[Openvpn-users] OpenVPN client using TCP fails to connect through Cisco ASA 5520

  • From: "Jeff Myers" <jeffage@xxxxxxxxx>
  • Date: Wed, 20 Jun 2007 09:26:20 -0700

Good day all,
I have a bit of a crisis this morning and I'm hoping someone has some advice.  We had several VPN clients go down this morning as their IT group replaced the firewall with a new Cisco ASA 5520 unit.  The new firewall appears to be killing the OpenVPN connection "handshake" somewhere in the middle.  Just so you know, we run OpenVPN 2.0.9 and use TCP as the connection method.  This has worked at many other sites with several different firewalls.
According to their IT group it looks like the Cisco firewall is blocking a packet coming back to them at port 2000/tcp.  However, as we all know the connections are started from the client side, so this just doesn't make sense.
Here is my config on the client end:
# routed (layer-3) tunnel interface
dev tun
# TCP transport; the server side must run "proto tcp-server"
proto tcp
# server address (elided in the post) and remote TCP port
remote xx.xx.xx.xx 2000
# keep retrying hostname resolution rather than giving up
resolv-retry infinite
# "port" sets BOTH the local and the remote port (same as --lport 2000 --rport 2000);
# without "nobind" the client therefore binds TCP source port 2000 as well
port 2000
# CA certificate used to verify the server's certificate
ca ca.crt
# require the server certificate to carry the nsCertType=server extension
ns-cert-type server
# log verbosity
verb 3
# suppress consecutive messages of the same category after 20 repeats
mute 20
# wait 5 seconds after the connection is up before adding routes
route-delay 5
By the way, I tried switching to "proto udp" and the connection does work.  However, I'd rather not run a separate UDP service for this one site as it would actually be a big pain to reconfigure everything else that would go along with switching them.  It's a long story....  I just would like to know if there's any way to get this old connection back up and running.
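One detail of the quoted client config worth checking against the firewall logs: in OpenVPN 2.0.x the "port" directive fixes both the local and the remote port, so with "port 2000" and no "nobind" the client binds TCP source port 2000, and the server's replies (starting with the SYN-ACK) are addressed to the client's port 2000/tcp. A firewall that only permits return traffic to ephemeral source ports would then drop exactly "a packet coming back at port 2000/tcp". The fragment below is an added example, not the poster's file and not a confirmed fix for this site; it keeps the posted directives, drops the local binding with "nobind", and leaves the TLS/certificate directives that the post does not show (tls-client or client, cert, key) to be carried over unchanged. The server address placeholder is the one from the post.

```conf
# Added example: OpenVPN 2.0.x client over TCP with the local port left to the OS.
# Assumptions: server xx.xx.xx.xx listens with "proto tcp-server" on 2000/tcp;
# certificate paths are placeholders; directives not shown in the post are unchanged.
dev tun
proto tcp
# only the REMOTE port is fixed here ...
remote xx.xx.xx.xx 2000
# ... and the client does not bind a local port at all, so the OS picks an
# ephemeral source port and the server's replies return to that port, not to 2000/tcp
nobind
resolv-retry infinite
ca ca.crt
ns-cert-type server
verb 3
mute 20
route-delay 5
```

To confirm which port the client is actually using before and after the change, a packet capture on the client (for example filtering on tcp and host xx.xx.xx.xx) shows the source port of the outgoing SYN; if it is 2000 with the original config and ephemeral with "nobind", the firewall team can match that against the drops they see.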