Cisco Support Community
Community Member

ASA: disable ipsec over udp


I have a question:

How can I configure the ASA so that VPN users (with the Cisco VPN client) cannot connect to it with UDP?

Cisco says that by default IPsec over UDP is disabled.

But it is not. I can connect with IPsec over UDP.

I tried the ipsec-udp disable command on the group policy, but nothing changed.

What is the solution?

Is it a bug, or did I forget something?

Please help,

thank you


Community Member

Re: ASA: disable ipsec over udp

Sorry for my English, I'm pretty tired :)

But I think you know what I want...

(disable the UDP VPN connections)

Cisco Employee

Re: ASA: disable ipsec over udp


By default, if there is a UDP device in the middle, ASA will use IPsec over NAT-T, which is UDP 4500, and using the ipsec-udp disable command will not disable that. It will only disable IPsec over UDP over any other port, which is different from NAT-T, though the functionality is essentially the same.

Do you want to use IPsec over TCP instead? If yes, then you could enable that. The document below shows how that can be done. To disable NAT-T, you do:

no crypto isakmp nat-t

Please rate if this was helpful
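
The distinction drawn in the reply above, as an added example that is not part of the thread and not Cisco code: a small audit of `show run all` style text that reports NAT-T separately from per-group IPsec over UDP. The sample configuration and group-policy names are constructed, and it assumes the running configuration spells out the full `nat-traversal` keyword.

```python
import re

# Constructed sample shaped like `show run all` output (not the thread's attachment).
# Group-policy names are hypothetical; the full keyword "nat-traversal" is assumed.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
crypto isakmp nat-traversal 20
group-policy VPNUSERS internal
group-policy VPNUSERS attributes
 ipsec-udp disable
group-policy LEGACY internal
group-policy LEGACY attributes
 ipsec-udp enable
 ipsec-udp-port 10000
"""


def audit_transports(config: str) -> dict:
    """Report which IPsec encapsulations the configuration leaves enabled."""
    result = {"nat_t": False, "ipsec_over_tcp": False, "ipsec_udp_groups": []}
    group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level line ends any group-policy sub-mode.
            m = re.match(r"group-policy (\S+) attributes$", line)
            group = m.group(1) if m else None
        # Lines beginning with "no " record a disabled feature and match nothing here.
        if re.match(r"crypto isakmp nat-traversal\b", line):
            result["nat_t"] = True  # global setting, untouched by ipsec-udp disable
        elif re.match(r"crypto isakmp ipsec-over-tcp\b", line):
            result["ipsec_over_tcp"] = True
        elif group and line == "ipsec-udp enable":
            result["ipsec_udp_groups"].append(group)
    return result


def udp_paths(result: dict) -> list:
    """List the UDP encapsulations the configuration leaves enabled."""
    paths = ["NAT-T (UDP 4500)"] if result["nat_t"] else []
    paths += [f"IPsec over UDP (group-policy {g})" for g in result["ipsec_udp_groups"]]
    return paths


if __name__ == "__main__":
    print(udp_paths(audit_transports(SAMPLE_CONFIG)))
```

In the sample, VPNUSERS has `ipsec-udp disable` yet NAT-T is still reported, because that setting is global rather than per group policy.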

Community Member

Re: ASA: disable ipsec over udp


Yes, I want to allow just "IPSec over TCP" in the client for the connection.

But it still does not work.

I tried "no crypto isakmp nat-t" but it does not work.

I set "ipsec-udp disable" on the group policy too, but it did not help (I know this is not what I need).

The user can still connect to the VPN regardless of the transport (I mean whether Transparent tunneling is enabled or disabled, and whether UDP (NAT/PAT) or TCP is checked) in the Cisco VPN client.

What is the solution?

Thank you.

Cisco Employee

Re: ASA: disable ipsec over udp


Please can you paste the output of the following here:

show run all crypto

show run all group-policy

show run all tunnel-group

In addition to that, please can you attach the profile file from the VPN client as well?

Community Member

Re: ASA: disable ipsec over udp


All settings are in the attachment.

This is an ASA5520 device.

The user can connect with this configuration, but I want the user to be able to connect only with this configuration:

[client file]





Community Member

Re: ASA: disable ipsec over udp

Now it works, it does not let the user use IPsec over UDP, but I changed nothing, what is important.

I think there is some problem with the refreshing.

Now I set "crypto isakmp nat-traversal 20" and it does not let the user use IPsec over UDP (NAT/PAT), but it would have had to..

