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53

302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53

302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53

106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside

302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53

106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside

106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside

So TCP packets from the client to the inside host are allowed, but no xlate is created and the SYN ACK or RST ACK packets are denied (my explanation).

Can anybody help?

Thanks for your time.

robert
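As an added example (not from the post or from Cisco), a small Python triage script that parses the 106015 lines quoted above and groups the stateless TCP denials per client/server pair, separating dropped SYN ACK replies (server accepted a SYN the firewall never built state for) from dropped RST ACK replies (server refused the port). The sample log is copied from the post; the function names and the threshold are assumptions of mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: PIX syslog lines copied from the post above
# (the UDP 302005/302006 lines are kept so the 106015 filter is exercised).
SAMPLE_LOG = """\
302005: Built UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
302006: Teardown UDP connection for faddr 10.82.100.1/1056 gaddr 10.82.99.10/53 laddr 10.82.99.10/53
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/445 to 10.82.100.1/1486 flags RST ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/139 to 10.82.100.1/1487 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1490 flags SYN ACK on interface inside
106015: Deny TCP (no connection) from 10.82.99.5/80 to 10.82.100.1/1491 flags SYN ACK on interface inside
"""

DENY_RE = re.compile(
    r"^106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z]+(?: [A-Z]+)*) "
    r"on interface (?P<iface>\S+)$"
)

def parse_deny(line):
    """Return the fields of a 106015 line, or None for any other message."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["flags"] = frozenset(ev["flags"].split())
    return ev

def triage(log_text):
    """Group denials by (client, server, interface); the 'from' host in a
    106015 reply is the server, the 'to' host is the VPN client."""
    report = defaultdict(lambda: {"syn_ack": 0, "rst_ack": 0, "server_ports": Counter()})
    for line in log_text.splitlines():
        ev = parse_deny(line)
        if ev is None:
            continue
        entry = report[(ev["dst"], ev["src"], ev["iface"])]
        if ev["flags"] >= {"SYN", "ACK"}:
            entry["syn_ack"] += 1      # reply to a SYN that never created state
        elif ev["flags"] >= {"RST", "ACK"}:
            entry["rst_ack"] += 1      # port refused, reply still dropped
        entry["server_ports"][ev["sport"]] += 1
    return dict(report)

def stateless_return_paths(log_text, threshold=2):
    """Pairs whose SYN ACK replies were dropped repeatedly: the forward SYN
    is being forwarded without an xlate/connection, as the post describes."""
    return [k for k, v in triage(log_text).items() if v["syn_ack"] >= threshold]
```

Running `triage(SAMPLE_LOG)` on the quoted lines yields one pair, client 10.82.100.1 to server 10.82.99.5 on `inside`, with four dropped SYN ACKs (ports 139 and 80) and one dropped RST ACK (port 445).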

1 Reply

tulo
Level 1

I'll answer myself - don't use

sysopt ipsec pl-compatible

with

sysopt connection permit-ipsec

sysopt connection permit-l2tp

:-(