
New Member

ESP - protocol 50 dropped by ISPs. Workaround?

I'm seeing more and more ISPs have trouble with IPsec. Typical scenario is:

Pix 501/506 <---ipsec tunnel mode, ESP---> 3030 concentrator

When troubleshooting, the tunnel is formed yet can't pass traffic. You can see packets being encrypted and decrypted at the PIX end, but only encrypted on the 3030 end. Traces on the Internet router on the 3030 end show that indeed the UDP 500 traffic is flowing fine between PIX/3030, but ESP frames (IP protocol 50) are one way only.

I've searched and it seems like this is a common occurrence, and in my experience it is happening more often. Is there any recommendation for a workaround for LAN-to-LAN IPsec tunnel mode to bypass the blocking or NAT that may be happening within ISPs? Are ISPs indeed starting to frown on IPsec and VPNs?

6 REPLIES
New Member

Re: ESP - protocol 50 dropped by ISPs. Workaround?

You could always go with AH and try it that way, although you would not have the security you want. GET THE STUPID ISP TO PERMIT ESP!!!! That is about it.

New Member

Re: ESP - protocol 50 dropped by ISPs. Workaround?

So no other work around?

I guess if NAT was the reason the ESP frames weren't making it to their destination, some kind of NAT traversal or ESP in UDP would work. But I'm guessing at this point and trying to get more folks to chime in with their experience in solving this growing problem.

Thanks for the replies!

John Royster

New Member

Re: ESP - protocol 50 dropped by ISPs. Workaround?

John,

This is a lan to lan between the PIX and the concentrator right? Is there NAT going on? NAT/PAT can kill ESP, but from the topo map you put on here it looked like there was no NAT/PAT.

Rob

New Member

Re: ESP - protocol 50 dropped by ISPs. Workaround?

Rob,

Thanks for the reply. In that simple topo map the middle is the Internet. I can't be sure there is no NAT. As far as our gear is concerned, we avoid NAT at all costs with VPNs. I don't know if one of the providers or their upstream is NATting somewhere or simply dropping ESP frames. The ISP in question is in Taiwan, but I've seen this problem with other ISP services as well, it being more common outside of the States.

The PIX does indeed have a public IP range.

Thanks again for the assistance. I've had TAC verify my configurations and they have checked everything. Sniffer traces confirm ESP frames flow only one way from the states to Taiwan, but do not return.

New Member

Re: ESP - protocol 50 dropped by ISPs. Workaround?

If you cannot be sure whether there is NAT/PAT in the middle, try this feature to see if it works.

We can now implement the IPsec-through-NAT function both in our IOS router ("IPSec NAT Transparency") and PIX firewall ("VPN NAT Transparency"); the following are their URLs:

IOS:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bca.html

PIX OS:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_data_sheet09186a0080148714
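The one-way ESP symptom in the original question, and the NAT Transparency (ESP-in-UDP) workaround suggested in this reply, can both be checked from a sniffer trace without guessing. The script below is an added example written for this thread; it is not code from any poster, from Cisco, or from the linked feature guides. It works on constructed packet summaries (the `Packet` record, the RFC 5737 addresses, and the payload bytes are all made up for the example) and classifies each packet as IKE (UDP 500), raw ESP (IP protocol 50), or one of the three things that share UDP 4500 under RFC 3948 NAT traversal: IKE with the 4-byte zero non-ESP marker, the 1-byte 0xFF NAT keepalive, or ESP wrapped in UDP. It then reports whether ESP is flowing in only one direction while IKE flows both ways, which is exactly the pattern a transit network dropping protocol 50 produces.

```python
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Hypothetical packet record: what a sniffer trace gives after IP/UDP decoding.
# Constructed for this example; not real capture data.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # IP protocol number: 17 = UDP, 50 = ESP
    sport: int = 0        # UDP ports (left at 0 when proto is not UDP)
    dport: int = 0
    payload: bytes = b""  # L4 payload: ESP header or UDP payload

UDP, ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

def classify(pkt: Packet) -> str:
    """Name the IPsec role of a packet.

    Raw ESP is IP protocol 50. Under NAT traversal (RFC 3948) ESP travels in
    UDP/4500; on that port a 4-byte zero "non-ESP marker" means IKE, a single
    0xFF byte is a NAT keepalive, and anything else is ESP whose first four
    bytes are the SPI.
    """
    if pkt.proto == ESP:
        return "esp"
    if pkt.proto != UDP:
        return "other"
    if IKE_PORT in (pkt.sport, pkt.dport):
        return "ike"
    if NATT_PORT in (pkt.sport, pkt.dport):
        if pkt.payload == b"\xff":
            return "natt-keepalive"
        if pkt.payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"
        return "esp-in-udp"
    return "other"

def esp_spi(pkt: Packet) -> Optional[int]:
    """Return the SPI of an ESP packet (raw or UDP-encapsulated), else None."""
    if classify(pkt) not in ("esp", "esp-in-udp") or len(pkt.payload) < 8:
        return None
    return struct.unpack("!I", pkt.payload[:4])[0]

def direction_report(packets, a: str, b: str) -> dict:
    """Count IKE and ESP per direction between peers a and b.

    'one_way' is True when IKE is seen in both directions but ESP in exactly
    one: the tunnel negotiates, yet protocol 50 is lost in transit one way.
    """
    esp, ike = Counter(), Counter()
    spis = defaultdict(set)
    for p in packets:
        if {p.src, p.dst} != {a, b}:
            continue                      # ignore traffic between other hosts
        d = f"{p.src}->{p.dst}"
        kind = classify(p)
        if kind in ("esp", "esp-in-udp"):
            esp[d] += 1
            spis[d].add(esp_spi(p))
        elif kind in ("ike", "ike-natt"):
            ike[d] += 1
    ab, ba = f"{a}->{b}", f"{b}->{a}"
    one_way = ike[ab] > 0 and ike[ba] > 0 and ((esp[ab] > 0) != (esp[ba] > 0))
    return {"ike": dict(ike), "esp": dict(esp),
            "spis": {k: sorted(v) for k, v in spis.items()}, "one_way": one_way}

def esp_payload(spi: int, seq: int) -> bytes:
    """Build a minimal ESP header (SPI, sequence) plus dummy ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16

# Constructed sample trace mirroring the thread: PIX and 3030 exchange IKE on
# UDP 500, but ESP arrives only from the PIX side (addresses are RFC 5737).
PIX, VPN3030 = "192.0.2.10", "198.51.100.20"
BROKEN_TRACE = [
    Packet(PIX, VPN3030, UDP, 500, 500, b"\x11" * 28),
    Packet(VPN3030, PIX, UDP, 500, 500, b"\x22" * 28),
    Packet(PIX, VPN3030, ESP, payload=esp_payload(0x1000ABCD, 1)),
    Packet(PIX, VPN3030, ESP, payload=esp_payload(0x1000ABCD, 2)),
]

# The same tunnel after enabling NAT Transparency: everything rides UDP 4500.
NATT_TRACE = [
    Packet(PIX, VPN3030, UDP, 4500, 4500, b"\x00" * 4 + b"\x11" * 28),
    Packet(VPN3030, PIX, UDP, 4500, 4500, b"\x00" * 4 + b"\x22" * 28),
    Packet(PIX, VPN3030, UDP, 4500, 4500, esp_payload(0x1000ABCD, 1)),
    Packet(VPN3030, PIX, UDP, 4500, 4500, esp_payload(0x2000EF01, 1)),
    Packet(PIX, VPN3030, UDP, 4500, 4500, b"\xff"),
]

if __name__ == "__main__":
    print("raw ESP  :", direction_report(BROKEN_TRACE, PIX, VPN3030))
    print("NAT-T    :", direction_report(NATT_TRACE, PIX, VPN3030))
```

Run it against summaries exported from the sniffer on each side: if the trace on the 3030's Internet router shows `one_way` for raw ESP but the same peers exchange ESP in both directions once they move to UDP 4500, the problem is in transit and not in either box's configuration, which is the evidence to hand to the ISP.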

New Member

Re: ESP - protocol 50 dropped by ISPs. Workaround?

You must be using the same ISP we are in Taiwan. I still have not been able to convince our office personnel out there that the problem is with the ISP. We have over 70 Lan to Lan connections in the world and Taiwan is our biggest headache.
