Link to home
Start Free TrialLog in
Avatar of davidey
davidey

asked on

CIsco VPN Pix 506E <-> Pix 501 malformed payload ?

Good Morning,

I'm trying to establish a simple VPN between two Pixs.

I get the following error message about a malformed payload.

What should I check ?

------------------------------ CUT ----- CUT ----------------


crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

ASKER CERTIFIED SOLUTION
Avatar of netspec01
netspec01
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Les Moore
Les Moore
Flag of United States of America image
Make sure that the policy on both sides match exactly:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

And that the pre-shared keys match exactly on both sides, "address" is remote peer:
isakmp key SecretKEY! address xx.xx.xx.55 netmask 255.255.255.255 no-xauth no-config-mode

And, make sure that the crypto map peer is the same as your key peer:
crypto map CRYMAP 10 set peer xx.xx.xx.55

Avatar of davidey
davidey

ASKER

Thank you for the answers.

It was the SecretKey.
Avatar of Les Moore
Les Moore
Flag of United States of America image
Glad you're working. Please award netspec01 the points.

- Cheers!
Avatar of Les Moore
Les Moore
Flag of United States of America image
Thanks for closing out this question, but I think the points should go to netspec01, don't you?

netspec01:
>the ISAKMP keys do not match

davidey:
>It was the SecretKey

Unless you feel that the extra information I provided was more explanatory and helped you more, the choice is yours.

Thanks again for your attention to this Q..
Avatar of davidey
davidey

ASKER

I agree with You.

The points are with "netspec01".

Have a nice day.
Avatar of Les Moore
Les Moore
Flag of United States of America image
I've asked a moderator to unaccept this so that you can go ahead and accept netspec01's comment later.

- Cheers!