01-05-2004 06:03 AM - edited 02-21-2020 12:59 PM
Hi everyone, I have a lab with (3) 2500 series routers running IOS 12.2. I have set up an IPsec VPN between the far-side routers, but the IPsec SA is not establishing. After debugging ISAKMP to see if they establish phase 1, I get the following error:
03:52:45: ISAKMP: reserved not zero on ID payload!
03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed
Here is the complete debug:
Boston#debug crypto isakmp
03:52:34: ISAKMP (0:0): received packet from 172.16.0.100 (N) NEW SA
03:52:34: ISAKMP: local port 500, remote port 500
03:52:34: ISAKMP (0:2): processing SA payload. message ID = 0
03:52:34: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100
03:52:34: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 105 policy
03:52:34: ISAKMP: encryption DES-CBC
03:52:34: ISAKMP: hash MD5
03:52:34: ISAKMP: default group 2
03:52:34: ISAKMP: auth pre-share
03:52:34: ISAKMP: life type in seconds
03:52:34: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
03:52:34: ISAKMP (0:2): atts are acceptable. Next payload is 0
03:52:36: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
03:52:36: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_SA_SETUP
03:52:39: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_SA_SETUP
03:52:39: ISAKMP (0:2): processing KE payload. message ID = 0
03:52:42: ISAKMP (0:2): processing NONCE payload. message ID = 0
03:52:42: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100
03:52:42: ISAKMP (0:2): SKEYID state generated
03:52:42: ISAKMP (0:2): processing vendor id payload
03:52:42: ISAKMP (0:2): speaking to another IOS box!
03:52:42: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH
03:52:45: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH
03:52:45: ISAKMP: reserved not zero on ID payload!
03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed
03:52:45: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED
03:52:45: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH
03:52:45: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
03:52:45: ISAKMP (0:1): purging SA., sa=36B920, delme=36B920
03:52:46: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
03:52:46: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1
03:52:46: ISAKMP (0:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
03:52:46: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH
03:52:46: ISAKMP: reserved not zero on ID payload!
03:52:46: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED
03:52:46: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH
03:52:46: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
03:52:47: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...
03:52:47: ISAKMP (0:2): peer does not do paranoid keepalives.
03:52:47: ISAKMP (0:2): deleting SA reason "death by retransmission P1" state (R) MM_KEY_EXCH (peer 172.16.0.100) input queue 0
03:52:48: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE
03:52:58: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE
03:53:47: ISAKMP (0:2): purging SA., sa=36BE64, delme=36BE64
01-05-2004 06:15 PM
Already answered in other VPN forum.
01-07-2004 02:50 PM
This was a redundant round robin personal question.
It worked.....Thanks!