IPSec VPN traffic fails when NAT-T is enabled on Cisco ASA

Article ID: 432035

Products

VMware NSX

Issue/Introduction

  • A policy-based IPSec VPN is configured to a Cisco ASA appliance.
  • Traffic fails when NAT-T is enabled on the Cisco ASA appliance and works when it is disabled.
  • DNAT is configured in NSX for the local VPN peer endpoint.
  • Capturing dropped packets on the Cisco ASA may show output similar to the following:

1: 15:12:35.130998        802.1Q vlan#1 P0 <source_ip>.4500 > <destination_ip>/4500:   udp 120 Drop-reason:  (acl-drop) Flow is denied by configured rule, Drop-location: frame  0x############## flow (NA)/NA

Environment

VMware NSX

Cause

The third-party appliance (the Cisco ASA) may drop packets unexpectedly when NAT-T is enabled.

Resolution

This is a condition that may occur in a VMware NSX environment.

Workaround:

Because the Cisco ASA appliance may not handle NAT-T correctly, NSX's reliance on NAT-T for this VPN can be removed by creating a No-DNAT rule within NSX.

If a DNAT rule is in place for the IPSec VPN local endpoint, create a No-DNAT rule with the remote endpoint as the source IP and the local endpoint as the destination IP, and give it a higher priority than the DNAT rule so that it is evaluated first.

Alternatively, disable NAT-T on the Cisco ASA for this crypto map.
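Added example, not part of this article or of NSX's own code: a small Python model of NSX NAT rule ordering (rules evaluated in ascending sequence number, first match wins) showing that traffic from the remote peer to the local endpoint hits the DNAT rule until a No-DNAT rule for that peer pair is sequenced ahead of it. The addresses, rule ids and the PolicyNatRule field names are assumptions for illustration; confirm field names against the NSX Policy API reference for your version.

```python
import ipaddress
import json

# Constructed placeholder addresses (not from the article).
REMOTE_PEER = "203.0.113.10"     # Cisco ASA side of the VPN
LOCAL_ENDPOINT = "198.51.100.5"  # NSX IPSec local endpoint, also the DNAT destination
INTERNAL_HOST = "10.0.0.5"       # host the existing DNAT rule translates to

# Simplified NSX NAT model: rules evaluated in ascending sequence_number order, first match wins.
EXISTING_RULES = [
    {"id": "dnat-to-internal", "action": "DNAT", "sequence_number": 100,
     "source_network": None, "destination_network": LOCAL_ENDPOINT,
     "translated_network": INTERNAL_HOST},
]

def match(rule, src, dst):
    """True when a src->dst packet falls within the rule's source/destination (None = any)."""
    for key, addr in (("source_network", src), ("destination_network", dst)):
        net = rule.get(key)
        if net and ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
            return False
    return True

def first_hit(rules, src, dst):
    """Return the first rule (lowest sequence_number) matching src->dst, or None."""
    for rule in sorted(rules, key=lambda r: r["sequence_number"]):
        if match(rule, src, dst):
            return rule
    return None

def build_no_dnat_rule(rules, rule_id="no-dnat-ipsec-peer"):
    """Build the No-DNAT exemption for the peer pair, sequenced ahead of every DNAT rule it would hit."""
    dnat_seqs = [r["sequence_number"] for r in rules
                 if r["action"] == "DNAT" and match(r, REMOTE_PEER, LOCAL_ENDPOINT)]
    return {"id": rule_id, "action": "NO_DNAT",
            "sequence_number": (min(dnat_seqs) - 1) if dnat_seqs else 0,
            "source_network": REMOTE_PEER, "destination_network": LOCAL_ENDPOINT,
            "translated_network": None}

def policy_api_body(rule):
    """JSON body in the shape of an NSX Policy API PolicyNatRule (assumed field names)."""
    body = {"resource_type": "PolicyNatRule", "action": rule["action"],
            "sequence_number": rule["sequence_number"], "enabled": True,
            "source_network": rule["source_network"], "destination_network": rule["destination_network"]}
    return json.dumps({k: v for k, v in body.items() if v is not None}, indent=2)

if __name__ == "__main__":
    fixed = EXISTING_RULES + [build_no_dnat_rule(EXISTING_RULES)]
    print(first_hit(EXISTING_RULES, REMOTE_PEER, LOCAL_ENDPOINT)["action"], "->",
          first_hit(fixed, REMOTE_PEER, LOCAL_ENDPOINT)["action"])  # DNAT -> NO_DNAT
```

Traffic from any other source to the local endpoint still hits the DNAT rule, so the exemption is limited to the VPN peer pair.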

 

If the workaround is not applicable in the current environment, Cisco TAC should be engaged. 

Additional Information

Configure an NSX NAT/DNAT/No SNAT/No DNAT/Reflexive NAT

Troubleshooting NSX IPSEC VPN