Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Pix 6.3(3)

I have an issue trying to set up a VPN between a Vigor 2600 Annex A router with firmware v2.3.6_UK and a Cisco PIX running 6.3(3).

The encryption on the Vigor is set to

IPSEC dial-out only with preshared keys and 3DES with authentication

The PIX transform set is up match the Vigor config.

When I try to connect from the Vigor to the PIX the key exchange appears to be successful as the PIX reports a “QM_IDLE” state.

However data will not pass over the link.

In PDM under the Monitor -> VPN Statistics -> IPSec VPNs, the Error Pkts count increases and the reported error is that “Packets are arriving without an SA”

A debug of the PIX when a data transfer attempt occurs is shown below (IP addresses have been changed) :-

ISADB: reaper checking SA 0x120172c, conn_id = 0

crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 1

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 1

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 1

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 40 policy

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 28800

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 1

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 0

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

VPN Peer: ISAKMP: Peer ip:vigor_2600_public_ip/500 Ref cnt incremented to:2 Total VPN Peers:1

crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500

ISAKMP: reserved not zero on payload 5!

ISAKMP: malformed payload

crypto_isakmp_process_block:src:vigor_2600_public_ip, dest:my_pix_public_ip spt:500 dpt:500

ISAKMP: reserved not zero on payload 5!

ISAKMP: malformed payload

I have checked on the Cisco website for an explanation of the “ISAKMP:reserved no zero on payload 5!” error message and it says that the ISAKMP keys need to be re-keyed or reset. I have since set both ends to “abcd” and the same error still occurs.

After extensive testing with other Vigor 2600 routers ,I have now downgraded the PIX to 6.2(3) and the VPN has come up straight away.

So it would seem that there is an interoperability issue between the Vigor 2600 router and PIX 6.3(3) software

1 REPLY
New Member

Re: Pix 6.3(3)

but you try rekeying, i mean just remove the add some other key and try

113
Views
0
Helpful
1
Replies
CreatePlease login to create content