
ISP Blocks IPSEC (ESP) - Force Nat-T on ASA5500-X

jacobhoegh
Level 1

Some ISPs may block ESP (seen in Bangladesh and China). Or you might suspect that the ISP limits the bandwidth for ESP. But you don't see the same for AnyConnect clients or VPN tunnels using NAT-Traversal.

Normally NAT-T is auto-negotiated, and this is in general the best way since it's the default and supported

But you can force the ASA to use NAT-T for all IKEv2 tunnels. The setting is not kept in NVRAM, so a reboot clears the setting. Also, you need to configure all peers with the same setting, since the peers will not use NAT-T unless you force it on both sides or one side is behind a NAT IP.

 

debug menu ikev2 4 1

 

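To check from a capture on the outside interface whether a tunnel is really carrying its data over NAT-T, the payloads on UDP 4500 can be told apart using the RFC 3948 rules (non-ESP marker, one-byte keepalive, otherwise ESP). The Python below is an added example, not part of the original post; the packets, addresses and SPI are constructed test data, and fragmented packets are not handled.

```python
import socket
import struct
from collections import Counter

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500

def classify(packet: bytes) -> str:
    """Label one raw, unfragmented IPv4 packet by how it carries IKE/ESP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] == PROTO_ESP:
        return "native-esp"            # IP protocol 50, no UDP wrapper
    if packet[9] != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + ulen]
    if IKE_PORT in (sport, dport):
        return "ike-udp500"
    if NATT_PORT not in (sport, dport):
        return "other"
    if payload == b"\xff":
        return "natt-keepalive"        # single 0xFF octet
    if payload[:4] == b"\x00" * 4:
        return "ike-udp4500"           # non-ESP marker precedes the IKE header
    return "esp-in-udp" if len(payload) >= 8 else "other"

def natt_in_use(packets) -> bool:
    """True when tunnel data is UDP-encapsulated and no protocol-50 ESP is seen."""
    seen = Counter(classify(p) for p in packets)
    return seen["esp-in-udp"] > 0 and seen["native-esp"] == 0

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed test data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.2")) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    """Prefix data with a UDP header (constructed test data, checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP = struct.pack("!II", 0x1234ABCD, 1) + b"\x00" * 32   # constructed SPI/seq/body
FORCED = [ipv4(17, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
          ipv4(17, udp(4500, 4500, ESP)), ipv4(17, udp(4500, 4500, b"\xff"))]
NATIVE = [ipv4(17, udp(500, 500, b"\x11" * 28)), ipv4(50, ESP)]

if __name__ == "__main__":
    print([classify(p) for p in FORCED + NATIVE], natt_in_use(FORCED))
```
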