c1720-VPNet Unit (debug message)

hoon32two
Level 1

Would you send me the cause of the discard?

network information.

encryption / 3des

hash / md5

authentication / pre-share

ipsec / esp-3des, esp-md5-hmac

the same isakmp key. (c1720, VPNet Unit)

c1720 / 10.10.10.6 - local network (192.168.20.0)

VPNet Unit / 192.168.10.253 - local network (192.168.10.0)

The debugging message is as follows:

Router1720#

02:37:43: IPSEC(sa_request): ,

(key eng. msg.) src= 10.10.10.6, dest= 192.168.10.253,

src_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),

dest_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

02:37:43: ISAKMP (238): beginning Main Mode exchange

02:37:43: ISAKMP (238): processing SA payload. message ID = 0

02:37:43: ISAKMP (238): Checking ISAKMP transform 1 against priority 1 policy

02:37:43: ISAKMP: encryption 3DES-CBC

02:37:43: ISAKMP: hash SHA

02:37:43: ISAKMP: default group 1

02:37:43: ISAKMP: auth pre-share

02:37:43: ISAKMP (238): atts are acceptable. Next payload is 0

02:37:43: ISAKMP (238): SA is doing pre-shared key authentication

02:37:44: ISAKMP (238): processing KE payload. message ID = 0

02:37:44: ISAKMP (238): processing NONCE payload. message ID = 0

02:37:44: ISAKMP (238): SKEYID state generated

02:37:44: ISAKMP: reserved not zero on payload 8!

02:37:45: ISAKMP (238): retransmitting phase 2...

02:37:45: ISAKMP: reserved not zero on payload 8!

02:37:46: ISAKMP (238): retransmitting phase 2...

02:37:57: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.10.253 was not encrypted and it should've been.

02:37:58: ISAKMP (238): retransmitting phase 1...

02:38:04: IPSEC(encapsulate): invalid conn id 0

02:38:04: IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail

02:38:13: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 10.10.10.6, remote= 192.168.10.253,

local_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1)

02:38:13: IPSEC(sa_request): ,

(key eng. msg.) src= 10.10.10.6, dest= 192.168.10.253,

src_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),

dest_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

02:38:13: ISAKMP (239): beginning Main Mode exchange

02:38:13: ISAKMP (239): processing SA payload. message ID = 0

02:38:13: ISAKMP (239): Checking ISAKMP transform 1 against priority 1 policy

02:38:13: ISAKMP: encryption 3DES-CBC

02:38:13: ISAKMP: hash SHA

02:38:13: ISAKMP: default group 1

02:38:13: ISAKMP: auth pre-share

02:38:13: ISAKMP (239): atts are acceptable. Next payload is 0

02:38:13: ISAKMP (239): SA is doing pre-shared key authentication

02:38:14: ISAKMP (239): processing KE payload. message ID = 0

02:38:14: ISAKMP (239): processing NONCE payload. message ID = 0

02:38:14: ISAKMP (239): SKEYID state generated

02:38:14: ISAKMP: reserved not zero on payload 8!

02:38:14: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.10.253 failed its sanity check or is malformed

02:38:15: ISAKMP (239): retransmitting phase 2...

02:38:15: ISAKMP: reserved not zero on payload 8!

02:38:16: ISAKMP (239): retransmitting phase 2...

02:38:28: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.10.253 was not encrypted and it should've been.

02:38:29: ISAKMP (239): retransmitting phase 1...

02:38:43: IPSEC(key_engine): request timer fired: count = 2,

(identity) local= 10.10.10.6, remote= 192.168.10.253,

local_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1)

...

02:40:07: ISADB: reaper checking SA, conn_id = 237 DELETE IT!

02:40:07: ISADB: reaper checking SA, conn_id = 239 DELETE IT!

02:40:07: ISADB: reaper checking SA, conn_id = 235 DELETE IT!

02:40:07: ISADB: reaper checking SA, conn_id = 238 DELETE IT!

02:40:07: ISADB: reaper checking SA, conn_id = 236 DELETE IT! ?

Router1720#sh crypto isakmp sa

dst src state conn-id slot

10.10.10.6 192.168.10.253 MM_NO_STATE 2 0 (deleted)

3 Replies

michael.brown
Level 1

I'm getting a similar error,

806-VPN#

1w3d: IPSEC(encapsulate): invalid conn id 0

1w3d: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt

Any ideas what this is?

hoon32two
Level 1

I'm the one who posted this article before.

I resolved this problem!

My interworking trouble was that the pre-shared key was not the same.

Before, I set the pre-shared key as HEX code on the VSU.

Right setting => I set the pre-shared key as ASCII code.

Thank you for Cisco support.

For great VPN Service.

ushafiq
Level 1

Check and verify your pre-shared keys. The message below tells that the keys are mismatching:

02:38:14: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.10.253 failed its sanity check or is malformed
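
The hex-versus-ASCII pre-shared key mismatch reported as the fix above, as an added example that is not part of any post in this thread: it follows the RFC 2409 key derivation for pre-shared key Main Mode with the SHA hash shown in the debug output. The typed key, nonces, cookies and shared secret are constructed values, and it assumes one peer reads the typed string as hex digits while the other reads it as ASCII text.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 prf for the negotiated "hash SHA": HMAC-SHA1
    return hmac.new(key, data, hashlib.sha1).digest()

def psk_bytes(typed: str, as_hex: bool) -> bytes:
    # The same typed string becomes different key bytes per input mode
    return bytes.fromhex(typed) if as_hex else typed.encode("ascii")

def derive_keys(psk, ni, nr, gxy, cky_i, cky_r) -> dict:
    # RFC 2409 section 5, pre-shared key authentication
    skeyid = prf(psk, ni + nr)
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + tail + b"\x02")
    # 3DES needs 24 key bytes, HMAC-SHA1 gives 20: expand per RFC 2409 appendix B
    k1 = prf(skeyid_e, b"\x00")
    k2 = prf(skeyid_e, k1)
    return {"SKEYID": skeyid, "SKEYID_a": skeyid_a, "enc_key": (k1 + k2)[:24]}

# Constructed sample values (not taken from the thread)
TYPED_KEY = "31323334"
NI, NR = bytes(range(16)), bytes(range(16, 32))
GXY = b"\x5a" * 96            # group 1 shared secret is 768 bits
CKY_I, CKY_R = b"I" * 8, b"R" * 8

def keys_for(as_hex: bool) -> dict:
    # Keys one peer derives, given how it interprets the typed key
    return derive_keys(psk_bytes(TYPED_KEY, as_hex), NI, NR, GXY, CKY_I, CKY_R)

def compare_sides() -> dict:
    # True where the ASCII-mode peer and the hex-mode peer agree
    ascii_side, hex_side = keys_for(False), keys_for(True)
    return {name: ascii_side[name] == hex_side[name] for name in ascii_side}

if __name__ == "__main__":
    for name, same in compare_sides().items():
        print(f"{name}: {'match' if same else 'MISMATCH'}")
```

Because the encryption key differs on the two peers, the encrypted Main Mode payloads decrypt to garbage on the receiver, which is consistent with the "reserved not zero" and "failed its sanity check or is malformed" lines in the log.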