[c-nsp] What's ISAKMP: illegal udp len on PIX Debug?

Sam Munzani smunzani at comcast.net
Tue Sep 20 18:48:42 EDT 2005


Team,

I am about to lose the rest of my hair trying to debug a PIX IPsec site-to-
site issue. This site can connect to 5 other sites fine with only the
3des/sha transform set. On a Google search I found some message postings
about 3des/sha not going well, so I even changed it to 3des/md5, but no luck.

This is my console message with "debug crypto isakmp" on. [SRC and DEST are
replaced with x.x.x.x and y.y.y.y for security reasons.]

ISAKMP (0): beginning Quick Mode exchange, M-ID of 2014330254:78103d8e
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
        spi 0, message ID = 3574566540
return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8d4c0bda
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: illegal udp len

ISAKMP phase 1 seems to finish, but phase 2 is failing.
Wyoming-PIX(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
     x.x.x.x     y.y.y.y    QM_IDLE         0           0

Any idea what I am doing wrong here? Below are the relevant config snips.
access-list no-nat permit ip mysource-net 255.255.255.0 mydest-net 255.255.255.0
access-list my-vpn permit ip mysource-net 255.255.255.0 mydest-net 255.255.255.0
nat (inside) 0 access-list no-nat
sysopt connection permit-ipsec
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto dynamic-map client-vpn 99 set transform-set 3des-sha
crypto map vpn-map 5 ipsec-isakmp
crypto map vpn-map 5 match address my-vpn
crypto map vpn-map 5 set peer x.x.x.x
crypto map vpn-map 5 set transform-set 3des-md5
crypto map vpn-map 99 ipsec-isakmp dynamic client-vpn
crypto map vpn-map interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash md5
isakmp policy 4 group 2
isakmp policy 4 lifetime 86400
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
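An added triage helper for the "debug crypto isakmp" lines quoted above (example code written for this page, not from the original post and not Cisco's). It decodes the ISAKMP notify type number with the table from RFC 2408 section 3.14.1 (so "NOTIFY payload 14" is NO-PROPOSAL-CHOSEN), normalises the message IDs the debug prints in mixed decimal and hex so they can be correlated, and counts retransmits, "illegal udp len" drops and the UDP port pairs seen. The sample input is a constructed copy of the debug lines in the post; the plain-English findings are this example's own reading of those codes, and the script makes no claim about why the PIX printed "illegal udp len", which the debug output does not explain.

```python
"""Triage helper for PIX/IOS "debug crypto isakmp" output.

Added example, not code from the original post or from Cisco. Assumptions:
notify type numbers follow RFC 2408 section 3.14.1; SAMPLE_DEBUG is a
constructed copy of the lines quoted in the post; the findings text is
this example's own reading of the codes, not something the PIX reports.
"""
import re

# ISAKMP notify message types (error range), RFC 2408 section 3.14.1.
ISAKMP_NOTIFY_TYPES = {
    1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
    4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
    7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
    10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
    13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
    16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
    19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
    22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
    25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
    28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
}

# Constructed sample input: the debug lines from the post.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Quick Mode exchange, M-ID of 2014330254:78103d8e
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 0
        spi 0, message ID = 3574566540
return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8d4c0bda
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: illegal udp len
"""

QM_RE = re.compile(r"beginning Quick Mode exchange, M-ID of (\d+):([0-9a-fA-F]+)")
NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")
MSGID_RE = re.compile(r"message ID = (\d+)")
RETRANS_RE = re.compile(r"retransmitting phase (\d+) \((\d+)/(\d+)\).*mess_id (0x[0-9a-fA-F]+)")
PORTS_RE = re.compile(r"spt:(\d+) dpt:(\d+)")


def decode_notify(ntype):
    """Map an ISAKMP notify type number to its RFC 2408 name."""
    return ISAKMP_NOTIFY_TYPES.get(ntype, "UNKNOWN(%d)" % ntype)


def triage(debug_text):
    """Walk the debug output once and collect the facts worth correlating."""
    result = {
        "quick_mode_message_ids": [],  # M-IDs of Quick Mode exchanges we began, as hex
        "notifies": [],                # dicts: type, name, message_id (hex or None)
        "retransmits": [],             # (phase, attempt, max, message_id hex)
        "illegal_udp_len": 0,          # packets the ISAKMP parser threw away
        "udp_ports": set(),            # (source port, destination port) pairs seen
    }
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = QM_RE.search(line)
        if m:  # the debug prints the M-ID as decimal:hex; keep one canonical form
            result["quick_mode_message_ids"].append("0x%08x" % int(m.group(1)))
            continue
        m = NOTIFY_RE.search(line)
        if m:
            ntype = int(m.group(1))
            result["notifies"].append({"type": ntype, "name": decode_notify(ntype), "message_id": None})
            continue
        m = MSGID_RE.search(line)
        if m and result["notifies"] and result["notifies"][-1]["message_id"] is None:
            # the "spi 0, message ID = N" line belongs to the NOTIFY just above it
            result["notifies"][-1]["message_id"] = "0x%08x" % int(m.group(1))
            continue
        m = RETRANS_RE.search(line)
        if m:
            result["retransmits"].append((int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower()))
            continue
        if "illegal udp len" in line:
            result["illegal_udp_len"] += 1
            continue
        m = PORTS_RE.search(line)
        if m:
            result["udp_ports"].add((int(m.group(1)), int(m.group(2))))
    return result


def findings(result):
    """Plain-English notes derived from the collected facts (this example's reading)."""
    notes = []
    for n in result["notifies"]:
        if n["type"] == 14 and result["quick_mode_message_ids"]:
            notes.append("peer answered Quick Mode with NO-PROPOSAL-CHOSEN: the phase 2 proposal "
                         "(transform set, proxy identities from the crypto ACL, PFS) was not acceptable to it")
        else:
            notes.append("peer sent notify %d (%s)" % (n["type"], n["name"]))
    if result["retransmits"]:
        phases = "/".join(str(p) for p in sorted({r[0] for r in result["retransmits"]}))
        notes.append("%d retransmit(s) in phase %s: no usable reply arrived in time" % (len(result["retransmits"]), phases))
    if result["illegal_udp_len"]:
        notes.append("%d packet(s) rejected with 'illegal udp len'; the debug does not say why the length check failed"
                     % result["illegal_udp_len"])
    if result["udp_ports"] and result["udp_ports"] <= {(500, 500)}:
        notes.append("every packet used UDP 500/500, so NAT-T never floated to UDP 4500")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_DEBUG)):
        print("-", note)
```

Feed it a full debug capture instead of SAMPLE_DEBUG to see which Quick Mode M-ID each NOTIFY and retransmit actually refers to; the PIX prints the same IDs in decimal in one place and hex in another, which is why the script converts everything to 0x-prefixed hex before reporting.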
