Is there a way that anyone knows of for testing to see if protocol 50 is being blocked? We have a number of users who connect over remote LANs and are going through mom-and-pop ISPs before getting to us, and in some of these cases the tunnel is being created, but once any true data (pings work) starts being passed they lose the connection. The tunnel stays up, but no data will pass.
There is no easy way to tell. Since the connection is established using ISAKMP (UDP protocol 500), the connection may establish even if IP protocols other than TCP/UDP/ICMP are blocked. Smaller ISPs may use NAT, and may not support NAT of IP/ESP (aka IP protocol 50). A workaround is to use the NAT traversal option of the VPN, which uses UDP port 10000 (I am assuming you are using VPN 3000 here).
Another thing to try is to lower the Ethernet MTU of the PC, for fragmentation-unfriendly ISPs. Try 1300.
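One practical way to answer the original question is to capture on both ends (on the PC and on the VPN concentrator's outside interface) and compare what left the client with what arrived: if the ISAKMP packets on UDP/500 show up at the head-end but the ESP packets (IP protocol 50) never do, an intermediate ISP or NAT is dropping protocol 50, and the UDP-encapsulated (NAT-T) mode is the fix. The script below is an added example, not code from this thread or from Cisco; it builds constructed IPv4/ESP and UDP-encapsulated sample packets (the ciphertext is a stand-in, the 0xC0FFEE SPI and addresses are made up), classifies each packet as native ESP, NAT-T ESP, or IKE, and compares the two capture sides. The packet bytes are assumed to have been exported from a capture tool as raw IPv4 frames; the encapsulation ports are RFC 3948's 4500 and Cisco's 10000 mentioned above.

```python
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NATT_PORT = 4500                 # RFC 3948 ESP-in-UDP
NATT_PORTS = (NATT_PORT, 10000)  # 10000 = Cisco "IPsec over UDP" default


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, payload: bytes, src="10.0.0.2", dst="203.0.113.1") -> bytes:
    # Version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    # A zero UDP checksum means "not computed", which IPv4 permits
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    # ESP header is just SPI + sequence number; everything after it is encrypted
    return struct.pack("!II", spi, seq) + ciphertext


def native_esp(spi, seq, ciphertext):
    return build_ipv4(IPPROTO_ESP, build_esp(spi, seq, ciphertext))


def natt_esp(spi, seq, ciphertext, port=NATT_PORT):
    return build_ipv4(IPPROTO_UDP, build_udp(port, port, build_esp(spi, seq, ciphertext)))


def ike(port=IKE_PORT):
    # Constructed ISAKMP stand-in; on port 4500 IKE is prefixed by a 4-byte zero "non-ESP marker"
    marker = b"\x00\x00\x00\x00" if port == NATT_PORT else b""
    return build_ipv4(IPPROTO_UDP, build_udp(port, port, marker + b"\x01" * 28))


def classify(packet: bytes):
    """Return (kind, spi, seq); spi and seq are None for anything that is not ESP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("malformed", None, None)
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_ESP and len(body) >= 8:
        spi, seq = struct.unpack("!II", body[:8])
        return ("esp", spi, seq)
    if proto == IPPROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if IKE_PORT in (sport, dport):
            return ("ike", None, None)
        if (sport in NATT_PORTS or dport in NATT_PORTS) and len(data) >= 8:
            if data[:4] == b"\x00\x00\x00\x00":      # SPI 0 is reserved, so this is the IKE marker
                return ("ike-natt", None, None)
            spi, seq = struct.unpack("!II", data[:8])
            return ("esp-natt", spi, seq)
        return ("udp-other", None, None)
    return ("other", None, None)


def diagnose(sent, received):
    """Compare ESP (spi, seq) pairs that left the client with those seen at the head-end."""
    sent_c = [classify(p) for p in sent]
    recv_c = [classify(p) for p in received]
    esp_sent = {(s, q) for k, s, q in sent_c if k in ("esp", "esp-natt")}
    esp_recv = {(s, q) for k, s, q in recv_c if k in ("esp", "esp-natt")}
    ike_ok = any(k.startswith("ike") for k, _, _ in recv_c)
    lost = esp_sent - esp_recv
    if not esp_sent:
        verdict = "no-esp-sent"
    elif lost == esp_sent:
        verdict = "esp-blocked" if ike_ok else "all-blocked"   # tunnel "up" but no data: the symptom above
    elif lost:
        verdict = "esp-partial-loss"                            # suspect MTU/fragmentation handling
    else:
        verdict = "esp-ok"
    return {"ike_seen_remote": ike_ok, "lost": len(lost), "verdict": verdict}


# Constructed sample captures (not real traffic)
CIPHERTEXT = b"\xaa" * 64
CLIENT_SENT = [ike()] + [native_esp(0x00C0FFEE, n, CIPHERTEXT) for n in (1, 2, 3)]
HEADEND_SAW_ESP_DROPPED = [ike()]           # ISP forwarded UDP/500 but not protocol 50
CLIENT_SENT_NATT = [ike(NATT_PORT)] + [natt_esp(0x00C0FFEE, n, CIPHERTEXT) for n in (1, 2, 3)]
HEADEND_SAW_NATT = list(CLIENT_SENT_NATT)   # UDP encapsulation traverses the NAT unchanged

if __name__ == "__main__":
    print(diagnose(CLIENT_SENT, HEADEND_SAW_ESP_DROPPED))   # verdict: esp-blocked
    print(diagnose(CLIENT_SENT_NATT, HEADEND_SAW_NATT))     # verdict: esp-ok
```

The verdict `esp-blocked` with `ike_seen_remote` true is exactly the "tunnel stays up, no data passes" pattern; `esp-partial-loss` (large packets missing, small ones arriving) points at the MTU advice instead.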