From: john matijevic (john.matijevic@gmail.com)
Date: Tue Sep 20 2005 - 22:54:37 GMT-3
Hello Sam,
Please try recreating the keys on both sides; you also need to reboot one of the
PIXes. Can you send the configs from both PIXes if that doesn't fix the issue?
Sincerely,
John
On 9/20/05, 3x CCIE <nettable_walker@hotmail.com> wrote:
>
> I have seen what you are describing one time only, & it was PIX to some
> kind of Linux FW
>
> Is this PIX to PIX?
> Also - does the "show crypto map" show the correct peers?
>
> Thanks,
>
> Richard
> CCIE | NNCSE
>
> ----- Original Message -----
> From: "Sam Munzani" <smunzani@comcast.net>
> To: <cisco-nsp@puck.nether.net>; <ccielab@groupstudy.com>
> Sent: Tuesday, September 20, 2005 5:48 PM
> Subject: What's ISAKMP: illegal udp len on PIX Debug?
>
>
> > Team,
> >
> > I am about to lose the rest of my hair trying to debug a PIX IPsec site-to-
> > site issue. This site can connect to 5 other sites with only the 3des/sha
> > transform set fine. On a Google search I found some message postings about
> > 3des/sha not going well, so I even changed it to 3des/md5 but no luck.
> >
> > This is my console message when "debug crypto isakmp". [SRC and DEST are
> > replaced with x.x.x.x and y.y.y.y for security reasons].
> >
> > ISAKMP (0): beginning Quick Mode exchange, M-ID of 2014330254:78103d8e
> > crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
> > ISAKMP (0): processing NOTIFY payload 14 protocol 0
> > spi 0, message ID = 3574566540
> > return status is IKMP_NO_ERR_NO_TRANS
> >
> > ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8d4c0bda
> > crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
> > ISAKMP: illegal udp len
> >
> > The ISAKMP phase-1 seems to finish but phase-2 is failing.
> > Wyoming-PIX(config)# sh crypto isakmp sa
> > Total : 1
> > Embryonic : 0
> > dst src state pending created
> > x.x.x.x y.y.y.y QM_IDLE 0 0
> >
> > Any idea what I am doing wrong here? Below are relevant config snips.
> > access-list no-nat permit ip mysource-net 255.255.255.0 mydest-net 255.255.255.0
> > access-list my-vpn permit ip mysource-net 255.255.255.0 mydest-net 255.255.255.0
> > nat (inside) 0 access-list no-nat
> > sysopt connection permit-ipsec
> > crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
> > crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
> > crypto dynamic-map client-vpn 99 set transform-set 3des-sha
> > crypto map vpn-map 5 ipsec-isakmp
> > crypto map vpn-map 5 match address my-vpn
> > crypto map vpn-map 5 set peer x.x.x.x
> > crypto map vpn-map 5 set transform-set 3des-md5
> > crypto map vpn-map 99 ipsec-isakmp dynamic client-vpn
> > crypto map vpn-map interface outside
> > isakmp enable outside
> > isakmp key ******** address x.x.x.x netmask 255.255.255.255
> > isakmp identity address
> > isakmp nat-traversal 20
> > isakmp policy 4 authentication pre-share
> > isakmp policy 4 encryption 3des
> > isakmp policy 4 hash md5
> > isakmp policy 4 group 2
> > isakmp policy 4 lifetime 86400
> > isakmp policy 5 authentication pre-share
> > isakmp policy 5 encryption 3des
> > isakmp policy 5 hash sha
> > isakmp policy 5 group 2
> > isakmp policy 5 lifetime 86400
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption 3des
> > isakmp policy 10 hash sha
> > isakmp policy 10 group 1
> > isakmp policy 10 lifetime 86400
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
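As an added illustration (editor's code, not part of the thread or any Cisco tool), a small Python triage script over `debug crypto isakmp` lines like the ones Sam quoted: it decodes the NOTIFY type number by its RFC 2408/2407 name (payload 14 is NO-PROPOSAL-CHOSEN), counts phase-2 retransmits and "illegal udp len" drops, and notes whether NAT-T ever floated the exchange from UDP 500 to 4500. The sample lines are constructed from the quoted output, and the finding texts are the editor's suggested checks, not anything the thread states.

```python
import re

# Constructed sample, modelled on the "debug crypto isakmp" lines quoted in the
# thread above (peer addresses already anonymised as x.x.x.x / y.y.y.y).
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2014330254:78103d8e
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
spi 0, message ID = 3574566540
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8d4c0bda
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: illegal udp len
"""
# Notify types from RFC 2408 s3.14.1 (errors) and RFC 2407 (IPSEC DOI status);
# only the values a PIX debug commonly prints are listed here.
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 7: "INVALID-EXCHANGE-TYPE",
                9: "INVALID-MESSAGE-ID", 11: "INVALID-SPI", 14: "NO-PROPOSAL-CHOSEN",
                16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION",
                24: "AUTHENTICATION-FAILED", 16384: "CONNECTED",
                24576: "RESPONDER-LIFETIME", 24578: "INITIAL-CONTACT"}
PEER_RE = re.compile(r"src:(\S+), dest:(\S+) spt:(\d+) dpt:(\d+)")
QM_RE = re.compile(r"beginning Quick Mode exchange, M-ID of \d+:([0-9a-f]+)")
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
RETRANS_RE = re.compile(r"retransmitting phase (\d) \((\d+)/(\d+)\)")

def triage_isakmp_debug(text):
    """Summarise a debug capture: peers/ports seen, Quick Mode IDs, NOTIFY types
    decoded by name, phase-2 retransmits, 'illegal udp len' drops, and findings."""
    s = {"peers": set(), "quick_mode_ids": [], "notifies": [],
         "phase2_retransmits": 0, "illegal_udp_len": 0, "findings": []}
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            s["peers"].add((m[1], m[2], int(m[3]), int(m[4])))
        elif m := QM_RE.search(line):
            s["quick_mode_ids"].append(m[1])
        elif m := NOTIFY_RE.search(line):
            code = int(m[1])  # numeric type as printed by the PIX
            s["notifies"].append((code, NOTIFY_TYPES.get(code, "UNKNOWN")))
        elif (m := RETRANS_RE.search(line)) and m[1] == "2":
            s["phase2_retransmits"] += 1
        elif "illegal udp len" in line:
            s["illegal_udp_len"] += 1
    # Editor's suggested checks, derived from what the capture shows.
    if any(name == "NO-PROPOSAL-CHOSEN" for _, name in s["notifies"]):
        s["findings"].append("peer rejected the phase-2 proposal: compare transform sets and crypto ACL proxy identities on both peers")
    if s["illegal_udp_len"]:
        s["findings"].append("IKE datagram dropped for an inconsistent UDP length: capture UDP 500/4500 on both sides and compare what each saw")
    if s["peers"] and all(p[2:] == (500, 500) for p in s["peers"]):
        s["findings"].append("everything stayed on UDP 500: NAT-T never floated to 4500, so no NAT was detected (or a peer lacks NAT-T)")
    return s
```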
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:16 GMT-3