Getting "sanity check or is malformed" error

bamatya
Level 1

Hello all,

I am configuring VPN for the first time using three routers. The scenario is that I need to have a VPN from hpl-rt1 to the kirne-rt2 and palate-rt3 routers. I am able to connect from hpl-rt1 to kirne-rt2 but not to the third router. Here are the show outputs; the router configs are attached.

HPL-rt1#sho crypto engine conn ac
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 0
2000 FastEthernet0/0 1.1.1.1 set HMAC_SHA 0 4
2001 FastEthernet0/0 1.1.1.1 set HMAC_SHA 4 0
2002 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 4
2003 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 4 0
HPL-rt1#

HPL-rt1#sho crypto isakmp sa
dst src state conn-id slot
2.2.2.2 1.1.1.1 QM_IDLE 1 0
HPL-rt1#

In the log there is this message:

03:32:58: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 3.3.3.3 failed its sanity check or is malformed.

What is wrong? Can someone help me please?

TIA

B.
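As an added triage aid (not part of the original post and not Cisco tooling), the following Python script parses the two show outputs and the syslog line quoted above and reports, for each expected peer, whether IKE phase 1 is established, still negotiating, failing with malformed IKE messages, or simply absent. The peer addresses 2.2.2.2 and 3.3.3.3 and the local address 1.1.1.1 are assumptions read from the outputs; the sample strings are constructed copies of what the post shows.

```python
import re

# Constructed sample input: the two show outputs and the syslog line from the
# post, embedded as strings so the script runs offline.
SHOW_ISAKMP_SA = """\
dst src state conn-id slot
2.2.2.2 1.1.1.1 QM_IDLE 1 0
"""

SHOW_ENGINE_CONN = """\
ID Interface IP-Address State Algorithm Encrypt Decrypt
1 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 0
2000 FastEthernet0/0 1.1.1.1 set HMAC_SHA 0 4
2001 FastEthernet0/0 1.1.1.1 set HMAC_SHA 4 0
2002 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 0 4
2003 FastEthernet0/0 1.1.1.1 set HMAC_SHA+3DES_56_C 4 0
"""

SYSLOG = """\
03:32:58: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 3.3.3.3 failed its sanity check or is malformed.
"""

# Assumptions: this router (hpl-rt1) is 1.1.1.1; the two remote routers
# (kirne-rt2 and palate-rt3) are 2.2.2.2 and 3.3.3.3.
LOCAL_ADDR = "1.1.1.1"
EXPECTED_PEERS = {"2.2.2.2", "3.3.3.3"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_RE = re.compile(
    rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)$"
)
ENGINE_RE = re.compile(
    rf"^(?P<id>\d+)\s+(?P<interface>\S+)\s+(?P<ip>{IPV4})\s+(?P<state>\S+)\s+"
    rf"(?P<algorithm>\S+)\s+(?P<encrypt>\d+)\s+(?P<decrypt>\d+)$"
)
BAD_MSG_RE = re.compile(
    rf"^(?P<ts>\d{{2}}:\d{{2}}:\d{{2}}):\s+%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from "
    rf"(?P<peer>{IPV4}) failed its sanity check or is malformed\."
)


def parse_isakmp_sa(text):
    """Parse 'show crypto isakmp sa' into one dict per IKE SA; the header is skipped."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["conn_id"] = int(d["conn_id"])
            d["slot"] = int(d["slot"])
            sas.append(d)
    return sas


def parse_engine_connections(text):
    """Parse 'show crypto engine connections active' into one dict per entry."""
    conns = []
    for line in text.splitlines():
        m = ENGINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("id", "encrypt", "decrypt"):
                d[k] = int(d[k])
            conns.append(d)
    return conns


def parse_bad_message_events(text):
    """Return (timestamp, peer) for every %CRYPTO-4-IKMP_BAD_MESSAGE syslog line."""
    events = []
    for line in text.splitlines():
        m = BAD_MSG_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["peer"]))
    return events


def engine_totals(conns):
    """Sum the Encrypt and Decrypt counters over all crypto engine entries."""
    return sum(c["encrypt"] for c in conns), sum(c["decrypt"] for c in conns)


def remote_peer(sa, local_addr):
    """The far end of an IKE SA: whichever of dst/src is not this router."""
    return sa["dst"] if sa["src"] == local_addr else sa["src"]


def triage(expected_peers, local_addr, isakmp_sas, bad_events):
    """Classify each expected peer from the evidence:
    established   - an IKE SA with the peer is in QM_IDLE (phase 1 complete)
    negotiating   - an IKE SA with the peer exists but is not yet QM_IDLE
    malformed_ike - no IKE SA, and the peer's IKE messages fail the sanity check
    no_sa         - no IKE SA and no log evidence at all
    """
    state_by_peer = {remote_peer(sa, local_addr): sa["state"] for sa in isakmp_sas}
    noisy = {peer for _, peer in bad_events}
    verdict = {}
    for peer in sorted(expected_peers):
        if state_by_peer.get(peer) == "QM_IDLE":
            verdict[peer] = "established"
        elif peer in state_by_peer:
            verdict[peer] = "negotiating"
        elif peer in noisy:
            verdict[peer] = "malformed_ike"
        else:
            verdict[peer] = "no_sa"
    return verdict


def run_triage():
    """Apply the parsers and the classifier to the embedded sample data."""
    return triage(EXPECTED_PEERS, LOCAL_ADDR,
                  parse_isakmp_sa(SHOW_ISAKMP_SA),
                  parse_bad_message_events(SYSLOG))


if __name__ == "__main__":
    for peer, status in run_triage().items():
        print(f"{peer}: {status}")
    enc, dec = engine_totals(parse_engine_connections(SHOW_ENGINE_CONN))
    print(f"crypto engine counters: {enc} encrypted, {dec} decrypted")
```

Run on these inputs it reports 2.2.2.2 as established and 3.3.3.3 as malformed_ike, which narrows the fault to IKE phase 1 with the third router rather than to IPsec or routing: the non-zero encrypt and decrypt counters all belong to the working peer, and the only evidence about 3.3.3.3 is that its IKE packets are rejected before any SA is built.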

1 Reply

smalkeric
Level 6

The Auto-enroll feature and Network Time Protocol (NTP) are unconfigured. The clock is set to a time in the distant future, which is past the router's certificate lifetime, and an IPSec connection is started. This is not a recommended action. It is only shown to demonstrate the logging effect on the VPN headend and branch on an 'expired' branch.

Current IPSec tunnels that are already connected when the certificate expires continue to have connectivity until that IPSec session is terminated or attempts to re-key at the IPSec Security Association's (SA's) lifetime.
