VPN Client TCP connection behind PIX with PAT to VPNC3000
A number of our customers have reported to me troubles using the Cisco VPN Client to connect to Cisco 3005 VPN Concentrators in IPSec over TCP mode. The connection can be established, but data transfers (e.g. SMTP, FTP) are very slow and practically impossible because the speed quickly decreases to 0.
I found that the problem exists only when using a VPN Client behind a PIX Firewall configured for PAT. This seems to be independent of the OS of the client, the Cisco VPN Client version, the Concentrator and the PIX software release (obviously I also tested the latest releases). If I put the same client behind another PATing device, such as a Cisco router configured for NAT overload or a masquerading Linux or FreeBSD box, the problem does not arise and file transfers work well and fast.
A workaround seems to be using IPSec over UDP. In that configuration the VPN Client works well behind a PATing PIX.
I was able to test different PIX OS releases (from 6.1 through the latest 6.2(2)) and different Concentrators in different network configurations (behind a NATing firewall and directly connected to the Internet with public IP addresses).
Can someone explain this?
Does anybody know a workaround or have experienced similar troubles?
Re: VPN Client TCP connection behind PIX with PAT to VPNC3000
I have just run into this same problem. We have a client that just set up a VPN3005 using IPSec over TCP. We were getting disconnected while trying to transfer large files via FTP. We had the client change the group parameters to allow IPSec over UDP and it works fine now.
Any idea if this bug will be fixed in the next PIX release?
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...