TCC_2

Core issue

This occurs on an existing LAN-to-LAN connection between a router and a remote IPSec peer, where the IPSec peer address is the crypto map interface and that interface is also defined for Port Address Translation (PAT). If a VPN Client connection is made through the crypto map interface to the same remote IPSec peer, the existing LAN-to-LAN connection breaks because all User Datagram Protocol (UDP) 500 packets are now translated by the new PAT translation. This is a recurrence of Cisco bug ID CSCeb31945.

Resolution

This issue is also documented in Cisco bug ID CSCsc80859.

For a workaround, change the IPSec peer source IP address to be a loopback interface. Issue the crypto map xxxx local-address loopback 0 command.

Change the remote IPSec peer address for either the LAN-to-LAN or remote access connection.

Define a static port mapping of UDP 500 to UDP 501 for the VPN Client connection.
