July 26, 2004
Devices running Cisco IOS® Release 12.3(8.3) through 12.3(9) or Cisco IOS Release 12.3(8.3)T through 12.3(9.2)T will not interoperate with other devices that support NAT-T. A device running an IOS release earlier than 12.2(13)T, peering with an affected IOS release, will not be impacted by this defect.
An update to the Cisco IOS support for NAT-Transparency (UDP encapsulation) in CSCed21558 introduced a problem: unless both peers were running a version of code that contained this enhancement, IKE negotiation would fail. The new functionality added support for the new version-7 NAT-T vendor-ID. An error in the vendor-ID handling caused devices to misinterpret the NAT-T vendor-IDs in such a way that negotiations would break down. The problem first occurred in IOS Release 12.3(8.3) and 12.3(8.3)T.
IKE SAs will fail to be created if the two peers are not running the same version of Cisco IOS software. This affects both main mode and aggressive mode negotiations. This defect impacts devices negotiating IKE regardless of whether a NAT device exists in the path or not. Router-to-router and router-to-client negotiations are impacted. PIX 501 or 3002 software clients used in conjunction with the affected IOS will be impacted.
Put another way, the problem exists if one peer is running an affected release and the other is not.
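As an added example, not part of this field notice, the following Python walks the payload chain of an ISAKMP message and labels the NAT-T vendor-ID payloads it carries, which is how an operator can confirm from a packet capture which NAT-T versions each peer advertises when IKE fails between mismatched releases. It relies on the documented convention that a NAT-T vendor-ID is the MD5 of the draft or RFC name (RFC 3947, section 3.1); the draft-07 entry assumes the version-7 ID followed the same rule, and build_message only constructs sample input.

```python
import hashlib
import struct

# Vendor-ID payload bodies are the MD5 of the draft/RFC name string.
# The -02 draft hashed the name with a trailing newline; draft-07 is
# assumed to follow the same rule (not confirmed by the field notice).
NAT_T_VID_NAMES = {
    "draft-ietf-ipsec-nat-t-ike-02\n": "NAT-T draft-02",
    "draft-ietf-ipsec-nat-t-ike-02": "NAT-T draft-02 (no newline)",
    "draft-ietf-ipsec-nat-t-ike-03": "NAT-T draft-03",
    "draft-ietf-ipsec-nat-t-ike-07": "NAT-T draft-07",
    "RFC 3947": "NAT-T RFC 3947",
}
KNOWN_VIDS = {hashlib.md5(n.encode()).digest(): lbl for n, lbl in NAT_T_VID_NAMES.items()}

ISAKMP_HDR_LEN = 28   # cookies (16) + next/version/exchange/flags (4) + msg id (4) + length (4)
PAYLOAD_VID = 13      # ISAKMP Vendor ID payload type

def vid_hex(name: str) -> str:
    """Hex vendor-ID value for a given draft/RFC name."""
    return hashlib.md5(name.encode()).hexdigest()

def parse_payloads(msg: bytes):
    """Yield (payload_type, body) for each generic payload in an ISAKMP message."""
    next_type = msg[16]            # "next payload" byte of the ISAKMP header
    offset = ISAKMP_HDR_LEN
    while next_type != 0:
        if offset + 4 > len(msg):
            raise ValueError("truncated payload header")
        nt, _reserved, length = struct.unpack_from("!BBH", msg, offset)
        if length < 4 or offset + length > len(msg):
            raise ValueError("bad payload length")
        yield next_type, msg[offset + 4: offset + length]
        next_type, offset = nt, offset + length

def nat_t_versions(msg: bytes):
    """Labels of the NAT-T vendor IDs advertised in an ISAKMP message."""
    return [KNOWN_VIDS.get(body, "unknown VID " + body.hex())
            for ptype, body in parse_payloads(msg) if ptype == PAYLOAD_VID]

def build_message(vid_names):
    """Construct a minimal main-mode ISAKMP message carrying only VID payloads (sample input)."""
    bodies = [hashlib.md5(n.encode()).digest() for n in vid_names]
    chain = b""
    for i, b in enumerate(bodies):
        nxt = PAYLOAD_VID if i + 1 < len(bodies) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(b)) + b
    first = PAYLOAD_VID if bodies else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\0" * 8, first, 0x10, 2, 0, 0,
                      ISAKMP_HDR_LEN + len(chain))
    return hdr + chain
```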
For software clients connecting to Cisco IOS 12.3(8.3) through 12.3(9) or 12.3(8.3)T through 12.3(9.2)T gateways, there is no workaround. Use the same version of Cisco IOS on peers negotiating with each other.
The problem is resolved in the following releases:
12.3(9.4) or later
12.3(9.3)T or later
CSCee50311
Support for NAT-T v7 impacts interoperability
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC).