1811 VPN Not Working

Unanswered Question
Aug 28th, 2008

Many Kudos to the person who figures this one out...

We have a VPN concentrator and about 15 1811's already in the field and working. We can't seem to get the latest one to work properly. We initially thought it was bad hardware; we are on our 3rd VPN router. Multiple IOS versions have been tried, 3 different ISPs from 4 separate locations have been tried, and of course we even copied known good configs, still with no luck. And yes, we have verified the connection limit of our concentrator.

Now on to the good stuff

Log message, distant end failed sanity check:

000157: *Aug 28 10:56:56.126 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from xxx.xxx.xxx.xxx failed its sanity check or is malformed

Console message:

000734: *Aug 28 11:58:57.197 CDT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=<grp-name omitted> Client_public_addr=yyy.yyy.yyy.yyy Server_public_addr=xxx.xxx.xxx.xxx

show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6

Tunnel name : <name omitted>

Inside interface list: Vlan199

Outside interface: FastEthernet0

Current State: SS_OPEN


DNS Primary: xxx.xxx.xxx.xxx

Save Password: Disallowed

Current EzVPN Peer: xxx.xxx.xxx.xxx

show crypto session

Crypto session current status

Interface: FastEthernet0

Session status: UP-IDLE

Peer: xxx.xxx.xxx.xxx port 500

IKE SA: local remote xxx.xxx.xxx.xxx/500 Active

IKE SA: local remote xxx.xxx.xxx.xxx/500 Inactive

IKE SA: local remote xxx.xxx.xxx.xxx/500 Inactive

IPSEC FLOW: permit ip xx.xx.xx.xx/

Active SAs: 0, origin: crypto map

show crypto isakmp sa


dst src state conn-id slot status

xxx.xxx.xxx.xxx QM_IDLE 2170 0 ACTIVE

xxx.xxx.xxx.xxx MM_NO_STATE 2169 0 ACTIVE (deleted)

xxx.xxx.xxx.xxx MM_NO_STATE 2168 0 ACTIVE (deleted)

xxx.xxx.xxx.xxx MM_NO_STATE 2167 0 ACTIVE (deleted)

I can get any show commands or debug commands that are needed to help get this resolved.



xcz504d1114 Thu, 08/28/2008 - 10:47

Also, this is setup with ezvpn, IKE phase 1 completes.

Here is a partial output of the isakmp debug. After the 5th retry it attempts to tear down the connection but fails because the connection doesn't exist, and then goes through the policy matching, authenticates, inserts a peer and comes back to this point.

t phase 2

004734: *Aug 28 13:44:44.497 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE 1712116236 ...

004735: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE 1712116236 ...

004736: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on node, attempt 2 of 5: retransmit phase 2

004737: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2

004738: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 17121162

004739: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) QM_IDLE

004740: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392):Sending an IKE IPv4 Packet.
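The two symptoms in this thread (the %CRYPTO-4-IKMP_BAD_MESSAGE syslog line in the original post and the "retransmitting phase 2 ... attempt N of 5" loop in the isakmp debug above) are easy to eyeball on one router but tedious to correlate across many. The script below is an added triage example, not code from the thread or from Cisco: it parses lines of those exact shapes, counts phase-2 retransmits per ISAKMP SA, records the highest "attempt N of M" reached, and ties the SA to its peer so that a peer which also failed the IKE sanity check gets called out separately (retransmits alone look like packet loss; retransmits plus bad-message events point at malformed IKE payloads, which is where this thread ended up). The sample log is constructed from the thread's output with RFC 5737 documentation addresses in place of the masked ones; the SA id 2392 is the one from the debug.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the thread's syslog and "debug crypto isakmp"
# output. SA id 2392 is from the thread; the IP addresses are RFC 5737 documentation
# addresses standing in for the masked xxx.xxx.xxx.xxx values.
SAMPLE_LOG = """\
000157: *Aug 28 10:56:56.126 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 198.51.100.10 failed its sanity check or is malformed
004734: *Aug 28 13:44:44.497 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE 1712116236 ...
004735: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE 1712116236 ...
004736: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
004737: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
004739: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): sending packet to 198.51.100.10 my_port 500 peer_port 500 (I) QM_IDLE
004740: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392):Sending an IKE IPv4 Packet.
000734: *Aug 28 11:58:57.197 CDT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=REMOTE Client_public_addr=203.0.113.5 Server_public_addr=198.51.100.10
"""

# Patterns for the message shapes that appear in the thread.
RETRANSMIT_RE = re.compile(r"ISAKMP:\((\d+)\): retransmitting phase (\d)")
ATTEMPT_RE = re.compile(
    r"ISAKMP \(0:(\d+)\): incrementing error counter on (?:node|sa), "
    r"attempt (\d+) of (\d+): retransmit phase (\d)"
)
SEND_RE = re.compile(r"ISAKMP:\((\d+)\): sending packet to (\S+) my_port (\d+) peer_port (\d+)")
BAD_MSG_RE = re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from (\S+) failed")
EZVPN_DOWN_RE = re.compile(r"%CRYPTO-6-EZVPN_CONNECTION_DOWN:.*Server_public_addr=(\S+)")


def _new_sa():
    return {"phase2_retransmits": 0, "max_attempt": 0, "attempt_limit": None,
            "peer": None, "peer_port": None}


def analyze_ike_log(text, attempt_threshold=3):
    """Summarise IKE phase-2 trouble per ISAKMP SA and per peer.

    Returns a dict with:
      sas               -- per SA id: retransmit count, highest "attempt N of M" seen, peer
      bad_message_peers -- peers whose IKE messages failed the sanity check, with counts
      ezvpn_down_peers  -- servers named in an EzVPN connection-down event
      findings          -- human-readable lines for SAs whose phase 2 is stuck
    """
    sas = defaultdict(_new_sa)
    bad_message_peers = defaultdict(int)
    ezvpn_down_peers = []

    for line in text.splitlines():
        if m := RETRANSMIT_RE.search(line):
            if m.group(2) == "2":
                sas[m.group(1)]["phase2_retransmits"] += 1
        elif m := ATTEMPT_RE.search(line):
            sa = sas[m.group(1)]
            attempt, limit = int(m.group(2)), int(m.group(3))
            sa["max_attempt"] = max(sa["max_attempt"], attempt)
            sa["attempt_limit"] = limit
        elif m := SEND_RE.search(line):
            sa = sas[m.group(1)]
            sa["peer"], sa["peer_port"] = m.group(2), int(m.group(4))
        elif m := BAD_MSG_RE.search(line):
            bad_message_peers[m.group(1)] += 1
        elif m := EZVPN_DOWN_RE.search(line):
            ezvpn_down_peers.append(m.group(1))

    findings = []
    for sa_id, sa in sas.items():
        # An SA that keeps climbing the retry counter never completed quick mode.
        if sa["max_attempt"] >= attempt_threshold:
            peer = sa["peer"] or "unknown peer"
            findings.append(
                f"SA {sa_id} to {peer}: phase 2 retransmitted {sa['phase2_retransmits']}x, "
                f"reached attempt {sa['max_attempt']} of {sa['attempt_limit']}"
            )
            # Retransmits plus a sanity-check failure from the same peer suggests
            # malformed IKE payloads rather than plain packet loss.
            if sa["peer"] in bad_message_peers:
                findings.append(
                    f"SA {sa_id}: peer {sa['peer']} also logged "
                    f"{bad_message_peers[sa['peer']]} IKMP_BAD_MESSAGE event(s); "
                    "suspect malformed IKE payloads rather than packet loss"
                )
    return {
        "sas": dict(sas),
        "bad_message_peers": dict(bad_message_peers),
        "ezvpn_down_peers": ezvpn_down_peers,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in analyze_ike_log(SAMPLE_LOG)["findings"]:
        print(finding)
```

Feed it the output of a terminal capture or a syslog export from several 1811s and compare: routers whose SAs reach the retry threshold without any IKMP_BAD_MESSAGE events are worth checking for path MTU or filtering problems first, while routers that show both are the ones where the IKE implementation itself (here, the crypto library shipped with the IOS image) is the first suspect.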

xcz504d1114 Mon, 10/06/2008 - 14:09

After many hours we figured out a solution to the problem but developed another issue.

The original problem was resolved by finding an IOS with a crypto library version 19.0.0, the 20.0.0 gave bad IKE messages and couldn't generate an RSA key without an error. So that part is resolved, but I can't find an IOS that has the crypto lib I need with a good working wireless for my Cisco 1811.

The current IOS I have loaded is c181x-advipservicesk9-mz.124-6.T11.

The IOS versions we are having known issues with regarding the crypto lib are c181x-advipservicesk9-mz.124-11.XW3.bin - 124-11.XW9.bin.

The "T" series does not work with the wireless (at least the ones that I have tried) and the XW series won't work because of the crypto lib version.

I have tried many different IOS versions, and shooting in the dark for the right information is becoming a headache and wasting a lot of time. Any additional help would be appreciated.
