Cisco Support Community
Community Member

Problem establishing VPN using IPsec over TCP

We have a PIX 520 (ver 6.2.2) and are using Cisco VPN Client 5.3.2. VPN connections using IPsec over UDP work fine. When using TCP, the PIX firewall rejects any connections (it returns a packet with the RST flag set).

How can we fix this problem?

Community Member

Re: Problem establishing VPN using IPsec over TCP

I think there might be some configuration in your PIX that keeps it from working.

Are you using IP inspect in the PIX?

Would you please upload the PIX config (delete the password and true IP address) and we will have a look at it?

Best Regards,

Community Member

Re: Problem establishing VPN using IPsec over TCP

Hi! Thanks for your answer.

Below you can read our PIX config. We have used PDM ver 2.0.2 to configure VPN. We used VPN wizard.

We are using interface named VPN for our tests.

Best regards

PIX config:

pixfirewall# show runn

: Saved


PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

nameif ethernet3 vpn security15

enable password L4oiKMFqu295Ts2J encrypted

passwd L4oiKMFqu295Ts2J encrypted

hostname pixfirewall


clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no names

access-list CSM-acl-inside permit icmp any any echo-reply




access-list CSM-acl-inside permit ip

access-list CSM-acl-outside permit icmp any any echo-reply




access-list CSM-acl-outside permit udp host host

access-list CSM-acl-dmz permit udp host eq syslog




access-list CSM-acl-dmz permit tcp host eq smtp

access-list inside_outbound_nat0_acl permit ip any

access-list vpn_cryptomap_dyn_20 permit ip any

access-list vpn_cryptomap_dyn_40 permit ip any

pager lines 24

logging on

logging timestamp

logging buffered warnings

logging trap warnings

logging history warnings

logging host inside

interface ethernet0 100full

interface ethernet1 100full

interface ethernet2 auto

interface ethernet3 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

mtu vpn 1500

ip address outside

ip address inside

ip address dmz

ip address vpn

ip audit info action alarm

ip audit attack action alarm

ip local pool IT-ip-pool

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside

failover ip address inside

failover ip address dmz

failover ip address vpn

pdm location inside




pdm location vpn

pdm logging warnings 100

pdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,dmz) netmask 0 0

static (inside,dmz) netmask 0 0

static (inside,outside) netmask 0 0

static (inside,dmz) netmask 0 0

access-group CSM-acl-outside in interface outside

access-group CSM-acl-inside in interface inside

access-group CSM-acl-dmz in interface dmz

route vpn 1




route dmz 1

timeout xlate 3:00:00

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute uauth 0:04:00 inactivity

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http inside

snmp-server host inside

no snmp-server location

no snmp-server contact

snmp-server community ******

no snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map vpn_dyn_map 20 match address vpn_cryptomap_dyn_20

crypto dynamic-map vpn_dyn_map 20 set transform-set ESP-DES-MD5

crypto dynamic-map vpn_dyn_map 40 match address vpn_cryptomap_dyn_40

crypto dynamic-map vpn_dyn_map 40 set transform-set ESP-DES-SHA

crypto map vpn_map 65535 ipsec-isakmp dynamic vpn_dyn_map

crypto map vpn_map interface vpn

isakmp enable vpn

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup IT address-pool IT-ip-pool

vpngroup IT dns-server

vpngroup IT default-domain

vpngroup IT idle-time 1800

vpngroup IT max-time 3600

vpngroup IT password ********

vpngroup IT-TEST address-pool IT-ip-pool

vpngroup IT-TEST idle-time 1800

vpngroup IT-TEST password ********

telnet inside

telnet timeout 20

ssh timeout 5

terminal width 80


: end


Community Member

Re: Problem establishing VPN using IPsec over TCP

I have checked your config,

"access-group CSM-acl-outside in interface outside"

IPSEC over TCP uses TCP port 10000 by default.

In CSM-acl-outside, where is the permit for TCP port 10000 to your PIX outside interface IP address ( )?

Without allowing TCP 10000 for your PIX outside interface, IPSEC over TCP will not work.

Best Regards,

Community Member

Re: Problem establishing VPN using IPsec over TCP

We are using the interface named VPN for VPN termination (interface outside is not connected to the Internet), and we have already tried access-lists according to the following:

access-list CSM-acl-vpn permit tcp any host eq 10000

access-group CSM-acl-vpn in interface vpn

It doesn't work.

Why do you not have to define access lists for VPN over UDP? This works fine.

If it would work with IPsec over TCP, how do you change TCP port number in the PIX firewall?

When we are trying to connect using Cisco VPN client 3.5.2 with option IPsec over TCP we get the following error message in the client Log viewer regardless if we have defined access-lists or not.

78 10:41:01.250 07/23/02 Sev=Warning/2 IPSEC/0x6370001E

Unexpected TCP control packet received from, src port 10000, dst port 4654, flags 14h

79 10:41:06.187 07/23/02 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_CTCP_FAIL" (1Dh).


Best regards
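The "flags 14h" value in the client log above can be decoded bit by bit. The following Python sketch is an added example, not part of the original post or of any Cisco tool: it parses the "Unexpected TCP control packet" message and names the TCP flags that are set. The function names are hypothetical, and the last two sample log lines (peer 192.0.2.1) are constructed for contrast.

```python
import re

# TCP flag bits in the low six bits of the TCP header flags byte (RFC 793).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Matches the client's "Unexpected TCP control packet" message. The peer
# address is optional because it was removed from the log posted above.
CTRL_PKT = re.compile(
    r"Unexpected TCP control packet received from\s*(?P<peer>[0-9.]+)?\s*,"
    r"\s*src port (?P<sport>\d+),\s*dst port (?P<dport>\d+),"
    r"\s*flags (?P<flags>[0-9A-Fa-f]+)h")


def decode_flags(value):
    """Return the names of the TCP flags set in a flags byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]


def triage(log_text):
    """Extract every control-packet warning and mark the ones carrying RST."""
    findings = []
    for m in CTRL_PKT.finditer(log_text):
        flags = decode_flags(int(m.group("flags"), 16))
        findings.append({
            "peer": m.group("peer"),          # None when redacted
            "src_port": int(m.group("sport")),
            "dst_port": int(m.group("dport")),
            "flags": flags,
            "refused": "RST" in flags,        # peer reset the connection
        })
    return findings


# First four lines are from the post; the last two are constructed.
SAMPLE_LOG = """\
78 10:41:01.250 07/23/02 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from, src port 10000, dst port 4654, flags 14h
79 10:41:06.187 07/23/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_CTCP_FAIL" (1Dh).
200 10:42:00.000 07/23/02 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from 192.0.2.1, src port 10000, dst port 4660, flags 11h
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

For the posted log line the result is RST plus ACK from source port 10000, which matches the reset described in the first post.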

Community Member

Re: Problem establishing VPN using IPsec over TCP

Without permit udp 10000, the IPSEC over UDP will not be working fine.

You can still get a connection, but if you then check the status of the VPN client, you might see that "IPSEC over UDP" or NAT transparency is inactive.

That means it is still using normal IPSEC ports.

"sysopt connection permit IPSEC" opens UDP 500, protocol ESP and AH for you on the PIX. So you do not need an extra access-list with it.

IPSEC over TCP can pass PIX without a problem for sure.

Please do further tests as below:

1 Directly connect your PC to the concentrator outside interface, bypassing the PIX, and see whether "IPSEC over TCP" is working or not.

2 If the above works fine, add "permit ip host x.x.x.x host y.y.y.y" from your PC to the concentrator translated IP address (wide open for all IP traffic between each other).

3 Check whether anything else is blocking TCP 10000 or not.

If there are any further issues, please open a TAC case and we will help you get it working.

Best Regards,
