Core issue

This issue occurs when Internet Security Association and Key Management Protocol (ISAKMP) is enabled on an interface and there is also a global defined command that uses the interface IP address for PAT.

This issue is due to the presence of Cisco bug ID CSCsd08170.

In PIX/ASA version 7.0(4), all VPN connections to the security device fail because there is already an existing translation slot (xlate) for the interface IP address on User Datagram Protocol (UDP) port 500. This is seen in the low port range if an xlate is built and the PIX uses UDP 500 as the Port Address Translation (PAT) port on the outside interface. When VPN is used, UDP port 500 must be removed from the pool of available ports for PAT.

Use the show xlate command, which displays this output:

(e.g) fw1(config)#show xlate  local 10.1.1.1
63 in use, 735 most used
PAT Global 2.2.2.2(500) Local 10.1.1.1(123)  <<< Problem translation

Resolution

The temporary workaround is to replace the global command with an IP address that is not in the interface with ISAKMP enabled.

For a permanent workaround, upgrade the ASA software to any of these ASA software versions:

• 7.2(1)
  
  
• 7.2(0.75)
  
  
• 7.1(2.5)

Refer to the Software Center in order to download the latest version.

Frequency

Intermittently

VPN Tunnel End Points

Any end point

ASA

Protocol / Ports

UDP

VPN Protocols

IPSec

VPN Tunnel Initialization

IPSec session is not established

Bug ID

Bug ID not listed