03-02-2006 02:52 PM
I recently upgraded the IOS on our 1751 router to 12.4(5) and consequently broke the remote access VPN that I set up about 2 years ago. I noticed that for some reason I lost all the stored passwords for the vpn group and radius. After putting those back in, I can connect to the vpn successfully, but once connected I can't seem to pass any traffic across the tunnel. I can't even ping the client from the router. I've compared the running config with old backups and another currently working config, but I can't see any problems. In testing I also noticed that split tunneling is no longer working...
I've been staring at this config too long. Please tell me I'm just overlooking something simple.
03-02-2006 11:43 PM
It looks like a NAT traversal issue.
Try the command "isakmp nat-traversal" on the router.
Hope that helps
M.
03-07-2006 01:12 PM
"isakmp nat-traversal" isn't accepted as a valid command. Isn't that a PIX command?
03-07-2006 11:54 PM
Hi
Milan was right in quoting the command, but you need to try with seconds followed by the command
isakmp nat-traversal 20 ---- (20 seconds)
Do refer to this link for more info:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1575273
Regards
03-08-2006 12:51 PM
When I enter that command this is what happens:
1751ESA(config)#isakmp nat-traversal 20
^
% Invalid input detected at '^' marker.
If I type "i?":
1751ESA(config)#i?
identity interface ip ixi
So isakmp doesn't seem to be a valid command on my 1751 router, but I just fired up an old Pix-520 and typed "isakmp ?" and it DID list 'isakmp nat-traversal', which is good to know, but doesn't help me any.
However, I found this quote in the Cisco IOS Security Configuration Guide, Release 12.4:
"NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated." (from http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html#wp1049093)
And on that page it mentioned the command "crypto isakmp nat keepalive 20", which seems to be equivalent to the PIX "isakmp nat-traversal 20" command. But I tried that and it didn't help.
Any other ideas?
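For readers wondering what "auto detected" means in the guide quoted above: RFC 3947 defines NAT detection for IKE through NAT-D payloads, and the sketch below works through that check from the receiving side. It is an added example, not code from this thread or from Cisco; the function names are hypothetical, SHA-1 is assumed as the negotiated hash, and the cookies and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets (IPv4) or 16 (IPv6)
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver-side check of a peer's NAT-D payloads.

    nat_d[0] is the peer's hash of the address it sent to (us);
    nat_d[1:] are hashes of the peer's own possible source addresses.
    seen_src / seen_dst are (ip, port) as observed on the received packet.
    """
    local = nat_d_hash(cky_i, cky_r, *seen_dst)
    remote = nat_d_hash(cky_i, cky_r, *seen_src)
    local_natted = nat_d[0] != local
    peer_natted = remote not in nat_d[1:]
    return {
        "local_behind_nat": local_natted,
        "peer_behind_nat": peer_natted,
        # On any mismatch IKE moves to UDP 4500 and ESP is UDP-encapsulated.
        "float_to_udp_4500": local_natted or peer_natted,
    }


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("99aabbccddeeff00")
CLIENT = ("192.168.1.50", 500)    # VPN client's real source address
NAT_OUT = ("203.0.113.7", 1024)   # what the router sees after translation
ROUTER = ("198.51.100.1", 500)


def client_payloads():
    """NAT-D payloads the client sends: destination hash first, then source."""
    return [nat_d_hash(CKY_I, CKY_R, *ROUTER), nat_d_hash(CKY_I, CKY_R, *CLIENT)]


if __name__ == "__main__":
    print(detect_nat(CKY_I, CKY_R, client_payloads(), NAT_OUT, ROUTER))  # NAT in path
    print(detect_nat(CKY_I, CKY_R, client_payloads(), CLIENT, ROUTER))   # no NAT
```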
03-08-2006 01:35 PM
I just upgraded from 12.4-5 to 12.4-7 and it works just perfectly.