New Port Address Translation (PAT) breaks the existing IPSec connection on the router


Wed, 07/22/2009 - 19:37
Jun 18th, 2009

Core issue

This occurs in an existing LAN-to-LAN connection between a router and a remote IPSec peer, where the router's IPSec peer address is the address of the crypto map interface. The crypto map interface is also defined for Port Address Translation (PAT). If a VPN Client connection is made through the crypto map interface to the same remote IPSec peer, the existing LAN-to-LAN connection is broken because all User Datagram Protocol (UDP) 500 packets are now translated through the new PAT translation. This is a recurrence of Cisco bug ID CSCeb31945.


This issue is also documented in Cisco bug ID CSCsc80859.

For a workaround, change the IPSec peer source IP address to the address of a loopback interface. Issue the crypto map xxxx local-address loopback 0 command.

Alternatively, change the remote IPSec peer address for either the LAN-to-LAN or the remote access connection, so that the two connections no longer share the same remote peer.

Alternatively, define a static port mapping of UDP 500 to UDP 501 for the VPN Client connection, so that its IKE traffic no longer uses the same translation as the router's own IKE traffic.
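The following Cisco IOS configuration fragment is an added example, not taken from the document or the bug reports, showing the loopback workaround together with the static UDP 500 to 501 mapping. Interface names, addresses, the crypto map name VPNMAP, the NAT access list name and the VPN Client host address are assumed placeholders; the remote peer must be configured to use the loopback address as its peer, and that address must be routable from the remote peer.

```cisco
! Added example configuration (not from the original document).
! Loopback used as the IKE/IPSec source, so the router's own UDP 500 traffic
! is no longer subject to the PAT applied on the crypto map interface.
interface Loopback0
 ip address 203.0.113.10 255.255.255.255
!
interface FastEthernet0/0
 description Outside: crypto map interface that is also the PAT interface
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
interface FastEthernet0/1
 description Inside LAN (LAN-to-LAN hosts and VPN Client hosts)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Exclude the LAN-to-LAN traffic from PAT so it is encrypted, not translated
! (10.10.10.0/24 is the assumed remote protected network).
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
!
! Workaround 1: source IKE/IPSec from Loopback0 instead of the crypto map
! interface. The remote peer must then point at 203.0.113.10.
crypto map VPNMAP local-address Loopback0
!
! Workaround 3: static PAT for the VPN Client host (assumed 192.168.1.50) so
! its IKE leaves the router on UDP 501 instead of sharing the UDP 500 entry.
ip nat inside source static udp 192.168.1.50 500 interface FastEthernet0/0 501
```

After applying the change, verify with show crypto isakmp sa that the LAN-to-LAN SA is sourced from the loopback address and with show ip nat translations that no translation entry exists for the router's own UDP 500 traffic.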


