IPsec VPN tunnel fails to come up on PIX/ASA version 7.0(4)
This issue occurs when Internet Security Association and Key Management Protocol (ISAKMP) is enabled on an interface and a global command is also defined that uses that interface's IP address for PAT.
This issue is due to the presence of Cisco bug ID CSCsd08170.
In PIX/ASA version 7.0(4), all VPN connections to the security device fail because there is already an existing translation slot (xlate) for the interface IP address on User Datagram Protocol (UDP) port 500. This is seen in the low port range if an xlate is built and the PIX uses UDP 500 as the Port Address Translation (PAT) port on the outside interface. When VPN is used, UDP port 500 must be removed from the pool of available ports for PAT.
Use the show xlate command, which displays output such as this:

    fw1(config)#show xlate local 10.1.1.1
    63 in use, 735 most used
    PAT Global 188.8.131.52(500) Local 10.1.1.1(123) <<< Problem translation
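The check described above can be automated against saved show xlate output. This is an added example, not part of the original article or Cisco tooling; the function name, the constructed sample lines and the address 192.0.2.1 (standing in for the ISAKMP-enabled interface IP) are assumptions for illustration.

```python
import re

# Matches PAT lines in the format shown in the article:
#   PAT Global <ip>(<port>) Local <ip>(<port>)
PAT_LINE = re.compile(
    r"PAT\s+Global\s+(?P<gip>[\d.]+)\((?P<gport>\d+)\)\s+"
    r"Local\s+(?P<lip>[\d.]+)\((?P<lport>\d+)\)"
)

ISAKMP_PORT = 500  # port that must stay free for ISAKMP on the interface


def find_conflicting_xlates(show_xlate_text, isakmp_interface_ip):
    """Return PAT entries that hold port 500 on the ISAKMP interface address.

    The output format on this page carries no protocol field, so every PAT
    entry on global port 500 is reported for manual review.
    """
    hits = []
    for line in show_xlate_text.splitlines():
        m = PAT_LINE.search(line)
        if not m:
            continue  # summary line, non-PAT entries, blank lines
        if m["gip"] == isakmp_interface_ip and int(m["gport"]) == ISAKMP_PORT:
            hits.append({
                "global": f"{m['gip']}:{m['gport']}",
                "local": f"{m['lip']}:{m['lport']}",
            })
    return hits


# Constructed sample output; 192.0.2.1 is a placeholder interface address.
SAMPLE = """\
3 in use, 735 most used
PAT Global 192.0.2.1(500) Local 10.1.1.1(123)
PAT Global 192.0.2.1(1024) Local 10.1.1.2(53211)
PAT Global 192.0.2.1(5000) Local 10.1.1.3(500)
"""

if __name__ == "__main__":
    for hit in find_conflicting_xlates(SAMPLE, "192.0.2.1"):
        print(f"Problem translation: {hit['local']} -> {hit['global']}")
```

Only the first sample line is reported: global port 5000 and a local port of 500 do not occupy the interface's port 500.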
The temporary workaround is to change the global command so that it uses an IP address other than that of the interface on which ISAKMP is enabled.
For a permanent workaround, upgrade the ASA software to any of these ASA software versions: