TCC_2

Core issue

This issue is due to the presence of Cisco bug ID CSCsb48916.

When you configure IPSec LAN-to-LAN tunnels with manual keys and specify Advanced Encryption Standard (AES) with 256-bit encryption (esp-aes-256) in the transform set, the encapsulation fails.

Resolution

To resolve this issue, perform one of these steps:

  • Change the IPSec keying method from IPSec to Internet Security Association and Key Management Protocol (ISAKMP).

  • Change the transform set to use an encryption type other than esp-aes-256 (such as esp-aes), or use ISAKMP for tunnel negotiation.

  • Upgrade to PIX Firewall version 6.3(5.103) or the latest available version.

For more information, refer to the crypto ipsec transform-set command.
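To find which tunnels in a saved configuration match the failing combination described above, the following added example (not Cisco code) flags crypto map entries that use manual keying together with a transform set containing esp-aes-256. The sample configuration is constructed, and the `crypto map ... ipsec-manual`, `ipsec-isakmp` and `set transform-set` line forms are assumed to follow PIX 6.3 syntax.

```python
# Constructed sample PIX configuration; names and addresses are illustrative.
SAMPLE_CONFIG = """\
crypto ipsec transform-set STRONG esp-aes-256 esp-sha-hmac
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-manual
crypto map VPN 10 set peer 192.0.2.2
crypto map VPN 10 set transform-set STRONG
crypto map VPN 20 ipsec-isakmp
crypto map VPN 20 set peer 192.0.2.3
crypto map VPN 20 set transform-set STRONG
crypto map VPN 30 ipsec-manual
crypto map VPN 30 set peer 192.0.2.4
crypto map VPN 30 set transform-set AES128
crypto map VPN interface outside
"""


def find_affected_entries(config):
    """Return sorted (map, seq, transform-set) tuples for manual-key
    crypto map entries whose transform set includes esp-aes-256."""
    transforms = {}  # transform-set name -> list of transforms
    keying = {}      # (map, seq) -> "ipsec-manual" or "ipsec-isakmp"
    sets_used = {}   # (map, seq) -> transform-set names referenced
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 4:
            transforms[tok[3]] = tok[4:]
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            entry = (tok[2], tok[3])
            if tok[4] in ("ipsec-manual", "ipsec-isakmp"):
                keying[entry] = tok[4]
            elif tok[4:6] == ["set", "transform-set"]:
                sets_used.setdefault(entry, []).extend(tok[6:])
    hits = []
    for entry, names in sets_used.items():
        if keying.get(entry) != "ipsec-manual":
            continue  # ISAKMP-negotiated entries are not the failing case
        for name in names:
            if "esp-aes-256" in transforms.get(name, []):
                hits.append((entry[0], entry[1], name))
    return sorted(hits)


if __name__ == "__main__":
    for map_name, seq, ts in find_affected_entries(SAMPLE_CONFIG):
        print(f"crypto map {map_name} {seq}: manual keys with esp-aes-256 ({ts})")
```

Each flagged entry is a candidate for one of the resolution steps above: move it to ISAKMP, change its transform set, or upgrade the firewall.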
