Re: What's ISAKMP: illegal udp len on PIX Debug?

From: 3x CCIE (nettable_walker@hotmail.com)
Date: Tue Sep 20 2005 - 20:26:05 GMT-3


I have seen what you are describing one time only, & it was PIX to some
kind of Linux FW

Is this PIX to PIX ?
Also - does the "show crypto map" show the correct peers ?

Thanks,

Richard
CCIE | NNCSE

//
----- Original Message -----
From: "Sam Munzani" <smunzani@comcast.net>
To: <cisco-nsp@puck.nether.net>; <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 5:48 PM
Subject: What's ISAKMP: illegal udp len on PIX Debug?

> Team,
>
> I am about to lose the rest of my hair trying to debug a pix IPSEC site to
> site issue. This site can connect to 5 other sites fine with only the 3des/sha transform
> set. On google search I found some message postings about 3des/sha
> not going well so I even changed it to 3des/md5 but no luck.
>
> This is my console message when "debug crypto isakmp". [SRC and DEST are
> replaced with x.x.x.x and y.y.y.y for security reasons].
>
> ISAKMP (0): beginning Quick Mode exchange, M-ID of 2014330254:78103d8e
> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
> ISAKMP (0): processing NOTIFY payload 14 protocol 0
> spi 0, message ID = 3574566540
> return status is IKMP_NO_ERR_NO_TRANS
>
> ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8d4c0bda
> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
> ISAKMP: illegal udp len
>
> The isakmp phase-1 seems to finish but phase-2 is failing.
> Wyoming-PIX(config)# sh crypto isakmp sa
> Total : 1
> Embryonic : 0
> dst src state pending created
> x.x.x.x y.y.y.y QM_IDLE 0 0
>
> Any idea what I am doing wrong here? Below are relevant config snips.
> access-list no-nat permit ip mysource-net 255.255.255.0 mydest-net
> 255.255.255.0
> access-list my-vpn permit ip mysource-net 255.255.255.0 mydest-net
> 255.255.255.0
> nat (inside) 0 access-list no-nat
> sysopt connection permit-ipsec
> crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
> crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
> crypto dynamic-map client-vpn 99 set transform-set 3des-sha
> crypto map vpn-map 5 ipsec-isakmp
> crypto map vpn-map 5 match address my-vpn
> crypto map vpn-map 5 set peer x.x.x.x
> crypto map vpn-map 5 set transform-set 3des-md5
> crypto map vpn-map 99 ipsec-isakmp dynamic client-vpn
> crypto map vpn-map interface outside
> isakmp enable outside
> isakmp key ******** address x.x.x.x netmask 255.255.255.255
> isakmp identity address
> isakmp nat-traversal 20
> isakmp policy 4 authentication pre-share
> isakmp policy 4 encryption 3des
> isakmp policy 4 hash md5
> isakmp policy 4 group 2
> isakmp policy 4 lifetime 86400
> isakmp policy 5 authentication pre-share
> isakmp policy 5 encryption 3des
> isakmp policy 5 hash sha
> isakmp policy 5 group 2
> isakmp policy 5 lifetime 86400
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 86400
>
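As an added illustration that is not part of the thread: assuming the PIX emits "ISAKMP: illegal udp len" when the length field in the ISAKMP header disagrees with the number of bytes the UDP datagram actually carries (an assumption, not something the thread states), the Python below performs that comparison on constructed datagrams, including the RFC 3948 non-ESP marker that precedes IKE on UDP/4500 when NAT-T (the `isakmp nat-traversal 20` line above) is in use. The packet builder and the sample packets are constructed here, not captured from the poster's PIX.

```python
import struct

# Fixed ISAKMP header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length. 28 bytes, network order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 marker that precedes IKE on UDP/4500
EXCHANGE_NAMES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}


def check_isakmp_udp_len(udp_payload: bytes, dst_port: int = 500) -> dict:
    """Compare the ISAKMP length field with the bytes actually present in the datagram."""
    data = udp_payload
    if dst_port == 4500:  # NAT-T encapsulation: strip the 4-byte non-ESP marker first
        if not data.startswith(NON_ESP_MARKER):
            return {"ok": False, "reason": "UDP/4500 datagram lacks the non-ESP marker"}
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HDR.size:
        return {"ok": False, "reason": f"header truncated: {len(data)} of {ISAKMP_HDR.size} bytes"}
    _ic, _rc, _next, _ver, exch, _flags, msg_id, declared = ISAKMP_HDR.unpack_from(data)
    result = {
        "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
        "message_id": f"0x{msg_id:08x}",
        "declared_len": declared,
        "actual_len": len(data),
        "ok": declared == len(data),
    }
    if not result["ok"]:
        # A fragment that arrived alone, or a mangled packet, shows up exactly like this.
        result["reason"] = "length field disagrees with UDP payload (fragment or damaged packet?)"
    return result


def build_isakmp(exch: int, msg_id: int, body: bytes, declared_len=None) -> bytes:
    """Constructed test packet: header plus body, with an optional wrong length field."""
    length = ISAKMP_HDR.size + len(body) if declared_len is None else declared_len
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 8, 0x10, exch, 0x01, msg_id, length)
    return hdr + body


# Constructed samples (the message ID is the one from the debug above): a consistent
# Quick Mode packet, one that claims more bytes than it carries, and a NAT-T copy.
GOOD = build_isakmp(32, 0x8D4C0BDA, b"\x00" * 100)
SHORT = build_isakmp(32, 0x8D4C0BDA, b"\x00" * 100, declared_len=1400)
NATT_GOOD = NON_ESP_MARKER + GOOD

if __name__ == "__main__":
    for name, pkt, port in (("GOOD", GOOD, 500), ("SHORT", SHORT, 500), ("NATT", NATT_GOOD, 4500)):
        print(name, check_isakmp_udp_len(pkt, port))
```

Feeding the check real datagrams (for example from a capture on the outside interface) tells you whether the mismatch is in the packets themselves or only in how the PIX is reading them.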



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:16 GMT-3