strange problem with ipsec nat transparent over udp

raydark (Level 1)

My VPN 3005 concentrator is located in the DMZ zone of the firewall, with firewall rules for IKE, ESP and IPsec NAT transparency on UDP 10000.

I can authenticate and connect successfully to this box, but after that I cannot do anything: cannot ping at all, cannot surf... (client configured to allow IPsec over UDP).

Next I changed the IPsec NAT transparency from UDP to TCP 10000 in the firewall rule, and then everything works fine (I also changed the client to use IPsec over TCP).

Note: I have enabled UDP over NAT in this VPN box too.

Any idea?

How can we enable debug for ICMP or other IP packets on this box?

4 Replies

paqiu (Level 1)

When your client gets a connection with "IPsec over UDP", in the statistics of the VPN client window, is "NAT transparency" active or inactive?

If it is inactive, that means UDP 10000 is still being blocked.

IPsec over UDP uses UDP 500 (ISAKMP) for phase 1 authentication and UDP 10000 for the real traffic.

When you pass authentication, that means UDP 500 is open; when you are not passing any traffic, most of the time UDP 10000 is blocked.

I have seen many of these kinds of cases from our customers.

IPsec over TCP only uses TCP 10000.

As long as you open TCP 10000, you pass authentication and you can pass traffic as well.

Please double check the PIX config for the access-list permit and the group settings in the concentrator; the UDP port is 10000 by default.

Best Regards,

From my client, "NAT transparency" is active.

After connection I try to ping a Cisco router in my network with debug ip icmp on.

My client IP is x.x.x.52

My router IP is x.x.x.1

2w2d: ICMP: echo reply sent, src x.x.x.1, dst x.x.x.52

It means the client sent the ICMP packet to the router, and the router got the request and replied back to the client.

It looks like the concentrator 3005 box did not get the reply; the packet is lost.

Note: I have double checked that the UDP port is 10000 and the firewall allows UDP 10000 too.

You have a route or, more likely, a proxy ARP issue.

Try providing the client a different IP pool of addresses (defined on the concentrator), then on the router, set a static route for that IP pool to be sent back to the private interface of the concentrator. If this works, it confirms the proxy ARP or route issue.

On the PIX, you can turn off proxy ARP for the interface that might be causing the issue by doing "no sysopt proxyarp (interfacename)".

Regards,

If it is a proxy ARP issue, why is everything working when I change the protocol to TCP 10000?

Tried your method, still the same problem...

Note: I am using a Symantec firewall.
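The two replies above amount to a decision sequence: over UDP, authentication succeeding but no data passing points at UDP 10000 being blocked, and once the ports are open the next suspect is the return route (or proxy ARP) for the client pool. The Python below is an added example, not code from the thread or from Cisco, that encodes that sequence against a constructed firewall permit set and a constructed inside-router routing table; the port numbers come from the thread, while the interface names and the 192.0.2.0/24 client pool are assumptions.

```python
import ipaddress

# Ports as described in the thread: ISAKMP on UDP 500, IPsec-over-UDP data on
# UDP 10000 and IPsec-over-TCP on TCP 10000 (the concentrator's default port).
ISAKMP = ("udp", 500)
IPSEC_UDP = ("udp", 10000)
IPSEC_TCP = ("tcp", 10000)

def route_lookup(routes, ip):
    """Longest-prefix match over a routing table {prefix: outgoing interface}."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def diagnose(mode, permitted, routes, client_ip, concentrator_iface):
    """Classify the symptom pattern from the thread.

    mode: "udp" (IPsec over UDP) or "tcp" (IPsec over TCP)
    permitted: set of (proto, dport) the DMZ firewall allows to the concentrator
    routes: routing table of the inside router, {prefix: outgoing interface}
    """
    if mode == "udp":
        if ISAKMP not in permitted:
            return "phase 1 blocked: UDP 500 not permitted, client cannot authenticate"
        if IPSEC_UDP not in permitted:
            return "authenticates but passes no traffic: UDP 10000 blocked"
    elif mode == "tcp":
        if IPSEC_TCP not in permitted:
            return "TCP 10000 blocked: client cannot connect"
    else:
        raise ValueError(mode)
    # Ports are open; check the return path. If the inside router sends its
    # echo replies anywhere but the concentrator's private interface, the
    # concentrator never sees them (the route / proxy ARP case above).
    if route_lookup(routes, client_ip) != concentrator_iface:
        return "return path: client pool not routed to concentrator private interface"
    return "ok"

# Constructed sample: firewall allows UDP 500 and TCP 10000 but not UDP 10000,
# which reproduces the original poster's symptom for "udp" and works for "tcp".
SAMPLE_PERMITTED = {ISAKMP, IPSEC_TCP}
SAMPLE_ROUTES = {"0.0.0.0/0": "outside", "192.0.2.0/24": "to-concentrator"}

if __name__ == "__main__":
    for mode in ("udp", "tcp"):
        print(mode, "->", diagnose(mode, SAMPLE_PERMITTED, SAMPLE_ROUTES,
                                   "192.0.2.52", "to-concentrator"))
```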
