Cisco Support Community

IPsec VPN tunnel fails to come up on PIX/ASA version 7.0(4)

Core issue

This issue occurs when Internet Security Association and Key Management Protocol (ISAKMP) is enabled on an interface and a global command is also defined that uses that interface's IP address for PAT.

This issue is due to the presence of Cisco bug ID CSCsd08170.

In PIX/ASA version 7.0(4), all VPN connections to the security appliance fail because a translation slot (xlate) already exists for the interface IP address on User Datagram Protocol (UDP) port 500. This happens when Port Address Translation (PAT) on the outside interface uses the interface address and hands out UDP port 500 from the low port range to an inside host. When VPN is used, UDP port 500 must be excluded from the pool of ports available for PAT.

Use the show xlate command, which displays output like this:

fw1(config)#show xlate  local
63 in use, 735 most used
PAT Global Local  <<< Problem translation
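As an added check (not part of the original article), this Python snippet parses captured show xlate output and flags PAT translations that hold an IKE port on an interface address with ISAKMP enabled. The xlate line format and the sample output are assumptions, and the UDP 4500 (NAT-T) check goes beyond the article, which mentions only UDP 500.

```python
import re
from typing import Iterable, List, Tuple

# PAT xlate line format of PIX/ASA 7.x "show xlate" (assumed from the
# article's truncated "PAT Global ... Local ..." line):
#   PAT Global <global-ip>(<global-port>) Local <local-ip>(<local-port>)
PAT_LINE = re.compile(
    r"^PAT Global (?P<gip>\d{1,3}(?:\.\d{1,3}){3})\((?P<gport>\d+)\) "
    r"Local (?P<lip>\d{1,3}(?:\.\d{1,3}){3})\((?P<lport>\d+)\)$"
)

# UDP ports IKE needs on the interface: 500 (ISAKMP, from the article) and
# 4500 (NAT-T, added here because a PAT xlate on it collides the same way).
IKE_PORTS = {500, 4500}

Xlate = Tuple[str, int, str, int]  # (global_ip, global_port, local_ip, local_port)

def parse_pat_xlates(output: str) -> List[Xlate]:
    """Extract every PAT translation from captured 'show xlate' output."""
    entries: List[Xlate] = []
    for line in output.splitlines():
        m = PAT_LINE.match(line.strip())
        if m:
            entries.append((m["gip"], int(m["gport"]), m["lip"], int(m["lport"])))
    return entries

def find_ike_port_conflicts(output: str, isakmp_interface_ips: Iterable[str]) -> List[Xlate]:
    """PAT xlates holding an IKE port on an ISAKMP-enabled interface address.

    Such an xlate means PAT handed UDP/500 (or 4500) to an inside host, so inbound
    IKE to the interface matches the xlate instead of the firewall's own IKE process.
    Plain 7.x output omits the protocol, so treat hits as candidates to confirm.
    """
    iface_ips = set(isakmp_interface_ips)
    return [e for e in parse_pat_xlates(output) if e[0] in iface_ips and e[1] in IKE_PORTS]

# Constructed sample (not from the article): outside interface 203.0.113.1 is both
# the ISAKMP interface and the PAT address; 203.0.113.2 is a separate PAT address.
SAMPLE_SHOW_XLATE = """\
63 in use, 735 most used
Global 203.0.113.20 Local 10.1.1.20
PAT Global 203.0.113.1(500) Local 10.1.1.10(500)
PAT Global 203.0.113.1(1024) Local 10.1.1.11(53217)
PAT Global 203.0.113.2(500) Local 10.1.1.12(500)
"""

if __name__ == "__main__":
    for gip, gport, lip, lport in find_ike_port_conflicts(SAMPLE_SHOW_XLATE, ["203.0.113.1"]):
        print(f"Problem translation: {gip}({gport}) <- {lip}({lport})")
```

The sample's 203.0.113.2 entry is not flagged, which mirrors the workaround below: PAT on an address other than the ISAKMP interface does not collide with IKE.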


The temporary workaround is to change the global command so that it uses an IP address other than that of the interface on which ISAKMP is enabled.

For a permanent workaround, upgrade the ASA software to any of these ASA software versions:

  • 7.2(1)

  • 7.2(0.75)

  • 7.1(2.5)

Refer to the Software Center in order to download the latest version.


VPN Tunnel End Points: Any end point
VPN Tunnel Initialization: IPSec session is not established
Bug ID: Bug ID not listed

Version history
Revision #: 1 of 1
Last update: 06-17-2009 10:20 PM