Issues with multiple users connecting to a Cisco IPsec VPN from the same location?
Recently, several of our clients have had issues when multiple staff members are working off-site at third-party locations. While on-site, the users all connect back to their VPN gateway via the Cisco IPsec VPN client.
- Only one user at a time can connect to the Cisco IPsec VPN service.
- If a second user connects, the first user's VPN client is disconnected.
The technical explanation of the problem:
By default, the Cisco IPsec VPN client uses IPsec over NAT with UDP port 10000 as its transport. Many firewalls interfere with UDP traffic (Check Point and NetScreen, to name a few). Technically, multiple users should be able to connect at the same time: each user inside the third-party network has a unique private IP address, and the firewall should be able to use UDP checksums and its flow table to keep track of sessions. In practice, however, the third-party's firewall often appears to get confused, because the on-site users are all connecting via UDP 10000 to the same gateway IP on the Internet (e.g. vpnny1.company.com). Perhaps the third-party firewalls are unable to handle multiple simultaneous internal IPs NATting to the same external destination IP while using UDP.
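As an added illustration of the explanation above (a constructed model written for this page, not code from the original post, and not a description of any particular vendor's firewall): a toy stateful NAT whose flow table can be keyed two ways. full_flow_key tracks flows by the full 5-tuple, which is what a correctly behaving device does; narrow_flow_key models the hypothesised misbehaviour, a device that keeps only one entry per (protocol, destination IP, destination port), so two inside hosts talking to the same gateway on UDP 10000 collide. All addresses, port numbers and the NatFirewall class are assumptions made up for the example.

```python
from collections import namedtuple

# Constructed sample values (not from the original post).
INTERNAL_USER1 = "10.1.1.11"
INTERNAL_USER2 = "10.1.1.12"
FIREWALL_PUBLIC_IP = "198.51.100.1"   # the third-party site's NAT address
VPN_GATEWAY_IP = "203.0.113.10"       # stands in for the company's VPN gateway
VPN_PORT = 10000                      # the client's IPsec-over-UDP port

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


def full_flow_key(pkt):
    """Correct behaviour: one flow-table entry per full 5-tuple."""
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def narrow_flow_key(pkt):
    """Hypothetical misbehaviour: one entry per (proto, destination IP, destination port).
    Two inside hosts reaching the same gateway on the same port share a key here."""
    return (pkt.proto, pkt.dst_ip, pkt.dst_port)


class NatFirewall:
    """Minimal stateful NAT: rewrites the source of outbound packets and uses the
    resulting state to translate replies back. Which flows collide depends on key_fn."""

    def __init__(self, public_ip, key_fn):
        self.public_ip = public_ip
        self.key_fn = key_fn
        self.table = {}                 # flow key -> (inside_ip, inside_port, public_port)
        self._next_public_port = 40000

    def outbound(self, pkt):
        key = self.key_fn(pkt)
        entry = self.table.get(key)
        if entry is None or entry[:2] != (pkt.src_ip, pkt.src_port):
            # New flow. With narrow_flow_key this silently replaces another host's entry.
            entry = (pkt.src_ip, pkt.src_port, self._next_public_port)
            self._next_public_port += 1
            self.table[key] = entry
        return Packet(pkt.proto, self.public_ip, entry[2], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a reply from the gateway back to the inside host, or return None
        (dropped) when no state matches the public port the reply was sent to."""
        for inside_ip, inside_port, public_port in self.table.values():
            if public_port == pkt.dst_port:
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return None


def simulate(key_fn):
    """Two users start a VPN session to the same gateway; report whose replies get through."""
    fw = NatFirewall(FIREWALL_PUBLIC_IP, key_fn)
    # Both clients also use source port 10000 (constructed, to make the collision stark).
    out1 = fw.outbound(Packet("udp", INTERNAL_USER1, VPN_PORT, VPN_GATEWAY_IP, VPN_PORT))
    out2 = fw.outbound(Packet("udp", INTERNAL_USER2, VPN_PORT, VPN_GATEWAY_IP, VPN_PORT))
    # The gateway answers each translated source port it saw.
    reply1 = Packet("udp", VPN_GATEWAY_IP, VPN_PORT, FIREWALL_PUBLIC_IP, out1.src_port)
    reply2 = Packet("udp", VPN_GATEWAY_IP, VPN_PORT, FIREWALL_PUBLIC_IP, out2.src_port)
    return {
        "user1": fw.inbound(reply1) is not None,
        "user2": fw.inbound(reply2) is not None,
    }


if __name__ == "__main__":
    print("5-tuple flow table:       ", simulate(full_flow_key))
    print("per-destination flow table:", simulate(narrow_flow_key))
```

With the 5-tuple key both users' replies are delivered. With the narrow key, the second user's outbound packet evicts the first user's mapping, so the gateway's replies to user 1 no longer match any state and are dropped: that is the "first user gets disconnected" symptom. The model deliberately says nothing about why a given device tracks TCP correctly while mishandling UDP; it only shows what per-destination rather than per-host state does to two simultaneous sessions.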
As neither we nor our client can do much to change the firewall configuration at another company's offices or data centers (especially at Price Waterhouse LLP or Bank of America), here is a solution we can implement on our side to quickly resolve the issue.
1. Configure the VPN gateway to accept IPsec-over-NAT TCP connections (instead of UDP).
(Example: ASA firewall)
crypto isakmp ipsec-over-tcp port 10000
2. Configure the user VPN client profiles to connect over TCP transport:
- Open the VPN Client
- Right-click the VPN connection entry
- On the Transport tab, change UDP to TCP (radio button)
- Set the port number to the port you configured on your VPN gateway
This fixes the issue in most circumstances. (Of course, the port you choose will have to be allowed by the third-party company's outbound firewall policy.)
(Note: if your users are at a very restrictive location, you can try TCP 443. However, you will then lose the ability to manage the firewall on the default ASDM HTTPS port, TCP 443, because of the conflict; for management purposes the ASDM HTTPS port can be changed as follows.)
http server enable 4444