Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS]Possible Issues with NAT-Traversal Draft-02



Article ID: KB7813 KB Last Updated: 12 Aug 2013Version: 5.0
Beginning with ScreenOS 5.1.0, NAT Traversal Draft-02, which uses UDP port 4500, is supported. This could cause an issue in some NAT-T environments.
  • Aggressive mode
  • NAT-T  / NAT Traversal
  • UDP port 4500
  • Dial-Up VPN
  • Remote Client / NSR / NetScreen-Remote Client

Symptoms & Errors:

  • Upgrading to ScreenOS 5.1.0 breaks aggressive mode VPNs with NAT-Traversal

In ScreenOS 5.1.0 and higher, when ScreenOS detects a NAT Traversal packet, it forces the IKE Negotiation packet to use UDP port 4500, instead of UDP port 500.  If the upstream router has an access list that blocks UDP port 4500, this breaks any NAT Traversal VPN from establishing.  The resolution is to add an access list policy on the upstream router to allow UDP port 4500 for NAT Traversal IKE packets.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search