02-27-2006 11:34 AM - edited 02-21-2020 02:17 PM
I have a problem. I am trying to connect a Cisco 3620 and a Linksys RV042 by site-to-site VPN and I can't establish phase 1 of ISAKMP. From "show log" I get the error:
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 83.17.159.254 failed its sanity check or is malformed.
From "debug crypto isakmp error" I get the output:
4d07h: ISAKMP (0:0): received packet from 83.17.159.254 dport 500 sport 500 Global (N) NEW SA
4d07h: ISAKMP: Created a peer struct for 83.17.159.254, peer port 500
4d07h: ISAKMP: Locking peer struct 0x630776D4, IKE refcount 1 for crypto_ikmp_config_initialize_sa
4d07h: ISAKMP (0:0): Setting client config settings 62C50FF0
4d07h: ISAKMP: local port 500, remote port 500
4d07h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 62A55DF0
4d07h: ISAKMP (0:4): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
4d07h: ISAKMP (0:4): Old State = IKE_READY New State = IKE_R_MM1
4d07h: ISAKMP (0:4): processing SA payload. message ID = 0
4d07h: ISAKMP (0:4): processing vendor id payload
4d07h: ISAKMP (0:4): vendor ID is DPD
4d07h: ISAKMP: Looking for a matching key for 83.17.159.254 in default : success
4d07h: ISAKMP (0:4): found peer pre-shared key matching 83.17.159.254
4d07h: ISAKMP (0:4) local preshared key found
4d07h: ISAKMP : Scanning profiles for xauth ...
4d07h: ISAKMP (0:4): Checking ISAKMP transform 0 against priority 3 policy
4d07h: ISAKMP: life type in seconds
4d07h: ISAKMP: life duration (basic) of 28800
4d07h: ISAKMP: encryption DES-CBC
4d07h: ISAKMP: hash SHA
4d07h: ISAKMP: auth pre-share
4d07h: ISAKMP: default group 2
4d07h: ISAKMP (0:4): atts are acceptable. Next payload is 0
4d07h: ISAKMP (0:4): processing vendor id payload
4d07h: ISAKMP (0:4): vendor ID is DPD
4d07h: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
4d07h: ISAKMP (0:4): Old State = IKE_R_MM1 New State = IKE_R_MM1
4d07h: ISAKMP: Error: payload length of VENDOR 0 < 4
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
4d07h: ISAKMP (0:4): Old State = IKE_R_MM1 New State = IKE_R_MM2
4d07h: ISAKMP (0:4): received packet from 83.17.159.254 dport 500 sport 500 Global (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): phase 1 packet is a duplicate of a previous packet.
4d07h: ISAKMP (0:4): retransmitting due to retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP...
4d07h: ISAKMP (0:4): incrementing error counter on sa: retransmit phase 1
4d07h: ISAKMP (0:4): retransmitting phase 1 MM_SA_SETUP
4d07h: ISAKMP (0:4): sending packet to 83.17.159.254 my_port 500 peer_port 500 (R) MM_SA_SETUP
4d07h: ISAKMP (0:4): received packet from 83.17.159.254 dport 500 sport 500 Glob
I checked my pre-shared key several times and it is similar on both routers. I can't find any information on what's wrong.
Thanks for any help
Regards
Mac Foxx
03-01-2006 04:20 AM
hi
Please find below the possible reason for the log message.
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from [IP_address] failed its sanity check or is malformed
A quick verification check is done on all received ISAKMP messages to ensure that all component payload types are valid and that the sum of their individual lengths equals the total length of the received message. This message indicates a failed verification check. Persistently bad messages could mean a denial-of-service attack or bad decryption.
Can you revert whether the ISAKMP configurations are the same on both boxes?
Can you check that the hash, encryption and group you have set under the ISAKMP config on the Cisco box are the same as the config set in the Linksys box?
regds
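The length check described in the reply above, written out as an added example (not part of the original thread and not Cisco's implementation). It walks the generic payload chain of an unencrypted ISAKMP message using the RFC 2408 header layout; the names `check_isakmp` and `build`, the sample bytes and the error wording (modelled on the "payload length of VENDOR 0 < 4" debug line) are assumptions.

```python
import struct

HDR_LEN, GENERIC_LEN = 28, 4   # ISAKMP header / generic payload header (RFC 2408)
PAYLOADS = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 6: "CERT",
            7: "CERT_REQ", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY",
            12: "DELETE", 13: "VENDOR"}

def check_isakmp(msg: bytes) -> list:
    """Return sanity-check failures for an unencrypted message; [] means it passes."""
    if len(msg) < HDR_LEN:
        return ["message shorter than the ISAKMP header"]
    next_type, total = msg[16], struct.unpack("!I", msg[24:28])[0]
    errors = []
    if total != len(msg):
        errors.append(f"header length {total} != received {len(msg)}")
    offset = HDR_LEN
    while next_type != 0:                      # 0 = no further payload
        name = PAYLOADS.get(next_type)
        if name is None:
            errors.append(f"invalid payload type {next_type}")
            break
        if offset + GENERIC_LEN > len(msg):
            errors.append(f"{name} header runs past end of message")
            break
        following, _, plen = struct.unpack("!BBH", msg[offset:offset + GENERIC_LEN])
        if plen < GENERIC_LEN:                 # length field includes its own header
            errors.append(f"payload length of {name} {plen} < {GENERIC_LEN}")
            break
        if offset + plen > len(msg):
            errors.append(f"{name} payload runs past end of message")
            break
        offset, next_type = offset + plen, following
    else:                                      # chain ended cleanly: lengths must add up
        if offset != len(msg):
            errors.append(f"payloads end at {offset}, message is {len(msg)} bytes")
    return errors

def build(payloads):
    """Constructed sample message from [(type, body), ...]; bodies are filler bytes."""
    chain = b""
    for i, (_, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, GENERIC_LEN + len(body)) + body
    hdr = bytes(16) + struct.pack("!BBBBII", payloads[0][0], 0x10, 2, 0, 0,
                                  HDR_LEN + len(chain))
    return hdr + chain

GOOD = build([(1, bytes(8)), (13, b"\xaa" * 16)])   # SA then vendor ID
BAD = GOOD[:42] + b"\x00\x00" + GOOD[44:]           # vendor ID length forced to 0
if __name__ == "__main__":
    print(check_isakmp(GOOD), check_isakmp(BAD))
```

Run against a captured UDP/500 payload, the same walk shows which payload in the peer's message carries the bad length, which helps separate a vendor interoperability problem from a policy mismatch.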
03-19-2006 07:50 AM
Hi,
If you have configured it successfully, can you send me the config on the Cisco router and the Linksys router? Many thanks.
Sam.
03-20-2006 12:07 PM
It doesn't work, but if you want some configuration, look here: http://www.tek-tips.com/viewthread.cfm?qid=1196669
It may be useful for you.
Mac