Hi, we have an ASA 5510 with 8.4(7) with many working IPsec VPNs.
We have one new peer we are trying to connect but when they initiate VPN we do not respond.
I can see incoming IKE with destination UDP port 500 but SOURCE PORT is a high port eq 50223.
This is the only thing I can see differently from other VPNs that are working.
We see this IKE traffic come in via capture but debug ikev1 255 or any other crypto debug outputs nothing from this peer indicating ASA is not triggering IKE negotiation (crypto map setup correctly with peer etc).
Do both incoming UDP ports need to be 500 for initial communication to work?
The detection of support for NAT-Traversal and detection of NAT along the path between the two IKE peers occurs in IKE [RFC2409] Phase 1. The NAT may change the IKE UDP source port, and recipients MUST be able to process IKE packets whose source port is different from 500.
Do you support nat-t on your ASA? Enabled by default as of 8.0(2)
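To make the source-port observation from the question checkable against a capture, here is a small triage script. It is an added example, not code from the thread or from Cisco: it reads constructed, tcpdump-like lines (the format is an assumption, not real ASA `show capture` output), picks out inbound ISAKMP packets to the ASA's outside address, and reports per peer whether the ASA ever answered and whether the peer's source port had been rewritten from 500 (the NAT-on-path case the quoted RFC text describes, where a responder must still accept the packet). Peer addresses, the local address `203.0.113.10` and the sample lines are all constructed.

```python
"""Triage IKEv1 Phase 1 initiations in a capture: who did we answer, and
whose source port was rewritten by a NAT on the path?  Added example;
the capture line format and all addresses below are constructed."""
import re

IKE_PORT = 500      # ISAKMP
NAT_T_PORT = 4500   # NAT-Traversal (IPsec over UDP)

# Constructed sample capture, loosely tcpdump-shaped (NOT real ASA output).
# 198.51.100.7: normal peer, source port 500, ASA replies.
# 192.0.2.44:   peer behind a NAT, source port rewritten to 50223, no reply.
# 198.51.100.9: source port 500 but no reply either (some other problem).
SAMPLE_CAPTURE = """\
198.51.100.7.500 > 203.0.113.10.500: isakmp
203.0.113.10.500 > 198.51.100.7.500: isakmp
192.0.2.44.50223 > 203.0.113.10.500: isakmp
192.0.2.44.50223 > 203.0.113.10.500: isakmp
198.51.100.9.500 > 203.0.113.10.500: isakmp
"""

LINE_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): isakmp$"
)


def parse_capture(text):
    """Return a list of (src, sport, dst, dport) tuples for ISAKMP lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m.group(1), int(m.group(2)),
                            m.group(3), int(m.group(4))))
    return packets


def triage(packets, local_ip):
    """Classify every peer that sent IKE toward local_ip.

    responded                      : we sent IKE back to that peer
    no-response-natted-source-port : never answered, and the peer's source
                                     port was not 500/4500 -> a NAT rewrote
                                     it; first thing to verify is NAT-T
    no-response-standard-port      : never answered although the source port
                                     was 500 -> look elsewhere (crypto map,
                                     tunnel-group, ACLs)
    """
    inbound_ports = {}   # peer -> set of UDP source ports it used toward us
    answered = set()     # peers we sent IKE to
    for src, sport, dst, dport in packets:
        if dst == local_ip and dport in (IKE_PORT, NAT_T_PORT):
            inbound_ports.setdefault(src, set()).add(sport)
        elif src == local_ip and sport in (IKE_PORT, NAT_T_PORT):
            answered.add(dst)

    report = {}
    for peer, ports in sorted(inbound_ports.items()):
        if peer in answered:
            report[peer] = "responded"
        elif ports - {IKE_PORT, NAT_T_PORT}:
            report[peer] = "no-response-natted-source-port"
        else:
            report[peer] = "no-response-standard-port"
    return report


if __name__ == "__main__":
    for peer, status in triage(parse_capture(SAMPLE_CAPTURE),
                               "203.0.113.10").items():
        print(f"{peer:16} {status}")
```

The script only separates the two silent cases; a peer flagged as natted-source-port is the situation in the question, where the first thing to confirm is that NAT-T is enabled on the ASA (on by default since 8.0(2), as the reply above notes), since a responder that honours the RFC must accept IKE from a source port other than 500.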