[c-nsp] ASA "NEM" tunnel problems

Peter Rathlev peter at rathlev.dk
Mon Feb 25 15:53:49 EST 2013

On Thu, 2013-02-21 at 16:47 +0100, Peter Rathlev wrote:
> What we see by debugging is that the ones failing never seem to send
> the "ID_IPV4_ADDR_SUBNET" ID payload with their remote LAN network.

We tried using an IPsec-over-TCP tunnel on one of the affected devices
for some days and it seems to have helped. This makes me suspect again
that it might have something to do with some kind of protocol
inspection. OTOH we see them sending "ID_IPV4_ADDR" which many of the
working ones don't.

I guess if TCP solves the problem it's good enough for me. :-)


More information about the cisco-nsp mailing list