RE: VPN - IPSec over TCP on PIX vs ASA - both ver 8.03 -

From: Andrew Larkins (Andrew.Larkins@btgroup.co.za)
Date: Mon Feb 04 2008 - 16:29:44 ARST


Route print is 100% correct with the network that needs to tunnel...

Strange thing is that it works tonight... will try when the network is
under a bit of load and see

From: Andrew Shin [mailto:mr.dude@gmail.com]
Sent: 04 February 2008 16:08 PM
To: Andrew Larkins
Cc: mdestienne@yahoo.com; ccielab@groupstudy.com; cisco@groupstudy.com;
security@groupstudy.com
Subject: Re: VPN - IPSec over TCP on PIX vs ASA - both ver 8.03 -
strange problem only working on PIX and not ASA - UDP works on both!

Hi, when you say you see packets being encrypted but nothing coming back
are you referring to your PC? What do you see coming into the ASA? It
sounds like it could be that your PC perhaps is not sending the traffic
to your internal 172.20.4.0 network over the tunnel? Try doing a "route
print" on your PC and see what that shows after you connect.

-Andrew

On Feb 3, 2008 12:29 AM, Andrew Larkins <Andrew.Larkins@btgroup.co.za>
wrote:

Thanks,

But I am able to VPN successfully using UDP but not TCP so that already
proves the config for the pool. It is only when I enable IPSec over TCP
on default port 10000 that no data passes. I get an IP address and see
packets being encrypted but nothing comes back...

Andrew

-----Original Message-----
From: mdestienne@yahoo.com [mailto:mdestienne@yahoo.com]
Sent: 01 February 2008 14:59 PM
To: Andrew Larkins; ccielab@groupstudy.com; cisco@groupstudy.com;
security@groupstudy.com

Subject: Re: VPN - IPSec over TCP on PIX vs ASA - both ver 8.03 -
strange problem only working on PIX and not ASA - UDP works on both!

The first thing that comes to mind is the only difference between your
configs, the DHCP pool. Verify that your inside network has a path to
your ASA VPN pool.

-----Original Message-----
From: "Andrew Larkins" <Andrew.Larkins@btgroup.co.za>

Date: Fri, 1 Feb 2008 10:19:06
To:<ccielab@groupstudy.com>, <cisco@groupstudy.com>,
<security@groupstudy.com>
Subject: VPN - IPSec over TCP on PIX vs ASA - both ver 8.03 - strange
problem only working on PIX and not ASA - UDP works on both!

Good day all,

I have a full working remote access VPN on both firewalls (PIX515E and
ASA5540). ASA is replacing the PIX at a new location.

Both work perfectly with IPSec over UDP (nat-traversal UDP 4500) and
only the PIX515E works with TCP 10000. I can however connect the VPN up
& authenticate successfully on the ASA using IPSec over TCP, but I am
absolutely unable to pass any data through the tunnel. Change the
profile back to IPSec over UDP and it works perfectly.

My understanding here is that short of the IPSec setup to establish the
tunnel, all configuration is the same. If the port was blocked somewhere
the VPN would never connect.

Any reasons you can think of why this does not work before I log the
case with TAC? Any pointers on where to look further? Again, the ASA and
PIX are identical in config (all aspects) & software except the local IP
pool being different, so I can test in parallel, and being different
hardware platforms.

Regards

Andrew

The information contained in this message and or attachments is intended
only for the person or entity to which it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of, or taking of any action in reliance upon,
this information by persons or entities other than the intended recipient
is prohibited. If you received this in error, please contact the sender and
delete the material from any system and destroy any copies.


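The check Andrew Shin suggests (run "route print" on the client after connecting and confirm that traffic for the inside 172.20.4.0 network is sent over the tunnel) can be automated. The script below is an added example and is not part of the thread or of any Cisco tool: it parses the IPv4 section of a Windows "route print" listing, performs the longest-prefix lookup Windows does, and reports whether a probe address in the inside network would egress via the address the ASA assigned from its VPN pool. All addresses in the embedded sample tables are constructed (192.168.1.50 as the LAN NIC, 10.10.10.5 as a hypothetical pool address); only 172.20.4.0/24 comes from the thread. The second table deliberately drops the tunnel route to show the failure mode where packets to the inside network leave via the LAN default gateway.

```python
import ipaddress

# Constructed sample of the IPv4 section of a Windows "route print" taken
# after the VPN client connects. Every address is made up for the example:
# 192.168.1.50 is the LAN NIC, 10.10.10.5 is a hypothetical address handed
# out from the ASA's VPN pool, 172.20.4.0/24 is the inside network that
# the thread expects to reach through the tunnel.
ROUTE_PRINT_OK = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
       10.10.10.5  255.255.255.255         On-link        10.10.10.5    276
       172.20.4.0    255.255.255.0       10.10.10.5      10.10.10.5      1
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    276
===========================================================================
"""

# Same host, but the client never installed the route for 172.20.4.0/24.
# This is the failure mode the thread is probing for.
ROUTE_PRINT_MISSING = "\n".join(
    line for line in ROUTE_PRINT_OK.splitlines()
    if not line.lstrip().startswith("172.20.4.0")
) + "\n"


def parse_route_print(text):
    """Return a list of (network, gateway, interface_ip, metric) tuples.

    Only the five-column data rows are kept; headers, separators and the
    "Active Routes:" line are skipped because they do not parse as routes.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.IPv4Address(iface)
            metric = int(metric)
        except ValueError:
            continue  # not a route row
        routes.append((net, gateway, iface_ip, metric))
    return routes


def lookup(routes, dst):
    """Pick the route Windows would use for dst: longest prefix, then
    lowest metric. Returns None if no route (not even a default) matches."""
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def tunnel_route_ok(route_text, inside_net, pool_ip):
    """Check that a host in inside_net would egress via the VPN pool
    address. Returns (ok, explanation)."""
    routes = parse_route_print(route_text)
    probe = next(ipaddress.IPv4Network(inside_net).hosts())
    best = lookup(routes, probe)
    if best is None:
        return False, f"no route for {probe} at all"
    net, gateway, iface_ip, metric = best
    if iface_ip == ipaddress.IPv4Address(pool_ip):
        return True, f"{probe} leaves via VPN address {iface_ip} (route {net})"
    return False, (f"{probe} leaves via {iface_ip} (route {net}), "
                   f"not the VPN pool address {pool_ip}")


if __name__ == "__main__":
    for label, table in (("ok", ROUTE_PRINT_OK), ("missing", ROUTE_PRINT_MISSING)):
        ok, why = tunnel_route_ok(table, "172.20.4.0/24", "10.10.10.5")
        print(f"{label:8s} {'PASS' if ok else 'FAIL'}: {why}")
```

On a real client, paste the "route print" output into ROUTE_PRINT_OK in place of the constructed table and substitute the pool address the ASA actually assigned. A PASS here with traffic still not flowing points past the client's routing and toward the ASA side (crypto ACL, NAT exemption, or the TCP encapsulation path itself), which is where the thread's remaining suspicion lies.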


This archive was generated by hypermail 2.1.4 : Sat Mar 01 2008 - 16:54:47 ARST