IPSec pre-share key VPN failure

Discussion in 'Cisco' started by Frank E Relaxx, Jun 24, 2004.

  1. I have been getting a constant failure on a pre-share IPSec tunnel.
    The tunnel connects our New York and New Jersey office; the New Jersey
    office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    sanity check or is malformed" (XX.XX.XX.XX represents our key source).
    I have been to the Cisco site and they say this error occurs when the
    keys are not the same. I have checked the keys and they are correct.
    Also, if I reload the router in NJ, everything comes up OK until the
    next day, and the failure reoccurs.

    Any suggestions would be appreciated. This has been ongoing for
    several weeks.
     
    Frank E Relaxx, Jun 24, 2004
    #1

  2. :I have been getting a constant failure on a pre-share IPSec tunnel.
    :The tunnel connects our New York and New Jersey office; the New Jersey
    :office is newly completed. The failure I get is ".Jun 24 09:40:31.293:
    :%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from XX.XX.XX.XX failed its
    :sanity check or is malformed" (XX.XX.XX.XX represents our key source).
    :I have been to the Cisco site and they say this error occurs when the
    :keys are not the same. I have checked the keys and they are correct.
    :Also, if I reload the router in NJ, everything comes up OK until the
    :next day, and the failure reoccurs.

    When there's an asymmetric failure such as that, I would carefully
    check the ACL in the match-address's to ensure that they are symmetric
    with respect to each other.

    I would also check the NJ isakmp key's clauses to see if perhaps there
    was an accidental IP overlap with another system.
     
    Walter Roberson, Jun 24, 2004
    #2
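
The symmetry check suggested in the reply above, as an added example that is not part of the original thread: it parses the crypto ACL from each router and reports entries with no exact source/destination-swapped twin on the other side. The ACL lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (placeholder addresses, not from the thread).
NY_ACL = """\
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit ip host 10.1.9.9 10.2.50.0 0.0.0.255
"""
NJ_ACL = """\
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.2.50.0 0.0.1.255 host 10.1.9.9
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = ipaddress.ip_address(tokens.pop(0))
    # A wildcard mask is the bitwise inverse of a netmask; a non-contiguous
    # wildcard raises ValueError here, which deserves a manual look anyway.
    netmask = ipaddress.ip_address(int(wildcard) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def parse_acl(text):
    """Set of (protocol, src, dst) per 'permit' entry; assumes no port qualifiers."""
    entries = set()
    for line in text.splitlines():
        m = re.match(r"\s*access-list\s+\S+\s+permit\s+(\S+)\s+(.*)", line)
        if m:
            tokens = m.group(2).split()
            src = _take_addr(tokens)  # source comes first in the entry
            dst = _take_addr(tokens)
            entries.add((m.group(1), src, dst))
    return entries

def unmirrored(a_text, b_text):
    """Entries on each side with no exact src/dst-swapped twin on the other."""
    a, b = parse_acl(a_text), parse_acl(b_text)
    fmt = lambda e: f"{e[0]} {e[1]} -> {e[2]}"
    only_a = sorted(fmt(e) for e in a if (e[0], e[2], e[1]) not in b)
    only_b = sorted(fmt(e) for e in b if (e[0], e[2], e[1]) not in a)
    return only_a, only_b

if __name__ == "__main__":
    print(unmirrored(NY_ACL, NJ_ACL))
```

In the constructed sample the second pair differs only in the wildcard mask (/24 on one side, /23 on the other), so both entries are reported.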

  3. IPSec has been pretty unstable for us. What IOS are you running (what
    platform)?


    --

    hsb

    "Somehow I imagined this experience would be more rewarding" Calvin
    *************** USE ROT13 TO SEE MY EMAIL ADDRESS ****************
    ********************************************************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Jun 24, 2004
    #3
  4. I am running IOS 12.3(9) if that is of any help.

     
    Frank E Relaxx, Jun 25, 2004
    #4
  5. We don't go that bleeding edge. We're piloting 12.2.24a right now. But
    that error message rings a bell, let me check and I'll get to you.


     
    Hansang Bae, Jun 29, 2004
    #5