Duplicate first packet with CVPN3005

m.connelly
Level 1

We have a VPN3005 which works perfectly except for one 3rd party who frequently gets disconnected and cannot reconnect. On the VPN3005 the log shows "duplicate first packet". This is security against replay attacks. However, in this instance a genuine client is trying to reconnect. Have you come across this? Is it maybe that the client is simply resending the first packet because it is not receiving an ACK, but that the VPN3005 has actually accepted the packet? Or are there some systems that always use the same initial sequence number?

8 Replies

paqiu
Level 1

Hi,

Most of the time, when you see "Duplicate first packet", something is blocking the IPSEC traffic: UDP 500, ESP or AH.

Sometimes routing issues cause the same error message as well.

When we use "IPSEC over TCP" or "IPSEC over UDP", it will work fine.

But that is from the native Cisco client point of view. For a third-party IPSEC VPN client, I do not think we support it, so I could not tell what might be wrong with that.

Best Regards,

Paul Qiu

Thanks for your response. The 3rd party (i.e. not our company) is using the latest Cisco VPN client. And it sometimes works fine. It is an intermittent problem. We are using IPSEC over UDP. Could it be due to a firewall (Cisco or other) that sits in between (at the 3rd party's location) and is messing with the sequence numbers?

Hi,

That might be possible, depending on how you configure your firewall to filter the traffic.

Please double check the routing, especially when you have load-balancing routes from one site to another; sometimes that will cause problems.

Make sure you are using one route coming in and going out from the 3rd party site to your VPN 3000 concentrator.

One more thing worth trying is to turn on "IPSEC over TCP" on the concentrator and the client end and see whether things are better or not.

Because TCP is a reliable transport protocol, if UDP is messing up the sequence numbers, TCP should be able to use its retransmit mechanism to adjust.

Best Regards,

Paul Qiu

Paul, thanks for your help. I will try TCP. One final question - UDP doesn't use sequence numbers so how can the VPN box detect duplicate packets?

Regards,

Michael

Hi Michael,

That error message is actually talking about the ISAKMP exchange process.

If you put a sniffer in front of the VPN 3000, it might be clearer what is happening there:

What is happening is this (probably :) : the initiating box sends an IKE (UDP 500) request, and this box gets it. It then responds with the appropriate IKE response (also UDP 500). This packet somehow does not make it back to the other side, so it decides to resend the request. This side gets that duplicate 'first' packet and displays this message. The other side just keeps sending the IKE request.

Best Regards,

Paul Qiu
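To make the mechanism Paul describes concrete, here is an added illustration (not code from the thread or from the VPN 3000) of how an IKE responder can tell a retransmitted first packet apart from a new negotiation even though UDP carries no sequence numbers. It keys purely on the ISAKMP header fields defined in RFC 2408: the initiator's 8-byte cookie, which the initiator picks once per negotiation, and the responder cookie, which is still zero in the first message. The packets are constructed, and this is a simplification; the concentrator's real bookkeeping is not documented here.

```python
"""Added illustration (not the VPN 3000's code): how an IKE responder can tell a
retransmitted first packet apart from a new negotiation although UDP has no
sequence numbers. It keys on the ISAKMP header (RFC 2408, section 3.1):

  initiator cookie (8) | responder cookie (8) | next payload (1) | version (1)
  | exchange type (1) | flags (1) | message ID (4) | length (4)

The initiator chooses its cookie once per negotiation, so a retransmission of
the first message carries the same initiator cookie with the responder cookie
still zero. The sample packets below are constructed, not captured.
"""
import struct
from dataclasses import dataclass

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # 28 bytes, network byte order
ZERO_COOKIE = b"\x00" * 8
NEXT_PAYLOAD_SA = 1      # first message of a Phase 1 exchange starts with an SA payload
ISAKMP_V1 = 0x10         # major 1, minor 0
EXCHANGE_AGGRESSIVE = 4  # RFC 2408: 2 = Identity Protection (Main Mode), 4 = Aggressive


@dataclass(frozen=True)
class IsakmpHeader:
    init_cookie: bytes
    resp_cookie: bytes
    next_payload: int
    version: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_header(pkt: bytes) -> IsakmpHeader:
    """Unpack the fixed 28-byte ISAKMP header; reject truncated or inconsistent input."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError(f"ISAKMP packet too short: {len(pkt)} bytes")
    hdr = IsakmpHeader(*ISAKMP_HDR.unpack_from(pkt))
    if hdr.length != len(pkt):
        raise ValueError("ISAKMP length field does not match datagram size")
    return hdr


def build_first_packet(init_cookie: bytes, body: bytes = b"") -> bytes:
    """Constructed first message of a negotiation: responder cookie still zero."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(init_cookie, ZERO_COOKIE, NEXT_PAYLOAD_SA, ISAKMP_V1,
                           EXCHANGE_AGGRESSIVE, 0, 0, length) + body


class Responder:
    """Minimal responder-side bookkeeping keyed on the initiator cookie."""

    def __init__(self) -> None:
        self.first_packets = {}   # initiator cookie -> how many first packets seen

    def classify(self, pkt: bytes) -> str:
        hdr = parse_header(pkt)
        if hdr.resp_cookie != ZERO_COOKIE:
            return "in-progress"   # a later message of an exchange already under way
        count = self.first_packets.get(hdr.init_cookie, 0) + 1
        self.first_packets[hdr.init_cookie] = count
        return "new negotiation" if count == 1 else "duplicate first packet"


def simulate_lost_reply() -> list:
    """Replay the scenario above: the reply is lost, so the client resends byte-for-byte."""
    responder = Responder()
    first = build_first_packet(b"\x11" * 8, body=b"SA...")   # constructed cookie and body
    retransmit = first                                       # identical resend
    fresh = build_first_packet(b"\x22" * 8, body=b"SA...")   # a genuinely new client
    return [responder.classify(p) for p in (first, retransmit, fresh)]


if __name__ == "__main__":
    for verdict in simulate_lost_reply():
        print(verdict)
```

The second verdict is the one the 3005 is logging: the packet is a faithful copy of a first message it has already answered, so from the responder's side it is indistinguishable from a replay. A sniffer on the client's side of any intervening firewall or NAT device shows whether the UDP 500 reply ever arrives, which is what separates "lost reply" from a genuinely misbehaving peer.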

Hi Paul

That makes sense. Thanks for your help.

Regards,

Michael

Hello Paul,

I have tried to use TCP. I enabled it on the 3005 in the Configuration/System/Tunneling Protocols/IPSec menu, and also on the client. The client then failed to connect (message "unable to connect to security gateway") and the 3005 showed the following logs:

1387 08/23/2002 11:34:33.980 SEV=5 IP/49 RPT=1
Headend transmitting TCP SYN-ACK pkt to client 1.2.3.4, TCP dest port 3122

1388 08/23/2002 11:34:34.060 SEV=5 IP/50 RPT=1
Headend received TCP ACK pkt from client 1.2.3.4, TCP source port 3122

1389 08/23/2002 11:34:43.990 SEV=5 IP/49 RPT=2
Headend transmitting TCP SYN-ACK pkt to client 1.2.3.4, TCP dest port 3122

(note I changed the IP addresses to 1.2.3.4 for security)

Have I forgotten to do something?

Rgds,

Michael
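The log Michael posted has a pattern worth spotting automatically: the headend logs the client's ACK (the handshake should be complete at that point) and ten seconds later transmits a SYN-ACK to the same client and port again, with RPT=2. The following is an added example, not from the thread, that parses VPN 3000 event-log lines of that shape and flags a SYN-ACK sent after the ACK for the same client address and port was already logged. The sample log is a constructed copy of the lines above (the addresses were already anonymised in the post), and the header/message pairing assumes the two-line layout shown there.

```python
"""Added example, not from the thread: parse VPN 3000 event-log lines of the
form posted above and flag a TCP handshake where the headend sends a
SYN-ACK again after it has already logged the client's ACK for the same
client address and port. SAMPLE_LOG is a constructed copy of those lines.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
1387 08/23/2002 11:34:33.980 SEV=5 IP/49 RPT=1
Headend transmitting TCP SYN-ACK pkt to client 1.2.3.4, TCP dest port 3122
1388 08/23/2002 11:34:34.060 SEV=5 IP/50 RPT=1
Headend received TCP ACK pkt from client 1.2.3.4, TCP source port 3122
1389 08/23/2002 11:34:43.990 SEV=5 IP/49 RPT=2
Headend transmitting TCP SYN-ACK pkt to client 1.2.3.4, TCP dest port 3122
"""

# "<seq> <date> <time> SEV=<n> <class>/<id> RPT=<n>", then the message on the next line
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<event>\S+)\s+RPT=(?P<rpt>\d+)\s*$")
MSG_RE = re.compile(
    r"Headend (?P<action>transmitting|received) TCP (?P<seg>SYN-ACK|SYN|ACK|RST) pkt "
    r"(?:to|from) client (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), TCP (?:dest|source) port (?P<port>\d+)")


def parse_events(text: str) -> list:
    """Pair each header line with the message line that follows it; skip unrecognised pairs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events = []
    for hdr_line, msg_line in zip(lines[0::2], lines[1::2]):
        h = HEADER_RE.match(hdr_line)
        m = MSG_RE.search(msg_line)
        if not (h and m):
            continue
        events.append({
            "seq": int(h["seq"]), "time": h["time"], "event": h["event"],
            "rpt": int(h["rpt"]), "action": m["action"], "seg": m["seg"],
            "ip": m["ip"], "port": int(m["port"]),
        })
    return events


def find_resent_synacks(events: list) -> list:
    """One finding per SYN-ACK the headend transmitted after logging that client's ACK."""
    acked = defaultdict(bool)   # (client ip, client port) -> ACK already seen
    findings = []
    for e in events:
        key = (e["ip"], e["port"])
        if e["action"] == "received" and e["seg"] == "ACK":
            acked[key] = True
        elif e["action"] == "transmitting" and e["seg"] == "SYN-ACK" and acked[key]:
            findings.append(
                f"seq {e['seq']} at {e['time']}: SYN-ACK to {e['ip']}:{e['port']} "
                f"resent (RPT={e['rpt']}) after the client's ACK was already logged")
    return findings


def analyse(text: str = SAMPLE_LOG) -> list:
    return find_resent_synacks(parse_events(text))


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

A flagged line means one of two things: either the headend never matched the ACK to the connection it had half-opened (so it retransmitted the SYN-ACK), or the client gave up and opened a fresh connection from the same source port, in which case the second SYN-ACK is a legitimate reply to a new SYN that this log class does not show. The log alone cannot distinguish the two; a packet capture on each side of the path, as Paul suggested earlier for the UDP case, can.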

Hi Michael,

From the log you sent, it looks like the TCP three-way handshake is OK.

"SYN, SYN-ACK and ACK"

It does not give a clue what might be wrong.

Please double check the following URL for the troubleshooting part:

http://www.cisco.com/warp/customer/471/vpn3k_ipsec_tcp.html#troubleshoot

Compare your log with the good debugs in the sample config; it might help you resolve your issue.

Best Regards,

Paul Qiu