10-29-2007 02:49 PM - edited 03-09-2019 07:08 PM
Hello,
With the ASA 8.0 software version, we've noticed that every time we reboot the appliance, the config line:
no crypto isakmp nat-traversal
appears in the configuration.
This is very annoying, because with this the NAT-T obviously doesn't work.
Has anyone else noticed this?
Ideas?
Thanks a lot.
Marco Pizzi.
01-04-2008 01:44 AM
Hi Marco,
this is a bug in the ASA 8.x software version and there is a workaround:
CSCsj52581 Bug Details
no crypto isakmp nat-traversal inconsistent configuration after reboot
Symptom:
After rebooting the ASA, the global command "no crypto isakmp nat-traversal" appears within the running-config even though it is not available within the startup-config.
Conditions:
none
Steps to reproduce it:
bsns-asa5505-1(config)# crypto isakmp nat-traversal
bsns-asa5505-1(config)# copy run start
bsns-asa5505-1(config)# sh run all | inc nat
crypto isakmp nat-traversal 20
bsns-asa5505-1(config)# sh start | inc nat
bsns-asa5505-1(config)#
After reloading the ASA:
bsns-asa5505-1# sh run all | inc nat
no crypto isakmp nat-traversal
bsns-asa5505-1# sh start | inc nat
bsns-asa5505-1#
Workaround:
1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"
2) enable the "crypto isakmp nat-traversal" after rebooting the ASA if you need to use the default value. The default value is: crypto isakmp nat-traversal 20
Radim
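A post-reload check built on the symptom and workaround described above, as an added example that is not part of the original thread or of Cisco's bug note: it classifies the output of "sh run all | inc nat" and "sh start | inc nat". The function names and result labels are assumptions, and the third sample (a non-default value saved to the startup-config) is constructed.

```python
import re

DEFAULT_KEEPALIVE = 20  # default value quoted in the bug note

_NATT = re.compile(r"^(no\s+)?crypto isakmp nat-traversal(?:\s+(\d+))?$")


def natt_state(show_output):
    """Parse 'sh ... | inc nat' text into (state, keepalive_seconds)."""
    state = ("absent", None)
    for line in show_output.splitlines():
        m = _NATT.match(line.strip())
        if m is None:
            continue  # unrelated match such as "no nat-control"
        if m.group(1):
            state = ("disabled", None)
        else:
            state = ("enabled", int(m.group(2) or DEFAULT_KEEPALIVE))
    return state


def assess(running_all, startup):
    """Classify a device from its running ('sh run all') and startup output."""
    run, start = natt_state(running_all), natt_state(startup)
    if run[0] == "disabled" and start[0] == "absent":
        return "symptom"       # NAT-T off although nothing saved says so
    if run[0] == "disabled" and start[0] == "disabled":
        return "disabled-by-config"
    if run == ("enabled", DEFAULT_KEEPALIVE) and start[0] == "absent":
        return "at-risk"       # default value not saved; lost on reload
    if run[0] == "enabled" and start == run:
        return "ok"            # explicit value saved, e.g. workaround 1
    return "unknown"


# Outputs copied from the reproduction steps in the thread.
BEFORE_RELOAD = ("crypto isakmp nat-traversal 20\n", "")
AFTER_RELOAD = ("no crypto isakmp nat-traversal\n", "")
# Constructed sample: assumes a non-default value is written to startup-config.
WORKAROUND_1 = ("crypto isakmp nat-traversal 21\n", "crypto isakmp nat-traversal 21\n")

if __name__ == "__main__":
    for name, (run, start) in [("before reload", BEFORE_RELOAD),
                               ("after reload", AFTER_RELOAD),
                               ("workaround 1", WORKAROUND_1)]:
        print(f"{name}: {assess(run, start)}")
```

A "symptom" or "at-risk" result is the cue to apply workaround 1 or to re-enter the command after the reload.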
01-04-2008 02:00 AM
Thanks a lot Radim.
Marco.
12-14-2011 01:24 AM
Hi Radim,
I have configured crypto isakmp nat-traversal 20 but it didn't appear in the running configuration. My ASA software version is 8.0(2), and this is the output when I perform sh run all | include nat:
cisco# sh run all | in nat
access-list inside_nat0_outbound extended permit ip any xxxx xxxx
no nat-control
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp nat-traversal 20
nat-rewrite
nat-rewrite
cisco#
So this is also a bug for software version 8.0(2), because when I tried 7.2(1) it did appear in the running configuration. It can work with no issues, right?
Regards,
Tee