Need some help, a problem with IPSec and NAT-T

jimmyc_2
Level 1

We had a successful connection between a remote-access Cisco client and the ASA. The connection can no longer transfer data, but Phase I and Phase II do complete successfully. There are several hops between separate networks to get from the remote user to the ASA, including Verizon private lines and Verizon ISP.

Cisco troubleshooting guides strongly suggest this is a NAT-T issue, but when I turn on debug isakmp 254 and debug ipsec 254, I receive only one modest message about NAT-T, which is "Received NAT-Traversal version 02 VID". This message, and connections, are when I have NAT-T disabled on the ASA.

If I enable NAT-T on the ASA, the remote client cannot establish Phase I or II; I haven't been able to collect debugs on that scenario yet.

The client has a second laptop; both of them exhibit the same problem. We have ensured that Tunneling, UDP 4500 is enabled.

I suspect an intermediate device, or Verizon, has changed something.

What should be my next troubleshooting steps (sadly, I cannot post the configs)?

Regards,

j
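For anyone checking what is actually crossing UDP/4500 in a packet capture while chasing a problem like this: an added example (not code from this thread or from Cisco) that decodes the RFC 3948 UDP-encapsulation framing and recognises the NAT-T Vendor-ID hashes behind the "Received NAT-Traversal version 02 VID" debug line. The datagrams in it are constructed by hand, not captured from the poster's ASA or client.

```python
"""Decode what is on the wire for IKE/IPsec NAT-T (RFC 3947 / RFC 3948).

Added example, not code from the thread or from Cisco. The datagrams at the
bottom are constructed by hand, not captured from any real ASA or VPN client.
"""
import hashlib
import struct
from typing import Optional

# Vendor-ID payloads advertising NAT-T: each is the MD5 of a draft/RFC name.
# The ASA line "Received NAT-Traversal version 02 VID" refers to the draft-02
# identifiers below (the variant with a trailing newline is the common one).
NAT_T_VENDOR_IDS = {
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "NAT-T draft-02",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02").digest(): "NAT-T draft-02 (no newline)",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(): "NAT-T draft-03",
    hashlib.md5(b"RFC 3947").digest(): "NAT-T RFC 3947",
}

IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}


def nat_t_vid_name(vid: bytes) -> Optional[str]:
    """Map a Vendor-ID payload body to the NAT-T version it advertises, if any."""
    return NAT_T_VENDOR_IDS.get(vid)


def classify_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 datagram payload using the RFC 3948 framing.

    A lone 0xFF byte is a NAT keepalive; four zero bytes (the non-ESP marker)
    prefix an IKE message; anything else is UDP-encapsulated ESP, whose first
    word is the SPI (never zero, so it cannot be mistaken for the marker).
    """
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload[:4] == b"\x00\x00\x00\x00":
        ike = payload[4:]
        if len(ike) < 28:  # the ISAKMP header alone is 28 bytes
            return {"kind": "malformed-ike"}
        _, _, _, ver, exch, _, _, length = struct.unpack("!8s8sBBBBII", ike[:28])
        return {"kind": "ike", "ike_version": ver >> 4,
                "exchange": IKEV1_EXCHANGES.get(exch, str(exch)), "length": length}
    if len(payload) < 8:
        return {"kind": "malformed"}
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "udp-encap-esp", "spi": spi, "seq": seq}


if __name__ == "__main__":
    # Constructed samples: keepalive, aggressive-mode IKE header, ESP-in-UDP.
    ike_hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, 28)
    for pkt in (b"\xff", b"\x00\x00\x00\x00" + ike_hdr, struct.pack("!II", 0xC0FFEE01, 7)):
        print(classify_udp4500(pkt))
```

If a capture on the ASA's outside interface shows IKE on UDP/500 but nothing at all on UDP/4500 after Phase II, the encapsulation was never negotiated and the data traffic is still plain ESP, which is exactly what an intermediate NAT will drop or mangle.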

Accepted Solution

IMIC3_support
Level 1

In my very limited experience, both sides have to have NAT-T enabled, otherwise the side that doesn't have NAT-T enabled won't be able to read part of the IP header, since it is encrypted.

Good luck!

Pedro

2 Replies

Oddly, the problem cleared the second time I applied NAT-T; unknown why it didn't work the first time.