https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760035#M980308 <HTML><HEAD></HEAD><BODY><P> it seems that phase 1 negotiation is failing. </P><P>The logs show that after the PIX sends out the first MM isakmp packet, it never sees anything back from the remote peer. </P><P></P><P>Possible reasons:</P><P> </P><P>1. make sure the isakmp policy is matching the other side.</P><P>2. make sure the preshared key is set correctly.</P><P>3. make sure there is no device in the middle blocking UDP/500 packets.</P><P></P></BODY></HTML> Fri, 25 May 2007 20:55:09 GMT mchin345 2007-05-25T20:55:09Z https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760034#M980306 <P>I have numerous IPSec VPNs via my PIX Version 6.3(5)working.</P><P>A new tunnel is being set up and the connection is not being made.</P><P>What is a payload # 11 ?</P><P>The pertinent debug messages are</P><P></P><P>ISAKMP (0): beginning Main Mode exchange</P><P>throw: mess_id 0x0</P><P>send_response:</P><P>isakmp_send: ip xx.xx.xx.xx, port 500</P><P></P><P>ISAKMP msg received</P><P>crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:500 dpt:500</P><P>gen_cookie:</P><P>fill_sa_key:isadb_search returned sa = 0x38045ac</P><P></P><P>validate_payload: len 212</P><P>valid_payload:</P><P>ISAKMP_INFO exchange</P><P>process_isakmp_info:</P><P>expect hash payload, got payload#: 11</P><P>error - IKMP_MODE_FAILURE</P><P>return status is IKMP_NO_ERR_NO_TRANS </P><P></P><P></P><P>Thanks.</P><P>Jacob</P> Mon, 11 Mar 2019 10:17:49 GMT https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760034#M980306 jvanwa1 2019-03-11T10:17:49Z https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760035#M980308 <HTML><HEAD></HEAD><BODY><P> it seems that phase 1 negotiation is failing. </P><P>The logs show that after the PIX sends out the first MM isakmp packet, it never sees anything back from the remote peer. </P><P></P><P>Possible reasons:</P><P> </P><P>1. make sure the isakmp policy is matching the other side.</P><P>2. make sure the preshared key is set correctly.</P><P>3. make sure there is no device in the middle blocking UDP/500 packets.</P><P></P></BODY></HTML> Fri, 25 May 2007 20:55:09 GMT https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760035#M980308 mchin345 2007-05-25T20:55:09Z https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760036#M980309 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P>I will check the settings on the other end.</P><P></P><P>Jacob</P></BODY></HTML> Fri, 25 May 2007 21:05:06 GMT https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760036#M980309 jvanwa1 2007-05-25T21:05:06Z https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760037#M980311 <HTML><HEAD></HEAD><BODY><P>hello,</P><P></P><P>also beside as suggested check the acl's on both FW, both side acl's should match in a reverse order form. </P><P></P><P>HTH, please rate it </P></BODY></HTML> Sat, 26 May 2007 12:13:03 GMT https://community.cisco.com/t5/network-security/expect-hash-payload-got-payload-11/m-p/760037#M980311 zulqurnain 2007-05-26T12:13:03Z