Regular Translation created failed for protocol 50

Unanswered Question
Apr 17th, 2010

Hello,

I have tried 'inspect ipsec-pass-thru' as well as enabling NAT-T but it still has not helped.

Scenario:

VPN Client -> Local Network ASA 1 -> Local Network ASA 2 -> Internet -> Remote Network ASA (VPN Server)

From outside internet, I can successfully connect to remote ASA VPN server via the Cisco VPN client and pass traffic successfully.

However, when I initiate the VPN Client connection from the local network, it connects successfully, but on passing traffic I see 'Regular translation created failed for protocol 50' in the 'Local Network ASA 2' logs.

I have enabled 'inspect ipsec-pass-thru' and NAT-T on both ASAs in the local network, but it hasn't worked. The problem has to be with our local ASA devices because the VPN connection works fine from outside.

Please suggest what could be the problem. All the forums just talk about enabling the above mentioned two features to make it work (which I have already done).

Thanks.

Jennifer Halim Sat, 04/17/2010 - 06:17

You would need to enable NAT-T on the Remote Network ASA (VPN Server) itself to allow the ESP packet to be encapsulated into a UDP/4500 packet, because you are dynamically NATing your VPN Client when you are connected to the local LAN, and "inspect ipsec-pass-thru" does not support PAT.

Here is the command reference for "inspect ipsec-pass-thru" for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168

dedra_live Sat, 04/17/2010 - 06:24

Ok. But as I stated, if I use the VPN Client from the outside internet network it works perfectly fine with the same remote VPN Server configuration. Why is it so? Is NAT-Traversal not required from external networks?

The problem only seems to be when there are ASAs in the middle. So the change should be in the intermediate ASAs. Is that a correct understanding?

Thanks.

Jennifer Halim Sat, 04/17/2010 - 06:31

From outside, it is capable of using ESP protocol to connect, hence it does not fail.

ESP is a protocol, and it does not have a port number. Therefore, if you PAT outbound traffic, it fails because ESP can't be PATed, as it does not have a port number. Hence the requirement to enable NAT-T on the remote VPN server, so that when it detects that the path uses PAT, it can negotiate to use the UDP/4500 encapsulated ESP packet.

From the logs, it clearly states that it fails on 'Regular translation created failed for protocol 50'.

ESP is protocol 50, and protocol 50 does not have a port number, therefore it fails on PAT.

dedra_live Sat, 04/17/2010 - 06:44

Thanks.

Is there any other way of getting it to work without asking the remote VPN Server support team to make any configuration changes on their end?

Jennifer Halim Sat, 04/17/2010 - 15:41

Yes, definitely. You can configure static NAT for the host IP address which is running the VPN client.

Hope that helps.
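As an added illustration of the point made in this thread (not code from the thread or from Cisco), here is a toy model of an outbound translation table: dynamic PAT has no port to allocate for raw ESP (protocol 50) and fails, whereas NAT-T's UDP/4500 encapsulation and a static one-to-one NAT for the client host both translate. The Packet and Translator names and all addresses are constructed for the example.

```python
ESP, UDP = 50, 17          # IP protocol numbers
NAT_T_PORT = 4500          # UDP port used for NAT-T encapsulated ESP

class Packet:
    """Minimal packet: protocol, addresses and a source port (None if the protocol has none)."""
    def __init__(self, proto, src, dst, sport=None):
        self.proto, self.src, self.dst, self.sport = proto, src, dst, sport

class Translator:
    """Toy outbound translator: static one-to-one NAT first, otherwise dynamic PAT."""
    def __init__(self, pat_ip, static=None):
        self.pat_ip = pat_ip             # single public address shared by dynamic PAT
        self.static = static or {}       # real ip -> mapped ip (static NAT, any protocol)
        self.xlates = {}                 # (proto, real ip, real port) -> mapped port
        self.next_port = 1024
        self.log = []

    def translate(self, pkt):
        if pkt.src in self.static:
            # Static NAT rewrites the address only, so a port-less protocol is fine.
            return Packet(pkt.proto, self.static[pkt.src], pkt.dst, pkt.sport)
        if pkt.sport is None:
            # Dynamic PAT must allocate a port to tell hosts behind pat_ip apart;
            # raw ESP has no port field, so no xlate can be built (the log line in the thread).
            self.log.append(f"Regular translation created failed for protocol {pkt.proto} "
                            f"src {pkt.src} dst {pkt.dst}")
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.xlates:
            self.xlates[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.pat_ip, pkt.dst, self.xlates[key])

def demo():
    # Constructed addresses (RFC 5737 documentation ranges), not from the thread.
    client, vpn_server, pat_ip = "192.168.1.10", "198.51.100.7", "203.0.113.2"
    pat_only = Translator(pat_ip)
    raw_esp = pat_only.translate(Packet(ESP, client, vpn_server))           # fails
    nat_t = pat_only.translate(Packet(UDP, client, vpn_server, NAT_T_PORT))  # works
    with_static = Translator(pat_ip, static={client: "203.0.113.10"})
    esp_static = with_static.translate(Packet(ESP, client, vpn_server))     # works
    return raw_esp, nat_t, esp_static, pat_only.log

if __name__ == "__main__":
    for r in demo():
        print(vars(r) if isinstance(r, Packet) else r)
```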
