expect hash payload, got payload#: 11

Answered Question
May 21st, 2007

I have numerous IPSec VPNs via my PIX Version 6.3(5) working.

A new tunnel is being set up and the connection is not being made.

What is a payload #11?

The pertinent debug messages are

ISAKMP (0): beginning Main Mode exchange

throw: mess_id 0x0

send_response:

isakmp_send: ip xx.xx.xx.xx, port 500

ISAKMP msg received

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:500 dpt:500

gen_cookie:

fill_sa_key:isadb_search returned sa = 0x38045ac

validate_payload: len 212

valid_payload:

ISAKMP_INFO exchange

process_isakmp_info:

expect hash payload, got payload#: 11

error - IKMP_MODE_FAILURE

return status is IKMP_NO_ERR_NO_TRANS

Thanks.

Jacob
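In ISAKMP (RFC 2408) payload type 11 is the Notification payload, so the debug line above reports an Informational exchange whose first payload was a Notification where the PIX expected a HASH. The sketch below is an added example, not part of the original thread: it decodes the ISAKMP header and payload chain of a captured UDP/500 datagram so the notify type the peer sent can be read; the sample message and its notify value are constructed for illustration.

```python
import struct

# Payload type numbers from RFC 2408, section 3.1.
PAYLOAD_TYPES = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CERT-REQ", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "NOTIFICATION", 12: "DELETE", 13: "VENDOR-ID"}
# A few Notify error types from RFC 2408, section 3.14.1.
NOTIFY_TYPES = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
                18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# Exchange type 2 (Identity Protection) is what IKE uses for Main Mode.
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive", 5: "Informational"}
# Cookies, next payload, version, exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp(msg):
    """Decode the ISAKMP header and walk the cleartext payload chain."""
    if len(msg) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _ic, _rc, nxt, _ver, exch, flags, _mid, length = HEADER.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    result = {"exchange": EXCHANGE_TYPES.get(exch, str(exch)),
              "encrypted": bool(flags & 0x01), "payloads": []}
    if result["encrypted"]:
        return result                   # body is ciphertext; nothing to walk
    off = HEADER.size
    while nxt != 0:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _rsvd, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        entry = {"type": PAYLOAD_TYPES.get(nxt, str(nxt))}
        if nxt == 11:                   # Notification: DOI, protocol, SPI size, type
            if plen < 12:
                raise ValueError("Notification payload too short")
            _doi, _proto, _spi, ntype = struct.unpack_from("!IBBH", msg, off + 4)
            entry["notify"] = NOTIFY_TYPES.get(ntype, str(ntype))
        result["payloads"].append(entry)
        off, nxt = off + plen, following
    return result


def build_sample():
    """Constructed message: cleartext Informational exchange with one Notify."""
    body = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, 14)  # IPsec DOI, ISAKMP, no SPI
    return HEADER.pack(b"\x11" * 8, b"\x22" * 8, 11, 0x10, 5, 0, 0x1234ABCD,
                       HEADER.size + len(body)) + body
```
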

mchin345 Fri, 05/25/2007 - 13:55

It seems that phase 1 negotiation is failing.

The logs show that after the PIX sends out the first MM isakmp packet, it never sees anything back from the remote peer.

Possible reasons:

1. Make sure the isakmp policy is matching the other side.

2. Make sure the preshared key is set correctly.

3. Make sure there is no device in the middle blocking UDP/500 packets.

Correct Answer
zulqurnain Sat, 05/26/2007 - 05:13

hello,

Also, besides what was suggested, check the ACLs on both FWs; both sides' ACLs should match in reverse order.

HTH, please rate it
