11-22-2001 04:44 AM - edited 03-08-2019 09:14 PM
Would you send me the cause discard ?
network information.
encryption / 3des
hash / md5
authentication / pre-share
ipsec / esp-3des, esp-md5-hmc
the same isakmp key. (c1720, VPNet Unit)
c1720 / 10.10.10.6 - local network (192.168.20.0)
VPNet Unit / 192.168.10.253 - local network (192.168.10.0)
the debugging messgage is following as...
Router1720#
02:37:43: IPSEC(sa_request): ,
(key eng. msg.) src= 10.10.10.6, dest= 192.168.10.253,
src_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
02:37:43: ISAKMP (238): beginning Main Mode exchange
02:37:43: ISAKMP (238): processing SA payload. message ID = 0
02:37:43: ISAKMP (238): Checking ISAKMP transform 1 against priority 1 policy
02:37:43: ISAKMP: encryption 3DES-CBC
02:37:43: ISAKMP: hash SHA
02:37:43: ISAKMP: default group 1
02:37:43: ISAKMP: auth pre-share
02:37:43: ISAKMP (238): atts are acceptable. Next payload is 0
02:37:43: ISAKMP (238): SA is doing pre-shared key authentication
02:37:44: ISAKMP (238): processing KE payload. message ID = 0
02:37:44: ISAKMP (238): processing NONCE payload. message ID = 0
02:37:44: ISAKMP (238): SKEYID state generated
02:37:44: ISAKMP: reserved not zero on payload 8!
02:37:45: ISAKMP (238): retransmitting phase 2...
02:37:45: ISAKMP: reserved not zero on payload 8!
02:37:46: ISAKMP (238): retransmitting phase 2...
02:37:57: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.10.253 was not encrypted
and it should've been.
02:37:58: ISAKMP (238): retransmitting phase 1...
02:38:04: IPSEC(encapsulate): invalid conn id 0
02:38:04: IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail
02:38:13: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 10.10.10.6, remote= 192.168.10.253,
local_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1)
02:38:13: IPSEC(sa_request): ,
(key eng. msg.) src= 10.10.10.6, dest= 192.168.10.253,
src_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
02:38:13: ISAKMP (239): beginning Main Mode exchange
02:38:13: ISAKMP (239): processing SA payload. message ID = 0
02:38:13: ISAKMP (239): Checking ISAKMP transform 1 against priority 1 policy
02:38:13: ISAKMP: encryption 3DES-CBC
02:38:13: ISAKMP: hash SHA
02:38:13: ISAKMP: default group 1
02:38:13: ISAKMP: auth pre-share
02:38:13: ISAKMP (239): atts are acceptable. Next payload is 0
02:38:13: ISAKMP (239): SA is doing pre-shared key authentication
02:38:14: ISAKMP (239): processing KE payload. message ID = 0
02:38:14: ISAKMP (239): processing NONCE payload. message ID = 0
02:38:14: ISAKMP (239): SKEYID state generated
02:38:14: ISAKMP: reserved not zero on payload 8!
02:38:14: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.10.253 failed its sanity c
heck or is malformed
02:38:15: ISAKMP (239): retransmitting phase 2...
02:38:15: ISAKMP: reserved not zero on payload 8!
02:38:16: ISAKMP (239): retransmitting phase 2...
02:38:28: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 192.168.10.253 was not encrypted
and it should've been.
02:38:29: ISAKMP (239): retransmitting phase 1...
02:38:43: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 10.10.10.6, remote= 192.168.10.253,
local_proxy= 192.168.20.1/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.1/255.255.255.255/0/0 (type=1)
...
02:40:07: ISADB: reaper checking SA, conn_id = 237 DELETE IT!
02:40:07: ISADB: reaper checking SA, conn_id = 239 DELETE IT!
02:40:07: ISADB: reaper checking SA, conn_id = 235 DELETE IT!
02:40:07: ISADB: reaper checking SA, conn_id = 238 DELETE IT!
02:40:07: ISADB: reaper checking SA, conn_id = 236 DELETE IT! ?
Router1720#sh crypto isakmp sa
dst src state conn-id slot
10.10.10.6 192.168.10.253 MM_NO_STATE 2 0 (deleted)
11-26-2001 06:36 AM
I'm getting a similar error,
806-VPN#
1w3d: IPSEC(encapsulate): invalid conn id 0
1w3d: IPSEC(encapsulate): error in encapsulation crypto_ip_encrypt
Any ideas what this is?
11-26-2001 07:39 PM
Before I'm who post this article.
I resolved this problem !!
My interworking Trouble is no same of Pre-shared key.
Before I set the HEX Code at VSU.
Right Setting !! => I set the ASCII Code about Pre-shared key.
Thank you for cisco support.
For great VPN Service.
11-27-2001 12:23 PM
check and verify your pre-shared keys. The message below tell keys are mismatching
02:38:14: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.10.253 failed its sanity check or is malformed
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide