Solved

CIsco VPN     Pix 506E <-> Pix 501  malformed payload ?

Posted on 2004-09-15
8
3,041 Views
Last Modified: 2012-06-21
Good Morning,

I'm trying to establish a simple VPN between two Pixs.

I get the following error message about a malformed payload.

What should I check ?

------------------------------ CUT ----- CUT ----------------


crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

0
Comment
Question by:davidey
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
8 Comments
 
LVL 5

Accepted Solution

by:
netspec01 earned 125 total points
ID: 12065056
This means that the ISAKMP keys do not match.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12068480
Make sure that the policy on both sides match exactly:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

And that the pre-shared keys match exactly on both sides, "address" is remote peer:
isakmp key SecretKEY! address xx.xx.xx.55 netmask 255.255.255.255 no-xauth no-config-mode

And, make sure that the crypto map peer is the same as your key peer:
crypto map CRYMAP 10 set peer xx.xx.xx.55

0
 

Author Comment

by:davidey
ID: 12072876
Thank you for the answers.

It was the SecretKey.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 79

Expert Comment

by:lrmoore
ID: 12074228
Glad you're working. Please award netspec01 the points.

- Cheers!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12102547
Thanks for closing out this question, but I think the points should go to netspec01, don't you?

netspec01:
>the ISAKMP keys do not match

davidey:
>It was the SecretKey

Unless you feel that the extra information I provided was more explanatory and helped you more, the choice is yours.

Thanks again for your attention to this Q..
0
 

Author Comment

by:davidey
ID: 12102717
I agree with You.

The points are with "netspec01".

Have a nice day.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12102791
I've asked a moderator to unaccept this so that you can go ahead and accept netspec01's comment later.

- Cheers!
0

Featured Post

Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question