expect hash payload, got payload#: 11

jvanwa1
Level 1

I have numerous IPSec VPNs via my PIX Version 6.3(5) working.

A new tunnel is being set up and the connection is not being made.

What is a payload # 11?

The pertinent debug messages are:

ISAKMP (0): beginning Main Mode exchange

throw: mess_id 0x0

send_response:

isakmp_send: ip xx.xx.xx.xx, port 500

ISAKMP msg received

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:500 dpt:500

gen_cookie:

fill_sa_key:isadb_search returned sa = 0x38045ac

validate_payload: len 212

valid_payload:

ISAKMP_INFO exchange

process_isakmp_info:

expect hash payload, got payload#: 11

error - IKMP_MODE_FAILURE

return status is IKMP_NO_ERR_NO_TRANS

Thanks.

Jacob

1 Accepted Solution

zulqurnain
Level 3

Hello,

Also, besides what was suggested, check the ACLs on both firewalls; the ACLs on both sides should match in reverse order.

HTH, please rate it

3 Replies

mchin345
Level 6

It seems that phase 1 negotiation is failing.

The logs show that after the PIX sends out the first MM isakmp packet, it never sees anything back from the remote peer.

Possible reasons:

1. Make sure the ISAKMP policy matches the other side.

2. Make sure the preshared key is set correctly.

3. Make sure there is no device in the middle blocking UDP/500 packets.

Thanks.

I will check the settings on the other end.

Jacob
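
Added example, not part of the original thread or any poster's code: in ISAKMP (RFC 2408) payload type 11 is a Notification payload and type 8 is a Hash payload, so the debug line reports a notify arriving in an Informational exchange without a leading hash. The sketch below decodes such a message to read the notify type; the sample packet is constructed, and which notify the remote peer actually sent in this case is not shown on the page.

```python
import struct

# ISAKMP numbers from RFC 2408 (subset); anything else is shown as its raw integer.
PAYLOADS = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
            11: "NOTIFICATION", 12: "DELETE", 13: "VENDOR-ID"}
EXCHANGES = {2: "Main Mode (Identity Protection)", 4: "Aggressive", 5: "Informational"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION",
          23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED"}

def parse_isakmp(msg: bytes) -> dict:
    """Decode the 28-byte ISAKMP header and any cleartext Notification payloads."""
    if len(msg) < 28:
        raise ValueError("shorter than the ISAKMP header")
    _ic, _rc, nxt, _ver, xchg, flags, _mid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    out = {"exchange": EXCHANGES.get(xchg, xchg), "encrypted": bool(flags & 0x01),
           "first_payload": PAYLOADS.get(nxt, nxt), "notifies": []}
    off = 28
    while nxt != 0 and not out["encrypted"]:  # encrypted bodies cannot be walked
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _rsv, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        if nxt == 11:  # the "payload#: 11" from the debug output
            if plen < 12:
                raise ValueError("notification payload too short")
            # Fixed part after the generic header: DOI, protocol ID, SPI size, notify type
            _doi, _proto, _spi, ntype = struct.unpack("!IBBH", msg[off + 4:off + 12])
            out["notifies"].append(NOTIFY.get(ntype, ntype))
        nxt, off = following, off + plen
    return out

def build_sample() -> bytes:
    """Constructed Informational message with one cleartext notify (not a capture)."""
    # next=NONE, reserved, len=12, DOI=1 (IPsec), proto=1 (ISAKMP), SPI size=0, type=14
    notify = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, 14)
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                         11, 0x10, 5, 0, 0x1234, 28 + len(notify))
    return header + notify

if __name__ == "__main__":
    print(parse_isakmp(build_sample()))
```

Fed the UDP/500 payload from a packet capture of the failing tunnel, the decoded notify type indicates what the remote peer rejected.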
