Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Getting "sanity check or is malformed" error

Hello all,

I am configuring VPN for the first time using three routers. The scenario is I need to have VPN from hpl-rt1 to kirne-rt2 and palate-rt3 routers. I am able to connect from hpl-rt1 to kirne-rt2 but not to the third router. here are the show outputs and the router configs are attached.

HPL-rt1#sho crypto engine conn ac

ID Interface IP-Address State Algorithm Encrypt Decrypt

1 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 0

2000 FastEthernet0/0 1.1.1.1 set HMAC_SHA 0 4

2001 FastEthernet0/0 1.1.1.1 set HMAC_SHA 4 0

2002 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 4

2003 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 4 0

HPL-rt1#

HPL-rt1#sho crypto isakmp sa

dst src state conn-id slot

2.2.2.2 1.1.1.1 QM_IDLE 1 0

HPL-rt1#

in the log there is this message:

03:32:58: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 3.3.3.3 failed it

s sanity check or is malformed.

what is wrong. can someone help me please?

TIA

B.

1 REPLY
Silver

Re: Getting "sanity check or is malformed" error

the Auto-enroll feature and Network Time Protocol (NTP) are unconfigured. The clock is set to a time in the distant future, which is past the router's certificate lifetime, and an IPSec connection is started. This is not a recommended action. It is only shown to demonstrate the logging effect on the VPN headend and branch on an 'expired' branch.

Current IPSec tunnels that are already connected when the certificate expires continue to have connectivity until that IPSec session is terminated or attempts to re-key at the IPSec Security Association's (SA's) lifetime.

430
Views
0
Helpful
1
Replies
CreatePlease to create content