Cisco – VPN Issues From A 6509
I’m doing IPSec tunnels from a 6509 at a remote facility to an ASA. The tunnel would establish, traffic would send from the 6500 to the remote client, the remote client would answer, but it would never go back through the 6500…strange.
I noticed that the ASA said that the connection was using NAT traversal, which it shouldn’t…both of these devices were sitting on public address space. I also notice the following message in my logs:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection
I tried many things, but the fix turned out to be disabling NAT-T on the 6500… apparently it is buggy. Issue the following command for happiness:
1 | no crypto ipsec nat-transparency udp-encapsulation |
Hi Greg,
Is it possible that a 6509 that I am trying to tunnel an IPSec connection through is potentially causing phase 2 issues because of the NAT-T bug you mentioned in your post? I have a PIX-2821 tunnel I am trying to get working and the 2821 claims the phase 2 proposal is unacceptable and is not forming the tunnel. The configuration on both devices definitely matches for the proposal so there should be no reason for phase 2 to fail.
Do you have a link to where you read that NAT-T on the 6509 is buggy? If I can match it to the IOS on the box then I can plan alternatives.
Thanks in advance,
John
@John
There wasn’t anywhere I read about the bug, I just looked at the debug output from the router and worked from there. Be sure to run debug on both sides and see if you are getting anything that might point to a resolution.
Well, the ISAKMP debugs suggested a phase 2 problem. We never performed a debug on the 6509 as all it should be doing is the one-to-one NAT and then routing the packet. The equipment is no longer in place as the 6509 is on a customer network so we brought the PIX back to try to resolve the issue out of the live network. My main query is that, if there is a definite problem with NAT-T on the 6509 are we wasting our time trying to use it to tunnel IPSec and I rather hoped you might still have the link to such a statement.
Thanks for your prompt response. It’s definitely something to bear in mind should we still have problems once we place the PIX back behind the 6509 having proved it outside of that network.
@John
It sounds like you aren’t terminating the IPSec tunnels on the 6509. If this is the case, NAT-T only applies to a device that is doing tunnel termination.