"no crypto isakmp nat-traversal" after reboot


Hello,

With the ASA 8.0 software version, we've noticed that every time we reboot the appliance, the config line:

no crypto isakmp nat-traversal

appears in the configuration.

This is very annoying, because with this the NAT-T obviously doesn't work.

Has any of you noticed this too?

Ideas?

Thanks a lot.

Marco Pizzi.

Correct Answer
Radim Jurica Fri, 01/04/2008 - 01:44

Hi Marco,

This is a bug in the ASA 8.x software version and there is a workaround:

CSCsj52581 Bug Details

no crypto isakmp nat-traversal inconsistent configuration after reboot

Symptom:

After rebooting the ASA, the global command "no crypto isakmp nat-traversal" appears within the running-config even though it is not available within the startup-config.

Conditions:

none

Steps to reproduce it:

bsns-asa5505-1(config)# crypto isakmp nat-traversal

bsns-asa5505-1(config)# copy run start

bsns-asa5505-1(config)# sh run all | inc nat

crypto isakmp nat-traversal 20

bsns-asa5505-1(config)# sh start | inc nat

bsns-asa5505-1(config)#

After reloading the ASA:

bsns-asa5505-1# sh run all | inc nat

no crypto isakmp nat-traversal

bsns-asa5505-1# sh start | inc nat

bsns-asa5505-1#

Workaround:

1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"

2) enable the "crypto isakmp nat-traversal" after rebooting the ASA if you need to use the default value. The default value is: crypto isakmp nat-traversal 20

Radim
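An added example, not part of the original thread or of Cisco's bug note: a post-reload check that classifies a device from saved "sh run all" and "sh start" output, following the symptom and the two workarounds described above. The function names and sample strings are constructed for illustration, and the assumption that a non-default keepalive is written to the startup-config is mine.

```python
import re

# NAT-T line as it appears in "sh run all" / "sh start" output.
NAT_T = re.compile(
    r"^[ \t]*(no[ \t]+)?crypto isakmp nat-traversal(?:[ \t]+(\d+))?[ \t]*$", re.M)
DEFAULT_KEEPALIVE = 20  # default value given in the bug details

# Constructed sample inputs modelled on the transcripts in this thread.
RUN_BEFORE_RELOAD = "no nat-control\ncrypto isakmp nat-traversal 20\n  nat-rewrite\n"
RUN_AFTER_RELOAD = "no nat-control\nno crypto isakmp nat-traversal\n  nat-rewrite\n"
START_DEFAULT = ""  # "sh start | inc nat" printed nothing in the bug details
# Assumption: a non-default value is written to the startup-config.
CFG_WORKAROUND = "crypto isakmp nat-traversal 21\n"


def nat_t_state(config_text):
    """Return (enabled, keepalive), or None when the text has no NAT-T line."""
    matches = list(NAT_T.finditer(config_text))
    if not matches:
        return None
    last = matches[-1]  # use the last occurrence if there is more than one
    if last.group(1):
        return (False, None)
    return (True, int(last.group(2)) if last.group(2) else DEFAULT_KEEPALIVE)


def assess(run_all, startup):
    """Classify a device from its 'sh run all' and 'sh start' output."""
    running, saved = nat_t_state(run_all), nat_t_state(startup)
    if running is None:
        return "UNKNOWN: no NAT-T line found; was 'sh run all' captured?"
    if not running[0]:
        return "DISABLED: re-enter 'crypto isakmp nat-traversal' (workaround 2)"
    if saved is None:
        return ("AT RISK: NAT-T on (keepalive %d) but absent from startup-config; "
                "set a non-default value (workaround 1)" % running[1])
    return "OK: NAT-T on (keepalive %d) and saved in startup-config" % running[1]


if __name__ == "__main__":
    print(assess(RUN_BEFORE_RELOAD, START_DEFAULT))
    print(assess(RUN_AFTER_RELOAD, START_DEFAULT))
    print(assess(CFG_WORKAROUND, CFG_WORKAROUND))
```

Run it against output captured after every reload so that a silently disabled NAT-T is caught before remote peers behind NAT fail to connect.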

Tee Chin Poh Wed, 12/14/2011 - 01:24

Hi Radim,

I have configured crypto isakmp nat-traversal 20 but it didn't appear in the running configuration. My ASA software version is 8.0(2). When I perform sh run all | include nat:

cisco# sh run all | in nat

access-list inside_nat0_outbound extended permit ip any xxxx xxxx

no nat-control

nat (inside) 0 access-list inside_nat0_outbound

crypto isakmp nat-traversal 20

  nat-rewrite

  nat-rewrite

cisco#

So this is also a bug in software version 8.0(2), because when I tried 7.2(1) it did appear in the running configuration. It can work with no issues, right?

Regards,

Tee
