
VPN troubles as of 12.4

donny
Level 1

I recently upgraded the IOS on our 1751 router to 12.4(5) and consequently broke the remote access VPN that I set up about 2 years ago. I noticed that for some reason I lost all the stored passwords for the VPN group and RADIUS. After putting those back in, I can connect to the VPN successfully, but once connected I can't seem to pass any traffic across the tunnel. I can't even ping the client from the router. I've compared the running config with old backups and another currently working config, but I can't see any problems. In testing I also noticed that split tunneling is no longer working...

I've been staring at this config too long. Please tell me I'm just overlooking something simple.

5 Replies

m.sir
Level 7

It looks like a NAT traversal issue.

Try the command "isakmp nat-traversal" on the router.

Hope that helps

M.

"isakmp nat-traversal" isn't accepted as a valid command. Isn't that a PIX command?

Hi

Milan was right in quoting the command, but you need to try with seconds followed by the command:

isakmp nat-traversal 20 ---- (20 seconds)

Do refer to this link for more info:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/cref_txt/gl.htm#wp1575273

Regards

When I enter that command this is what happens:

1751ESA(config)#isakmp nat-traversal 20

^

% Invalid input detected at '^' marker.

If I type "i?":

1751ESA(config)#i?

identity interface ip ixi

So isakmp doesn't seem to be a valid command on my 1751 router, but I just fired up an old Pix-520 and typed "isakmp ?" and it DID list 'isakmp nat-traversal', which is good to know, but doesn't help me any.

However, I found this quote in the Cisco IOS Security Configuration Guide, Release 12.4:

"NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a router running Cisco IOS Release 12.2(13)T. If both VPN devices are NAT-T capable, NAT Traversal is auto detected and auto negotiated." (from http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455c72.html#wp1049093)

And on that page it mentioned the command "crypto isakmp nat keepalive 20", which seems to be equivalent to the PIX "isakmp nat-traversal 20" command. But I tried that and it didn't help.

Any other ideas?

I just upgraded from 12.4-5 to 12.4-7 and it works just perfectly.