Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Settings - TCP vs UDP

What your thoughts are on changing the PCF file from a UDP connection to a TCP connection? Currently we are using UDP in enable transport tunneling section of Cisco VPN Client. 

If we do move them to TCP for the VPN connection, Would we consider changing the port from the standard 10000 to .. . .. 25001? If we did that,what would the impact be on the ASA’s (hosting all VPN connection termination at HO)?

I am talking about remote user VPN connectoin here.

i will appreciate if anybody can share some knoweledge on it.

Cisco Employee

Re: VPN Settings - TCP vs UDP

Before changing the port on user's PCF, you would also need to configure the ASA to listen on the TCP port. By default, it uses TCP/10000, however, you can change it to any other ports. One thing to make sure is you don't use overlapping TCP port that is used by other applications.

PS: with TCP, there could be slight latency purely due to the nature of TCP protocol.

Hope that helps.

Community Member

Re: VPN Settings - TCP vs UDP

Thanks for the prompt reply. For UDP, on which port it hits on firewall ?

Could you share some document regarding this. I want some indepth study before migrating from UDP to TCP.

Cisco Employee

Re: VPN Settings - TCP vs UDP

For UDP, by default it is UDP/4500.

Encapsulation to either UDP or TCP is required when the VPN traffic (by default it's ESP protocol) passes through PAT device which is normal when users are connecting from home, etc.

Here is more information on default NAT-T (UDP/4500), and option to use NAT-T with TCP:

Hope that helps.

Community Member

Re: VPN Settings - TCP vs UDP

What is your reasoning for moving to IPSec over TCP?

UDP is, for obvious reasons, more efficient in tunneling situations.  With IPSec over TCP (IPSec Client) or TLS (Anyconnect), you have to give consideration to the fact that in cases of lost or missing packets, not only will the tunneled tcp traffic send retrans, the encrypted packet will do the same.



CreatePlease to create content