Received un-encrypted ISAKMP packet, but our SA is crypto active - IPSec with Certificates problem

Unanswered Question
Dec 25th, 2011

I am using a PKI method for authentication for a VPN I am setting up. I have imported both the CA and identity keys into the client and ASA, but the tunnel is not being built. Here is the debug for the Cisco VPN client:

91     18:17:38.747  12/25/11  Sev=Warning/3    IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

92     18:17:38.748  12/25/11  Sev=Warning/3    IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

93     18:17:38.753  12/25/11  Sev=Warning/3    IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

94     18:17:38.755  12/25/11  Sev=Warning/3    IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

----------------------------------------------------------------------------------------------------

Here is the debug for the ASA:

ASA# Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)

Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)

Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)

Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Dec 25 18:21:57 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload! (next payload = 132)

Dec 25 18:21:57 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA p$

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload!  ^                                                                               (

next payload = 132)

ERROR: % Invalid input detected at '^' marker.

ASA# Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA p$

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload!  ^                                                                               (

next payload = 132)

ERROR: % Invalid input detected at '^' marker.

ASA# Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA p$

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload!  ^                                                                               (

next payload = 132)

ERROR: % Invalid input detected at '^' marker.

ASA# 50

     ^

ERROR: % Invalid input detected at '^' marker.

ASA# Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA p$

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload!  ^                                                                               (

next payload = 132)

ERROR: % Invalid input detected at '^' marker.

ASA# Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA p$

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload!  ^                                                                               (

next payload = 132)

ERROR: % Invalid input detected at '^' marker.

ASA# Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA p$

Dec 25 18:21:52 [IKEv1]: IP = 75.70.229.139, Header invalid, missing SA payload!  ^                                                                               (

next payload = 132)

ERROR: % Invalid input detected at '^' marker.

ASA# 50

     ^

ERROR: % Invalid input detected at '^' marker.

ASA# Dec 25 18:22:02 [IKEv1]: IP = 75.70.229.139, Received encrypted packet with no matching SA, dropping

chris_russo Sun, 12/25/2011 - 17:44

Here is my running config:

boot system disk0:/asa707-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 10.0.0.22

name-server 10.0.0.21

domain-name technowledge.local

same-security-traffic permit intra-interface

object-group service Ricks_House tcp

description Remote Desktop

port-object range ftp-data ftp

port-object eq 3389

port-object eq www

port-object eq https

port-object eq 8200

port-object eq 5832

object-group service Bomgar tcp-udp

description Bomgar

port-object eq 8200

port-object eq 443

port-object eq www

port-object eq 5832

object-group service DM_INLINE_TCP_2 tcp

group-object Bomgar

group-object Ricks_House

object-group service BOMGAR

description help for support

service-object tcp eq 8200

service-object tcp eq www

service-object tcp eq https

object-group service RDP tcp

group-object Ricks_House

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

port-object eq ftp

port-object eq ftp-data

access-list 101 extended permit ip any any

DM_INLINE_TCP_1

access-list hola_splitTunnelAcl standard permit any

access-list inside_access_in remark Ping to Outside World

access-list inside_access_in remark Ping to Outside World

access-list inside_access_in extended permit ip any any

access-list inside_access_in remark Ping to Outside World

access-list inside_access_in remark Ping to Outside World

access-list technowledge_splitTunnelAcl_2 standard permit 10.0.0.0 255.255.255.0

access-list ricks_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.0.32 255.255.255.224

access-list technowledge_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list technowledge_splitTunnelAcl_1 standard permit 10.0.0.0 255.255.255.0

access-list technowledge_splitTunnelAcl_3 standard permit 10.0.0.0 255.255.255.0

access-list Technowledge_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0

access-list Technowledge_splitTunnelAcl_1 standard permit 10.0.0.0 255.255.255.0

access-list technowledge_splitTunnelAcl_4 standard permit 10.0.0.0 255.255.255.0

access-list technowledge_splitTunnelAcl_5 standard permit 10.0.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

logging facility 16

logging host inside 10.0.0.111 6/1468

mtu inside 1500

mtu outside 1500

mtu dmz 1500

mtu management 1500

ip local pool test 10.0.0.45-10.0.0.48 mask 255.255.255.0

ip local pool hola 1.1.1.1-1.1.1.10 mask 255.255.0.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 10.0.0.0 255.255.255.0 dns

static (inside,outside) 50.76.141.xxx 10.0.0.19 netmask 255.255.255.255 dns

static (inside,outside) 50.76.141.xxx 10.0.0.21 netmask 255.255.255.255 dns

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group 101 out interface outside

route outside 0.0.0.0 0.0.0.0 50.76.141.110 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 75.70.0.0 255.255.0.0 outside

http 10.0.0.0 255.255.255.0 inside

snmp-server host outside 75.70.229.139 community chris version 2c

snmp-server location ricks house

snmp-server contact chris russo

snmp-server community chris

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps entity config-change fru-insert fru-remove

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set pfs

crypto dynamic-map outside_dyn_map 10 set transform-set myset ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint33

enrollment terminal

fqdn

subject-name CN=ASA

no client-types

crl configure

crypto ca trustpoint LOCAL-CA-SERVER

crl configure

crypto ca trustpoint ASDM_TrustPoint34

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint36

fqdn

subject-name CN=ASA

no client-types

crl configure

crypto ca trustpoint ASDM_TrustPoint35

enrollment terminal

crl configure

crypto ca server

shutdown

crypto ca certificate chain LOCAL-CA-SERVER

certificate ca 01

  quit

crypto ca certificate chain ASDM_TrustPoint35

certificate ca 43ef1c287a43519d4a459ce3c0c2dc08

  quit

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp policy 30

authentication rsa-sig

encryption 3des

hash md5

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 5

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1

webvpn

enable outside

group-policy technowledge internal

group-policy technowledge attributes

dns-server value 8.8.8.8 4.2.2.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value technowledge_splitTunnelAcl_5

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

username chris password CKiu2cbSgTe2jSPt encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes

address-pool test

address-pool hola

default-group-policy technowledge

tunnel-group DefaultRAGroup ipsec-attributes

trust-point ASDM_TrustPoint29

isakmp ikev1-user-authentication none

tunnel-group DefaultRAGroup ppp-attributes

authentication pap

authentication eap-proxy

tunnel-group technowledge type remote-access

tunnel-group technowledge general-attributes

address-pool test

default-group-policy technowledge

tunnel-group technowledge ipsec-attributes

trust-point ASDM_TrustPoint29

!

class-map global-class

match any

!

!

policy-map type inspect netbios Netbios

description check for netbios

parameters

  protocol-violation action drop log

policy-map global-policy

class global-class

  inspect ftp

!

service-policy global-policy global

smtp-server xxxxxxxxxxxxx

prompt hostname context

Cryptochecksum:e53a8a50932520386331548bd40d3341
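
A consistency check a reviewer could run over a running config like the one posted above, as an added example that is not part of the original post and not Cisco tooling: it reports every tunnel-group `trust-point` that is not declared or whose certificate chain holds no identity certificate. The function name, the finding strings and the excerpt (constructed from the posted config, certificate hex bodies omitted) are assumptions of this example.

```python
import re

# Constructed excerpt: PKI-related lines of the running config posted above,
# with the certificate hex bodies omitted.
SAMPLE_CONFIG = """\
crypto ca trustpoint ASDM_TrustPoint33
crypto ca trustpoint LOCAL-CA-SERVER
crypto ca trustpoint ASDM_TrustPoint34
crypto ca trustpoint ASDM_TrustPoint36
crypto ca trustpoint ASDM_TrustPoint35
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
quit
crypto ca certificate chain ASDM_TrustPoint35
certificate ca 43ef1c287a43519d4a459ce3c0c2dc08
quit
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint29
tunnel-group technowledge ipsec-attributes
trust-point ASDM_TrustPoint29
"""

def audit_trustpoints(config):
    """Return (tunnel_group, trustpoint, problem) for each unusable trust-point reference."""
    declared, cert_kinds, refs = set(), {}, []
    section = (None, None)  # (block type, block name) currently being read
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto ca trustpoint (\S+)$", line):
            declared.add(m.group(1))
            section = ("trustpoint", m.group(1))
        elif m := re.match(r"crypto ca certificate chain (\S+)$", line):
            section = ("chain", m.group(1))
            cert_kinds.setdefault(m.group(1), set())
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            section = ("tunnel-group", m.group(1))
        elif line.startswith(("crypto ", "tunnel-group ")):
            section = (None, None)  # some other top-level block
        elif section[0] == "chain" and (m := re.match(r"certificate (ca )?[0-9a-f]+$", line)):
            cert_kinds[section[1]].add("ca" if m.group(1) else "identity")
        elif section[0] == "tunnel-group" and (m := re.match(r"trust-point (\S+)$", line)):
            refs.append((section[1], m.group(1)))
    report = []
    for group, tp in refs:
        if tp not in declared:
            report.append((group, tp, "trustpoint not declared"))
        elif "identity" not in cert_kinds.get(tp, set()):
            report.append((group, tp, "no identity certificate in chain"))
    return report
```

The parser strips leading whitespace, so it accepts both an indented `show running-config` and the flattened paste in this thread.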


Posted December 25, 2011 at 5:25 PM