Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Router to ROuter VPN error

Hi Everyone, I have a lab with (3) 2500series routers IOS 12.2. Have setup an ipsec vpn between the far side routers, but the ipsec sa is not establishing. After debugging isakmp to see if they establish phase 1, I get the following error:

03:52:45: ISAKMP: reserved not zero on ID payload!

03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed

Here is the complete debug:

Boston#debug crypto isakmp

03:52:34: ISAKMP (0:0): received packet from 172.16.0.100 (N) NEW SA

03:52:34: ISAKMP: local port 500, remote port 500

03:52:34: ISAKMP (0:2): processing SA payload. message ID = 0

03:52:34: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100

03:52:34: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 105 policy

03:52:34: ISAKMP: encryption DES-CBC

03:52:34: ISAKMP: hash MD5

03:52:34: ISAKMP: default group 2

03:52:34: ISAKMP: auth pre-share

03:52:34: ISAKMP: life type in seconds

03:52:34: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

03:52:34: ISAKMP (0:2): atts are acceptable. Next payload is 0

03:52:36: ISAKMP (0:2): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

03:52:36: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_SA_SETUP

03:52:39: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_SA_SETUP

03:52:39: ISAKMP (0:2): processing KE payload. message ID = 0

03:52:42: ISAKMP (0:2): processing NONCE payload. message ID = 0

03:52:42: ISAKMP (0:2): found peer pre-shared key matching 172.16.0.100

03:52:42: ISAKMP (0:2): SKEYID state generated

03:52:42: ISAKMP (0:2): processing vendor id payload

03:52:42: ISAKMP (0:2): speaking to another IOS box!

03:52:42: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH

03:52:45: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH

03:52:45: ISAKMP: reserved not zero on ID payload!

03:52:45: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 172.16.0.100 failed its sanity check or is malformed

03:52:45: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED

03:52:45: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH

03:52:45: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission

03:52:45: ISAKMP (0:1): purging SA., sa=36B920, delme=36B920

03:52:46: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...

03:52:46: ISAKMP (0:2): incrementing error counter on sa: retransmit phase 1

03:52:46: ISAKMP (0:2): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH

03:52:46: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_KEY_EXCH

03:52:46: ISAKMP: reserved not zero on ID payload!

03:52:46: ISAKMP (0:2): incrementing error counter on sa: PAYLOAD_MALFORMED

03:52:46: ISAKMP (0:2): sending packet to 172.16.0.100 (R) MM_KEY_EXCH

03:52:46: ISAKMP (0:2): incrementing error counter on sa: reset_retransmission

03:52:47: ISAKMP (0:2): retransmitting phase 1 MM_KEY_EXCH...

03:52:47: ISAKMP (0:2): peer does not do paranoid keepalives.

03:52:47: ISAKMP (0:2): deleting SA reason "death by retransmission P1" state (R) MM_KEY_EXCH (peer 172.16.0.100) input queue 0

03:52:48: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE

03:52:58: ISAKMP (0:2): received packet from 172.16.0.100 (R) MM_NO_STATE

03:53:47: ISAKMP (0:2): purging SA., sa=36BE64, delme=36BE64

6 REPLIES
New Member

Re: Router to ROuter VPN error

According to the following Cisco link, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#zero, the first message means the pre-shared keys don't match. They must be the same on each end.

The second means that an ISAKMP message failed verification for the correct length. The following is from Cisco's error decoder:

1. %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from [IP_address] failed its sanity check or is malformed

A quick verification check is done on all received ISAKMP messages to ensure that all component payload types are valid and that the sum of their individual lengths equals the total length of the received message. This message i ndicates a failed verification check. Persistently bad messages could mean a denial-of-service attack or bad decryption.

Recommended Action: Contact the administrator of the remote peer.

Hope that helps.

New Member

Re: Router to ROuter VPN error

check your group entry and make sure they match group 1 is the default

New Member

Re: Router to ROuter VPN error

Verify your crypto settings on both devices match, all the way to the SA lifetimes. Run a 'sh run' on both devices and check your crypto statements line by line. If they match and are all correct, remove all the lines, clear your SAs, and apply the lines once again. This way you know you started with a clean slate.

New Member

Re: Router to ROuter VPN error

Hi guys,

I am having the exact same problem. This is part of a hub and spoke VPN network (the hub runs a dynamic crypto map). The IOS version on the remote is 12.3(7)T2, while the hub runs 12.2(13)T3. I have tried all the suggestions above but to no avail. Please see a sample of my debugs below.

*Mar 10 02:25:10: ISAKMP: received ke message (1/1)

*Mar 10 02:25:10: ISAKMP: set new node 0 to QM_IDLE

*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it. ([local address], [remote address])

*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...

*Mar 10 02:25:10: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1

*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE

*Mar 10 02:25:10: ISAKMP:(0:1:HW:2): sending packet to [ip address] my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...

*Mar 10 02:25:20: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1

*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE

*Mar 10 02:25:20: ISAKMP:(0:1:HW:2): sending packet to [ip address] my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 10 02:25:28: ISAKMP: received ke message (1/1)

*Mar 10 02:25:28: ISAKMP: set new node 0 to QM_IDLE

*Mar 10 02:25:28: ISAKMP:(0:1:HW:2):SA is still budding. Attached new ipsec request to it.

*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE...

*Mar 10 02:25:30: ISAKMP:(0:1:HW:2):incrementing error counter on sa: retransmit phase 1

*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): retransmitting phase 1 MM_NO_STATE

*Mar 10 02:25:30: ISAKMP:(0:1:HW:2): sending packet to [ip address] my_port 500 peer_port 500 (I) MM_NO_STATE

*Mar 10 02:25:40: ISAKMP: received ke message (3/1)

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer ip address) input queue 0

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting SA reason "receive request to delete ike sa" state (I) MM_NO_STATE (peer ip address) input queue 0

*Mar 10 02:25:40: ISAKMP: Unlocking IKE struct 0x824C53A4 for isadb_mark_sa_deleted(), count 0

*Mar 10 02:25:40: ISAKMP: Deleting peer node by peer_reap for [remote ip address]: 824C

53A4

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -938513491 error TRUE reason "receive request to delete ike sa"

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1343263010 error TRUE reason"receive request to delete ike sa"

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -2146876017 error TRUE reason"receive request to delete ike sa"

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):deleting node -1379398450 error TRUE reason"receive request to delete ike sa"

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar 10 02:25:40: ISAKMP:(0:1:HW:2):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Mar 10 02:25:58: ISAKMP: received ke message (3/1)

*Mar 10 02:25:58: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

Admittedly, I am at my wits' end with this one. The worst thing is that it has worked in the lab before. The only difference between the lab and field is the internet connection (ADSL pppoe vs. Cable).

Any ideas?

Thanks in advance,

Ade

New Member

Re: Router to ROuter VPN error

Ok, I have experimented some problems in VPN implementation when the IOS version are diferent.

Is it your case?

I hope this helps

mc

New Member

Re: Router to ROuter VPN error

Can you sanitize and post the configs?

256
Views
0
Helpful
6
Replies