ipsec-over-tcp not working

kdepijper
Level 1

Hello,

My ASA 8.0.4 is working fine for UDP-over-IPSEC connections. However, TCP-over-IPSEC over 443 is not working. I did configure port 443 in the ASA. The ASDM error I get (although I am not sure this has anything to do with it): Duplicate phase 2 packet detected.

Anybody have an idea?

thanks Karien

6 Replies

andrew.prince
Level 10

The ASA listens on port 443 for secure ASDM connections. Change this port to the default 10000 and re-test.

Also if the ASA is behind a firewall - allow TCP 10000 thru to the ASA.

HTH>

Hi Andrew,

Thanks for your reply.

However, I forgot to tell, ASDM is running on port 456. So it should not conflict with IPSEC-over-TCP.

Any other idea?

thx Karien

Do you have WebVPN enabled, as that also uses 443.

For the sake of testing, I would change the port to 10000

crypto isakmp ipsec-over-tcp port 10000

Then re-test. If it works, then the issue is with something else on the ASA trying to use 443. If it does not work, then you also have an issue somewhere else.

Are you actually forcing the VPN client to use IPSEC over TCP, and is the client configured to use 443?

Hello Andrew,

Unfortunately the production firewall in front doesn't allow port 10000 in. I would have to make request for a change.

Did anybody else have this issue ?

thx Karien

Andrew,

Qtn about this command 'crypto isakmp ipsec-over-tcp port 10000'

I have an ASA 5520 doing Cisco client VPN, WebVPN (SSL) and responding to ASDM. So which one of these services is the above command changing?

thanks

Ajaz

Ajaz,

It changes any connection via the VPN Remote client/Hardware Client - where the remote end NAT device does not support/understand NAT-T/VPN PassThru.  It also enables you to allow IPSEC connections on ISP/3rd Party/Provider networks, that block the normal RFC NAT-T UDP 4500.

The port can be changed from 10000 to whatever you want; if you have a firewall that sits in front of the VPN device, the TCP port must be allowed thru.

This does not apply to Web SSL & ASDM connections.

HTH>
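The thread's diagnosis (earlier: "something else on the ASA trying to use 443"; here: the command only moves the IPsec-over-TCP listener, not WebVPN or ASDM) comes down to checking which services claim the same TCP port on the ASA. The script below is an added example, not part of the thread or of any Cisco tool: it parses a constructed ASA config fragment and reports port collisions between `http server enable` (ASDM), the `webvpn` sub-mode (`enable`/`port`) and `crypto isakmp ipsec-over-tcp port ...`. The default ports assumed are 443 for ASDM and WebVPN and 10000 for IPsec-over-TCP, and ASDM and WebVPN sharing 443 is treated as compatible, since the ASA serves both on one HTTPS listener; the config text and hostname are made up for the example.

```python
import re
from collections import defaultdict

# Constructed ASA config fragment (assumed, not taken from the thread).
# WEAK_CONFIG puts ipsec-over-tcp on 443, the port ASDM (http server) and
# WebVPN also listen on, which is the collision the thread is about.
WEAK_CONFIG = """\
hostname asa-demo
http server enable 443
http 10.0.0.0 255.255.255.0 inside
crypto isakmp ipsec-over-tcp port 443
webvpn
 enable outside
 port 443
"""

# FIXED_CONFIG moves ipsec-over-tcp back to its default port 10000, as the
# reply above suggests, leaving 443 to WebVPN and ASDM.
FIXED_CONFIG = WEAK_CONFIG.replace("ipsec-over-tcp port 443", "ipsec-over-tcp port 10000")

ASDM_DEFAULT_PORT = 443         # 'http server enable' with no port argument
WEBVPN_DEFAULT_PORT = 443       # webvpn sub-mode without a 'port' line
IPSEC_TCP_DEFAULT_PORT = 10000  # 'crypto isakmp ipsec-over-tcp' with no port list

# Service sets that may legitimately share one TCP port: the ASA multiplexes
# ASDM and WebVPN on the same HTTPS listener (assumed platform behaviour).
COMPATIBLE = [frozenset({"asdm", "webvpn"})]


def parse_listeners(config):
    """Return a list of (service, tcp_port) pairs for the three services that
    can claim the same TCP port on an ASA: ASDM, WebVPN and IPsec-over-TCP."""
    listeners = []
    in_webvpn = False
    webvpn_enabled = False
    webvpn_port = WEBVPN_DEFAULT_PORT
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            # Indented line = sub-mode command; only the webvpn block matters here.
            if in_webvpn:
                if re.match(r"\s+enable\s+\S+", line):
                    webvpn_enabled = True
                m = re.match(r"\s+port\s+(\d+)$", line)
                if m:
                    webvpn_port = int(m.group(1))
            continue
        in_webvpn = (line == "webvpn")
        m = re.match(r"http server enable(?:\s+(\d+))?$", line)
        if m:
            listeners.append(("asdm", int(m.group(1)) if m.group(1) else ASDM_DEFAULT_PORT))
            continue
        if line.startswith("crypto isakmp ipsec-over-tcp"):
            # The command accepts several 'port N' arguments; each is a listener.
            ports = [int(p) for p in re.findall(r"port\s+(\d+)", line)]
            for p in ports or [IPSEC_TCP_DEFAULT_PORT]:
                listeners.append(("ipsec-over-tcp", p))
    if webvpn_enabled:
        listeners.append(("webvpn", webvpn_port))
    return listeners


def find_collisions(config):
    """Map each TCP port claimed by services that cannot share it to the sorted
    list of those services; an empty dict means the config has no collision."""
    by_port = defaultdict(set)
    for service, port in parse_listeners(config):
        by_port[port].add(service)
    return {
        port: sorted(services)
        for port, services in by_port.items()
        if len(services) > 1 and not any(services <= ok for ok in COMPATIBLE)
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, find_collisions(cfg) or "no port collisions")
```

Run against the weak fragment it reports 443 claimed by asdm, ipsec-over-tcp and webvpn; against the fixed fragment it reports nothing, because ASDM and WebVPN sharing 443 is allowed and IPsec-over-TCP now has 10000 to itself. The same check is only half the story for the original poster's setup: the upstream firewall must also pass whichever TCP port the command ends up on.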
