PIX 501 HELP!!!!!!!!!!!!

icw27

IS-IT--Management
Nov 22, 2002
15
NL
I've set up 5 PIX 501 to PIX 515 VPN with no problems except on one of them. I keep getting the following output from the # debug cry isa

Can anybody please shed some light on why it keeps deleting the peer and what this message means:

ISAKMP: reserved not zero on payload 5!


ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): deleting SA: src 212.24.70.34, dst 212.250.169.55
ISADB: reaper checking SA 0x813445d0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:212.24.70.34 Ref cnt decremented to:0 Total VPN Peers:
2
VPN Peer: ISAKMP: Deleted peer: ip:212.24.70.34 Total VPN peers:1
ISADB: reaper checking SA 0x81460588, conn_id = 0
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
VPN Peer: ISAKMP: Added new peer: ip:212.24.70.34 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:212.24.70.34 Ref cnt incremented to:1 Total VPN Peers:
2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 212.24.70.34, dest 212.250.169.55
ISAKMP: reserved not zero on payload 5!
 
Could be an access-list problem or an error in the isakmp pre-shared key; double check these two things first. If you still have problems, post both the PIX501 and PIX515 configs here; maybe someone else here could identify a problem.

Sunyasee B-)
 
Hi.

If configuration on all pix501 devices is similar, it could also be something with the Internet connection of the problematic device.
What is the connection type at that location?
Is it different than the other 501 boxes?
Is it a different ISP?
No NAT box or packet filter in between?
Can the pix501 ping the pix515 and vice versa?
Can you try to connect it directly to the pix515?
Can you put a PC with software VPN client instead of the remote pix501 and try to connect from there?

What are the pix OS versions involved?

I don't know what the following line means, but it might point out something:
> ISAKMP: reserved not zero on payload 5

Bye
Yizhar Hurwitz
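
Added example, not part of any post in this thread: a small Python triage of `debug crypto isakmp` output that groups each Phase 1 attempt and names the payload behind "reserved not zero on payload N". Payload numbers follow RFC 2408 (5 is Identification); treating a garbled ID payload after a clean KE/NONCE exchange as a pre-shared key hint is this example's assumption, in line with the first reply. The function name, field names and sample log (RFC 5737 addresses) are constructed.

```python
import re
from collections import Counter

# ISAKMP payload type numbers (RFC 2408, section 3.1)
PAYLOADS = {1: "SA", 4: "Key Exchange", 5: "Identification", 8: "Hash",
            10: "Nonce", 11: "Notification", 13: "Vendor ID"}
BLOCK = re.compile(r"crypto_isakmp_process_block: src (\S+), dest (\S+)")
RESERVED = re.compile(r"reserved not zero on payload (\d+)!")

def triage(log_text):
    """Return one finding per Phase 1 attempt that hit a malformed payload."""
    findings, peer, stages, bad = [], None, set(), Counter()

    def flush(deleted):
        if bad:
            num, count = bad.most_common(1)[0]
            findings.append({
                "peer": peer, "payload": PAYLOADS.get(num, str(num)),
                "count": count, "sa_deleted": deleted,
                # Assumption: garbled ID payload after clean KE/NONCE -> suspect the PSK
                "check_psk": num == 5 and {"KE", "NONCE"} <= stages,
            })
        stages.clear()
        bad.clear()

    for line in log_text.splitlines():
        if m := BLOCK.search(line):
            peer = m.group(1)
        elif m := re.search(r"processing (KE|NONCE) payload", line):
            stages.add(m.group(1))
        elif m := RESERVED.search(line):
            bad[int(m.group(1))] += 1
        elif "deleting SA:" in line:
            flush(deleted=True)
    flush(deleted=False)  # the capture may end before the SA is deleted
    return findings

# Constructed sample in the format of the debug output above
SAMPLE = """\
crypto_isakmp_process_block: src 192.0.2.10, dest 198.51.100.20
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
crypto_isakmp_process_block: src 192.0.2.10, dest 198.51.100.20
ISAKMP: reserved not zero on payload 5!
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): deleting SA: src 192.0.2.10, dst 198.51.100.20
crypto_isakmp_process_block: src 192.0.2.10, dest 198.51.100.20
ISAKMP: reserved not zero on payload 5!
"""
```

`triage(SAMPLE)` returns two findings: the first attempt flags `check_psk` because the error follows a completed KE/NONCE exchange, while the truncated second attempt is reported without that hint.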
 