I've been working with many techs from various companies trying to get members of our company running over their LAN using a Cisco 3.5.1c client connecting to our 3030 concentrator. Most of them we are able to get to work by simply opening UDP ports 500 and 10000 both ways; however, we have some problems with this at times. In one case a user is making the connection (IKE), but for some reason no data will pass through the tunnel. We also have a couple of other members on other LANs (various firewalls) that we have set up using IPSec over TCP instead of UDP. They like only having to open one TCP port instead of both UDP ports for access. Anyway, some of those users are having the same type of problem. Either they connect and for a short period of time are able to transfer data, or they connect and can only encrypt the data and never receive anything. If I connect to the concentrator I can't even ping them, but the tunnel stays up... Anyway, if anyone has run into this or can help me with this it would be GREATLY appreciated.
Understood. In every case I'm speaking of, the users are behind a firewall or another PAT device over a LAN. We like to stick with the default configuration of UDP 500 and 10000 just to keep it straightforward and not require any changes to the client, though we've had the issue with both IPSec over UDP and IPSec over TCP. In this situation we have three or four clients making connections across the LAN, but for some reason no data is being decrypted or received. If I look at the statistics of the connection it shows that there is data being sent from the client, but nothing is received. If I go to the concentrator and attempt a ping to that client they are unavailable. Typically all I can see in the logs on the concentrator is something with the SA timeout and the session being disconnected. However, our SA timeout is set for 8 hours and the group timeout is set for 4 hours, so the SA should never time out before the group.
I've had the users dial up and connect, and everything works fine then, so it's for sure something with the LAN setup or maybe lag on the net or something.
Has anyone had issues with lag causing SAs to time out? Sometimes it doesn't work right from the start, but other times it will work for about 15 min and then stop responding. At first I thought it may be an MTU issue, but I have explored that path and have still had the same issues.
Log in to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...