"no nat-traversal crypto isakmp" after restart

Hello

With ASA software version 8.0, we noticed that whenever we restart the device, the configuration line:

no crypto isakmp nat-traversal

appears in the configuration.

It is very annoying, because with this line NAT-T obviously does not work.

Any of you noticed that too?

Ideas?

Thank you very much.

Marco Pizzi.

Hi Marco,

This is a bug in the ASA 8.x software version and there are workarounds:

CSCsj52581 bug details

Inconsistent configuration of "no crypto isakmp nat-traversal" after reboot

Symptom:

After a restart of the ASA, the global command "no crypto isakmp nat-traversal" appears in the running-config even though it is not in the startup-config.

Conditions:

None

Steps to reproduce:

BSNs-ASA5505-1(config)# crypto isakmp nat-traversal
BSNs-ASA5505-1(config)# copy run start
BSNs-ASA5505-1(config)# sh run all | inc nat
crypto isakmp nat-traversal 20
BSNs-ASA5505-1(config)# sh start | inc nat
BSNs-ASA5505-1(config)#

After reloading the ASA:

BSNs-ASA5505-1# sh run all | inc nat
no crypto isakmp nat-traversal
BSNs-ASA5505-1# sh start | inc nat
BSNs-ASA5505-1#

Workaround:

(1) Use a default value, for example, "crypto isakmp nat-traversal 21".

(2) Enable "crypto isakmp nat-traversal" after the restart of the ASA if you can use the default value. The default value is: crypto isakmp nat-traversal 20

Radim

Tags: Cisco Security
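
An added example, not part of the original thread or of Cisco's bug note: a small Python check that compares saved "sh run all" and "sh start" output and flags the NAT-T states shown in the reproduction steps above on the affected 8.x software. The function names, result labels and sample configs are constructed for illustration, and the workaround sample assumes that a non-default keepalive is written to the startup-config.

```python
import re

DEFAULT_KEEPALIVE = 20  # default NAT-T keepalive quoted in the bug text

# Matches "crypto isakmp nat-traversal [seconds]" and its "no" form.
NAT_T_RE = re.compile(
    r"^(no\s+)?crypto\s+isakmp\s+nat-traversal(?:\s+(\d+))?$", re.IGNORECASE
)


def nat_t_state(config_text):
    """Return ("disabled", None), ("enabled", seconds) or ("absent", None)."""
    state = ("absent", None)
    for raw in config_text.splitlines():
        m = NAT_T_RE.match(raw.strip())
        if not m:
            continue
        if m.group(1):
            state = ("disabled", None)
        else:
            # A bare command without a value means the default keepalive.
            state = ("enabled", int(m.group(2) or DEFAULT_KEEPALIVE))
    return state


def audit_nat_t(running_all, startup):
    """Classify NAT-T drift between saved 'sh run all' and 'sh start' text."""
    run_state, run_secs = nat_t_state(running_all)
    start_state, start_secs = nat_t_state(startup)

    if run_state == "disabled":
        # Symptom in the thread: the "no" form is active but was never saved.
        return "drift" if start_state != "disabled" else "disabled-by-config"
    if run_state == "enabled":
        if start_state == "enabled" and start_secs == run_secs:
            return "ok"
        if run_secs == DEFAULT_KEEPALIVE and start_state == "absent":
            # Pre-reload state of the reproduction steps: the default value
            # is active but no NAT-T line exists in the startup-config.
            return "at-risk"
        return "unsaved-change"
    return "absent"


# Constructed samples modelled on the reproduction steps in the thread.
# Each pair is (sh run all, sh start). The workaround pair ASSUMES that a
# non-default keepalive is written to the startup-config.
SAMPLES = {
    "before reload": ("crypto isakmp enable outside\n"
                      "crypto isakmp nat-traversal 20\n",
                      "crypto isakmp enable outside\n"),
    "after reload": ("crypto isakmp enable outside\n"
                     "no crypto isakmp nat-traversal\n",
                     "crypto isakmp enable outside\n"),
    "workaround": ("crypto isakmp enable outside\n"
                   "crypto isakmp nat-traversal 21\n",
                   "crypto isakmp enable outside\n"
                   "crypto isakmp nat-traversal 21\n"),
}

if __name__ == "__main__":
    for name, (running_all, startup) in SAMPLES.items():
        print(f"{name}: {audit_nat_t(running_all, startup)}")
```

Run it against configuration text captured after each reload; a "drift" result means remote-access clients behind NAT will fail until the command is re-entered.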

Similar Questions

  • ASA 5505 - crypto isakmp nat-traversal is missing?

    I can't understand it. I have an ASA5505 at home that I use for VPN access. Sometimes when I connect I can't ping anything. I check the config and it shows:

    no crypto isakmp nat-traversal

    I have configured "crypto isakmp nat-traversal" so many times before, and somehow it is still deleted. Seems to happen at random, as well as when the device is restarted. (Yes, the config has been saved). I would say that this is happening at least 2-3 times a week.

    Any ideas? I am running the 8.0.2 version code.

    This is a bug. Set the value on something other than the default value of 20. This will fix the problem.

    crypto isakmp nat-traversal 21

  • NAT traversal broken after upgrade to 7.04

    We had NAT traversal working very well on our PIX 515E bundle running ver 6.3.4.

    For ah, esp, isakmp, in the port udp 500.

    NAT traversal enabled. Sysopt permit-ipsec.

    Behind the PIX, users can establish VPN connections, but traffic does not pass. Users can establish VPN and pass traffic very well when they are in front of the PIX. Users connect to different VPN devices as we have no control or access to

    Hi Eric,

    If I understand correctly, the error only occurs for users behind your PIX after an upgrade to 704?

    Check if the following statements are present in your PIX config:

    isakmp nat-traversal 20

    isakmp ipsec-over-tcp port 10000

    isakmp enable outside

    Also, the error can occur because of some missing access list for users behind the PIX.

    HTH

    Mike

  • PERSONAL CRYPTO ISAKMP - General Question

    Here are the ISAKMP policies on my firewall. How is it that when I add a new policy it does not appear? I have a policy 51 which does not appear?

    crypto isakmp policy 10
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 20
     authentication pre-share
     encryption aes-256
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 50
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400

    The number after the crypto map statement is simply the sequence number that distinguishes one crypto map entry from another; it's how you can have several tunnels associated with a single interface. It also does not necessarily map to the crypto isakmp policy (actually nothing does).

    So basically what happens is that if you change the crypto map from 54 to 100, it will move down on the list of existing tunnels and most likely you would just duplicate this entry.

  • crypto isakmp invalid-spi-recovery command worked well in the case of DMVPN

    Hello

    I did the setup for hub/spoke in the DMVPN case and it worked fine. But after reloading the hub I saw the error output below, although I added the command crypto isakmp invalid-spi-recovery on the hub and spokes:

    *Oct  7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.3.1.3

    *Oct  7 03:10:03.175: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=150.1.1.1, prot=50, spi=0x72662541(1919296833), srcaddr=150.2.1.2

    Note: spoke1's IP address: 150.2.1.2 / spoke2's IP address: 150.3.1.3 / Hub's IP address: 150.1.1.1

    My temporary solution for this problem: I need to clear the SPI manually, and then it works fine again.

    If anyone has the same problem, please let me know

    Kind regards

    TRAN

    Hello

    There is a common misconception about what the crypto isakmp invalid-spi-recovery command does. Even without this command, IOS already performs a kind of invalid SPI recovery by sending a DELETE notify for the received SA to the sending peer if it already has an IKE SA with that peer. Once again, this happens regardless of whether the crypto isakmp invalid-spi-recovery command is enabled or not.

    The crypto isakmp invalid-spi-recovery command tries to address the condition where a router receives IPsec traffic with an invalid SPI and it doesn't have an IKE SA with that peer. In this case, it will try to set up a new IKE session with the peer and then send a DELETE notification over the newly created IKE SA. However, this command does not work in all crypto configurations. The only configurations this command works with are static crypto maps where the peer is explicitly defined, and static peers derived from instantiated crypto maps, for example, VTI. Here is a summary of commonly used crypto configurations and whether invalid SPI recovery works with each configuration or not:

    Crypto config: invalid SPI recovery?
    Static crypto map: YES
    Dynamic crypto map: NO
    P2P GRE with TP: YES
    mGRE TP w/ static NHRP mapping: YES
    mGRE TP w/ dynamic NHRP mapping: NO
    VTI: YES
    EzVPN client: N/A

    To help with your scenario, you can enable DPD (crypto isakmp keepalive) on the spoke to help the tunnel recover.

    Thank you

    Wen

  • Show crypto isakmp/ipsec sa shows nothing

    Dear all,

    I have set up an IPsec VPN on my C2811 router, but "show crypto isakmp/ipsec sa" shows nothing.

    The remote endpoint is an ASA5520. Does this indicate that the remote ASA5520 is not yet configured?

    Here is my router configuration:

    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key address 202.70.53.xx
    !
    crypto ipsec transform-set ipsec esp-aes esp-sha-hmac
    !
    crypto map cisco 1 ipsec-isakmp
     set peer 202.70.53.xx
     set transform-set ipsec
     match address vpn
    !
    interface FastEthernet0/0
     description WAN
     ip address 202.55.8.zzz 255.255.255.252 secondary
     ip address 202.55.8.yy 255.255.255.224
     ip nat outside
     ip virtual-reassembly
     duplex full
     speed 100
     crypto map cisco

    elboukri#sh crypto isakmp sa
    dst             src             state          conn-id slot status

    elboukri#sh crypto ipsec sa

    interface: FastEthernet0/0
        Crypto map tag: cisco, local addr 202.55.8.yy

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (10.17.91.190/255.255.255.255/0/0)
       current_peer 202.70.53.xx port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 202.55.8.yy, remote crypto endpt.: 202.70.53.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)

         inbound esp sas:

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:

         outbound ah sas:

         outbound pcp sas:

    Pinging the peer works normally:

    elboukri#ping 202.70.53.xx source 202.55.8.yy

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.70.53.1, timeout is 2 seconds:
    Packet sent with a source address of 202.55.8.yy
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms

    Extended IP access list tar
        10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
        20 permit ip 192.168.13.0 0.0.0.255 any (1356 matches)
    Extended IP access list vpn
        10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190

    Lai

    The fact that there are no matches in the vpn access list seems to mean that there has not been any traffic from your end (192.168.13.0/24) that would go through the VPN. If there has not been any traffic that matches the access list, then there is nothing that would trigger the ISAKMP negotiation or the IPsec negotiation. And that's probably why your original show commands had empty results.

    Can you arrange for someone in 192.168.13.0 to send traffic to 10.17.91.190? That should initiate the ISAKMP negotiation.

    HTH

    Rick

  • Firefox unresponsive after restarting my computer after having made changes in the settings of the history and cookies

    I made some changes to cookies and erased my history for today... and then restarted my computer... now Firefox does not open... will not respond... should I uninstall Firefox and then reinstall?

    If I uninstall Firefox, will the changes I made with cookies and my history be reversed?

    If I uninstall and reinstall Firefox, will I lose my bookmarks? Or does Firefox remember them, so that when I reinstall, the previous bookmarks are reinstalled too?

    Is it that Firefox starts when you first open it after the computer restarts, but hangs the next time that you try to start it? If yes, then there is a bug in Firefox 29 where Firefox hangs on exit when the setting "Clear history when Firefox closes" is selected, so that you get a "running but not responding" error the next time you try to launch it. In this case, end the firefox.exe process in Windows Task Manager (or restart the computer) and then reset your Firefox Privacy options and UNCHECK the option "Clear history when Firefox closes". See this article for more details:
    Settings for privacy, browsing history and do-not-track

    If this isn't the problem and Firefox still won't open even after restarting the computer, then try to start Firefox in Safe Mode by holding down the SHIFT key when you start Firefox. If Firefox starts, then read "Troubleshoot extensions, themes and hardware acceleration issues to solve common Firefox problems" to narrow down the cause.

  • Bluetooth works only after restart

    I got my new iMac a few months ago, and since then, I had this annoying problem.
    My bluetooth mouse and keyboard don't work after a reboot, in fact all bluetooth doesn't work after reboot.

    When I start my computer and connect with a second mouse and plugged in the bluetooth keyboard is "not found" and there is not in the system of care either in bluetooth. But I googled and tried different things and makes the SMC reset and after restarting the bluetooth is rising and running after the connection...

    Do I need to restart my computer everytime I want to use it?

    Hi Anna,

    Do you have a 27" iMac?

    I bought a new one and spent a total of more than 20 hours on the phone with AppleCare. After a month, I have returned two different iMacs and am now on the third.

    After giving me bad suggestions for a month, AppleCare now, it is true, now, not a month before, tells me that they have discovered a 'known problem' whereby the new 27" iMac with some configurations loses its Bluetooth connectivity if an OS update is made to El Capitan! I don't see any other product you would have a problem with, even if you bought it new.

  • After restart some apps not full screen more

    Hello

    Why is it that after a reboot with the check box that says "reopen windows after restart" selected, the applications that were open before restarting are reopened, but many of them have lost full-screen mode, even though they were in it before the reboot? Any ideas?

    A reboot reopens the previous windows only in the default position, not full-screen.

    Control-Command-F after reboot will change the view mode to full screen.

  • Hi, I installed an Alfred Workflow (see code below) that will mark all my mails as read. After you run it for a minute, the mail has crashed and I had to forcequit. However, now, when you open the Mail it crashes instantly, even after restart and repair o

    Hello

    I installed an Alfred Workflow (see code below) that will mark all my mails as read. After you run it for a minute, the mail has crashed and I had to forcequit. However, now, when you open the Mail it crashes instantly, even after restart and repair the permissions. I also used the Ctrl + C and CTRL-Z commands in the Terminal to leave the alfred_script, but nothing helped. I'm running out of ideas here, so I hope you could help me either reinstall the mail.app. I could always just switch to a different mail application, but it's kind of a last resort.

    Code:

    tell application "Mail"
        set allAccounts to name of every account
        repeat with currAccount in allAccounts
            -- mailboxes of this account that still hold unread messages
            set unreadMboxes to (every mailbox of account currAccount whose unread count is not 0)
            repeat with currMbox in unreadMboxes
                -- mark every unread message in the mailbox as read
                set (read status of every message of currMbox whose read status is false) to true
            end repeat
        end repeat
    end tell

    Any input would be greatly appreciated. Can post the report of crash on demand.

    Not sure about Alfred, but it's just an AppleScript script and it would not cause Mail to crash.

    However, when running through all the messages, it is possible the Mail database has been corrupted and it crashes because of this.

    I probably won't get anything out of the crash report, but others might.

    My first instinct would be to rebuild the mailbox. Because you can't do that with it crashing, you can simply delete the databases and it will rebuild them.

    Navigate to this folder:

    ~/Library/Mail/V3/MailData/

    You can either navigate manually through the folders, or copy the full path and paste it into Go to Folder in the Go menu of the Finder.

    Remove the Envelope Index files. Open Mail and see if it works well.

    If your Library does not appear in your home folder, hold down the Option key and select Library in the Go menu of the Finder.

  • When using the customize toolbar function, the open new tab button, which is the + sign next to the tab in the tab bar, eventually disappears and it remains so, even after restarting Firefox.

    Every time I customize the toolbar, the open new tab button, which is the + sign next to the tab in the tab bar, eventually disappears and it remains so, even after restarting Firefox. This happens only after the update to the new version 4.0.1; it never happened in older versions 3.x.xx - checked three times. I think it might be a bug, and I didn't know where to report it and had no time and patience to find the appropriate page, so I'm here to improve my favorite browser.

    Did you move the new tab button to the palette or another toolbar?

    You can try to click on 'Restore Default Set', which should bring back this button on the tab bar.

    See also:

  • Satellite L40 - Wi-Fi connection problem after restart

    Hello

    My sister has a Toshiba Satellite L40 (PSL40E - 04501DDU) and a few days ago I installed a wireless router at home.
    Wi-Fi worked within 2 minutes, but when I restarted the laptop it couldn't find any Wi-Fi networks (whereas before I restarted, it found 4).

    It took me about an hour to make it work again
    -Turn off/on Wi-Fi
    -several reboots
    -deletion of Wi-Fi connection configs
    -switching between the Vista Wi-Fi tool and the configuration tool by Toshiba
    -updated drivers
    -etcetera...

    I don't know which of them did the trick, but after going through all these actions it seemed to work again.
    I thought I had conquered the problem, but only today (after only 1.5 days) my sister contacted me saying that the Wi-Fi 'fell down' again.

    Does anyone know what could be the problem?

    When I look in this forum I see about 1200 forum topics on Wi-Fi problems on Toshiba laptops, so I guess it's a recurring problem with several Toshiba models.
    Most of the topics also speak of Wi-Fi that works very well and doesn't work anymore after restart/sleep/hibernation.

    Laptop: PSL40E - 04501DDU
    OS: Windows Vista 32-bit (latest updates + latest drivers)

    (Please, no answers like: "is your DHCP on?" or "is the router compatible with the Wi-Fi device?")

    Hi crazysoul,

    I understand that you may not know the answer to this, because you are not always there when the Wi-Fi fails, but is the laptop not picking up *any* networks, the same as before?

    What WLAN driver version is installed on this laptop? The most recent is 7.6.0.164.1; it may be worth updating. Also, forgive me if you already checked, but under Network adapters in Device Manager, find the wireless device and in the Properties window, if there is a Power Management tab, make sure you have unchecked the checkbox to turn off the device to save power.

  • do not proceed with the installation even after restart of firefox add-ons

    Add-ons do not proceed with the installation even after restarting Firefox. I deleted the files of 3 extensions (several times) as in the other suggestions and rebooted. They still don't work, still saying they will be installed when you restart.

    This has happened each time Firefox opened, after update to 3.5, and continued to 3.6.3.

    Hey even once, I did a complete uninstall and reinstall Firefox and it fixed the problem for me.

  • There is no volume after restarting the device. Need urgent help

    Hello.

    Our ReadyNAS RN31600 is an iSCSI target device. We have (had) two LUNs of 8 terabytes each built on X-RAID 5, which are presented to a Windows Server.

    This device is less than a year old, and it began to have problems today. First, the two LUNs disappeared from the iSCSI client (WS 2008 R2). When we tried to restart the NAS, it hung on "restart now, see you soon."

    We powered it off at the switch and after restarting, the two LUNs seem to have disappeared, and the unit is somehow empty? How to solve this problem? Or is it quite normal for Netgear devices to suddenly lose 16 terabytes of data?

    The GUI shows "there is no volume" and also "delete inactive volumes using disk. Disc # 1,2,3,4,5,6 ". This means all the disks.

    Firmware is 6.4.0.

    And no, we don't have backups, because this device is used as a backup unit.

    I suggest you to contact support (support.netgear.com), because I think it will be faster than from here.

  • KB973687 - msxml3.dll msxml6.dll - services.exe uses excessive virtual memory, the performance impact on the first logon after restart

    Since the installation of fix KB973687, I have had several SP2 and SP3 systems exhibit behavior that makes them unusable until after the first logon is completed, which can take up to 20 minutes. I've identified the patch (KB973687) and the DLLs that it updates as the origin of the problem, but uninstalling the patch does NOT return the systems to normal operation.

    I need to understand how to repair these Windows XP SP2 and SP3 systems to restore normal operation; reinstalling Windows, programs, and settings is an expensive solution.

    The performance problem is caused by services.exe slowly consuming about 1.5 GB of virtual memory, and then slowly releasing it. This seems to be triggered by the first logon after restart; this logon is very slow, the screen is blank for most of it, and there might be memory allocation failures during logon. Once this logon completes and memory usage returns to normal levels, logging off and back on works normally, as do other operations, until the system is restarted.

    Spent a lot of time working with SysInternals Process Explorer, trying to find what specific service might be involved, and stripping the system down to bare essential services, with no luck.

    KB973687 seems to deliver only two files, msxml3.dll and msxml6.dll. Uninstalling this patch and reinstalling V3 and V6 of the XML parser fail to restore normal operation.

    Not all systems seem to be affected; still narrowing down the differences. The systems that are affected appear to be the oldest, with Windows XP installed for at least a year, and with Microsoft Office and Adobe Acrobat installed.

    Looking through these forums and the Internet, I believe that many have encountered this problem but have not taken it to this level of analysis; most seem to attribute it to a virus, and I see several start explorer.exe manually. I didn't know all the alternatives before reinstalling Windows.

    Found the solution; the following has been fixed in Comodo System Cleaner 2.2.129172.4:

    "For some strange reason, after changing some system settings with CSC, the LastGood.tmp directory began to be read constantly from my hard drive. This would continue until about 90 to 99% of my memory was used and then stop; memory would begin to be freed, and the system would slowly begin to function normally.
    I used Process Explorer from Sysinternals to help diagnose the problem with any process other than services.exe using memory.

    I used Sysinternals Filemon to see that the LastGood.tmp directory was being read repeatedly.
    After uninstalling CSC the problem was resolved."

    Even with the effort to find the solution, it was better to reinstall. Hope this solution helps others.
