Cisco Support Community

New Member

VPN troubles as of 12.4

I recently upgraded the IOS on our 1751 router to 12.4(5) and consequently broke the remote access VPN that I set up about 2 years ago. I noticed that for some reason I lost all the stored passwords for the vpn group and radius. After putting those back in, I can connect to the vpn successfully, but once connected I can't seem to pass any traffic across the tunnel. I can't even ping the client from the router. I've compared the running config with old backups and another currently working config, but I can't see any problems. In testing I also noticed that split tunneling is no longer working...

I've been staring at this config too long. Please tell me I'm just overlooking something simple.

5 REPLIES
Gold

Re: VPN troubles as of 12.4

It looks like a NAT traversal issue.

Try the command "isakmp nat-traversal" on the router.

Hope that helps

M.

New Member

Re: VPN troubles as of 12.4

"isakmp nat-traversal" isn't accepted as a valid command. Isn't that a PIX command?

Re: VPN troubles as of 12.4

Hi

Milan was right in quoting the command, but you need to try with seconds followed by the command

isakmp nat-traversal 20 ---- (20 seconds)

Do refer to this link for more info:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1575273

Regards

New Member

Re: VPN troubles as of 12.4

When I enter that command this is what happens:

1751ESA(config)#isakmp nat-traversal 20

^

% Invalid input detected at '^' marker.

If I type "i?":

1751ESA(config)#i?

identity interface ip ixi

So isakmp doesn't seem to be a valid command on my 1751 router, but I just fired up an old Pix-520 and typed "isakmp ?" and it DID list 'isakmp nat-traversal', which is good to know, but doesn't help me any.

However, I found this quote in the Cisco IOS Security Configuration Guide, Release 12.4:

"NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated." (from http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html#wp1049093)

And on that page it mentioned the command "crypto isakmp nat keepalive 20", which seems to be equivalent to the PIX "isakmp nat-traversal 20" command, but I tried that and it didn't help.

Any other ideas?

New Member

Re: VPN troubles as of 12.4

I just upgraded from 12.4-5 to 12.4-7 and it works just perfectly.
