"no crypto isakmp nat-traversal" after reboot

marco
Level 1

Hello,

With the ASA 8.0 software version, we've noticed that every time we reboot the appliance, the config line:

no crypto isakmp nat-traversal

appears in the configuration.

This is very annoying, because with this the NAT-T obviously doesn't work.

Has anyone else noticed this too?

Ideas?

Thanks a lot.

Marco Pizzi.

Accepted Solutions

Radim Jurica
Level 1

Hi Marco,

this is a bug in the ASA 8.x software version and there is a workaround:

CSCsj52581 Bug Details

no crypto isakmp nat-traversal inconsistent configuration after reboot

Symptom:

After rebooting the ASA, the global command "no crypto isakmp nat-traversal" appears within the running-config even though it is not available within the startup-config.

Conditions:

none

Steps to reproduce it:

bsns-asa5505-1(config)# crypto isakmp nat-traversal

bsns-asa5505-1(config)# copy run start

bsns-asa5505-1(config)# sh run all | inc nat

crypto isakmp nat-traversal 20

bsns-asa5505-1(config)# sh start | inc nat

bsns-asa5505-1(config)#

After reloading the ASA:

bsns-asa5505-1# sh run all | inc nat

no crypto isakmp nat-traversal

bsns-asa5505-1# sh start | inc nat

bsns-asa5505-1#

Workaround:

1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"

2) enable the "crypto isakmp nat-traversal" after rebooting the ASA if you need to use the default value. The default value is: crypto isakmp nat-traversal 20

Radim
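
A way to check for this condition from saved CLI output, as an added example that is not part of the original posts or of Cisco's tooling: it flags a device whose NAT-T line is enabled in "sh run all" but missing from "sh start" (so it will be lost on reload), or already disabled. The function names and the sample captures are assumptions constructed from the session shown in the bug details.

```python
import re

# Global NAT-T line as it appears in the thread: optional "no", optional keepalive.
NATT_RE = re.compile(r"^(no\s+)?crypto isakmp nat-traversal(?:\s+(\d+))?$")
DEFAULT_KEEPALIVE = 20  # default value stated in the bug details


def natt_state(config_text):
    """Return (state, keepalive); state is 'absent', 'disabled' or 'enabled'."""
    state = ("absent", None)
    for line in config_text.splitlines():
        m = NATT_RE.match(line.strip())
        if m is None:
            continue  # prompts, nat rules, ACLs and other lines are ignored
        if m.group(1):
            state = ("disabled", None)
        else:
            state = ("enabled", int(m.group(2) or DEFAULT_KEEPALIVE))
    return state


def audit(run_all, startup):
    """Classify one device from its 'sh run all' and 'sh start' output."""
    run_state, _ = natt_state(run_all)
    start_state, _ = natt_state(startup)
    if run_state == "disabled":
        return "disabled"  # NAT-T is off now; the command must be re-entered
    if run_state == "enabled" and start_state != "enabled":
        return "at_risk"   # works now, but the line is not saved and is lost on reload
    if run_state == "enabled":
        return "ok"        # the line is present in startup-config
    return "unknown"       # no NAT-T line in the captured output


# Constructed sample captures, modelled on the session in the bug details.
BEFORE_RELOAD = "bsns-asa5505-1(config)# sh run all | inc nat\ncrypto isakmp nat-traversal 20\n"
AFTER_RELOAD = "bsns-asa5505-1# sh run all | inc nat\nno crypto isakmp nat-traversal\n"
EMPTY_START = "bsns-asa5505-1# sh start | inc nat\nbsns-asa5505-1#\n"
WORKAROUND = "crypto isakmp nat-traversal 21\n"  # assumed saved, per workaround 1

if __name__ == "__main__":
    print(audit(BEFORE_RELOAD, EMPTY_START))
    print(audit(AFTER_RELOAD, EMPTY_START))
    print(audit(WORKAROUND, WORKAROUND))
```

Run it against captures taken after every reload or software change, since a "disabled" result means NAT-T peers behind NAT will not connect until the command is re-entered.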

Thanks a lot Radim.

Marco.

Hi Radim,

I have configured crypto isakmp nat-traversal 20 but it didn't appear in the running configuration. My ASA software version is 8.0(2). When I perform the sh run all | include nat:

cisco# sh run all | in nat

access-list inside_nat0_outbound extended permit ip any xxxx xxxx

no nat-control

nat (inside) 0 access-list inside_nat0_outbound

crypto isakmp nat-traversal 20

  nat-rewrite

  nat-rewrite

cisco#

So this is also a bug for software version 8.0(2), because when I try 7.2(1) it does appear in the running configuration. It can work with no issues, right?

Regards,

Tee
