Regular Translation created failed for protocol 50

Hello,

I have tried 'inspect ipsec-pass-thru' as well as enabling NAT-T but it still has not helped.

Scenario:

VPN Client -> Local Network ASA 1 -> Local Network ASA 2 -> Internet -> Remote Network ASA (VPN Server)

From outside internet, I can successfully connect to remote ASA VPN server via the Cisco VPN client and pass traffic successfully.

However, when I initiate the VPN Client connection from the local network, it connects successfully, but on passing traffic I see 'Regular translation created failed for protocol 50' in the 'Local Network ASA 2' logs.

I have enabled 'inspect ipsec-pass-thru' and NAT-T on both ASAs in the local network, but it hasn't worked. The problem has to be with our local ASA devices because the VPN connection works fine from outside.

Please suggest what could be the problem. All the forums just talk about enabling the above mentioned two features to make it work (which I have already done).

Thanks.

6 REPLIES
Cisco Employee

Re: Regular Translation created failed for protocol 50

You would need to enable NAT-T on the Remote Network ASA (VPN Server) itself to allow ESP packets to be encapsulated into UDP/4500 packets, because you are dynamically NATing your VPN Client when you are connected to the local LAN, and "inspect ipsec-pass-thru" does not support PAT.

Here is the command reference for "inspect ipsec-pass-thru" for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168

Community Member

Re: Regular Translation created failed for protocol 50

Ok. But as I stated, if I use the VPN Client from the outside internet network it works perfectly fine with the same remote VPN Server configuration. Why is that? Is NAT-Traversal not required from external networks?

The problem only seems to occur when there are ASAs in the middle. So the change should be on the intermediate ASAs. Is that a correct understanding?

Thanks.

Cisco Employee

Re: Regular Translation created failed for protocol 50

From outside, it is capable of using ESP protocol to connect, hence it does not fail.

ESP is a protocol, and it does not have a port number. Therefore, if you PAT outbound traffic, it fails because ESP can't be PATed, as it has no port number. Hence the requirement to enable NAT-T on the remote VPN server, so that when it detects that the path uses PAT, it can negotiate to use UDP/4500-encapsulated ESP packets.

From the logs, it clearly states that it fails on 'Regular translation created failed for protocol 50'.

ESP is protocol 50, and protocol 50 does not have a port number, therefore it fails on PAT.

Community Member

Re: Regular Translation created failed for protocol 50

Thanks.

Is there any other way of getting it to work without asking the remote VPN Server support team to make any configuration changes on their end?

Community Member

Re: Regular Translation created failed for protocol 50

Possibly static NAT or something else.

Thanks.

Cisco Employee

Re: Regular Translation created failed for protocol 50

Yes, definitely. You can configure static NAT for the IP address of the host which is running the VPN client.

Hope that helps.
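To make the reasoning in the two Cisco Employee replies above concrete (ESP has no port so dynamic PAT has nothing to rewrite, NAT-T wraps it in UDP/4500 which does, and a 1:1 static NAT never needs a port), here is a toy model of the three translation cases. This is an added example written for this page, not code from the thread or from Cisco; the IP addresses and the simplified NAT tables are constructed for illustration and do not model real ASA behaviour beyond the port/no-port distinction.

```python
"""Toy model: why dynamic PAT fails on ESP (IP protocol 50) while NAT-T and static NAT work.

Added example for illustration; all addresses are constructed documentation addresses.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PROTO_UDP = 17
PROTO_ESP = 50       # ESP carries no transport header, so no port numbers
NAT_T_PORT = 4500    # UDP port used by IPsec NAT-Traversal


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    src_port: Optional[int]   # None for protocols without ports, such as ESP
    dst_ip: str
    dst_port: Optional[int]


class DynamicPat:
    """Many inside hosts share one outside IP; flows are told apart by translated port."""

    def __init__(self, outside_ip: str, first_port: int = 1024) -> None:
        self.outside_ip = outside_ip
        self.next_port = first_port
        # (proto, inside ip, inside port) -> outside port
        self.table: Dict[Tuple[int, str, int], int] = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.src_port is None:
            # Nothing to rewrite and no way to demultiplex the return traffic:
            # this is the condition the ASA logs as
            # "Regular translation created failed for protocol 50".
            raise ValueError(f"PAT failed: protocol {pkt.proto} has no port number")
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.outside_ip, self.table[key], pkt.dst_ip, pkt.dst_port)


class StaticNat:
    """1:1 static NAT: one inside IP maps to one dedicated outside IP; ports are untouched."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.mapping = dict(mapping)

    def translate(self, pkt: Packet) -> Packet:
        if pkt.src_ip not in self.mapping:
            raise ValueError(f"no static translation for {pkt.src_ip}")
        return Packet(pkt.proto, self.mapping[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)


def nat_t_encapsulate(esp_pkt: Packet) -> Packet:
    """NAT-T: the VPN peers wrap ESP inside UDP/4500 so a PAT device has a port to work with."""
    assert esp_pkt.proto == PROTO_ESP
    return Packet(PROTO_UDP, esp_pkt.src_ip, NAT_T_PORT, esp_pkt.dst_ip, NAT_T_PORT)


def run_scenarios() -> Dict[str, str]:
    """Run the three cases from the thread and report the outcome of each."""
    client = "192.168.1.10"        # constructed: host running the VPN client
    vpn_server = "198.51.100.1"    # constructed: remote ASA VPN server
    esp = Packet(PROTO_ESP, client, None, vpn_server, None)
    results: Dict[str, str] = {}

    # Case 1: raw ESP through a dynamic PAT (the poster's failing setup).
    pat = DynamicPat(outside_ip="203.0.113.2")
    try:
        pat.translate(esp)
        results["pat_esp"] = "translated"
    except ValueError:
        results["pat_esp"] = "failed"

    # Case 2: NAT-T negotiated with the server, then the same PAT.
    out = pat.translate(nat_t_encapsulate(esp))
    results["pat_nat_t"] = f"udp {out.src_ip}:{out.src_port} -> {out.dst_ip}:{out.dst_port}"

    # Case 3: static NAT for the client host, no NAT-T needed.
    static = StaticNat({client: "203.0.113.10"})
    out = static.translate(esp)
    results["static_esp"] = f"esp {out.src_ip} -> {out.dst_ip}"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} {outcome}")
```

The point the model makes is that PAT is a per-port translation, so a protocol with no transport header cannot be overloaded onto a shared address; either the peers must add a UDP header (NAT-T, which needs the remote side's cooperation) or the translating device must give the host its own outside address (static NAT, which only needs a change on the local ASAs).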
