IPSec pre-share key VPN failure

Discussion in 'Cisco' started by Frank E Relaxx, Jun 24, 2004.

  1. I have been getting a constant failure on a pre-share IPSec tunnel.
    The tunnel connects our New York and New Jersey office, the New Jersey
    office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    sanity check or
    is malformed" (XX.XX.XX.XX represents our key source). I have been to
    the Cisco site and they say this error occurs when the keys are not
    the same. I have checked the keys and they are correct, also if I
    reload the router in NJ, everything comes up OK until the next day,
    and the failure reoccurs.

    Any suggestions would be appreciated. This has been ongoing for
    several weeks.
     
    Frank E Relaxx, Jun 24, 2004
    #1

  2. In article <>,
    Frank E Relaxx <> wrote:
    :I have been getting a constant failure on a pre-share IPSec tunnel,
    :The tunnel connects our New York and New Jersey office, the New Jersey
    :office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    :%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    :sanity check or
    :is malformed" (XX.XX.XX.XX represents our key source) I have been to
    :the Cisco site and they say this error occurs when the keys are not
    :the same. I have checked the keys and they are correct, also if I
    :reload the router in NJ, everything comes up OK until the next day,
    :and the failure reoccurs.

    When there's an asymmetric failure such as that, I would carefully
    check the ACL in the match-address's to ensure that they are symmetric
    with respect to each other.

    I would also check the NJ isakmp key's clauses to see if perhaps there
    was an accidental IP overlap with another system.
    --
    "Mathematics? I speak it like a native." -- Spike Milligan
     
    Walter Roberson, Jun 24, 2004
    #2
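
Both checks suggested in the reply above, as an added example that is not part of the thread: it tests whether the crypto ACLs on the two routers mirror each other and whether any `crypto isakmp key ... address` scopes overlap. The configs, ACL numbers, addresses and keys are constructed placeholders, and only `permit ip` entries with contiguous wildcard masks are handled.

```python
import ipaddress
import re

# Constructed sample configs (not from the thread); keys and addresses are placeholders.
NY_CFG = """
crypto isakmp key EXAMPLE-KEY-1 address 192.0.2.2
crypto isakmp key EXAMPLE-KEY-2 address 198.51.100.0 255.255.255.0
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.0.255
"""
NJ_CFG = """
crypto isakmp key EXAMPLE-KEY-1 address 192.0.2.1
crypto isakmp key EXAMPLE-KEY-3 address 192.0.2.0 255.255.255.0
access-list 120 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

ACE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
KEY = re.compile(r"^crypto isakmp key \S+ address (\S+)(?: (\S+))?\s*$", re.M)

def crypto_aces(cfg, acl):
    """Return the (source, destination) networks permitted by the numbered ACL."""
    out = set()
    for num, src, swc, dst, dwc in ACE.findall(cfg):
        if num == acl:
            # ipaddress reads a mask starting with 0 as a wildcard (host) mask.
            out.add((ipaddress.ip_network(f"{src}/{swc}"),
                     ipaddress.ip_network(f"{dst}/{dwc}")))
    return out

def unmirrored(local_cfg, local_acl, peer_cfg, peer_acl):
    """Local entries that have no swapped (destination, source) twin on the peer."""
    peer = crypto_aces(peer_cfg, peer_acl)
    return sorted(f"{s} -> {d}" for s, d in crypto_aces(local_cfg, local_acl)
                  if (d, s) not in peer)

def key_overlaps(cfg):
    """Pairs of pre-shared-key address scopes that cover the same peer addresses."""
    nets = [ipaddress.ip_network(f"{a}/{m or '255.255.255.255'}")
            for a, m in KEY.findall(cfg)]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    print("NY entries without a mirror on NJ:", unmirrored(NY_CFG, "110", NJ_CFG, "120"))
    print("NJ entries without a mirror on NY:", unmirrored(NJ_CFG, "120", NY_CFG, "110"))
    print("Overlapping key scopes on NJ:", key_overlaps(NJ_CFG))
```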

  3. Hansang Bae Guest

    In article <>,
    says...
    > I have been getting a constant failure on a pre-share IPSec tunnel,
    > The tunnel connects our New York and New Jersey office, the New Jersey
    > office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    > %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    > sanity check or
    > is malformed" (XX.XX.XX.XX represents our key source) I have been to
    > the Cisco site and they say this error occurs when the keys are not
    > the same. I have checked the keys and they are correct, also if I
    > reload the router in NJ, everything comes up OK until the next day,
    > and the failure reoccurs.
    >
    > Any suggestions would be appreciated. This has been ongoing for
    > several weeks.


    IPSec has been pretty unstable for us. What IOS are you running (what
    platform)?


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jun 24, 2004
    #3
  4. I am running IOS 12.3(9) if that is of any help.

    Hansang Bae <> wrote in message news:<>...
    > In article <>,
    > says...
    > > I have been getting a constant failure on a pre-share IPSec tunnel,
    > > The tunnel connects our New York and New Jersey office, the New Jersey
    > > office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    > > %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    > > sanity check or
    > > is malformed" (XX.XX.XX.XX represents our key source) I have been to
    > > the Cisco site and they say this error occurs when the keys are not
    > > the same. I have checked the keys and they are correct, also if I
    > > reload the router in NJ, everything comes up OK until the next day,
    > > and the failure reoccurs.
    > >
    > > Any suggestions would be appreciated. This has been ongoing for
    > > several weeks.

    >
    > IPSec has been pretty unstable for us. What IOS are you running (what
    > platform)?
     
    Frank E Relaxx, Jun 25, 2004
    #4
  5. Hansang Bae Guest

    > > In article <>,
    > > says...
    > > > I have been getting a constant failure on a pre-share IPSec tunnel,
    > > > The tunnel connects our New York and New Jersey office, the New Jersey
    > > > office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    > > > %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    > > > sanity check or
    > > > is malformed" (XX.XX.XX.XX represents our key source) I have been to
    > > > the Cisco site and they say this error occurs when the keys are not
    > > > the same. I have checked the keys and they are correct, also if I
    > > > reload the router in NJ, everything comes up OK until the next day,
    > > > and the failure reoccurs.
    > > >
    > > > Any suggestions would be appreciated. This has been ongoing for
    > > > several weeks.


    > I am running IOS 12.3(9) if that is of any help.



    We don't go that bleeding edge. We're piloting 12.2.24a right now. But
    that error message rings a bell, let me check and I'll get to you.


     
    Hansang Bae, Jun 29, 2004
    #5
