01-05-2004 07:51 AM - edited 02-21-2020 12:59 PM
Hi Everyone, I have a lab with three 2500-series routers running IOS 12.2. I have set up an IPsec VPN between the far-side routers, but the IPsec SA is not establishing. After debugging ISAKMP to see if they establish phase 1, I get the following error:
03:52:45: ISAKMP: reserved not zero on ID payload!
03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed
Here is the complete debug:
Boston#debug crypto isakmp
03:52:34: ISAKMP (0:0): received packet from 172.16.0.100 (N) NEW SA
03:52:34: ISAKMP: local port 500, remote port 500
03:52:34: ISAKMP (0:2): processing SA payload. message ID = 0
03:52:34: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100
03:52:34: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 105 policy
03:52:34: ISAKMP: encryption DES-CBC
03:52:34: ISAKMP: hash MD5
03:52:34: ISAKMP: default group 2
03:52:34: ISAKMP: auth pre-share
03:52:34: ISAKMP: life type in seconds
03:52:34: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
03:52:34: ISAKMP (0:2): atts are acceptable. Next payload is 0
03:52:36: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
03:52:36: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_SA_SETUP
03:52:39: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_SA_SETUP
03:52:39: ISAKMP (0:2): processing KE payload. message ID = 0
03:52:42: ISAKMP (0:2): processing NONCE payload. message ID = 0
03:52:42: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100
03:52:42: ISAKMP (0:2): SKEYID state generated
03:52:42: ISAKMP (0:2): processing vendor id payload
03:52:42: ISAKMP (0:2): speaking to another IOS box!
03:52:42: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH
03:52:45: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH
03:52:45: ISAKMP: reserved not zero on ID payload!
03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed
03:52:45: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED
03:52:45: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH
03:52:45: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
03:52:45: ISAKMP (0:1): purging SA., sa=36B920, delme=36B920
03:52:46: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
03:52:46: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
03:52:46: ISAKMP (0:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
03:52:46: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH
03:52:46: ISAKMP: reserved not zero on ID payload!
03:52:46: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED
03:52:46: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH
03:52:46: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
03:52:47: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
03:52:47: ISAKMP (0:2): peer does not do paranoid keepalives.
03:52:47: ISAKMP (0:2): deleting SA reason "death by retransmission P1" state (R) MM_KEY_EXCH (peer 172.16.0.100) input queue 0
03:52:48: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE
03:52:58: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE
03:53:47: ISAKMP (0:2): purging SA., sa=36BE64, delme=36BE64
01-05-2004 11:52 AM
According to the following Cisco link, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#zero, the first message means the pre-shared keys don't match. They must be the same on each end.
The second means that an ISAKMP message failed verification for the correct length. The following is from Cisco's error decoder:
1. %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from [IP_address] failed its sanity check or is malformed
A quick verification check is done on all received ISAKMP messages to ensure that all component payload types are valid and that the sum of their individual lengths equals the total length of the received message. This message indicates a failed verification check. Persistently bad messages could mean a denial-of-service attack or bad decryption.
Recommended Action: Contact the administrator of the remote peer.
Hope that helps.
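To make the two checks in that reply concrete, here is an added example (not from this thread, the Cisco note, or IOS itself) that parses a plaintext ISAKMP message the way the sanity check described above works: every payload type must be known, the RESERVED byte of each generic payload header must be zero, and the chained payload lengths must add up exactly to the length in the ISAKMP header. The sample messages are constructed; the "garbled" one simulates what the responder sees in MM_KEY_EXCH when the ID payload was decrypted with a key derived from the wrong pre-shared secret, which is why Cisco's note ties "reserved not zero on ID payload" to a key mismatch.

```python
import struct

ISAKMP_HDR_LEN = 28   # RFC 2408 section 3.1 header size
PAYLOAD_HDR_LEN = 4   # generic payload header: next(1) reserved(1) length(2)

# Payload type numbers from RFC 2408 (subset used by IKEv1 main mode).
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
HDR_FMT = "!8s8sBBBBII"  # icookie, rcookie, next, version, exchange, flags, msg id, length


def build_payload(next_payload, body, reserved=0, length=None):
    """Generic ISAKMP payload; reserved/length can be overridden to build bad samples."""
    plen = PAYLOAD_HDR_LEN + len(body) if length is None else length
    return struct.pack("!BBH", next_payload, reserved, plen) + body


def build_message(first_payload, payloads, exchange_type=2, flags=0, msg_id=0):
    """ISAKMP header (constructed cookies, version 1.0, identity protection exchange) + payloads."""
    body = b"".join(payloads)
    hdr = struct.pack(HDR_FMT, b"\x01" * 8, b"\x02" * 8, first_payload, 0x10,
                      exchange_type, flags, msg_id, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def sanity_check(msg):
    """Return (ok, reason). Mirrors the verification described in the Cisco error decoder:
    valid payload types, zero reserved bytes, payload lengths that chain exactly to the
    total length carried in the header."""
    if len(msg) < ISAKMP_HDR_LEN:
        return False, "message shorter than ISAKMP header"
    _ic, _rc, next_payload, _ver, _exch, _flags, _mid, length = struct.unpack(
        HDR_FMT, msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        return False, f"header length {length} != received {len(msg)}"
    off = ISAKMP_HDR_LEN
    while next_payload != 0:
        if next_payload not in PAYLOAD_TYPES:
            return False, f"unknown payload type {next_payload} at offset {off}"
        if off + PAYLOAD_HDR_LEN > length:
            return False, f"payload header at offset {off} runs past end of message"
        nxt, reserved, plen = struct.unpack("!BBH", msg[off:off + PAYLOAD_HDR_LEN])
        name = PAYLOAD_TYPES[next_payload]
        if reserved != 0:
            return False, f"reserved not zero on {name} payload"
        if plen < PAYLOAD_HDR_LEN or off + plen > length:
            return False, f"{name} payload length {plen} overruns message"
        off += plen
        next_payload = nxt
    if off != length:
        return False, f"payload lengths sum to {off}, header says {length}"
    return True, "ok"


def good_identity_message():
    """Main mode message 5 as the responder sees it after decryption: ID + HASH (constructed)."""
    # ID_IPV4_ADDR (1), protocol UDP (17), port 500, address 172.16.0.100 from the thread.
    id_body = struct.pack("!BBH4s", 1, 17, 500, bytes([172, 16, 0, 100]))
    hash_body = bytes(16)  # MD5-sized HASH_I placeholder, constructed
    return build_message(5, [build_payload(8, id_body), build_payload(0, hash_body)])


def garbled_identity_message():
    """Simulate decryption with the wrong pre-shared key: the header is fine, the body is noise."""
    good = good_identity_message()
    return good[:ISAKMP_HDR_LEN] + bytes(b ^ 0x5A for b in good[ISAKMP_HDR_LEN:])


def bad_length_message():
    """HASH payload that claims one byte more than it carries: lengths no longer chain."""
    id_body = struct.pack("!BBH4s", 1, 17, 500, bytes([172, 16, 0, 100]))
    return build_message(5, [build_payload(8, id_body),
                             build_payload(0, bytes(16), length=PAYLOAD_HDR_LEN + 16 + 1)])


if __name__ == "__main__":
    for label, m in (("good", good_identity_message()),
                     ("wrong-key", garbled_identity_message()),
                     ("bad-length", bad_length_message())):
        print(label, sanity_check(m))
```

Both failures the thread shows map onto this: the wrong-key sample trips the reserved-byte check on the ID payload, and the length sample trips the payload-length check that generates %CRYPTO-4-IKMP_BAD_MESSAGE.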
03-19-2004 09:09 AM
Check your group entry and make sure they match; group 1 is the default.
03-22-2004 01:39 PM
Verify your crypto settings on both devices match, all the way to the SA lifetimes. Run a 'sh run' on both devices and check your crypto statements line by line. If they match and are all correct, remove all the lines, clear your SAs, and apply the lines once again. This way you know you started with a clean slate.
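The line-by-line comparison above is easy to get wrong by hand because attributes that are left out of a policy fall back to IOS defaults (the earlier reply notes that group 1 is the default) and never appear in 'sh run'. The following is an added example, not from this thread, that parses the crypto isakmp section of two sanitized config excerpts, fills in the defaults, and reports which negotiated attributes differ between every policy pair and whether each side holds a key for the other's address. The config excerpts, hostnames, addresses and KEY-PLACEHOLDER values are constructed; the default table reflects IOS behaviour as I know it and is an assumption for other platforms.

```python
import re

# IOS defaults applied when an attribute line is absent from a policy (assumed for non-IOS).
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# Attributes that must agree for phase 1 to select a policy; lifetime need not match.
NEGOTIATED = ("encryption", "hash", "authentication", "group")

# Constructed 'sh run' excerpts for two peers (sanitized).
CONFIG_A = """\
hostname Boston
crypto isakmp policy 105
 encr des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY-PLACEHOLDER address 172.16.0.100
"""

CONFIG_B = """\
hostname Denver
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
crypto isakmp key KEY-PLACEHOLDER address 172.16.0.1
"""


def parse_isakmp(config):
    """Return ({policy_number: attributes}, {peer_address: key}) from an IOS config."""
    policies, keys, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(POLICY_DEFAULTS)   # start from defaults, override below
            policies[int(m.group(1))] = current
            continue
        m = re.match(r"^crypto isakmp key (\S+) address (\S+)", line)
        if m:
            keys[m.group(2)] = m.group(1)
            current = None
            continue
        if line.startswith(" ") and current is not None:
            words = line.split()
            keyword = {"encr": "encryption"}.get(words[0], words[0])  # 'encr' abbreviates 'encryption'
            if keyword in current and len(words) > 1:
                current[keyword] = words[1]
        else:
            current = None   # any unindented line ends the policy block
    return policies, keys


def matching_policies(policies_a, policies_b):
    """Policy pairs whose negotiated attributes agree; empty means phase 1 cannot succeed."""
    return [(na, nb) for na, pa in policies_a.items() for nb, pb in policies_b.items()
            if all(pa[k] == pb[k] for k in NEGOTIATED)]


def explain_mismatch(policies_a, policies_b):
    """One line per policy pair naming the attributes that differ (defaults included)."""
    report = []
    for na, pa in sorted(policies_a.items()):
        for nb, pb in sorted(policies_b.items()):
            diffs = [f"{k}: {pa[k]} vs {pb[k]}" for k in NEGOTIATED if pa[k] != pb[k]]
            report.append(f"policy {na} vs policy {nb}: " + (", ".join(diffs) if diffs else "match"))
    return report


def check_keys(keys_a, keys_b, addr_a, addr_b):
    """Each side needs a key for the other's address, and the two keys must be identical."""
    ka, kb = keys_a.get(addr_b), keys_b.get(addr_a)
    if ka is None or kb is None:
        return False, "missing key for peer address"
    return (ka == kb), ("keys match" if ka == kb else "keys differ")


if __name__ == "__main__":
    pa, ka = parse_isakmp(CONFIG_A)
    pb, kb = parse_isakmp(CONFIG_B)
    print("\n".join(explain_mismatch(pa, pb)))
    print("usable policy pairs:", matching_policies(pa, pb))
    print("pre-shared keys:", check_keys(ka, kb, "172.16.0.1", "172.16.0.100"))
```

On the constructed sample the only difference is the DH group (2 on one side, implicit 1 on the other), which is exactly the kind of silent default the thread warns about.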
09-09-2004 11:23 AM
Hi guys,
I am having the exact same problem. This is part of a hub and spoke VPN network (the hub runs a dynamic crypto map). The IOS version on the remote is 12.3(7)T2, while the hub runs 12.2(13)T3. I have tried all the suggestions above but to no avail. Please see a sample of my debugs below.
*Mar 10 02:25:10: ISAKMP: received ke message (1/1)
*Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. ([local address], [remote address])
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to [ip address] my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to [ip address] my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 10 02:25:28: ISAKMP: received ke message (1/1)
*Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE
*Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it.
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE
*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to [ip address] my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 10 02:25:40: ISAKMP: received ke message (3/1)
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer ip address) input queue 0
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer ip address) input queue 0
*Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for isadb_mark_sa_deleted(), count 0
*Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for [remote ip address]: 824C53A4
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE reason "receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE reason"receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE reason"receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE reason"receive request to delete ike sa"
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 10 02:25:58: ISAKMP: received ke message (3/1)
*Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.
Admittedly, I am at my wits' end with this one. The worst thing is that it has worked in the lab before. The only difference between the lab and field is the internet connection (ADSL pppoe vs. Cable).
Any ideas?
Thanks in advance,
Ade
09-09-2004 04:03 PM
Ok, I have experienced some problems with VPN implementations when the IOS versions are different.
Is that your case?
I hope this helps
mc
09-17-2004 10:24 AM
Can you sanitize and post the configs?