Router to Router VPN-Ipsec error

mariocabrejo
Level 1

Hi everyone, I have a lab with (3) 2500 series routers, IOS 12.2. I have set up an IPsec VPN between the far-side routers, but the IPsec SA is not establishing. After debugging ISAKMP to see if they establish phase 1, I get the following error:

03:52:45: ISAKMP: reserved not zero on ID payload!

03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed

Here is the complete debug:

Boston#debug crypto isakmp

03:52:34: ISAKMP (0:0): received packet from 172.16.0.100 (N) NEW SA

03:52:34: ISAKMP: local port 500, remote port 500

03:52:34: ISAKMP (0:2): processing SA payload. message ID = 0

03:52:34: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100

03:52:34: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 105 policy

03:52:34: ISAKMP: encryption DES-CBC

03:52:34: ISAKMP: hash MD5

03:52:34: ISAKMP: default group 2

03:52:34: ISAKMP: auth pre-share

03:52:34: ISAKMP: life type in seconds

03:52:34: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

03:52:34: ISAKMP (0:2): atts are acceptable. Next payload is 0

03:52:36: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

03:52:36: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_SA_SETUP

03:52:39: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_SA_SETUP

03:52:39: ISAKMP (0:2): processing KE payload. message ID = 0

03:52:42: ISAKMP (0:2): processing NONCE payload. message ID = 0

03:52:42: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100

03:52:42: ISAKMP (0:2): SKEYID state generated

03:52:42: ISAKMP (0:2): processing vendor id payload

03:52:42: ISAKMP (0:2): speaking to another IOS box!

03:52:42: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH

03:52:45: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH

03:52:45: ISAKMP: reserved not zero on ID payload!

03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed

03:52:45: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED

03:52:45: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH

03:52:45: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission

03:52:45: ISAKMP (0:1): purging SA., sa=36B920, delme=36B920

03:52:46: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...

03:52:46: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

03:52:46: ISAKMP (0:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH

03:52:46: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH

03:52:46: ISAKMP: reserved not zero on ID payload!

03:52:46: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED

03:52:46: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH

03:52:46: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission

03:52:47: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...

03:52:47: ISAKMP (0:2): peer does not do paranoid keepalives.

03:52:47: ISAKMP (0:2): deleting SA reason "death by retransmission P1" state (R) MM_KEY_EXCH (peer 172.16.0.100) input queue 0

03:52:48: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE

03:52:58: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE

03:53:47: ISAKMP (0:2): purging SA., sa=36BE64, delme=36BE64

2 Replies

gfullage
Cisco Employee

Already answered in other VPN forum.

This was a redundant round robin personal question.

It worked.....Thanks!
