cisco 1841 vpn issue - "packet has a bad bad pad length"

Tunnel is up, and I can ping and even browse UNC paths over the tunnel.

If I try to make an ssh connection to a host on the remote side from either direction, the below message is logged and the ssh connection fails.

*Sep  8 00:56:45.202: %CRYPTO-4-RECVD_PKT_MSG_LEN_ERR: decapsulate: packet has bad bad pad length for packet: decrypt error? length destadr=10.0.104.2, prot=50, len=8
*Sep  8 00:56:45.202: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=4

It's not just "bad" it's "bad bad".  Or is it talking about a field called "bad pad" which has a bad length...
snowdog_2112 Asked:
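What the two log messages in the question refer to, as an added example that is not part of the original thread and not Cisco's implementation: an RFC 4303 receiver verifies the packet's integrity value (ICV), then checks the ESP trailer (padding, Pad Length, Next Header) at the end of the decrypted payload. The sketch assumes NULL encryption and HMAC-SHA1-96 so it runs on the standard library alone; the key, SPI and payload are constructed values.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncation (assumed transform; the thread does not name one)

def build_esp_plaintext(payload, next_header, block=16):
    """Payload + RFC 4303 trailer: padding bytes 1,2,3..., Pad Length, Next Header."""
    pad_len = (-(len(payload) + 2)) % block
    return payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])

def parse_esp_plaintext(data):
    """Receiver-side trailer check on the decrypted bytes."""
    if len(data) < 2:
        raise ValueError("too short for ESP trailer")
    pad_len, next_header = data[-2], data[-1]
    if pad_len > len(data) - 2:
        # A Pad Length larger than the data it trails: the decrypted bytes are
        # not a valid ESP payload (corruption, wrong key, or modification).
        raise ValueError("bad pad length")
    end = len(data) - 2
    if data[end - pad_len:end] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding bytes")
    return data[:end - pad_len], next_header

def icv(key, spi, seq, body):
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + body, hashlib.sha1).digest()[:ICV_LEN]

def send(key, spi, seq, payload, next_header):
    body = build_esp_plaintext(payload, next_header)  # NULL encryption: body stays plaintext
    return struct.pack("!II", spi, seq) + body + icv(key, spi, seq, body)

def receive(key, packet):
    """Return (payload, next_header) or raise ValueError naming the failed check."""
    if len(packet) < 8 + ICV_LEN + 2:
        raise ValueError("too short for ESP")
    spi, seq = struct.unpack("!II", packet[:8])
    body, tag = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv(key, spi, seq, body), tag):
        raise ValueError("mac verify failed")
    return parse_esp_plaintext(body)

if __name__ == "__main__":
    key = b"k" * 20  # constructed key
    pkt = send(key, 0x1000, 1, b"SSH-2.0-example\r\n", 6)  # next header 6 = TCP
    print(receive(key, pkt))
    changed = pkt[:10] + bytes([pkt[10] ^ 0xFF]) + pkt[11:]  # one byte altered in transit
    try:
        receive(key, changed)
    except ValueError as err:
        print("dropped:", err)
```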
John Hurst, Business Consultant (Owner), Commented:
Thanks for the update. You should probably close the question here. I hope you think we have been trying to help you with this.  ... Thinkpads_User
0
 
John Hurst, Business Consultant (Owner), Commented:
Try adjusting the MTU value on your router. Default MTU most of the time is 1500. For DSL connections, the MTU is best set at 1492 (or a bit less).  See if that helps. ... Thinkpads_User
0
 
snowdog_2112 (Author) Commented:
Would I adjust the MTU on the outside interface?  Will that have any other effects on other services or NAT translations?
0
John Hurst, Business Consultant (Owner), Commented:
Yes, adjust MTU on the WAN side (outside interface). No, adjusting MTU will not affect NAT or other services.  ... Thinkpads_User
0
 
snowdog_2112 (Author) Commented:
conf t
int fa0/1
ip mtu 1400
shut
no shut
end
show int

MTU 1500

???
I've tried several times with different values and "show interface" always shows 1500.

Is it not changing?
0
 
snowdog_2112 (Author) Commented:
Also, after setting the MTU (assuming it is actually changing), I am still getting the "bad bad pad packet length" when trying an SSH connection over the tunnel.
0
 
John Hurst, Business Consultant (Owner), Commented:
With respect to Interface, you need to look at the documentation for that model to change MTU. It appears not to be changing, but I cannot tell you why.

If it is not MTU (that is, if you change successfully to 1492 or less) then I am not sure what would be breaking up your packets.

Let's see if we can verify a smaller MTU and go from there.

.... Thinkpads_User
0
 
snowdog_2112 (Author) Commented:
I have in the config

int fa0/1
ip mtu 1400

but show int still shows 1500.
I have shut/no shut the int several times.


I have tested with another tunnel to a router I control on the remote side, and I do not have issues with SSH over that tunnel.  This leads me to believe it has something to do with the tunnel to the SonicWall that I do *not* have access to.

Would you agree?  I think it's anything I need to change on my side.
0
 
John Hurst, Business Consultant (Owner), Commented:
This leads me to believe it has something to do with the tunnel to the SonicWall that I do *not* have access to.   Would you agree?

Yes, but given your testing, I do not know how you would affect the router you do not have access to.

Who can access that router?  .... Thinkpads_User
0
 
snowdog_2112 (Author) Commented:
That's just it...I can't affect the remote firewall (I'm talking to their management folks now).

I'm just trying to make sure I can say that it's definitely *not* on my side.
0
 
snowdog_2112 (Author) Commented:
Update:  the remote firewall people found an IPS rule to drop SSH.  Problem resolved.
0
 
snowdog_2112 (Author) Commented:
read entire thread - remote firewall was the problem.  Thanks guys.
0