We've just gone through a PIX 6.3 VPN problem in which the characteristic
debug message was
ISAKMP: invalid udp len
This message has been mentioned a very small number of times online,
and one person asked about it, but no solution was given, so I am
documenting it here for future reference.
This is an IPSEC Phase 2 problem, not a Phase 1 problem. Therefore
this problem will not occur unless you -have- managed to find usable
"isakmp policy" and your isakmp key (or certificates) have passed muster.
Because it is Phase 2, it cannot be an "isakmp identity" problem
[the TAC's answer]: the identity is used in Phase 1. In particular
if you see these messages then you know the other end has figured out
who you are:
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with <REMOTEIP>
In our case, the trigger for this debug message was that the other
side had valid isakmp key and isakmp policy (the Phase 1 infrastructure)
but had somehow lost all of its crypto map statements and so could
not negotiate Phase 2 with us.
[Yes, I would have expected a rather more obvious diagnostic in this
situation...]
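To make concrete what "crypto map statements" means here, this is an added illustration (not configuration from the original post or from the poster's own device) of a minimal PIX 6.3 site-to-site setup. The first group is the Phase 1 material the post says must already be usable before this debug message can appear; the second group is the Phase 2 material (access list, transform set, crypto map binding) that the remote side had lost. The names site2site, strong and vpn_traffic, the angle-bracket values, and the lines beginning with "!" (annotations, not PIX commands) are placeholders chosen for this example.

```text
! Phase 1 (ISAKMP): a policy both peers can agree on, plus the key for the peer
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key <PRESHARED_KEY> address <REMOTEIP> netmask 255.255.255.255

! Phase 2 (IPsec): interesting traffic, transform set, and the crypto map
! that ties them to the peer. Without this block Phase 1 still completes,
! but no IPsec SA can be negotiated.
access-list vpn_traffic permit ip <LOCAL_NET> <LOCAL_MASK> <REMOTE_NET> <REMOTE_MASK>
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map site2site 10 ipsec-isakmp
crypto map site2site 10 match address vpn_traffic
crypto map site2site 10 set peer <REMOTEIP>
crypto map site2site 10 set transform-set strong
crypto map site2site interface outside
sysopt connection permit-ipsec
```

When the Phase 1 debugs look healthy but Phase 2 never comes up, the quick check on each end is to confirm that the crypto map block above is still present and still applied to the outside interface (on PIX 6.x, "show crypto map" and "show isakmp policy" display the two halves separately), rather than spending more time on identity or key settings that Phase 1 has already validated.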
--
Usenet is like a slice of lemon, wrapped around a large gold brick.