New Member

Protocol 50

Is there a way that anyone knows of for testing to see if protocol 50 is being blocked? We have a number of users who connect over remote LANs and are going through mom-and-pop ISPs before getting to us, and in some of these cases the tunnel is being created, but once any true (pings work) data starts being passed they lose the connection. The tunnel stays up, but no data will pass.

Thanks.

4 REPLIES
New Member

Re: Protocol 50

Also, is it correct that if we're using IPSec over UDP protocol 50 isn't used anyway?

Cisco Employee

Re: Protocol 50

Hi,

Yes, you are right!!

If the IPSec over UDP option is used, then protocol 50 is wrapped in UDP port 10000 (the default, which is configurable).

Regards,

Arul

Cisco Employee

Re: Protocol 50

Hi,

You can define an access-list on your edge routers based on the VPN server's IP address and do a debug on it, or you can run a sniffer to look at the ESP packets.

Regards,

Arul

Cisco Employee

Re: Protocol 50

There is no easy way to tell. Since the connection is established using ISAKMP (UDP protocol 500), the connection may establish even if IP protocols other than TCP/UDP/ICMP are blocked. Smaller ISPs may use NAT, and may not support NAT of IP/ESP (aka IP protocol 50). A workaround is to use the NAT traversal option of the VPN, which uses UDP prot 10000 (I am assuming you are using VPN 3000 here).

Another thing to try is to lower the Ethernet MTU of the PC, for fragmentation-unfriendly ISPs. Try 1300.

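The sniffer approach suggested in the replies can be automated. The following is an added example, not code from any of the posters: it reads a classic little-endian Ethernet pcap taken on the client side and reports whether ISAKMP completed while ESP (IP protocol 50) only ever left the client. The function names, the verdict strings, the sample addresses (documentation ranges) and the constructed capture are all assumptions made for illustration.

```python
import socket, struct
from collections import Counter

def classify(proto, payload):
    """Label an IPv4 payload as one of the flows named in the thread."""
    if proto == 50:
        return "ESP"
    ports = struct.unpack("!HH", payload[:4]) if proto == 17 and len(payload) >= 4 else ()
    return "ISAKMP" if 500 in ports else "IPSEC_UDP" if 10000 in ports else None

def tally(pcap, client, server):
    """Count labelled packets per direction in a little-endian Ethernet pcap."""
    magic, linktype = struct.unpack("<I16xI", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("unsupported capture format")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        label = classify(ip[9], ip[(ip[0] & 0x0F) * 4:])
        if label and {src, dst} == {client, server}:
            counts[label, "out" if src == client else "in"] += 1
    return counts

def diagnose(c):
    """Turn the counts into a verdict for a capture taken on the client side."""
    if c["IPSEC_UDP", "out"] and c["IPSEC_UDP", "in"]:
        return "udp-encapsulated"   # protocol 50 is not on the wire
    if c["ISAKMP", "in"] and c["ESP", "out"] and not c["ESP", "in"]:
        return "esp-one-way"        # tunnel negotiates, no ESP comes back
    return "esp-both-ways" if c["ESP", "in"] else "inconclusive"

def frame(src, dst, proto, payload=b"\x00" * 8):
    """Constructed test frame: pcap record + Ethernet + IPv4 (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00" + ip + payload
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

def sample_capture(client, server):
    """Constructed capture: IKE both ways, then ESP leaving with no reply."""
    ike = struct.pack("!HHHH", 500, 500, 8, 0)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (hdr + frame(client, server, 17, ike) + frame(server, client, 17, ike)
            + frame(client, server, 50) * 3)
```

An `esp-one-way` verdict matches the symptom in the original question: the tunnel comes up over UDP 500, but no protocol 50 traffic returns.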