
New IOSes - PIX IPSec compatibility problem

ovt
Level 4

Hi!

Are the new 12.3 IOSes compatible with the older ones and the PIX OS?

When I try to establish an IPSec tunnel from the PIX 6.3(4) to the 12.3(9) IOS, I constantly get:

702208: ISAKMP Phase 1 exchange started (local 172.16.1.10 (initiator), remote 172.16.2.1)

702206: ISAKMP malformed payload received (local 172.16.1.10 (initiator), remote 172.16.2.1)

on the PIX side and:

*Mar 7 02:07:17.985 MSK: ISAKMP (0:3): atts are acceptable. Next payload is 0

*Mar 7 02:07:18.146 MSK: ISAKMP (0:3): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 7 02:07:18.146 MSK: ISAKMP (0:3): Old State = IKE_R_MM1 New State = IKE_R_MM1

*Mar 7 02:07:18.150 MSK: ISAKMP: Error: payload length of VENDOR 0 < 4

*Mar 7 02:07:18.150 MSK: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.1.10 failed its sanity check or is malformed

on the IOS side. When the tunnel is initiated from the IOS side everything is ok. Also, I saw the same behaviour between 12.2(8)T and 12.3(9). Could anybody explain this?

Thx.

1 Reply

llascare
Level 1

There's a bug on the 12.3.9 IOS regarding this. To solve the issue, upgrade the IOS to 12.3.9a, which is already available on the website and resolved. NAT-T version 7 is implemented in this version, so the other devices don't understand that.
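
The IOS debug line in the question ("payload length of VENDOR 0 < 4") reports a Vendor ID payload whose length field is smaller than the 4-byte ISAKMP generic payload header. The following is an added example, not code from the thread or from Cisco: a payload-chain walker that applies the same length check, assuming the RFC 2408 header layout; `walk_payloads`, `build` and the sample messages are constructed for illustration.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msg id, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length (header included)
NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 13: "VENDOR"}

def walk_payloads(msg):
    """Walk the payload chain; return (list of (name, length), error or None)."""
    if len(msg) < ISAKMP_HDR.size:
        return [], "message shorter than ISAKMP header"
    _, _, nxt, _, _, _, _, total = ISAKMP_HDR.unpack_from(msg)
    if total != len(msg):
        return [], f"header length {total} != datagram length {len(msg)}"
    offset, seen = ISAKMP_HDR.size, []
    while nxt != 0:
        name = NAMES.get(nxt, str(nxt))
        if offset + GENERIC_HDR.size > len(msg):
            return seen, f"payload header of {name} runs past end of message"
        following, _, length = GENERIC_HDR.unpack_from(msg, offset)
        # The length field counts the 4-byte generic header, so anything
        # smaller cannot be valid and would stall or misalign the walk.
        if length < GENERIC_HDR.size:
            return seen, f"payload length of {name} {length} < {GENERIC_HDR.size}"
        if offset + length > len(msg):
            return seen, f"payload {name} runs past end of message"
        seen.append((name, length))
        offset, nxt = offset + length, following
    return seen, None

def build(payloads):
    """Constructed test message from (type, body, length_override) tuples."""
    body = b""
    for i, (ptype, data, override) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        length = GENERIC_HDR.size + len(data) if override is None else override
        body += GENERIC_HDR.pack(nxt, 0, length) + data
    # Version 1.0, exchange type 2 (Identity Protection, i.e. main mode).
    hdr = ISAKMP_HDR.pack(b"I" * 8, b"\0" * 8, payloads[0][0], 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body

# Constructed samples: the SA body is placeholder bytes, not a real proposal.
GOOD = build([(1, b"\0" * 8, None), (13, b"constructed-vid", None)])
BAD = build([(1, b"\0" * 8, None), (13, b"", 0)])  # Vendor ID with length field 0

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("bad", BAD)):
        print(label, walk_payloads(msg))
```
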