Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
0
Helpful
4
Replies

Cisco Router to VPN Concentrator IPSec tunnel issue

shijogeorge
Level 1
Level 1

‎10-13-2004 11:52 PM - edited ‎02-21-2020 01:23 PM

I have been trying to establish an IPSec tunnel between Cisco 3030 VPN concentrator and Cisco 2611XM router.

The problem I am facing is that I am able to establish the tunnel in one direction only i.e from router to concentrator. If I initiate traffic in the other direction first, then this also is not happening.

I am attaching the error messages I am getting on both the devices.

Router:

*Mar 1 02:31:43.322: ISAKMP: Error: payload length of VENDOR 0 < 4

*Mar 1 02:31:43.322: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.1.1.1 failed its sanity check or is malformed

VPN Concentrator:

62134 10/14/2004 13:44:57.070 SEV=8 IKEDBG/0 RPT=29427 2.2.2.2

RECEIVED Message (msgid=0) with payloads :

HDR + SA (1) + VENDOR (13) + UNKNOWN (89), *** ERROR ***

total length : 84

62136 10/14/2004 13:44:57.070 SEV=6 IKE/0 RPT=64955 2.2.2.2

Invalid packet detected!

Thanks in advance for your help.

Labels:
0 Helpful
4 Replies 4

ehirsel
Level 6
Level 6

‎10-15-2004 07:22 PM

The first item to check is to insure that you have a matching isakmp policy on both peers that have an exact match for all vlaues, even for lifetime ones. That is if one peer can negotiate 3des encrpt with an md5 hash, pre-share key, no pfs, DH Group 2 and a lifetime in sec. of 28800, then the other peer has an exact match in one of its policies.

The next item to do is to run a debug crypto isakmp command on the 2611XM. Then while debug is running, initiate a IPSec conn from conc-to-2611, then clear the SA's (clear cry isa sa, and clear cry sa - run them both to clear phase 1 and 2), and then initiate a connection from 2611-to-conc. Post the logs here if you are still having a problem after you validated the isakmp policies.

Please post the level of code are you running on the vpn concentrator and 2611XM devices too.

0 Helpful

shijogeorge
Level 1
Level 1
In response to ehirsel

‎10-18-2004 02:36 AM

I have crosschecked the isakmp policy on both peers. They are matching infact. I have attached the logs from the 2611.

One more thing I noticed is that eventhough the tunnel is getting established from 2611 to Conc, it is getting automatically disconnected in an intreval of about 1 to 2 minutes. I have attached the logs at the time of disconnection too.

The code I am running is

2611-->12.3(9) Advanced Enterprise

Conc-->4.0.1

26968-2611 to Conc.log
0 Helpful

ehirsel
Level 6
Level 6
In response to shijogeorge

‎10-24-2004 06:00 PM

Are there any firewalls between the 2611 and the vpn concentrator?

Can you post the relevant parts of the configs of the 2611 and the concentrator that pertains to the VPN connections?

0 Helpful

shijogeorge
Level 1
Level 1
In response to ehirsel

‎10-25-2004 04:04 AM

I had raised a TAC case for the same.

This was as IOS issue in 2611. Once I changed the IOS to newer version, it worked fine.

Thanks.

0 Helpful
Customers Also Viewed These Support Documents