I have a PIX 506 and am trying to establish a tunnel to a Netscreen Model 50. When trying to bring the tunnel up, Phase 1 comes up fine, but I get
ISAKMP: reserved not zero on payload 5
in phase 2. Eventually, the tunnel comes up, after 4 or 5 minutes, and 4 or 5 thousand ping packets. When it's coming up, if you do a "show crypto isakmp sa" it shows additional SAs being added for the same peer. They are all in state QM_IDLE. Eventually, the VPN starts to work, but a number of the SAs remain. Typically, around 35 are present by the time the VPN comes up, and 15 to 20 remain after it's up. We are using group 2, 3DES, MD5.
Please make sure that you have a matching pre-shared key on the two sides, and for inter-op issues you can make sure that the two sides have one isakmp/ipsec transform-set configured, and that the lifetimes for the SAs match as well.
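The debug line in the question refers to the RESERVED byte of the ISAKMP generic payload header (RFC 2408: next payload, reserved, 2-byte length), which must be zero; payload type 5 is Identification. The following is an added example, not from the thread or from either vendor, that walks a payload chain and makes the same check; the function names and the sample bytes are constructed for illustration.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 (subset).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY"}

def walk_payloads(first_type, body):
    """Walk a chain of (already decrypted) ISAKMP payloads.

    Returns (parsed, error): parsed is a list of (name, length) for every
    payload accepted so far, error is None or a string for the first bad one.
    """
    parsed, offset, ptype = [], 0, first_type
    while ptype != 0:  # next-payload value 0 ends the chain
        if offset + 4 > len(body):
            return parsed, f"truncated header on payload {ptype}"
        next_type, reserved, length = struct.unpack_from("!BBH", body, offset)
        if reserved != 0:
            return parsed, f"reserved not zero on payload {ptype}"
        if length < 4 or offset + length > len(body):
            return parsed, f"bad length {length} on payload {ptype}"
        parsed.append((PAYLOAD_NAMES.get(ptype, str(ptype)), length))
        offset += length
        ptype = next_type
    return parsed, None

def payload(next_type, data, reserved=0):
    """Build one payload: generic header followed by opaque data (test helper)."""
    return struct.pack("!BBH", next_type, reserved, 4 + len(data)) + data

# Constructed sample bodies: HASH, SA, NONCE, ID, ID. Contents are filler.
ID_A = bytes([4, 0, 0, 0, 10, 0, 0, 0, 255, 255, 255, 0])    # IPv4 subnet ID
ID_B = bytes([4, 0, 0, 0, 192, 168, 1, 0, 255, 255, 255, 0])
HEAD = payload(1, b"\x11" * 16) + payload(10, b"\x22" * 8) + payload(5, b"\x33" * 8)

GOOD = HEAD + payload(5, ID_A) + payload(0, ID_B)
# Same chain, but the first ID payload carries a non-zero reserved byte,
# as a receiver would see if the bytes it decoded were not what the peer sent.
BAD = HEAD + payload(5, ID_A, reserved=0x7F) + payload(0, ID_B)

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, walk_payloads(8, body))  # chain starts with HASH (8)
```
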