04-16-2012 08:56 AM - edited 02-21-2020 06:00 PM
We had a successful connection between a remote-access Cisco client and the ASA. The connection can no longer transfer data, but Phase I and Phase II do complete successfully. There are several hops between separate networks to get from the remote user to the ASA, including Verizon private lines and Verizon ISP.
Cisco troubleshooting guides strongly suggest this is a NAT-T issue, but when I turn on debug isakmp 254 and debug ipsec 254, I receive only one modest message about NAT-T, which is "Received NAT-Traversal version 02 VID". This message, and connections, are when I have NAT-T disabled on the ASA.
If I enable NAT-T on the ASA, the remote client cannot establish Phase I or II; I haven't been able to collect debugs on that scenario yet.
The client has a second laptop; both of them exhibit the same problem. We have ensured that Tunneling, UDP 4500 is enabled.
I suspect an intermediate device, or Verizon, has changed something.
What should be my next troubleshooting steps (sadly, I cannot post the configs)?
Regards,
j
04-16-2012 09:52 AM
In my very limited experience, both sides have to have NAT-T enabled, otherwise the side that doesn't have NAT-T enabled won't be able to read part of the IP header, since it is encrypted.
Good luck!
Pedro
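To make the point in this answer concrete (IKE completing while no data flows usually means ESP is being dropped on the path and NAT-T was never negotiated by both ends), here is a small debug-log triage helper. It is an added example, not code from this thread or from Cisco; the sample lines are constructed and only loosely modeled on what `debug crypto isakmp` prints on an ASA, so the regular expressions are assumptions to be adjusted against your own output. The two ASA commands it names, `crypto isakmp nat-traversal` and `show crypto ipsec sa`, are real, but confirm them for your software version.

```python
import re

# Constructed sample debug lines, loosely modeled on ASA "debug crypto isakmp"
# output. They are NOT a real capture; the wording on your ASA may differ.
SAMPLE_NATT_OFF = [
    "[IKEv1]: IP = 203.0.113.10, Received NAT-Traversal ver 02 VID",
    "[IKEv1]: IP = 203.0.113.10, PHASE 1 COMPLETED",
    "[IKEv1]: IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=0x1a2b3c4d)",
]
SAMPLE_NATT_ON = [
    "[IKEv1]: IP = 203.0.113.10, Received NAT-Traversal ver 02 VID",
    "[IKEv1]: IP = 203.0.113.10, constructing NAT-Traversal VID ver 02 payload",
    "[IKEv1]: IP = 203.0.113.10, processing NAT-Discovery payload",
    "[IKEv1]: IP = 203.0.113.10, Automatic NAT Detection Status: "
    "Remote end is behind a NAT device This end is NOT behind a NAT device",
    "[IKEv1]: IP = 203.0.113.10, Floating NAT-T from 203.0.113.10:500 to 203.0.113.10:4500",
    "[IKEv1]: IP = 203.0.113.10, PHASE 1 COMPLETED",
    "[IKEv1]: IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=0x1a2b3c4d)",
]

# Assumed patterns: one per fact we want to extract from the debug stream.
PATTERNS = {
    "peer_offers_natt": re.compile(r"Received NAT-Traversal", re.I),   # client sent NAT-T VID
    "asa_offers_natt":  re.compile(r"constructing NAT-Traversal", re.I),  # ASA sent NAT-T VID
    "nat_discovery":    re.compile(r"NAT-Discovery payload", re.I),
    "remote_behind_nat": re.compile(r"Remote end is behind a NAT", re.I),
    "floated_to_4500":  re.compile(r"Floating NAT-T .*:4500", re.I),    # SA moved to UDP/4500
    "phase1_done":      re.compile(r"PHASE 1 COMPLETED", re.I),
    "phase2_done":      re.compile(r"PHASE 2 COMPLETED", re.I),
}


def scan(lines):
    """Return {fact_name: bool} for every pattern seen anywhere in the debug lines."""
    return {name: any(p.search(line) for line in lines) for name, p in PATTERNS.items()}


def diagnose(lines):
    """Classify a debug capture and return (code, next_step) for the operator."""
    f = scan(lines)
    if not (f["phase1_done"] and f["phase2_done"]):
        return ("ike-incomplete",
                "IKE did not finish; collect the full debug for the failing phase "
                "before looking at NAT-T.")
    if f["floated_to_4500"]:
        return ("natt-negotiated",
                "NAT-T is active and ESP rides in UDP/4500. If data still fails, "
                "verify UDP/4500 is permitted end-to-end and compare the encaps/decaps "
                "counters in 'show crypto ipsec sa' on both sides.")
    if f["peer_offers_natt"] and not f["asa_offers_natt"]:
        return ("natt-one-sided",
                "The client advertised NAT-T but this side did not, so ESP is sent as "
                "raw IP protocol 50; a NAT or filter on the path drops it after IKE "
                "completes. Enable 'crypto isakmp nat-traversal' on the ASA and allow "
                "UDP/4500.")
    if f["asa_offers_natt"] and f["peer_offers_natt"] and not f["remote_behind_nat"]:
        return ("no-nat-detected",
                "Both sides support NAT-T but NAT discovery found no NAT, so ESP stays "
                "on protocol 50; confirm ESP is permitted along the whole path.")
    return ("unknown", "No NAT-T markers matched; check the patterns against your output.")


if __name__ == "__main__":
    for name, sample in (("NAT-T off", SAMPLE_NATT_OFF), ("NAT-T on", SAMPLE_NATT_ON)):
        code, advice = diagnose(sample)
        print(f"{name}: {code}\n  {advice}")
```

Feed it the saved output of `debug crypto isakmp` one line per list element. The check that matters for this thread is the "natt-one-sided" branch: a single "Received NAT-Traversal" line with no matching "constructing" line means the client offered NAT-T and the ASA never agreed, which is exactly the symptom of phases completing while traffic disappears.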
04-17-2012 10:29 AM
Oddly, the problem cleared the second time I applied NAT-T; unknown why it didn't work the first time.