Cisco Support Community

New Member

expect hash payload, got payload#: 11

I have numerous IPSec VPNs working via my PIX Version 6.3(5).

A new tunnel is being set up and the connection is not being made.

What is a payload #11?

The pertinent debug messages are:

ISAKMP (0): beginning Main Mode exchange

throw: mess_id 0x0

send_response:

isakmp_send: ip xx.xx.xx.xx, port 500

ISAKMP msg received

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:500 dpt:500

gen_cookie:

fill_sa_key:isadb_search returned sa = 0x38045ac

validate_payload: len 212

valid_payload:

ISAKMP_INFO exchange

process_isakmp_info:

expect hash payload, got payload#: 11

error - IKMP_MODE_FAILURE

return status is IKMP_NO_ERR_NO_TRANS

Thanks.

Jacob

3 REPLIES
Silver

Re: expect hash payload, got payload#: 11

It seems that phase 1 negotiation is failing.

The logs show that after the PIX sends out the first MM isakmp packet, it never sees anything back from the remote peer.

Possible reasons:

1. Make sure the isakmp policy matches the other side.

2. Make sure the preshared key is set correctly.

3. Make sure there is no device in the middle blocking UDP/500 packets.

New Member

Re: expect hash payload, got payload#: 11

Thanks.

I will check the settings on the other end.

Jacob

Bronze

Re: expect hash payload, got payload#: 11

Hello,

Also, besides what was suggested, check the ACLs on both FWs; the ACLs on both sides should match, in reverse order.

HTH, please rate it
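
Added example (not part of the original thread, and not Cisco code): in RFC 2408 numbering, payload 11 is the Notification payload and payload 8 is Hash, so the debug line reports an Informational exchange whose first payload was a Notification. The Python below decodes an ISAKMP header and walks the cleartext payload chain so the notify message type can be read from a capture; the sample bytes are constructed, and the names parse_isakmp and build_sample are made up for this example.

```python
import struct

# Payload, exchange and notify numbers from RFC 2408 (sections 3.1 and 3.14.1).
PAYLOADS = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 6: "CERT",
            7: "CERT-REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFICATION",
            12: "DELETE", 13: "VENDOR-ID"}
EXCHANGES = {2: "IDENTITY-PROTECTION", 4: "AGGRESSIVE", 5: "INFORMATIONAL"}
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
          18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# Cookies, next payload, version, exchange type, flags, message ID, total length.
HDR = struct.Struct("!8s8sBBBBII")

def parse_isakmp(msg: bytes) -> dict:
    """Decode the ISAKMP header and walk the cleartext payload chain."""
    if len(msg) < HDR.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    _, _, nxt, _, xchg, flags, msg_id, length = HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match datagram size")
    out = {"exchange": EXCHANGES.get(xchg, xchg), "msg_id": msg_id,
           "encrypted": bool(flags & 0x01), "payloads": []}
    off = HDR.size
    while nxt != 0 and not out["encrypted"]:  # encrypted bodies cannot be walked
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        entry = {"number": nxt, "type": PAYLOADS.get(nxt, "UNKNOWN")}
        if nxt == 11:  # Notification body: DOI, protocol ID, SPI size, notify type
            if plen < 12:
                raise ValueError("notification payload too short")
            _, _, _, ntype = struct.unpack_from("!IBBH", msg, off + 4)
            entry["notify"] = NOTIFY.get(ntype, ntype)
        out["payloads"].append(entry)
        nxt, off = following, off + plen
    return out

def build_sample() -> bytes:
    """Constructed message (not a capture from the thread): a cleartext notify."""
    # Generic header (next=none, len=12), IPsec DOI, protocol ISAKMP, no SPI, type 14.
    notify = struct.pack("!BBHIBBH", 0, 0, 12, 1, 1, 0, 14)
    return HDR.pack(b"\x11" * 8, b"\x22" * 8, 11, 0x10, 5, 0, 0x1234,
                    HDR.size + len(notify)) + notify

if __name__ == "__main__":
    print(parse_isakmp(build_sample()))
```

To use it on real traffic, pass the UDP/500 payload bytes of the peer's reply; the notify type it prints is the reason the remote side gave for rejecting the exchange.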
