Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

"Invalid SPI size", VPN client 4.01a to PIX 6.31

Gidday,

Somebody help me I am going nuts here - I have redone this config 3 times and I am sure it should work (ie I have no probs with my customers, just the PIX at my office) but the problem seem to be that the IKE Proposal process fails because a suitable set of attributes aren't chosen. Watching the debug on the pix shows that it is being offered AES 3DES etc proposals which it can't accept as it is only licenced for DES. Since VPN access isn't used much I am not sure if this stopped working after I recently upgraded the PIX to 6.3(1) or started using the 4.0 client versions.

I have since tried downgrading the Client to ver 3.63 and had no joy there either. Also I know some CLI purists hate it but I used the PDM 3.01 to run the VPN wizard.

I am testing this using a W2k machine over 56k dialup ISP account. The PIX sits behind an 827 ADSL router which statically translates ESP and UDP 500 through to the PIX. The router is running: c820-k9osy6-mz.123-1a.bin

CLIENT LOG

113 12:02:47.164 08/01/03 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with X.X.X.X.

114 12:02:51.270 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X

115 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

116 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

117 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x6370000D

Key(s) deleted by Interface (X.X.X.X)

118 12:02:51.961 08/01/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = X.X.X.X

119 12:02:51.961 08/01/03 Sev=Warning/2 IKE/0xE3000099

Invalid SPI size (PayloadNotify:116)

120 12:02:51.961 08/01/03 Sev=Info/4 IKE/0xE30000A4

Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:148)

121 12:02:51.961 08/01/03 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

122 12:02:56.367 08/01/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

123 12:02:56.367 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

124 12:03:01.375 08/01/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

125 12:03:01.375 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

126 12:03:06.382 08/01/03 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

127 12:03:06.382 08/01/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X

128 12:03:11.389 08/01/03 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=4C2814A7C299B252 R_Cookie=2F7EED9EA7C43E3A) reason = DEL_REASON_PEER_NOT_RESPONDING

129 12:03:11.930 08/01/03 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=4C2814A7C299B252 R_Cookie=2F7EED9EA7C43E3A) reason = DEL_REASON_PEER_NOT_RESPONDING

130 12:03:11.950 08/01/03 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

131 12:03:11.960 08/01/03 Sev=Info/4 IKE/0x63000085

Microsoft IPSec Policy Agent service started successfully

132 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

133 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

134 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

135 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

PIX CONFIG

MCLAKPIX01# wr t

Building configuration...

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security10

hostname MCLAKPIX01

domain-name XXXXXXXXXXXXX

clock timezone NZST 12

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol pptp 1723

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

XXXXXXXXXXXXX

access-list outside_access_in permit icmp any any echo-reply

access-list outside_access_in permit icmp any any unreachable

access-list outside_access_in permit icmp any any time-exceeded

access-list outside_access_in permit icmp any any traceroute

access-list outside_access_in permit tcp any host 192.168.2.1 eq smtp

access-list outside_access_in permit tcp 172.22.100.0 255.255.255.0 host MCLCTX0

1 eq citrix-ica

access-list outside_access_in permit udp any host 192.168.2.1 eq tftp

access-list outside_access_in permit tcp any interface outside eq https

access-list inside_access_in deny udp any any eq netbios-ns log 4

access-list inside_access_in permit ip any any

access-list Maclean_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any

access-list Maclean_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any

access-list Maclean_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 any

access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 172.22.

100.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.22.

100.0 255.255.255.0

access-list DMZ_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 172.22.10

0.0 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 172.22.100.0 255.255.255.0

pager lines 24

logging timestamp

logging trap debugging

logging history notifications

logging queue 100

logging device-id hostname

logging host inside DANW2KPC

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside 192.168.2.1 255.255.255.252

ip address inside 192.168.0.254 255.255.255.0

ip address DMZ 192.168.10.254 255.255.255.0

ip audit name MCLalarm info action alarm

ip audit name MCLattack attack action alarm drop reset

ip audit name MCLdefend attack action alarm drop

ip audit interface outside MCLalarm

ip audit interface outside MCLdefend

ip audit interface inside MCLalarm

ip audit interface inside MCLattack

ip audit interface DMZ MCLalarm

ip audit interface DMZ MCLattack

ip audit info action alarm

ip audit attack action alarm drop reset

ip local pool VPNCLIENT 172.22.100.1-172.22.100.254

pdm location DANW2KPC 255.255.255.255 inside

pdm logging warnings 100

pdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 10 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 0 access-list DMZ_outbound_nat0_acl

nat (DMZ) 10 MCLDMZ 255.255.255.255 0 0

static (DMZ,outside) tcp interface ftp MCLDMZ ftp netmask 255.255.255.255 0 0

static (DMZ,outside) tcp interface ftp-data MCLDMZ ftp-data netmask 255.255.255.

255 0 0

static (inside,outside) tcp interface smtp MCLFILE smtp netmask 255.255.255.255

0 0

static (inside,outside) udp interface tftp DANW2KPC tftp netmask 255.255.255.255

0 0

static (DMZ,outside) tcp interface https MCLDMZ https netmask 255.255.255.255 0

0

static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group DMZ_access_in in interface DMZ

route outside 0.0.0.0 0.0.0.0 192.168.2.2 1

route inside 192.168.1.0 255.255.255.0 192.168.0.253 1

timeout xlate 1:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

ntp server 130.123.128.253 source outside prefer

http server enable

http MCLFILE 255.255.255.255 inside

http 192.168.0.0 255.255.255.0 inside

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp keepalive 60 60

isakmp nat-traversal 60

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup Maclean address-pool VPNCLIENT

vpngroup Maclean dns-server MCLMAIL 202.27.184.3

vpngroup Maclean default-domain maclean.co.nz

vpngroup Maclean split-tunnel Maclean_splitTunnelAcl

vpngroup Maclean idle-time 1800

vpngroup Maclean password ********

telnet 192.168.0.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

console timeout 0

terminal width 80

2 REPLIES
New Member

Re: "Invalid SPI size", VPN client 4.01a to PIX 6.31

I upgraded the pix to 6.3(2) which fixed it immediately. mutter, mutter, mutter...

New Member

Re: "Invalid SPI size", VPN client 4.01a to PIX 6.31

No that wasn't it! When I upgraded I left out the ISAKMP NAT-TRAVERSAL 60 line.

Time to open a TAC case.........

1318
Views
0
Helpful
2
Replies