10-29-2007 02:49 PM - edited 03-09-2019 07:08 PM
Hello,
With the ASA 8.0 software version, we've noticed that every time we reboot the appliance, the config line:
no crypto isakmp nat-traversal
appears in the configuration.
This is very annoying, because with this the NAT-T obviously doesn't work.
Has anyone else noticed this?
Ideas?
Thanks a lot.
Marco Pizzi.
01-04-2008 01:44 AM
Hi Marco,
This is a bug in the ASA 8.x software version and there is a workaround:
CSCsj52581 Bug Details
no crypto isakmp nat-traversal inconsistent configuration after reboot
Symptom:
After rebooting the ASA, the global command "no crypto isakmp nat-traversal" appears within the running-config even though it is not available within the startup-config.
Conditions:
none
Steps to reproduce it:
bsns-asa5505-1(config)# crypto isakmp nat-traversal
bsns-asa5505-1(config)# copy run start
bsns-asa5505-1(config)# sh run all | inc nat
crypto isakmp nat-traversal 20
bsns-asa5505-1(config)# sh start | inc nat
bsns-asa5505-1(config)#
After reloading the ASA:
bsns-asa5505-1# sh run all | inc nat
no crypto isakmp nat-traversal
bsns-asa5505-1# sh start | inc nat
bsns-asa5505-1#
Workaround:
1) use a non-default value, for instance, "crypto isakmp nat-traversal 21"
2) enable the "crypto isakmp nat-traversal" after rebooting the ASA if you need to use the default value. The default value is: crypto isakmp nat-traversal 20
Radim
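A post-reload check for the condition described in this answer, as an added example that is not part of the original posts or any Cisco tooling. It assumes you have captured the text of "sh run all" and "sh start"; the function names are hypothetical, and the sample outputs are modelled on the transcripts in this thread (the saved line in the workaround case is an assumption).

```python
import re

# Match only the NAT-T line: "| inc nat" also returns nat-control,
# nat (inside), nat-rewrite and similar unrelated lines.
NATT_RE = re.compile(r"^\s*(no\s+)?crypto isakmp nat-traversal(?:\s+(\d+))?\s*$")
DEFAULT_KEEPALIVE = 20  # default value stated in the thread


def natt_state(config_text):
    """Return ('enabled', keepalive), ('disabled', None) or ('absent', None)."""
    state = ("absent", None)
    for line in config_text.splitlines():
        m = NATT_RE.match(line)
        if not m:
            continue
        if m.group(1):  # leading "no": NAT-T explicitly turned off
            state = ("disabled", None)
        else:           # bare command means the default keepalive
            state = ("enabled", int(m.group(2) or DEFAULT_KEEPALIVE))
    return state


def audit(run_all, startup):
    """Compare 'sh run all' with 'sh start' and return a list of findings."""
    running, saved = natt_state(run_all), natt_state(startup)
    findings = []
    if running[0] == "disabled":
        findings.append("NAT-T is disabled in running-config")
        if saved[0] == "absent":
            findings.append("startup-config has no NAT-T line: matches CSCsj52581 after reload")
    elif running == ("enabled", DEFAULT_KEEPALIVE) and saved[0] == "absent":
        findings.append("default keepalive 20 is not saved; use a non-default value such as 21")
    return findings


# Sample outputs modelled on the transcripts in this thread.
BEFORE_RELOAD = "no nat-control\ncrypto isakmp nat-traversal 20\nnat-rewrite\n"
AFTER_RELOAD = "no nat-control\nno crypto isakmp nat-traversal\nnat-rewrite\n"
WORKAROUND = "crypto isakmp nat-traversal 21\n"  # assumed to be saved as typed

if __name__ == "__main__":
    for name, run, start in [("before reload", BEFORE_RELOAD, ""),
                             ("after reload", AFTER_RELOAD, ""),
                             ("workaround", WORKAROUND, WORKAROUND)]:
        print(name, "->", audit(run, start) or "ok")
```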
01-04-2008 02:00 AM
Thanks a lot Radim.
Marco.
12-14-2011 01:24 AM
Hi Radim,
I have configured crypto isakmp nat-traversal 20 but it didn't appear in the running configuration. My ASA software version is 8.0(2). This is when I perform sh run all | include nat:
cisco# sh run all | in nat
access-list inside_nat0_outbound extended permit ip any xxxx xxxx
no nat-control
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp nat-traversal 20
nat-rewrite
nat-rewrite
cisco#
So this is also a bug for software version 8.0(2), because when I tried 7.2(1) it did appear in the running configuration. It can work with no issues, right?
Regards,
Tee