Cisco Support Community


Question regarding IPsec over TCP


I've been trying to convert all of our VPN sites to EasyVPN for ease of management etc., but a few of them I have not been able to successfully get working.

My central ASA5520 is the EasyVPN server and all of the remote firewalls are ASA5505s (7.2(3)-7.2(4)) or PIX501s (various flavors of 6.3(x)).

The ones I have not been able to get working are the ones that sit behind someone's home router, like a little Linksys or D-Link or something, that doesn't seem to handle NAT-T properly, and I'm guessing it has to do with UDP being stateless. Two questions:

1. Could IPsec over TCP solve this issue?

2. If I enable IPsec over TCP on my central firewall, does that impact ALL of the clients? I have about 140 connected right now. Or is it similar to NAT-T, where it will be used if necessary? Thanks.


Re: Question regarding IPsec over TCP

As far as I know, IPsec over TCP is only used for VPN clients and not for EzVPN clients that happen to be other ASA devices. In some cases those D-Link and similar devices do indeed have issues with handling UDP 4500; can you maybe try leaving those sites on the standard UDP 500/ESP IPsec traffic? In most cases this solves the issue.
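For reference, the CLI settings the thread is talking about, written up here as an added illustration rather than taken from either poster's config. The commands are the ASA 7.2 and PIX 6.3 forms; the TCP port number and the device roles are assumptions, and disabling NAT-T on a spoke only helps if the home router in front of it passes ESP (IP protocol 50), which consumer routers usually label "IPsec passthrough":

```cisco
! --- Central ASA5520 (EasyVPN server), ASA 7.2 syntax ---
! NAT-T is negotiated per peer: UDP 4500 encapsulation is used only when NAT
! is detected between hub and spoke, so other peers stay on UDP 500 + ESP.
! The argument is the NAT keepalive interval in seconds.
crypto isakmp nat-traversal 20

! IPsec over TCP opens a listener (port 10000 is an assumed value). Only peers
! configured to use TCP will connect to it; existing UDP/ESP peers are not
! affected by turning it on.
crypto isakmp ipsec-over-tcp port 10000

! --- Remote ASA5505 sitting behind a home router that mishandles UDP 4500 ---
! With NAT-T disabled the spoke will not negotiate UDP 4500 and the tunnel
! runs as UDP 500 (ISAKMP) + ESP, which the home router must pass through.
no crypto isakmp nat-traversal

! --- Remote PIX501, 6.3 syntax, same change ---
no isakmp nat-traversal

! --- Checks on either side after the change ---
! Confirm the peer's ISAKMP and IPsec SAs come up and inspect the peer
! address/port shown for the SA to see which transport is in use.
show crypto isakmp sa
show crypto ipsec sa
```

If the home router does not pass ESP at all, falling back to plain UDP 500/ESP will not help and the site will need a router that handles NAT-T (UDP 4500) correctly, or to be moved off a hardware EzVPN client onto something that supports a TCP transport.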