Showing results for 
Search instead for 
Did you mean: 

Cisco Router to VPN Concentrator IPSec tunnel issue

I have been trying to establish an IPSec tunnel between Cisco 3030 VPN concentrator and Cisco 2611XM router.

The problem I am facing is that I am able to establish the tunnel in one direction only i.e from router to concentrator. If I initiate traffic in the other direction first, then this also is not happening.

I am attaching the error messages I am getting on both the devices.


*Mar 1 02:31:43.322: ISAKMP: Error: payload length of VENDOR 0 < 4

*Mar 1 02:31:43.322: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

VPN Concentrator:

62134 10/14/2004 13:44:57.070 SEV=8 IKEDBG/0 RPT=29427

RECEIVED Message (msgid=0) with payloads :

HDR + SA (1) + VENDOR (13) + UNKNOWN (89), *** ERROR ***

total length : 84

62136 10/14/2004 13:44:57.070 SEV=6 IKE/0 RPT=64955

Invalid packet detected!

Thanks in advance for your help.

Frequent Contributor

The first item to check is to insure that you have a matching isakmp policy on both peers that have an exact match for all vlaues, even for lifetime ones. That is if one peer can negotiate 3des encrpt with an md5 hash, pre-share key, no pfs, DH Group 2 and a lifetime in sec. of 28800, then the other peer has an exact match in one of its policies.

The next item to do is to run a debug crypto isakmp command on the 2611XM. Then while debug is running, initiate a IPSec conn from conc-to-2611, then clear the SA's (clear cry isa sa, and clear cry sa - run them both to clear phase 1 and 2), and then initiate a connection from 2611-to-conc. Post the logs here if you are still having a problem after you validated the isakmp policies.

Please post the level of code are you running on the vpn concentrator and 2611XM devices too.


I have crosschecked the isakmp policy on both peers. They are matching infact. I have attached the logs from the 2611.

One more thing I noticed is that eventhough the tunnel is getting established from 2611 to Conc, it is getting automatically disconnected in an intreval of about 1 to 2 minutes. I have attached the logs at the time of disconnection too.

The code I am running is

2611-->12.3(9) Advanced Enterprise


Frequent Contributor

Are there any firewalls between the 2611 and the vpn concentrator?

Can you post the relevant parts of the configs of the 2611 and the concentrator that pertains to the VPN connections?


I had raised a TAC case for the same.

This was as IOS issue in 2611. Once I changed the IOS to newer version, it worked fine.


Content for Community-Ad
This widget could not be displayed.