Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

VPN Client 4.8 NAT-T Problem

I'm having trouble making NAT-T connections from a 4.8 client behind a Checkpoint FW-1 to any PIXes, ASAs, or 3000 series concentrators on the Internet.

The IKE SA comes up fine, NAT detection and NAT-T negotiation works fine (the IKE SA is moved to udp/4500) and it even appears that the ESP/NAT-T SA is negotiated properly; IKE mode config configures my client IP address and DNS servers, the virtual adapter is activated, etc. However, as soon as I attempt to pass any traffic over the SA, I get the following messages in the client's log:

1986 13:16:05.364 02/23/06 Sev=Info/4 IPSEC/0x63700019

Activate outbound key with SPI=0x149cf1eb for inbound key with SPI=0xfdc0dd6c

1987 13:16:05.364 02/23/06 Sev=Warning/3 IPSEC/0xA3700016

IPSec over UDP port incorrect

I get a pair of these for every packet I attempt to pass over the tunnel.

Does anyone have any idea what that second error message even means? I can't find it documented anywhere.

If I sniff traffic on the Ethernet interface of the local client, I don't see it even attempting to send any ESP/NAT-T traffic to the remote VPN server; all I see are occasional IKE Informational messages with the Non-ESP marker exchanged between the client and server, and eventually, the server stops responding and the connection is dropped (i.e. the SAs are deleted by the client).

I'm sure it has something to do with the FW-1 munging something in the IKE NAT-T packets so that the client won't even attempt to send the traffic, but I need to be able to explain the problem to the people that manage the firewall in excruciating detail, and I don't understand it myself at this point. Thanks for any help in advance.

New Member

Re: VPN Client 4.8 NAT-T Problem

Follow-up question: Is there anywhere on Cisco's website I can look up the VPN Client Event Log error messages and what they really mean? The User Guide indicates that the last part of each event log entry is EventClass/MessageID (e.g. IPSEC/0xA3700016 in the second log entry quoted in my post), but I haven't found a reference for these anywhere.

New Member

Re: VPN Client 4.8 NAT-T Problem

Update: I opened a case with TAC to troubleshoot this and found that the client is, in fact, transmitting ESP/NAT-T traffic to the VPN server (PIX). I was attempting to sniff the traffic from the client itself, and apparently a driver was hiding the ESP/NAT-T packets from the packet filter. I redid the sniff from another PC plugged into the same hub as the VPN client and was able to see the ESP/NAT-T traffic, and encaps/decaps counters increase on ESP SA on the PIX end.

The problem, as it turns out, is that the NAT/PAT process on the Checkpoint firewall is not properly translating the UDP destination port on the return packets (i.e. it's not getting translated back from a high port to UDP/4500). That's what the error message "IPSec over UDP port incorrect" indicates; that the ESP/NAT-T traffic from the remote VPN server is being sent to a port other than UDP/4500 on the VPN client. This is especially weird, since it only happens for the ESP/NAT-T traffic, and NAT is performed properly for the IKE/NAT-T traffic.

Anyway, the case is still open, but it's most likely a bug in the Firewall-1 NAT code, IMO.

New Member

Re: VPN Client 4.8 NAT-T Problem

Private e-mail from another reader of this forum confirms that this is probably a bug in the Firewall-1 NAT/PAT code. He has a ticket open with Checkpoint for the exact same problem; I'll post back when he hears back from Checkpoint.

CreatePlease to create content