
1811 VPN Not Working

Many Kudos to the person who figures this one out...

We have a VPN concentrator and about 15 1811s already in the field and working. We can't seem to get the latest one to work properly. We initially thought it was bad hardware; we are on our 3rd VPN router. Multiple IOS versions have been tried, 3 different ISPs from 4 separate locations have been tried, and of course we even copied known good configs with still no luck. And yes, we have verified the connection limit of our concentrator.

Now on to the good stuff

Log message, distant end failed sanity check:

000157: *Aug 28 10:56:56.126 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from failed its sanity check or is malformed

Console message:

000734: *Aug 28 11:58:57.197 CDT: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=<grp-name omitted> Client_public_addr=yyy.yyy.yyy.yyy

show crypto ipsec client ezvpn

Easy VPN Remote Phase: 6

Tunnel name : <name omitted>

Inside interface list: Vlan199

Outside interface: FastEthernet0

Current State: SS_OPEN


DNS Primary:

Save Password: Disallowed

Current EzVPN Peer:

show crypto session

Crypto session current status

Interface: FastEthernet0

Session status: UP-IDLE

Peer: port 500

IKE SA: local remote Active

IKE SA: local remote Inactive

IKE SA: local remote Inactive

IPSEC FLOW: permit ip xx.xx.xx.xx/

Active SAs: 0, origin: crypto map

show crypto isakmp sa


dst src state conn-id slot status
QM_IDLE 2170 0 ACTIVE
MM_NO_STATE 2169 0 ACTIVE (deleted)
MM_NO_STATE 2168 0 ACTIVE (deleted)
MM_NO_STATE 2167 0 ACTIVE (deleted)

I can get any show commands or debug commands that are needed to help get this resolved.




Re: 1811 VPN Not Working

Also, this is set up with ezvpn; IKE phase 1 completes.

Here is a partial output of the isakmp debug. After the 5th retry it attempts to tear down the connection but fails because the connection doesn't exist, and then goes through the policy matching, authenticates, inserts a peer and comes back to this point.

t phase 2

004734: *Aug 28 13:44:44.497 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE

1712116236 ...

004735: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE

1712116236 ...

004736: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on

node, attempt 2 of 5: retransmit phase 2

004737: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on

sa, attempt 3 of 5: retransmit phase 2

004738: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 17121162


004739: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): sending packet to

my_port 500 peer_port 500 (I) QM_IDLE

004740: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392):Sending an IKE IPv4 Packet.
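
A small triage helper for debug output like the excerpt above, added here as an example and not part of the original posts: it rejoins console-wrapped lines and tallies phase 2 retransmits and error counters per IKE SA. The function names are hypothetical and the line format is assumed to match the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines as posted in the thread, console wrap included.
SAMPLE = """\
004734: *Aug 28 13:44:44.497 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE
1712116236 ...
004735: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 QM_IDLE
1712116236 ...
004736: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on
node, attempt 2 of 5: retransmit phase 2
004737: *Aug 28 13:44:44.997 CDT: ISAKMP (0:2392): incrementing error counter on
sa, attempt 3 of 5: retransmit phase 2
004738: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): retransmitting phase 2 17121162
004739: *Aug 28 13:44:44.997 CDT: ISAKMP:(2392): sending packet to
my_port 500 peer_port 500 (I) QM_IDLE
"""

HEADER = re.compile(r"^(\d{6}): \*\w{3} +\d+ [\d:.]+ \w+: (.*)$")
SA_ID = re.compile(r"ISAKMP\s*:?\s*\((?:\d+:)?(\d+)\)")
ATTEMPT = re.compile(r"error counter on\s+(node|sa), attempt (\d+) of (\d+)")

def unwrap(text):
    """Rejoin wrapped continuation lines onto their sequence-numbered message."""
    msgs = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            msgs.append([m.group(1), m.group(2)])
        elif line and msgs:
            msgs[-1][1] += " " + line
    return msgs

def summarise(text):
    """Per IKE SA: phase 2 retransmits seen and the highest error counters."""
    stats = defaultdict(lambda: {"retransmits": 0, "node": 0, "sa": 0, "limit": 0})
    for _seq, body in unwrap(text):
        sa = SA_ID.search(body)
        if not sa:
            continue
        s = stats[sa.group(1)]
        s["retransmits"] += "retransmitting phase 2" in body
        hit = ATTEMPT.search(body)
        if hit:
            s[hit.group(1)] = max(s[hit.group(1)], int(hit.group(2)))
            s["limit"] = int(hit.group(3))
        # Counter at its limit: the point where the thread says teardown starts.
        s["exhausted"] = 0 < s["limit"] <= max(s["node"], s["sa"])
    return dict(stats)
```

Calling `summarise(SAMPLE)` returns one entry keyed by the SA id, which makes it easy to see whether a capture reached the retry limit or was cut off before it.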


Re: 1811 VPN Not Working


Can you post your config of the router?

Is the Ezvpn mode "network extension"?

If the mode is network extension, check your configs on both sides using the following URL:


Re: 1811 VPN Not Working

After many hours we figured out a solution to the problem but developed another issue.

The original problem was resolved by finding an IOS with a crypto library version 19.0.0; the 20.0.0 gave bad IKE messages and couldn't generate an RSA key without an error. So that part is resolved, but I can't find an IOS that has the crypto lib I need with a good working wireless for my Cisco 1811.

The current IOS I have loaded is c181x-advipservicesk9-mz.124-6.T11.

The IOSes we are having known issues with the crypto lib are c181x-advipservicesk9-mz.124-11.XW3.bin - 124-11.XW9.bin.

The "T" series does not work with the wireless (at least the ones that I have tried) and the XW series won't work because of the crypto lib version.

I have tried many different IOSes, and shooting in the dark for the right information is becoming a headache and wasting a lot of time. Any additional help would be appreciated.


