?
Solved

CIsco VPN     Pix 506E <-> Pix 501  malformed payload ?

Posted on 2004-09-15
8
Medium Priority
?
3,099 Views
Last Modified: 2012-06-21
Good Morning,

I'm trying to establish a simple VPN between two Pixs.

I get the following error message about a malformed payload.

What should I check ?

------------------------------ CUT ----- CUT ----------------


crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:80.204.93.98, dest:80.22.58.139 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

0
Comment
Question by:davidey
  • 4
  • 2
7 Comments
 
LVL 5

Accepted Solution

by:
netspec01 earned 375 total points
ID: 12065056
This means that the ISAKMP keys do not match.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12068480
Make sure that the policy on both sides match exactly:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

And that the pre-shared keys match exactly on both sides, "address" is remote peer:
isakmp key SecretKEY! address xx.xx.xx.55 netmask 255.255.255.255 no-xauth no-config-mode

And, make sure that the crypto map peer is the same as your key peer:
crypto map CRYMAP 10 set peer xx.xx.xx.55

0
 

Author Comment

by:davidey
ID: 12072876
Thank you for the answers.

It was the SecretKey.
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
LVL 79

Expert Comment

by:lrmoore
ID: 12074228
Glad you're working. Please award netspec01 the points.

- Cheers!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12102547
Thanks for closing out this question, but I think the points should go to netspec01, don't you?

netspec01:
>the ISAKMP keys do not match

davidey:
>It was the SecretKey

Unless you feel that the extra information I provided was more explanatory and helped you more, the choice is yours.

Thanks again for your attention to this Q..
0
 

Author Comment

by:davidey
ID: 12102717
I agree with You.

The points are with "netspec01".

Have a nice day.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12102791
I've asked a moderator to unaccept this so that you can go ahead and accept netspec01's comment later.

- Cheers!
0

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
In this article I will be showing you how to subnet the easiest way possible for IPv4 (Internet Protocol version 4). This article does not cover IPv6. Keep in mind that subnetting requires lots of practice and time.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

568 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question