Cisco Support Community

New Member

Does IPSec over TCP work on the VPN 3030 external (3rd) interface?

I configured the third, external interface and can connect with ESP and UDP tunnel, but not with IPSec over TCP.

The client says:

Unexpected TCP control packet received from a.b.c.d, src port 10000, dst port 4408, flags 14h

The concentrator doesn't say anything, although I tried several event classes.

The documentation says: "IPSec over TCP works with both the VPN software client and the VPN 3002 hardware client. It works only on the public interface. It is a client to Concentrator feature only. It does not work for LAN-to-LAN connections."

Does this mean it works only on the real, physical public interface?

Or should it work on the external interface if I tick its "public interface" checkbox?

Thanks for any advice,

Martin

1 ACCEPTED SOLUTION
Cisco Employee

Re: Does IPSec over TCP work on the VPN 3030 external (3rd) interface?

IPSec over TCP was designed to work only on the real public interface #2.

There were a few technical reasons behind this, among them:

1) Some customers terminate their tunnels on the Private interface (one-arm config), and this would cause a major headache when trying to HTTP-browse the VPN 3000 if IPSec/TCP was set up for port 80/443. So we decided to yank it out of the Private interface.

2) As for the External interface #3, we chose not to enable the dynamic IPSec-over-TCP filters on it, mainly because of Load Balancing. Since LB only works on the real public interface #2, again we chose to leave IPSec/TCP out of it.

Nelson
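As an added troubleshooting aid (not part of the original thread), the script below parses the VPN Client message Martin quoted and decodes its TCP flags byte: 14h is RST+ACK, i.e. the concentrator answered the connection attempt to port 10000 with a reset, which fits Nelson's explanation that IPSec/TCP is simply not listening on interface #3. The log-line pattern and the diagnosis text are my assumptions, built from the single line quoted above.

```python
import re

# Pattern constructed from the one VPN Client line quoted in the question (assumption).
LOG_RE = re.compile(
    r"Unexpected TCP control packet received from (?P<src>\S+), "
    r"src port (?P<sport>\d+), dst port (?P<dport>\d+), flags (?P<flags>[0-9A-Fa-f]+)h"
)

# TCP flag bits, low bit first (FIN..CWR).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]


def decode_flags(value):
    """Return the names of the flags set in a TCP flags byte, lowest bit first."""
    return [name for bit, name in TCP_FLAGS if value & bit]


def parse_line(line):
    """Extract peer, ports and decoded flags from the client message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "peer": m.group("src"),
        "peer_port": int(m.group("sport")),   # the IPSec/TCP port the client dialled
        "local_port": int(m.group("dport")),  # the client's ephemeral port
        "flags": decode_flags(int(m.group("flags"), 16)),
    }


def diagnose(line):
    """Turn the decoded flags into a one-line troubleshooting hint."""
    info = parse_line(line)
    if info is None:
        return "not an IPSec/TCP control-packet message"
    flags = set(info["flags"])
    if "RST" in flags:
        return ("peer %s reset the TCP connection to port %d: nothing is accepting IPSec "
                "over TCP there (port mismatch, feature disabled, or not the real public "
                "interface)" % (info["peer"], info["peer_port"]))
    if flags == {"SYN", "ACK"}:
        return "peer accepted the TCP connection; look later in the tunnel setup"
    return "unexpected flags %s from %s" % (sorted(flags), info["peer"])


# Constructed sample: the exact message from the question.
SAMPLE = ("Unexpected TCP control packet received from a.b.c.d, "
          "src port 10000, dst port 4408, flags 14h")

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print(diagnose(SAMPLE))
```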

2 REPLIES
Silver

Re: Does IPSec over TCP work on the VPN 3030 external (3rd) interface?

Hi Martin,

To use IPSec over TCP, both the VPN Concentrator and the client must:

Be running version 3.5 or later software.

Enable IPSec over TCP.

Configure the same port for IPSec over TCP on both the Concentrator and the client.

Ensure that you configure the same port; I think they are currently on different ports, and that's why the error message is being received.

However, if after checking the configuration it still doesn't work, it could mean that what you are saying is true, i.e. it only works on real public interfaces and not on external interfaces converted to public.

