Cisco Support Community
ipsec-over-tcp not working


My ASA 8.0.4 is working fine for UDP-over-IPSEC connections. However, TCP-over-IPSEC over 443 is not working. I did configure port 443 in the ASA. The ASDM error I get (although I am not sure this has anything to do with it) is: Duplicate phase 2 packet detected.

Anybody have an idea?

Thanks, Karien


Re: ipsec-over-tcp not working

The ASA listens on port 443 for secure ASDM connections. Change this port to the default 10000 and re-test.

Also, if the ASA is behind a firewall, allow TCP 10000 through to the ASA.


Re: ipsec-over-tcp not working

Hi Andrew,

Thanks for your reply.

However, I forgot to mention that ASDM is running on port 456, so it should not conflict with IPSEC-over-TCP.

Any other idea?

Thx, Karien

Re: ipsec-over-tcp not working

Do you have WebVPN enabled, as that also uses 443?

For the sake of testing, I would change the port to 10000:

crypto isakmp ipsec-over-tcp port 10000

Then re-test. If it works, the issue is with something else on the ASA trying to use 443. If it does not work, you also have an issue somewhere else.

Are you actually forcing the VPN client to use IPSEC over TCP, and is the client configured to use 443?

Re: ipsec-over-tcp not working

Hello Andrew,

Unfortunately, the production firewall in front doesn't allow port 10000 in. I would have to make a request for a change.

Did anybody else have this issue?

Thx, Karien


Re: ipsec-over-tcp not working


Question about this command: 'crypto isakmp ipsec-over-tcp port 10000'

I have an ASA 5520 doing Cisco client VPN, WebVPN (SSL) and responding to ASDM. So which one of these services is the above command changing?



Re: ipsec-over-tcp not working


It changes any connection via the VPN Remote client/Hardware Client where the remote end NAT device does not support/understand NAT-T/VPN PassThru. It also enables you to allow IPSEC connections on ISP/3rd Party/Provider networks that block the normal RFC NAT-T UDP 4500.

The port can be changed from 10000 to whatever you want. If you have a firewall that sits in front of the VPN device, the TCP port must be allowed through.

This does not apply to Web SSL & ASDM connections.
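The whole thread comes down to three ASA services competing for one TCP listener: ASDM (`http server enable [port]`), WebVPN (`webvpn` block, default port 443) and IPsec-over-TCP (`crypto isakmp ipsec-over-tcp port ...`). The script below, an added example and not from any poster or from Cisco, scans a running-config fragment and reports ports claimed by more than one service; the sample config is constructed to mirror the setup described above (ASDM on 456, IPsec-over-TCP on 443, WebVPN enabled on its default port).

```python
import re
from collections import defaultdict

# Constructed sample running-config (not taken from the thread). ASDM has been
# moved to 456, IPsec-over-TCP is on 443 and WebVPN is enabled with no explicit
# 'port' line, so it listens on its default of 443.
SAMPLE_CONFIG = """\
hostname asa-lab
http server enable 456
http 192.0.2.0 255.255.255.0 inside
crypto isakmp ipsec-over-tcp port 443
webvpn
 enable outside
 tunnel-group-list enable
"""

def tcp_listeners(config: str) -> dict[int, list[str]]:
    """Map each TCP port the ASA would listen on to the services claiming it."""
    ports = defaultdict(list)
    in_webvpn, webvpn_enabled, webvpn_port = False, False, 443
    for raw in config.splitlines():
        line = raw.rstrip()
        indented = line.startswith(" ")
        if not indented:
            in_webvpn = line == "webvpn"       # entering/leaving the webvpn block
        if in_webvpn and indented:
            if line.strip().startswith("enable "):   # 'enable <interface>'
                webvpn_enabled = True
            m = re.match(r"\s+port (\d+)", line)     # optional 'port <n>'
            if m:
                webvpn_port = int(m.group(1))
            continue
        m = re.match(r"http server enable(?: (\d+))?$", line)
        if m:  # ASDM/HTTPS management listener, default 443
            ports[int(m.group(1) or 443)].append("ASDM/HTTPS")
            continue
        m = re.match(r"crypto isakmp ipsec-over-tcp(?: port((?: \d+)+))?$", line)
        if m:  # up to ten ports may be listed; default 10000
            for p in (m.group(1) or " 10000").split():
                ports[int(p)].append("IPsec-over-TCP")
    if webvpn_enabled:
        ports[webvpn_port].append("WebVPN")
    return dict(ports)

def port_conflicts(config: str) -> dict[int, list[str]]:
    """Ports claimed by more than one service: the collision the thread is chasing."""
    return {p: s for p, s in tcp_listeners(config).items() if len(s) > 1}

if __name__ == "__main__":
    for port, services in port_conflicts(SAMPLE_CONFIG).items():
        print(f"TCP {port} claimed by: {', '.join(services)}")
```

Moving the IPsec-over-TCP port away from 443 (as suggested in the thread) or disabling WebVPN clears the collision; the check is only as good as the three commands it knows about, so extend the regexes if other listeners matter in your deployment.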