Re: [Openvpn-users] OpenVPN client using TCP fails to connect through Cisco ASA 5520

  • Subject: Re: [Openvpn-users] OpenVPN client using TCP fails to connect through Cisco ASA 5520
  • From: Thomas Pedoussaut <thomas@xxxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 17:55:00 +0100

Jeff Myers wrote:
> Good day all,
> I have a bit of a crisis this morning and I'm hoping someone has some
> advice.  We had several VPN clients go down this morning as their IT
> group replaced the firewall with a new Cisco ASA 5520 unit.  The new
> firewall appears to be killing the OpenVPN connection "handshake" in
> the middle somewhere.  Just so you know, we run OpenVPN 2.0.9 and use
> TCP as the connection method.  This has worked at many other sites
> with several different firewalls.
> According to their IT group it looks like the Cisco firewall is
> blocking a packet coming back to them at port 2000/tcp.  However, as
> we all know the connections are started from the client side, so this
> just doesn't make sense.
I've seen the same problem on any connection on port 2000 with Cisco
devices. There is a Cisco protocol called SCCP using port 2000.

As it's Voice Over IP stuff, the firewall tries to protect it by rate
limiting and other methods.
Have a look there on the ASA config and deactivate the protection of
this port (it's usually protected by default). Or allocate them another

Hope this helps
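
Added illustration (not part of the reply above, and not taken from the
customer's ASA): what the relevant piece of an ASA configuration looks
like and which lines turn the port-2000 inspection off. It assumes the
ASA is running the factory default global service policy, in which the
class `inspection_default` matches the `default-inspection-traffic`
set (TCP/2000 included) and applies the Skinny/SCCP inspector to it;
`global_policy` and `inspection_default` are the default names on an
ASA, not names taken from this thread.

```text
! --- As shipped: Skinny (SCCP) inspection is applied to TCP/2000 ---
policy-map global_policy
 class inspection_default
  inspect skinny
!
service-policy global_policy global

! --- Change: stop treating TCP/2000 as SCCP, so the OpenVPN TCP
! --- session on that port is passed through as plain TCP.
! --- Entered in configuration mode on the ASA in front of the clients.
policy-map global_policy
 class inspection_default
  no inspect skinny
!
write memory

! --- Check: the inspector should no longer appear in the running policy
! --- and should no longer be counting packets.
show running-config policy-map
show service-policy inspect skinny
```

Caveat for whoever applies this: removing `inspect skinny` affects every
host behind that ASA, so if the site also runs Cisco IP phones the less
intrusive option is to move OpenVPN to a port that is not in the default
inspection set (OpenVPN's own registered port, 1194, is one such choice)
and change the `port` / `remote` lines in the server and client
configurations accordingly.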

