Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN with Pix501 and VPN Client v4.6 - Not working

Have setup a VPN on a Pix501 (6.2), using the VPN wizard; the remote peer running the vpn client is WindowsXP Pro SP2.

When I attempt to connect, I get "Invalid SPI size (PayloadNotify:116)". Next "Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149).

The IKE SA at the Pix goes to AG_NO_STATE and no farther.

The policy for IKE is des-sha and the tunnel policy for IPSec is esp-des-sha.

All my reading says its a basic config issue, but there are few, if any, recommendations on what to change to fix it.

I really didn't think it could be any easier than using a wizard; does the VPN wizard really work? Also tried it on a PIX515 with same results.

What am I doing wrong???


Dale Hoffmann


Re: VPN with Pix501 and VPN Client v4.6 - Not working

I can't tell what the problem is, although obviously you're stuck in Phase 1, which is only matching the isakmp policy and pre-shared key.

Post the PIX config or turn on logging and run "debug crypto isakmp".

New Member

Re: VPN with Pix501 and VPN Client v4.6 - Not working

Thanks for the reply.

When I ran the "debug crypto isakmp" (from the PDM) the only response was "The command has been sent to PIX." I am accessing the PIX and the client remotely from 40 miles away, so I can't run a console session.

The PIX output and client output was too large, so have attached "VPN.txt" with the pertinent info.

From some recent reading, on a dynamic crypto map only the transform set should be required, as follows:

"Supporting Clients with Dynamic Addresses

Dynamic crypto maps are frequently used with Internet Key Exchange (IKE) to negotiate SAs with remote access VPN clients. Dynamic crypto maps are used to negotiate SAs for connections initiated from an external network for peers that do not have a known IP address. After successful IKE authentication, the client connection request is processed using a dynamic crypto map that is configured to set up SAs without requiring a known IP address.

A dynamic crypto map entry is essentially a crypto map entry that does not specify the identity of the remote peer. It acts as a template where the missing parameters are dynamically assigned based on the IKE negotiation. Only the transform set is required to configure a dynamic crypto map entry. "

Thanks again for your help. I'm behind the 8-ball on this one and need to have the VPN up by Monday night. I'm stressin'...


Dale Hoffmann

New Member

Re: VPN with Pix501 and VPN Client v4.6 - Not working

UPDATE !!! Finally, some light at the end of the tunnel ** (Sorry - I know; bad pun)

Changing the IKE policy transform set from sha to md5 changed the world. Its still not quite working, but I'm alot closer... I think.

The IKE SA is QM_IDLE. The DNS and WINS IP addresses and domain name are pushed out to the client, but then it says no proposal chosen.

Client log file attached.

Now I'll go read and play some more.

Dale Hoffmann

Cisco Employee

Re: VPN with Pix501 and VPN Client v4.6 - Not working

Hello Dale,

Could you try removing this statement

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

Also, any chance you can run concurrent debugs on the Pix as well?

debug crypto isakmp

debug crypto ipsec

Also, as an fyi, these combinations work(not including AES)




DES-SHA does not work as you already found out.

Hope this helps! If so, please rate.


New Member

Re: VPN with Pix501 and VPN Client v4.6 - Not working

Thanks for your reply.

I got it working, but forgot to post a reply stating so.

It was the sha-des thing again; I'd changed the IKE policy, but not the IPSec policy. One of those senior moments...

I consider this issue resolved. Thanks all.

Dale Hoffmann

CreatePlease to create content