[c-nsp] ISAKMP: illegal udp len
Andriy Malyuk
a.v.malyuk at gmail.com
Wed Jun 25 13:38:00 EDT 2008
Hello Cisco Community,
I'm having a weird problem with Site-to-Site VPN between two PIX 506e
devices and most likely because one of them is behind NAT.
Here is relevant config snippet (security sensitive info is obscured):
access-list outside_vpn_acl permit ip x.x.x.x 255.255.0.0 y.y.y.y
255.255.0.0
access-list inside_outbound_no_nat permit ip x.x.x.x 255.255.0.0 y.y.y.y
255.255.0.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_no_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
isakmp nat-traversal 60
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp key **************** address z.z.z.z netmask 255.255.255.255 no-xauth
crypto map cm_outside 35 ipsec-isakmp
crypto map cm_outside 35 match address outside_vpn_acl
crypto map cm_outside 35 set peer z.z.z.z
crypto map cm_outside 35 set transform-set strong
crypto map cm_outside interface outside
PIX on the other end(behind NAT) is configured the same way, peer and acls
differences respected.
and here is what I get when debugging isakmp on my device:
ISAKMP msg received
crypto_isakmp_process_block:src:z.z.z.z, dest:<my outside ip> spt:63887
dpt:4500
ISAKMP: illegal udp len
SESSION_IDLE_TIMER
ISAKMP msg received
crypto_isakmp_process_block:z.z.z.z, dest:<my outside ip> spt:64849 dpt:4500
ISAKMP: illegal udp len
I'm getting frustrated as hours of searching the Internet for solution
yielded no results, so any help with this is very much appreciated.
Thanks in advance,
Andriy
More information about the cisco-nsp
mailing list