Cisco ASA 5540 Adaptive Security Appliance Troubleshooting Guide

IPsec over TCP Fails when Traffic Flows through ASA
Document ID: 113578
Contributed by Jay Johnston, Cisco TAC Engineer.
Jun 26, 2012
Contents
Introduction
Before You Begin
    Requirements
    Components Used
    Conventions
Problem
    Solution
Related Information
Introduction
Cisco VPN Clients that connect to a VPN headend using IPsec over TCP might connect to the headend fine,
but then the connection fails after some time. This document describes how to switch to IPsec over UDP or
native ESP IPsec encapsulation in order to resolve the issue.
Before You Begin
Requirements
In order to encounter this specific problem, Cisco VPN Clients must be configured to connect to a VPN
headend device using IPsec over TCP. In most instances, network administrators configure the ASA to accept
Cisco VPN Client connections over TCP Port 10000.
Components Used
The information in this document is based on Cisco VPN Client.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Problem
When the VPN client is configured for IPsec over TCP (cTCP), the VPN client software will not respond if a
duplicate TCP ACK is received asking for the VPN client to retransmit data. A duplicate ACK might be
generated if there is packet loss somewhere between the VPN client and the ASA headend. Intermittent packet
loss is a fairly common reality on the Internet. However, since the VPN endpoints are not using the TCP
protocol (recall that they are using cTCP), the endpoints will continue transmitting and the connection will
continue.
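As an added example that is not part of this Cisco document, the check below scans a constructed packet trace of a cTCP session (VPN client to ASA on TCP port 10000) for the behaviour just described: a run of duplicate ACKs from the headend side that the client never answers with a retransmission, which is exactly what a stateful device in the path would notice. Addresses, ports, sequence numbers and the trace itself are constructed for illustration.

```python
# Added example, not Cisco code: flag cTCP flows where duplicate ACKs go unanswered.
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport seq ack length")

CLIENT, ASA = "192.0.2.10", "198.51.100.1"   # constructed documentation addresses
CTCP_PORT = 10000                             # TCP port the ASA typically listens on for cTCP

def seg(ts, frm, to, seq, ack, length):
    """Build one constructed packet record between the client and the ASA."""
    sport, dport = (40001, CTCP_PORT) if frm == CLIENT else (CTCP_PORT, 40001)
    return Pkt(ts, frm, sport, to, dport, seq, ack, length)

# Constructed cTCP trace as seen at the ASA: the client's segment at seq 1000 is lost,
# the ASA keeps re-sending ACK 1000, and the client simply keeps transmitting new data.
CTCP_TRACE = [
    seg(0.00, CLIENT, ASA, 1, 1, 999),      # data 1..999 arrives
    seg(0.01, ASA, CLIENT, 1, 1000, 0),     # normal ACK: "send me 1000 next"
    seg(0.02, CLIENT, ASA, 2000, 1, 1000),  # seq 1000 never arrives; 2000 does
    seg(0.03, ASA, CLIENT, 1, 1000, 0),     # duplicate ACK #1
    seg(0.04, CLIENT, ASA, 3000, 1, 1000),
    seg(0.05, ASA, CLIENT, 1, 1000, 0),     # duplicate ACK #2
    seg(0.06, CLIENT, ASA, 4000, 1, 1000),
    seg(0.07, ASA, CLIENT, 1, 1000, 0),     # duplicate ACK #3
    seg(0.08, CLIENT, ASA, 5000, 1, 1000),  # cTCP client ignores the request to retransmit
]

# Same trace, but a real TCP stack retransmits seq 1000 after the third duplicate ACK.
TCP_TRACE = CTCP_TRACE[:-1] + [seg(0.08, CLIENT, ASA, 1000, 1, 1000)]

def find_unanswered_dup_acks(trace, min_dups=3):
    """Return {(acker, peer, ack_number): dup_count} for every ACK number repeated
    at least min_dups extra times that the peer never answered by retransmitting
    the segment starting at ack_number."""
    ack_count = {}          # (acker, peer, ack) -> pure ACKs seen with that number
    retransmitted = set()   # keys answered by a data segment from the peer at seq == ack
    for p in trace:
        if p.length == 0:   # pure ACK, no payload
            key = (p.src, p.dst, p.ack)
            ack_count[key] = ack_count.get(key, 0) + 1
        else:               # data segment: does it answer a duplicate ACK already seen?
            key = (p.dst, p.src, p.seq)
            if ack_count.get(key, 0) >= 2:
                retransmitted.add(key)
    return {k: n - 1 for k, n in ack_count.items()
            if n - 1 >= min_dups and k not in retransmitted}

if __name__ == "__main__":
    print("cTCP trace:", find_unanswered_dup_acks(CTCP_TRACE))  # {('198.51.100.1', '192.0.2.10', 1000): 3}
    print("TCP trace: ", find_unanswered_dup_acks(TCP_TRACE))   # {}
```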
In this scenario, a problem occurs if there is another device such as a firewall tracking the TCP connection
statefully. Since the cTCP protocol does not fully implement a TCP client and server, duplicate ACKs do not