ASA 5510 not recognizing/responding to incoming IKE

dino55088
Level 1

Hi, we have an ASA 5510 running 8.4(7) with many working IPsec VPNs.

We have one new peer we are trying to connect, but when they initiate the VPN we do not respond.

 

I can see incoming IKE with destination UDP port 500, but the SOURCE PORT is a high port, 50223.

This is the only thing I can see that differs from the other VPNs that are working.

We see this IKE traffic come in via capture, but debug ikev1 255 or any other crypto debug outputs nothing from this peer, indicating the ASA is not triggering IKE negotiation (crypto map set up correctly with the peer, etc.).

 

Do both incoming UDP ports need to be 500 for initial communication to work?


Hello @dino55088

Should be 500 source and destination. However, if there is a PAT in place, the source port is changed to a random port.

Make sure you don't have PAT acting on the VPN flow.

 

-If I helped you somehow, please, rate it as useful.-

OK, the remote end does have PAT; their VPN device is sitting behind a router.

From memory UDP source and destination are both 500. But then what about NAT-Traversal...

Looked up the RFC:

https://tools.ietf.org/html/rfc3947#section-3

The detection of support for NAT-Traversal and detection of NAT along
the path between the two IKE peers occurs in IKE [RFC2409] Phase 1.

The NAT may change the IKE UDP source port, and recipients MUST be
able to process IKE packets whose source port is different from 500.

Do you support NAT-T on your ASA? It is enabled by default as of 8.0(2):

crypto isakmp nat-traversal

Hope that helps! Patrick

Hi Patrick,

Thanks for your responses.

Yes, we turned on crypto isakmp nat-t last week. I thought that was going to fix it, but it did not.

 

I saw the bug below, but our match address is a public IP and the matched VPN traffic ACL uses 192.168 addresses, so I'm not sure if it applies...

 

crypto map with match address command cause IKE negotiation failure
CSCsm35737

Description
Symptom:
ASA may not process received IKE packet with dynamic source port if crypto map configuration contains match address command.

Conditions:
-crypto map with match address command
-access-list for the match address command matches IKE traffic
-received IKE packet uses other than 500 as source port

Workaround:
remove match address command
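The two checks raised in this thread, namely whether a peer's IKE arrives with a non-500 source port (PAT on the path, as RFC 3947 describes) and whether the ASA ever answers it, and whether a crypto map's match address ACL would itself select IKE traffic (the CSCsm35737 condition quoted above), can be scripted against a capture. The following is an added example, not code from the thread or from Cisco; the capture text, addresses and ACL entries are constructed in the style of ASA "show capture" output, and the ACL check is an approximation of the bug's stated condition, not the ASA's internal logic.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the style of ASA "show capture" output; the addresses
# and ports are made up for this example and are not from the thread.
CAPTURE = """\
1: 10:15:32.123456 203.0.113.10.50223 > 198.51.100.1.500: udp 312
2: 10:15:34.223456 203.0.113.10.50223 > 198.51.100.1.500: udp 312
3: 10:15:40.000001 192.0.2.7.500 > 198.51.100.1.500: udp 248
4: 10:15:40.000900 198.51.100.1.500 > 192.0.2.7.500: udp 248
"""

# "<seq>: <time> <src_ip>.<src_port> > <dst_ip>.<dst_port>: udp <len>"
PKT_RE = re.compile(
    r"^\s*(\d+):\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+):\s+udp\s+(\d+)"
)


@dataclass(frozen=True)
class UdpPacket:
    seq: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int


def parse_capture(text: str) -> List[UdpPacket]:
    """Parse UDP lines of a capture dump; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            seq, sip, sport, dip, dport, ln = m.groups()
            pkts.append(UdpPacket(int(seq), sip, int(sport), dip, int(dport), int(ln)))
    return pkts


@dataclass
class PeerReport:
    src_ports: set = field(default_factory=set)
    answered: bool = False

    @property
    def pat_suspected(self) -> bool:
        # RFC 3947: a NAT on the path may rewrite the IKE UDP source port,
        # so a source port other than 500 points at PAT between the peers.
        return any(p != 500 for p in self.src_ports)


def classify_ike(pkts: List[UdpPacket], local_ip: str) -> Dict[str, PeerReport]:
    """For every peer sending IKE (UDP/500) to local_ip, record the source
    ports seen and whether local_ip ever sent IKE back to that peer."""
    report: Dict[str, PeerReport] = {}
    for p in pkts:
        if p.dst_ip == local_ip and p.dst_port == 500:
            report.setdefault(p.src_ip, PeerReport()).src_ports.add(p.src_port)
    for p in pkts:
        if p.src_ip == local_ip and p.src_port == 500 and p.dst_ip in report:
            report[p.dst_ip].answered = True
    return report


@dataclass(frozen=True)
class AclEntry:
    proto: str                      # "ip", "udp", "tcp", ...
    src: str                        # source network, CIDR form
    dst: str                        # destination network, CIDR form
    dst_port: Optional[int] = None  # None means any port


def acl_matches_ike(acl: List[AclEntry], peer_ip: str, local_ip: str) -> bool:
    """Approximate the CSCsm35737 condition "access-list for the match address
    command matches IKE traffic": would a UDP/500 packet between local_ip and
    peer_ip be selected by the crypto ACL? Crypto ACLs are written local->remote
    and inbound traffic is checked against the mirror, so both orientations count."""
    peer = ipaddress.ip_address(peer_ip)
    local = ipaddress.ip_address(local_ip)
    for e in acl:
        if e.proto not in ("ip", "udp") or e.dst_port not in (None, 500):
            continue
        s_net = ipaddress.ip_network(e.src, strict=False)
        d_net = ipaddress.ip_network(e.dst, strict=False)
        if (local in s_net and peer in d_net) or (peer in s_net and local in d_net):
            return True
    return False


# Constructed crypto ACLs: the first selects only private LANs (the poster's
# situation); the second also covers the public peer addresses, i.e. IKE itself.
ACL_LAN_ONLY = [AclEntry("ip", "192.168.10.0/24", "192.168.20.0/24")]
ACL_COVERS_IKE = ACL_LAN_ONLY + [AclEntry("ip", "198.51.100.1/32", "203.0.113.10/32")]

if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    for peer, rep in classify_ike(pkts, "198.51.100.1").items():
        print(peer, sorted(rep.src_ports),
              "answered" if rep.answered else "no reply",
              "PAT suspected" if rep.pat_suspected else "source port 500")
    print(acl_matches_ike(ACL_LAN_ONLY, "203.0.113.10", "198.51.100.1"))    # False
    print(acl_matches_ike(ACL_COVERS_IKE, "203.0.113.10", "198.51.100.1"))  # True
```

Run against the constructed capture, the peer at 203.0.113.10 shows up with source port 50223 and no reply from the ASA, which is the symptom described in the question, while 192.0.2.7 uses port 500 and is answered. The ACL check then says whether the quoted bug's second condition could even apply: with only 192.168 networks in the match address ACL it does not, which is the poster's reading of it.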