12-25-2011 05:25 PM - edited 02-21-2020 05:47 PM
I am using a PKI method for authentication for a VPN I am setting up. I have imported both the CA and identity keys into the client and the ASA, but the tunnel
is not being built. Here is the debug output from the Cisco VPN client:
91 18:17:38.747 12/25/11 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
92 18:17:38.748 12/25/11 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
93 18:17:38.753 12/25/11 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
94 18:17:38.755 12/25/11 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
----------------------------------------------------------------------------------------------------
Here is the debug output from the ASA:
ASA# Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)
ASA# Dec 25 18:22:02 [IKEv1]: IP = 75.70.229.139, Received encrypted packet with no matching SA, dropping
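Added example, not from the original post and not Cisco code, to show how the client-side and ASA-side messages above fit together. The ASA's "missing SA payload" line comes from its IKEv1 decoder: a clear-text message whose cookies match no existing phase-1 SA is handled as the first message of a new exchange, and that message has to begin with an SA payload. Payload type 132 lies in the private-use range of ISAKMP payload types and is the value the Cisco VPN client uses for its IKE fragmentation payload, which comes into play once certificate-carrying phase-1 messages exceed the path MTU. The ASA's last line, "Received encrypted packet with no matching SA", says the same thing about the encrypted packets. Read together, the ASA has no phase-1 SA for the cookies the client is still using, while the client believes that SA is already in its encrypted state; the clear-text NOTIFY the ASA sends back is what the client logs as "un-encrypted ISAKMP packet, but our SA is crypto active". The decoder below parses the RFC 2408 header and generic payload chain and reproduces both peers' decisions on constructed messages; the fragment body is a simplified stand-in for the real format, and none of the bytes are captured traffic.

```python
"""IKEv1 (ISAKMP) header and payload-chain decoder.

Added example, not part of the original thread and not Cisco code.  The
header and generic payload layouts follow RFC 2408 sections 3.1 and 3.2.
Payload type 132 is the private-use value the Cisco VPN client uses for
its IKE fragmentation payload; the fragment body built below is a
simplified stand-in, not the real format.  All messages are constructed
here, not captured from the poster's network.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next, version, exchange, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length
FLAG_ENCRYPTION = 0x01                     # E bit of the flags octet
PT_NONE, PT_SA, PT_ID, PT_NOTIFY, PT_VID = 0, 1, 5, 11, 13
PT_CISCO_FRAG = 132

PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    15: "NAT-D", 16: "NAT-OA", 130: "NAT-D(draft)", 131: "NAT-OA(draft)",
    132: "CISCO-FRAG",
}


def parse_header(msg):
    """Return the fixed 28-byte ISAKMP header as a dict."""
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    keys = ("icookie", "rcookie", "next_payload", "version", "exchange",
            "flags", "msgid", "length")
    hdr = dict(zip(keys, ISAKMP_HDR.unpack_from(msg)))
    if hdr["length"] != len(msg):
        raise ValueError("header length does not match datagram")
    return hdr


def walk_payloads(msg, first):
    """Follow the generic payload headers and return the list of payload types."""
    off, nxt, types = ISAKMP_HDR.size, first, []
    while nxt != PT_NONE:
        if off + GENERIC_HDR.size > len(msg):
            raise ValueError("payload chain runs past end of message")
        following, _reserved, plen = GENERIC_HDR.unpack_from(msg, off)
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        types.append(nxt)
        nxt, off = following, off + plen
    return types


def build_message(payloads, flags=0, msgid=0, exchange=2, rcookie=b"\x00" * 8):
    """Assemble HDR + payloads; payloads is a list of (type, body) tuples."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else PT_NONE
        body += GENERIC_HDR.pack(following, 0, GENERIC_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PT_NONE
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, rcookie, first, 0x10, exchange, flags,
                          msgid, ISAKMP_HDR.size + len(body))
    return hdr + body


def responder_check(msg, have_phase1_sa):
    """What a responder (the ASA) does with an inbound message, as a string.

    With no phase-1 SA for the cookies, every clear-text message is taken
    as the start of a new exchange and must begin with an SA payload; a
    fragment of what the client considers an encrypted message fails that.
    """
    hdr = parse_header(msg)
    if hdr["flags"] & FLAG_ENCRYPTION:
        if have_phase1_sa:
            return "decrypt and process"
        return "Received encrypted packet with no matching SA, dropping"
    types = walk_payloads(msg, hdr["next_payload"])
    if not have_phase1_sa and types[:1] != [PT_SA]:
        return "Header invalid, missing SA payload! (next payload = %d)" % hdr["next_payload"]
    return "process " + " + ".join(PAYLOAD_TYPES.get(t, str(t)) for t in types)


def initiator_check(msg, crypto_active):
    """What the client does with a reply once its own SA is in the encrypted state."""
    hdr = parse_header(msg)
    if crypto_active and not hdr["flags"] & FLAG_ENCRYPTION:
        return "Received un-encrypted ISAKMP packet, but our SA is crypto active"
    return "accept"


# Constructed sample messages (not captured traffic).
MM1 = build_message([(PT_SA, struct.pack("!II", 1, 1) + b"\x00" * 8),  # DOI, SIT, stub proposal
                     (PT_VID, b"\xaa" * 16)])
RC = b"\x22" * 8  # responder cookie once the exchange is under way
FRAG = build_message([(PT_CISCO_FRAG, struct.pack("!HBB", 1, 1, 0) + b"\xcc" * 40)], rcookie=RC)
ENC = build_message([(PT_ID, b"\xcc" * 12)], flags=FLAG_ENCRYPTION, rcookie=RC)
NOTIFY = build_message([(PT_NOTIFY, struct.pack("!IBBH", 1, 1, 0, 16))], rcookie=RC)  # 16 = PAYLOAD-MALFORMED

if __name__ == "__main__":
    for name, msg in (("MM1", MM1), ("FRAG", FRAG), ("ENC", ENC)):
        print(name, "->", responder_check(msg, have_phase1_sa=False))
    print("client <- NOTIFY:", initiator_check(NOTIFY, crypto_active=True))
```

The debug excerpt starts after the SA was already lost, so it does not show why the ASA dropped or never completed phase 1. A `debug crypto isakmp 127` on the ASA taken from the very start of a fresh connection attempt would show the earlier Main Mode messages and any certificate validation failure that preceded these lines.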
12-25-2011 05:44 PM
Here is my running config:
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.0.0.22
name-server 10.0.0.21
domain-name technowledge.local
same-security-traffic permit intra-interface
object-group service Ricks_House tcp
description Remote Desktop
port-object range ftp-data ftp
port-object eq 3389
port-object eq www
port-object eq https
port-object eq 8200
port-object eq 5832
object-group service Bomgar tcp-udp
description Bomgar
port-object eq 8200
port-object eq 443
port-object eq www
port-object eq 5832
object-group service DM_INLINE_TCP_2 tcp
group-object Bomgar
group-object Ricks_House
object-group service BOMGAR
description help for support
service-object tcp eq 8200
service-object tcp eq www
service-object tcp eq https
object-group service RDP tcp
group-object Ricks_House
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list 101 extended permit ip any any
DM_INLINE_TCP_1
access-list hola_splitTunnelAcl standard permit any
access-list inside_access_in remark Ping to Outside World
access-list inside_access_in remark Ping to Outside World
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Ping to Outside World
access-list inside_access_in remark Ping to Outside World
access-list technowledge_splitTunnelAcl_2 standard permit 10.0.0.0 255.255.255.0
access-list ricks_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.32 255.255.255.224
access-list technowledge_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list technowledge_splitTunnelAcl_1 standard permit 10.0.0.0 255.255.255.0
access-list technowledge_splitTunnelAcl_3 standard permit 10.0.0.0 255.255.255.0
access-list Technowledge_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list Technowledge_splitTunnelAcl_1 standard permit 10.0.0.0 255.255.255.0
access-list technowledge_splitTunnelAcl_4 standard permit 10.0.0.0 255.255.255.0
access-list technowledge_splitTunnelAcl_5 standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging facility 16
logging host inside 10.0.0.111 6/1468
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool test 10.0.0.45-10.0.0.48 mask 255.255.255.0
ip local pool hola 1.1.1.1-1.1.1.10 mask 255.255.0.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0 dns
static (inside,outside) 50.76.141.xxx 10.0.0.19 netmask 255.255.255.255 dns
static (inside,outside) 50.76.141.xxx 10.0.0.21 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 50.76.141.110 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 75.70.0.0 255.255.0.0 outside
http 10.0.0.0 255.255.255.0 inside
snmp-server host outside 75.70.229.139 community chris version 2c
snmp-server location ricks house
snmp-server contact chris russo
snmp-server community chris
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change fru-insert fru-remove
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set pfs
crypto dynamic-map outside_dyn_map 10 set transform-set myset ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint33
enrollment terminal
fqdn
subject-name CN=ASA
no client-types
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
crl configure
crypto ca trustpoint ASDM_TrustPoint34
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint36
fqdn
subject-name CN=ASA
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint35
enrollment terminal
crl configure
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
3082021b 30820184 a0030201 02020101 300d0609 2a864886 f70d0101 04050030
21311f30 1d060355 04031316 4153412e 74656368 6e6f776c 65646765 2e6c6f63
616c301e 170d3131 31323235 30303436 35345a17 0d313431 32323430 30343635
345a3021 311f301d 06035504 03131641 53412e74 6563686e 6f776c65 6467652e
6c6f6361 6c30819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281
81008f97 8f934fb0 714c05b4 fa680d7e e142a452 452ec299 b748c1c6 7712d7f0
d5415a05 c3e9a6df 5299e46b d4427007 3d8cb0ab 81b8cd83 c856ccb7 48cad66f
02766172 cd7f65b6 7e1af4fd 14a5972e f9a8a8aa 269d51c5 2bd34ca1 854fee3b
f2ee723b 1a0c0c50 6b13b57b ae2ed47b 079e8dab 77d4585b 33d50ad0 10c59474
27dd0203 010001a3 63306130 0f060355 1d130101 ff040530 030101ff 300e0603
551d0f01 01ff0404 03020186 301f0603 551d2304 18301680 14c1e2c1 980161ad
c70634da a13f45e3 de66b276 28301d06 03551d0e 04160414 c1e2c198 0161adc7
0634daa1 3f45e3de 66b27628 300d0609 2a864886 f70d0101 04050003 8181000c
2bcdccd2 04c67998 06ffc9c3 04b460c2 defe997b d4f474cf 1ac3cd45 0c7abf7f
e7075da4 8e674380 37a82660 130c76a4 a8e6b459 00cb400d ca37bf6e 02f23d5e
38088e93 a3dcb708 1e2c971e 4b3bf41e 3a397017 afc384f4 542eafc7 a83c5de0
66f70703 103a04b1 ba434233 8f6aae25 04d43e83 fc6a51bb e7d1a4dd 94505a
quit
crypto ca certificate chain ASDM_TrustPoint35
certificate ca 43ef1c287a43519d4a459ce3c0c2dc08
30820385 3082026d a0030201 02021043 ef1c287a 43519d4a 459ce3c0 c2dc0830
0d06092a 864886f7 0d010105 05003055 31153013 060a0992 268993f2 2c640119
16056c6f 63616c31 1c301a06 0a099226 8993f22c 64011916 0c546563 686e6f77
6c656467 65311e30 1c060355 04031315 54656368 6e6f776c 65646765 2d535652
30312d43 41301e17 0d313131 32323332 30313035 355a170d 31363132 32333230
32303534 5a305531 15301306 0a099226 8993f22c 64011916 056c6f63 616c311c
301a060a 09922689 93f22c64 0119160c 54656368 6e6f776c 65646765 311e301c
06035504 03131554 6563686e 6f776c65 6467652d 53565230 312d4341 30820122
300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00934ddd
04242901 384772ab b47815cf c72668a6 b23342a4 8e3d9f8e 5a2ad9ef e0647d08
9e5c9e6e d372f98e 93bbf80a 3aa14699 6d8df3fd e9acca54 d317a5dd 4df53511
6e0f64b5 fde671a2 888aab95 657c2879 a68fed0c d573caaa 12dc107f f86bd4e8
2b1832c0 92cbcf1a 12dda696 30047992 153086d1 79520140 ee146d90 57873b85
565c9620 8d443d08 6f2e3374 a2192cb7 40ed94df 75f35b1e 4b8ae4a1 740107c5
6c2b8014 ef3e8bed 38275ae5 3a937cd8 b557275c 1c533b69 7e2e99b8 62100df5
7dbefe42 0ce6e4f1 81f21c52 878f8507 cdde7687 09492915 7cf53071 d8400d51
dbf981a1 b623b7fb 85236d07 3713b750 70380d4e 5eb0bf7b b21e91d8 8b020301
0001a351 304f300b 0603551d 0f040403 02018630 0f060355 1d130101 ff040530
030101ff 301d0603 551d0e04 16041418 8bc0d462 4ebd997c 6fa26662 994f01a6
0fc24130 1006092b 06010401 82371501 04030201 00300d06 092a8648 86f70d01
01050500 03820101 0053c4cc a0e4b893 3eb918e5 2a452a07 33f410d6 6b61e2f8
a5759d28 e7111972 ea8964b5 1b7e6863 10f45060 69948e8c 7784cab9 d2aac27d
28b045e9 d827bb83 c0ed5a79 fa98d80c f2d67467 27cad3dc bb208357 cf5786b5
8f216a3f 5e42869f 2b39fd5b aa8bd460 259ea590 a7e7e450 a28763f9 c216f644
f82cad8e 06e73be6 da46a685 1af16c60 2c9338ae a641277e ecde50dc 4f6eda39
a4ed5450 4654bd01 aeaa957f 0fa42796 c050afa6 76112a87 1f15bbd6 4ad78a66
d03c42bc 5f20f66d 6f529769 d2eba47c 0583b02a 0e2fc050 0350834f 516f91df
728070e9 446d8db2 bdd49dc4 889ecf76 8cf558c4 7526e0ac b0c75378 5c158e38
bb6d0d9e 5a549576 d8
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 5
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
webvpn
enable outside
group-policy technowledge internal
group-policy technowledge attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value technowledge_splitTunnelAcl_5
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
username chris password CKiu2cbSgTe2jSPt encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool test
address-pool hola
default-group-policy technowledge
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint29
isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication eap-proxy
tunnel-group technowledge type remote-access
tunnel-group technowledge general-attributes
address-pool test
default-group-policy technowledge
tunnel-group technowledge ipsec-attributes
trust-point ASDM_TrustPoint29
!
class-map global-class
match any
!
!
policy-map type inspect netbios Netbios
description check for netbios
parameters
protocol-violation action drop log
policy-map global-policy
class global-class
inspect ftp
!
service-policy global-policy global
smtp-server xxxxxxxxxxxxx
prompt hostname context
Cryptochecksum:e53a8a50932520386331548bd40d3341
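Added example, not part of the thread and not a Cisco tool: a small consistency check over the certificate-authentication parts of a pasted ASA configuration. It keys on the ASA CLI keywords as they appear above and deliberately ignores indentation, which a forum paste loses. Run over the relevant lines of the posted config (CONFIG below is that excerpt), it reports four things a reviewer would raise here: both tunnel-groups reference `trust-point ASDM_TrustPoint29`, and no `crypto ca trustpoint ASDM_TrustPoint29` appears anywhere in the paste (the defined trustpoints are 33, 34, 35, 36 and LOCAL-CA-SERVER); the only trustpoint that carries a certificate chain, ASDM_TrustPoint35, holds a CA certificate and no identity certificate, which `authentication rsa-sig` needs the ASA to present; phase-1 policy 30 is 3DES/MD5; and `no crypto isakmp nat-traversal` is set for a remote-access tunnel group. Whether the running box really lacks the trustpoint cannot be told from a paste, so `show crypto ca certificates` is the first thing to check. The paste also exposes a privilege-15 password hash, the SNMP community string and the management ACLs, which should be redacted before posting.

```python
"""Consistency checks over a pasted ASA configuration.

Added example, not part of the thread and not a Cisco tool.  It keys on
the ASA CLI keywords as they appear in the posted config and ignores
indentation, which a forum paste loses.  CONFIG is an excerpt of the
posted configuration, reduced to the lines the checks look at.
"""
import re
from collections import defaultdict

CONFIG = """\
ip local pool test 10.0.0.45-10.0.0.48 mask 255.255.255.0
crypto ca trustpoint ASDM_TrustPoint35
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint35
certificate ca 43ef1c287a43519d4a459ce3c0c2dc08
30820385 3082026d a0030201 02021043 ef1c287a 43519d4a 459ce3c0 c2dc0830
quit
crypto isakmp identity hostname
crypto isakmp policy 30
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
tunnel-group technowledge type remote-access
tunnel-group technowledge general-attributes
address-pool test
default-group-policy technowledge
tunnel-group technowledge ipsec-attributes
trust-point ASDM_TrustPoint29
"""

BLOCK_OPENERS = (
    ("trustpoint", re.compile(r"crypto ca trustpoint (\S+)")),
    ("chain", re.compile(r"crypto ca certificate chain (\S+)")),
    ("policy", re.compile(r"crypto isakmp policy (\d+)")),
    ("tunnel-group", re.compile(r"tunnel-group (\S+) \S+-attributes")),
)
# Sub-commands that belong to the open block; any other line closes it.
SUBCOMMANDS = ("enrollment", "fqdn", "subject-name", "no client-types", "crl",
               "keypair", "certificate", "quit", "authentication", "encryption",
               "hash", "group ", "lifetime", "address-pool",
               "default-group-policy", "trust-point", "isakmp")
HEX_LINE = re.compile(r"[0-9a-f]{8}( [0-9a-f]{1,8})*")  # certificate body lines
LEGACY_PHASE1 = ("hash md5", "encryption des", "encryption 3des")


def parse_blocks(text):
    """Return ({(kind, name): [sub-commands]}, [top-level commands])."""
    blocks, top, current = defaultdict(list), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        opened = False
        for kind, pat in BLOCK_OPENERS:
            m = pat.fullmatch(line)
            if m:
                current, opened = (kind, m.group(1)), True
                break
        if opened:
            continue
        if current and (line.startswith(SUBCOMMANDS) or HEX_LINE.fullmatch(line)):
            blocks[current].append(line)
        else:
            current = None
            top.append(line)
    return blocks, top


def lint(text):
    """Return a list of findings for the IKEv1 certificate-auth setup."""
    blocks, top = parse_blocks(text)
    findings = []
    trustpoints = {name for (kind, name) in blocks if kind == "trustpoint"}
    # A chain with a plain "certificate <serial>" line holds an identity cert;
    # "certificate ca <serial>" is only the issuing CA.
    with_identity = {name for (kind, name), lines in blocks.items() if kind == "chain"
                     and any(re.fullmatch(r"certificate [0-9a-f]+", l) for l in lines)}
    pools = {m.group(1) for m in map(re.compile(r"ip local pool (\S+)").match, top) if m}
    if "no crypto isakmp nat-traversal" in top:
        findings.append("NAT-T disabled: remote-access clients behind NAT "
                        "cannot fall back to UDP/4500 encapsulation")
    for (kind, name), lines in blocks.items():
        if kind == "policy":
            legacy = [l for l in lines if l in LEGACY_PHASE1]
            if legacy:
                findings.append("isakmp policy %s: legacy algorithms %s" % (name, legacy))
        elif kind == "tunnel-group":
            for line in lines:
                verb, _, arg = line.partition(" ")
                if verb == "trust-point":
                    if arg not in trustpoints:
                        findings.append("tunnel-group %s: trust-point %s is not defined" % (name, arg))
                    elif arg not in with_identity:
                        findings.append("tunnel-group %s: trust-point %s has no identity "
                                        "certificate (CA certificate only, or none)" % (name, arg))
                elif verb == "address-pool" and arg not in pools:
                    findings.append("tunnel-group %s: address-pool %s is not defined" % (name, arg))
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print("-", finding)
```

Pointing the tunnel-group at ASDM_TrustPoint35 instead changes the finding from "not defined" to "no identity certificate", which is the other half of what rsa-sig needs: the trustpoint must hold both the CA chain and the ASA's own enrolled certificate.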