"no crypto isakmp nat-traversal" after reboot

marco
Level 1

Hello,

With the ASA 8.0 software version, we've noticed that every time we reboot the appliance, the config line:

no crypto isakmp nat-traversal

appears in the configuration.

This is very annoying, because with this the NAT-T obviously doesn't work.

Has anyone else noticed this?

Ideas?

Thanks a lot.

Marco Pizzi.

Accepted Solutions

Radim Jurica
Level 1

Hi Marco,

this is a bug in the ASA 8.x software version and there is a workaround:

CSCsj52581 Bug Details

no crypto isakmp nat-traversal inconsistent configuration after reboot

Symptom:

After rebooting the ASA, the global command "no crypto isakmp nat-traversal" appears within the running-config even though it is not available within the startup-config.

Conditions:

none

Steps to reproduce it:

bsns-asa5505-1(config)# crypto isakmp nat-traversal
bsns-asa5505-1(config)# copy run start
bsns-asa5505-1(config)# sh run all | inc nat
crypto isakmp nat-traversal 20
bsns-asa5505-1(config)# sh start | inc nat
bsns-asa5505-1(config)#

After reloading the ASA:

bsns-asa5505-1# sh run all | inc nat
no crypto isakmp nat-traversal
bsns-asa5505-1# sh start | inc nat
bsns-asa5505-1#

Workaround:

1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"

2) enable the "crypto isakmp nat-traversal" after rebooting the ASA if you need to use the default value. The default value is: crypto isakmp nat-traversal 20

Radim
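
An added example, not part of the answer above or of Cisco's bug note: a Python check that classifies NAT-T state from saved "sh run all" and "sh start" output, so a reload that silently turns NAT-T off is caught. The status names and sample texts are constructed for illustration, and it is an assumption that the non-default workaround value is written to the startup-config.

```python
import re

DEFAULT_KEEPALIVE = 20  # default value stated in the bug details above

# The NAT-T line in either form shown in the quoted sessions.
NAT_T = re.compile(r"^(no\s+)?crypto isakmp nat-traversal(?:\s+(\d+))?$")

# Constructed samples modelled on the sessions in this thread.
BEFORE_RELOAD = "no nat-control\ncrypto isakmp nat-traversal 20\n  nat-rewrite\n"
AFTER_RELOAD = "no nat-control\nno crypto isakmp nat-traversal\n"
WORKAROUND = "crypto isakmp nat-traversal 21\n"  # assumed to be saved to startup


def nat_t_state(config_text):
    """Return ('disabled', None), ('enabled', keepalive) or ('absent', None)."""
    state = ("absent", None)
    for line in config_text.splitlines():
        m = NAT_T.match(line.strip())
        if not m:
            continue  # other lines containing "nat" (nat-control, nat-rewrite)
        if m.group(1):
            state = ("disabled", None)
        else:
            state = ("enabled", int(m.group(2) or DEFAULT_KEEPALIVE))
    return state


def audit(run_all, startup):
    """Classify a device from its 'sh run all' and 'sh start' text."""
    running, saved = nat_t_state(run_all), nat_t_state(startup)
    if running[0] == "disabled":
        return "DISABLED"      # NAT-T is off now; re-enter the command
    if running[0] == "enabled" and saved[0] == "absent":
        return "AT_RISK"       # on now, but nothing saved: lost at next reload
    if running[0] == "enabled":
        return "PERSISTENT"    # setting is present in the startup-config
    return "UNKNOWN"           # no NAT-T line in the supplied output


if __name__ == "__main__":
    print("before reload:", audit(BEFORE_RELOAD, ""))
    print("after reload: ", audit(AFTER_RELOAD, ""))
    print("workaround:   ", audit(WORKAROUND, WORKAROUND))
```

Run it against output captured after every reload or upgrade; an AT_RISK result means the device is working now but matches the pre-reload state in the bug's reproduction steps.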

Thanks a lot Radim.

Marco.

Hi Radim,

I have configured crypto isakmp nat-traversal 20 but it didn't appear in the running configuration. My ASA software version is 8.0(2). This is what I get when I perform sh run all | include nat:

cisco# sh run all | in nat
access-list inside_nat0_outbound extended permit ip any xxxx xxxx
no nat-control
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp nat-traversal 20
  nat-rewrite
  nat-rewrite
cisco#

So this is also a bug for software version 8.0(2), because when I tried 7.2(1) it did appear in the running configuration. It can work with no issues, right?

Regards,

Tee