Cisco Support Community
Unable to connect IPSec-over-UDP (over TCP works) to VPN3000

I am currently unable to connect to our VPN Conc (3.6.1) using IPSec over UDP (although IPSec over TCP works). No configuration changes have occurred since I last connected successfully. The event log shows:

307 09/11/2002 20:49:00.570 SEV=4 IPSEC/7 RPT=42

IPSec ESP Tunnel Inb: invalid direction in security association

308 09/11/2002 20:49:01.570 SEV=4 IPSEC/7 RPT=43

IPSec ESP Tunnel Inb: invalid direction in security association

309 09/11/2002 20:49:09.130 SEV=4 IKEDBG/0 RPT=6

QM FSM error (P2 struct &0x3fec2f4, mess id 0xa25204a2)!

310 09/11/2002 20:49:09.130 SEV=4 IKEDBG/65 RPT=8 80.195.147.83

Group [test] User [matt.melbourne]

IKE QM Responder FSM error history (struct &0x3fec2f4)

<state>, <event>:

QM_DONE, EV_ERROR

QM_WAIT_MSG3, EV_TIMEOUT

QM_WAIT_MSG3, NullEvent

QM_SND_MSG2, EV_SND_MSG

315 09/11/2002 20:49:09.140 SEV=4 IKEDBG/0 RPT=7

QM FSM error (P2 struct &0x3fecda8, mess id 0x9fe32987)!

316 09/11/2002 20:49:09.140 SEV=4 IKEDBG/65 RPT=9 80.195.147.83

Group [test] User [matt.melbourne]

IKE QM Responder FSM error history (struct &0x3fecda8)

<state>, <event>:

QM_DONE, EV_ERROR

QM_WAIT_MSG3, EV_TIMEOUT

QM_WAIT_MSG3, NullEvent

QM_SND_MSG2, EV_SND_MSG

What could be wrong? The VPN Client is 3.6.1.

2 REPLIES

Re: Unable to connect IPSec-over-UDP (over TCP works) to VPN3000

Hi, I had a similar problem. Please check that you still have marked “Mode Configuration” in IPSec and “Allow IPSec over UDP” -> in Client Config.


Re: Unable to connect IPSec-over-UDP (over TCP works) to VPN3000

Thanks for the suggestion, but after some extensive debugging it turned out to be a transient problem with the ISP. The UDP packets were reaching the Concentrator from the client, but were being blocked (somewhere in the ISP's network) on the way back. I even temporarily hooked up the Public interface to another ISP (through an ISDN router with static NAT translations for UDP 500 and UDP 10000 traffic) and successfully made an IPSec-over-UDP connection.
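
A triage sketch for the event log quoted in the question, added here as an example and not part of the original thread: it groups the Concentrator's multi-line events and flags IKE Quick Mode responder timeouts waiting for message 3, the pattern seen in events 310 and 316. The header layout is inferred from the lines quoted above, and the function names are hypothetical.

```python
import re

# Event header: sequence, date, time, severity, class/number, repeat count, optional peer IP.
# Layout inferred from the log lines quoted in the thread (assumption, not vendor documentation).
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>[A-Z]+/\d+) RPT=(?P<rpt>\d+)(?: (?P<peer>\d+\.\d+\.\d+\.\d+))?$"
)
USER = re.compile(r"Group \[(?P<group>[^\]]*)\] User \[(?P<user>[^\]]*)\]")

# Sample input: events 307, 309 and 310 from the thread, blank lines removed.
SAMPLE_LOG = """\
307 09/11/2002 20:49:00.570 SEV=4 IPSEC/7 RPT=42
IPSec ESP Tunnel Inb: invalid direction in security association
309 09/11/2002 20:49:09.130 SEV=4 IKEDBG/0 RPT=6
QM FSM error (P2 struct &0x3fec2f4, mess id 0xa25204a2)!
310 09/11/2002 20:49:09.130 SEV=4 IKEDBG/65 RPT=8 80.195.147.83
Group [test] User [matt.melbourne]
IKE QM Responder FSM error history (struct &0x3fec2f4)
<state>, <event>:
QM_DONE, EV_ERROR
QM_WAIT_MSG3, EV_TIMEOUT
QM_WAIT_MSG3, NullEvent
QM_SND_MSG2, EV_SND_MSG
"""

def parse_events(text):
    """Group the multi-line log into events: one header line plus its body lines."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "body": []})
        elif events:
            events[-1]["body"].append(line)
    return events

def qm_msg3_timeouts(events):
    """Return IKEDBG/65 events whose FSM history shows a timeout waiting for QM message 3."""
    hits = []
    for ev in events:
        if ev["cls"] == "IKEDBG/65" and "QM_WAIT_MSG3, EV_TIMEOUT" in ev["body"]:
            u = USER.search(" ".join(ev["body"]))
            hits.append({"seq": int(ev["seq"]), "peer": ev["peer"],
                         "user": u["user"] if u else None, "time": ev["time"]})
    return hits

if __name__ == "__main__":
    for hit in qm_msg3_timeouts(parse_events(SAMPLE_LOG)):
        print(hit)
```

Repeated hits for one peer while IPSec over TCP still connects are a cue to capture traffic on both sides and confirm whether the Concentrator's UDP replies actually reach the client, which is what the final reply found.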
