Core issue
This issue occurs when Internet Security Association and Key Management Protocol (ISAKMP) is enabled on an interface and a global command is also defined that uses that interface's IP address for PAT.
This issue is due to the presence of Cisco bug ID CSCsd08170.
In PIX/ASA version 7.0(4), all VPN connections to the security device fail because a translation slot (xlate) already exists for the interface IP address on User Datagram Protocol (UDP) port 500. This happens in the low port range when an xlate is built and the PIX selects UDP 500 as the Port Address Translation (PAT) port on the outside interface. When VPN is in use, UDP port 500 must be removed from the pool of ports available for PAT.
Use the show xlate command. Example output:
fw1(config)#show xlate local 10.1.1.1
63 in use, 735 most used
PAT Global 2.2.2.2(500) Local 10.1.1.1(123) <<< Problem translation
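The following checker, added here as an example and not part of the original article, parses show xlate output in the format quoted above and flags PAT translations that occupy an IKE port on an ISAKMP-enabled interface address. The sample output and the set of ISAKMP interface addresses are constructed; UDP 4500 (NAT-T) is checked as well, which goes beyond the port 500 case the article describes.

```python
import re

# Constructed sample of "show xlate" output in the format quoted by the article.
SAMPLE_XLATE = """\
63 in use, 735 most used
PAT Global 2.2.2.2(500) Local 10.1.1.1(123)
PAT Global 2.2.2.2(1025) Local 10.1.1.2(53)
PAT Global 2.2.2.3(500) Local 10.1.1.3(500)
Global 2.2.2.10 Local 10.1.1.10
"""

# Assumed: interface addresses on which ISAKMP is enabled (the outside interface here).
ISAKMP_INTERFACE_IPS = {"2.2.2.2"}

# UDP 500 is ISAKMP (the article's case); 4500 is NAT-T, added for completeness.
# show xlate does not print the protocol per line, so the port alone is checked.
VPN_UDP_PORTS = {500, 4500}

PAT_LINE = re.compile(
    r"^PAT Global (?P<gip>\d+\.\d+\.\d+\.\d+)\((?P<gport>\d+)\) "
    r"Local (?P<lip>\d+\.\d+\.\d+\.\d+)\((?P<lport>\d+)\)$"
)


def parse_pat_xlates(text):
    """Return (global_ip, global_port, local_ip, local_port) for each PAT xlate line.

    Static (non-PAT) Global/Local lines and the summary line are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = PAT_LINE.match(line.strip())
        if m:
            entries.append((m["gip"], int(m["gport"]), m["lip"], int(m["lport"])))
    return entries


def find_conflicting_xlates(text, isakmp_ips=ISAKMP_INTERFACE_IPS, ports=VPN_UDP_PORTS):
    """PAT xlates whose global address is an ISAKMP-enabled interface IP and whose
    global port is one IKE needs; these are the translations that block tunnels."""
    return [x for x in parse_pat_xlates(text) if x[0] in isakmp_ips and x[1] in ports]


if __name__ == "__main__":
    for gip, gport, lip, lport in find_conflicting_xlates(SAMPLE_XLATE):
        print(f"PAT Global {gip}({gport}) Local {lip}({lport}) <<< Problem translation")
```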
Resolution
The temporary workaround is to change the global command so that it uses an IP address other than that of the interface on which ISAKMP is enabled.
For a permanent workaround, upgrade the ASA software to any of these ASA software versions:
- 7.2(1)
- 7.2(0.75)
- 7.1(2.5)
Refer to the Software Center in order to download the latest version.
Frequency: Intermittently
VPN Tunnel End Points: Any end point
ASA
Protocol / Ports: UDP
VPN Protocols: IPSec
VPN Tunnel Initialization: IPSec session is not established
Bug ID: Bug ID not listed