Cisco Support Community
New Member

IPSec over TCP on ASA5510 not connecting


I've got an issue trying to get IPSec over TCP working on an ASA5510 with a remote VPN client. The ASA is running 7.2(2) and the Cisco client is The initial TCP connection works (I can see the 3-way handshake complete), but then the client sends an ISAKMP OAK AG, which the ASA discards. I'm configuring via the ASDM (version 5.2) as my PIX skills are a bit rusty! I have an access rule on the external interface of the ASA to allow connections on port 10000, but I've set the ASA to allow inbound IPsec sessions to bypass the interface ACLs, so I don't think this is the problem.

Any help would be greatly appreciated.


UPDATE: Debug output from the ASA when running debug crypto isakmp, debug crypto ipsec, debug ipsec-over-tcp shows:

# INFO: ctcp_punt_flow_drop_callback - NP dropped flow (could be idle flow)

It's invoked at 71f0c4

Protocol: 6

Flags: 0x00100000

Src addr: 164.x.x.x

Dst addr: 81.x.x.x

Src port: 10000

Dst port: 1187

INFO: ctcp_punt_flow_drop_callback: Sending a message to IKE to delete if any IKE SAs, IPSec SAs and IPSec/TCP record that associated with this session:

peer ip addr: 81.x.x.x, peer ctcp port: 1187

This seems to indicate that after the initial TCP 3-way handshake is completed, the connection is dropped and the subsequent ISAKMP packets get dropped by the ASA.

Any ideas why?



Re: IPSec over TCP on ASA5510 not connecting

Did you check whether all the destinations used in port-forwarding are permitted in the web type ACL?

New Member

Re: IPSec over TCP on ASA5510 not connecting

I assume you mean the ACL for the internet side of the ASA? If so, then yes - the traffic is permitted.

New Member

Re: IPSec over TCP on ASA5510 not connecting

Did you ever find a resolution?
