We have an IPsec VPN tunnel between a Cisco 2850 IPsec router and a Cisco 3015 concentrator. We used Citrix traffic on this tunnel and it is working fine. When we replaced the Cisco 2850 router with a Cisco 3020 concentrator, we have a problem with Citrix connectivity over the VPN.
Could someone please clarify:
Is there any bug in the VPN between the hardware-based encryption model 3020 and the software-based encryption model 3015?
Many thanks for the reply. Please find a brief history of our problem.
Earlier we used a Cisco 3005 at our end, and the destination-end peer device is a Cisco 3015 VPN concentrator. Normally only users' VPN connection traffic passes through this IPsec tunnel, and the rest of the network traffic is routed through the company's firewall. Users connected to the destination-end Citrix servers over this IPsec VPN tunnel. Due to heavy usage of Citrix server activity (even though we have 12 Mbps bandwidth), the CPU usage of the 3005 is always high.
We ordered a Cisco 3020 VPN concentrator, and meanwhile we used a Cisco 2850 series router for this IPsec VPN tunnel.
We got a new 3020 VPN concentrator (hardware-based SEP encryption), and when we replaced it with this new 3020 concentrator, we experienced users being unable to log in to the Citrix servers, while at the same time the tunnel was up and we were able to ping the Citrix servers. If we reboot the VPN concentrator, then it starts working fine. But some time later we experience the same kind of problem.
After some troubleshooting we replaced it with another new 3020 VPN concentrator, and again we have the same issue.
Now we are running with the Cisco 2850 series router and we don't have any problem.
Sounds like you have a bouncy tunnel. I would compare your local encryption domain with the opposite peer. So make sure your local encryption domain matches their remote encryption domain and vice versa. Concentrators are picky: if one side has hosts defined in the ACL, then the other side must do the same. If you are defining a subnet, then the other side must do so as well.
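One way to check the mirroring the reply above describes, as an added example that is not code from this thread or from Cisco: a small Python script that parses IOS-style crypto ACL entries (the sample entries are constructed) and reports any pair that has no swapped counterpart at the same granularity on the peer.

```python
"""Mirror check for IPsec crypto ACLs (added example, not from the thread).

Assumes IOS-style 'access-list N permit ip SRC WILDCARD DST WILDCARD' lines;
'host A' and 'any' are also accepted. A local entry is matched only by a
remote entry with source and destination swapped at the same granularity,
so a /32 host on one side against a /24 on the other is reported.
"""
import ipaddress

# Constructed sample ACLs, one per peer (not taken from the thread).
LOCAL_ACL = """
access-list 101 permit ip 10.1.0.0 0.0.255.255 192.168.50.0 0.0.0.255
access-list 101 permit ip host 10.1.7.5 host 192.168.50.10
"""
REMOTE_ACL = """
access-list 110 permit ip 192.168.50.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 192.168.50.0 0.0.0.255 host 10.1.7.5
"""

def _endpoint(tokens):
    """Consume one address spec from the token list; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard is an inverted netmask (contiguous wildcards assumed).
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_crypto_acl(text):
    """Return the set of (src_network, dst_network) pairs from permit lines."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        src, rest = _endpoint(tokens[tokens.index("ip") + 1:])
        dst, _ = _endpoint(rest)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(local_text, remote_text):
    """Return (local pairs with no mirror on remote, remote pairs with none on local)."""
    local, remote = parse_crypto_acl(local_text), parse_crypto_acl(remote_text)
    unmatched_local = {f"{s} -> {d}" for s, d in local if (d, s) not in remote}
    unmatched_remote = {f"{s} -> {d}" for s, d in remote if (d, s) not in local}
    return unmatched_local, unmatched_remote

if __name__ == "__main__":
    for side, missing in zip(("local", "remote"), mirror_mismatches(LOCAL_ACL, REMOTE_ACL)):
        print(side, "entries with no mirror on the peer:", sorted(missing) or "none")
```

With the constructed sample, the second entry is flagged on both sides because one peer lists two hosts while the other lists a /24 and a host.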
Normally, if we use the 3020 concentrator for this IPsec tunnel, after some time we continuously receive malformed packets from the destination. We can see this because the IPsec inbound authentication failure counts increase under Monitoring --> IPsec Traffic.
We believe that because of this the Citrix connection dropped and we got an authentication failure on the Citrix connection. At the same time the tunnel is up and we are able to ping the Citrix server.