"no crypto isakmp nat-traversal" after reboot

Hello,

With the ASA 8.0 software version, we've noticed that every time we reboot the appliance, the config line:

no crypto isakmp nat-traversal

appears in the configuration.

This is very annoying, because with this the NAT-T obviously doesn't work.

Has anyone else noticed this too?

Ideas?

Thanks a lot.

Marco Pizzi.

1 ACCEPTED SOLUTION


Re: "no crypto isakmp nat-traversal" after reboot

Hi Marco,

This is a bug in the ASA 8.x software version and there is a workaround:

CSCsj52581 Bug Details

no crypto isakmp nat-traversal inconsistent configuration after reboot

Symptom:

After rebooting the ASA, the global command "no crypto isakmp nat-traversal" appears within the running-config even though it is not available within the startup-config.

Conditions:

none

Steps to reproduce it:

bsns-asa5505-1(config)# crypto isakmp nat-traversal

bsns-asa5505-1(config)# copy run start

bsns-asa5505-1(config)# sh run all | inc nat

crypto isakmp nat-traversal 20

bsns-asa5505-1(config)# sh start | inc nat

bsns-asa5505-1(config)#

After reloading the ASA:

bsns-asa5505-1# sh run all | inc nat

no crypto isakmp nat-traversal

bsns-asa5505-1# sh start | inc nat

bsns-asa5505-1#

Workaround:

1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"

2) enable the "crypto isakmp nat-traversal" after rebooting the ASA if you need to use the default value. The default value is: crypto isakmp nat-traversal 20

Radim
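A post-reload check for the behaviour in the bug details above, as an added example that is not part of the original thread and not Cisco code. It assumes the outputs of "sh run all | inc nat" and "sh start | inc nat" have been saved as text; the names natt_state and audit are hypothetical, the sample strings are constructed, and the AT_RISK rule assumes (from workaround 1) that only a non-default keepalive is written to the startup-config.

```python
import re

DEFAULT_KEEPALIVE = 20  # default value quoted in the bug details

# Matches only the global NAT-T command, not CLI prompts or other "nat" lines.
NATT_LINE = re.compile(r"^(no )?crypto isakmp nat-traversal(?: (\d+))?$")


def natt_state(show_output):
    """Return (enabled, keepalive) for the NAT-T line, or None if absent."""
    for raw in show_output.splitlines():
        m = NATT_LINE.match(raw.strip())
        if not m:
            continue
        if m.group(1):  # "no crypto isakmp nat-traversal"
            return (False, None)
        return (True, int(m.group(2) or DEFAULT_KEEPALIVE))
    return None


def audit(run_all, startup):
    """Compare 'sh run all | inc nat' with 'sh start | inc nat' (hypothetical helper)."""
    running, saved = natt_state(run_all), natt_state(startup)
    if running is None:
        return ["UNKNOWN: no NAT-T line in running-config output"]
    if not running[0]:
        return ["DISABLED: NAT-T is off in the running config"]
    if saved == running:
        return []
    if saved is None and running[1] == DEFAULT_KEEPALIVE:
        # Assumption drawn from workaround 1: the default value is not
        # written to startup-config, so it is lost on reload.
        return ["AT_RISK: default keepalive not in startup-config"]
    return ["UNSAVED: running NAT-T setting differs from startup-config"]


# Constructed samples modelled on the session in the bug details.
BEFORE_RELOAD = ("crypto isakmp nat-traversal 20\n", "")
AFTER_RELOAD = ("no crypto isakmp nat-traversal\n", "")
WORKAROUND = ("no nat-control\ncrypto isakmp nat-traversal 21\n  nat-rewrite\n",
              "crypto isakmp nat-traversal 21\n")

if __name__ == "__main__":
    for name, (run_all, startup) in [("before reload", BEFORE_RELOAD),
                                     ("after reload", AFTER_RELOAD),
                                     ("workaround", WORKAROUND)]:
        print(name, audit(run_all, startup) or ["OK"])
```

Running it after every reload, or from a scheduled config backup job, surfaces the silent revert before remote peers behind NAT start failing.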

Re: "no crypto isakmp nat-traversal" after reboot

Thanks a lot Radim.

Marco.

"no crypto isakmp nat-traversal" after reboot

Hi Radim,

I have configured crypto isakmp nat-traversal 20 but it didn't appear in the running configuration. My ASA software version is 8.0(2). This is the output when I perform sh run all | include nat:

cisco# sh run all | in nat

access-list inside_nat0_outbound extended permit ip any xxxx xxxx

no nat-control

nat (inside) 0 access-list inside_nat0_outbound

crypto isakmp nat-traversal 20

  nat-rewrite

  nat-rewrite

cisco#

So this is also a bug for software version 8.0(2), because when I tried 7.2(1) it did appear in the running configuration. It can work with no issues, right?

Regards,

Tee
