IPSEC: reserved not zero on payload message when connecting site-to-site

Discussion in 'Cisco' started by Arjan, Oct 12, 2005.

  1. Arjan

    Arjan Guest

    I finally managed to implement a Site-to-Site tunnel using IPSEC
    between ISA back-to-back on one site and a PIX on the other.

    When testing I noticed that it takes some time to establish the
    connection. Debug showed the following message several times during
    negotiating:
    "ISAKMP: reserved not zero on payload 8!"
    "ISAKMP: malformed payload"

    This message comes up several times and then finally the connection
    starts working.
    Cisco stated that this message means that the shared key does not
    match; however, I checked this (of course) and still the message comes
    up. But in the end the tunnel comes up and traffic is allowed and
    works.

    The problem here is that the relatively long time needed to establish the
    tunnel causes time-out problems on applications (RDP, e.g.).

    I already tried to disable PFS and also checked IKE timers etc.

    Does anyone know the solution for this?
     
    Arjan, Oct 12, 2005
    #1
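    The debug line quoted above refers to the generic ISAKMP payload header (RFC 2408): one byte next-payload type, one reserved byte that must be zero, and a two-byte length; payload type 8 is HASH. The following is an added example, not from the original post or from Cisco, that builds a constructed ISAKMP message and walks its payload chain the way the PIX parser does, reporting the same two conditions; after decryption with the wrong pre-shared key the reserved byte is effectively random, which is why a key mismatch surfaces as this message.

```python
import struct

# ISAKMP payload type numbers from RFC 2408 section 3.1; 8 (HASH) is the one in the debug line.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}
HDR_LEN = 28  # fixed header: 2 x 8-byte cookies, next payload, version, exchange, flags, msg id, length

def build_message(payloads, exchange_type=2):
    """Assemble a constructed ISAKMP message from (type, reserved, body) tuples (test input only)."""
    body = b""
    for i, (ptype, reserved, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0  # 0 terminates the chain
        body += struct.pack("!BBH", nxt, reserved, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                      exchange_type, 0, 0, HDR_LEN + len(body))
    return hdr + body

def check_payloads(pkt):
    """Walk the payload chain as the PIX debug does; return (payload types seen, problem strings)."""
    types, problems = [], []
    if len(pkt) < HDR_LEN:
        return types, ["packet shorter than ISAKMP header"]
    ptype = pkt[16]  # next-payload field of the fixed header
    if struct.unpack("!I", pkt[24:28])[0] != len(pkt):
        problems.append("header length does not match packet length")
    offset = HDR_LEN
    while ptype != 0:
        if offset + 4 > len(pkt):
            problems.append("malformed payload")
            break
        nxt, reserved, plen = struct.unpack("!BBH", pkt[offset:offset + 4])
        types.append(ptype)
        if reserved != 0:  # exactly the condition behind "reserved not zero on payload N"
            problems.append(f"reserved not zero on payload {ptype}")
        if plen < 4 or offset + plen > len(pkt):  # length field cannot be trusted
            problems.append("malformed payload")
            break
        offset, ptype = offset + plen, nxt
    return types, problems

if __name__ == "__main__":
    bad = build_message([(8, 1, b"\x00" * 16), (10, 0, b"\x00" * 8)])  # HASH payload with reserved=1
    for t, p in zip(*check_payloads(bad)):
        print(PAYLOAD_NAMES.get(t, t), p)
```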

  2. Merv

    Merv Guest

    Does the hash algorithm configured for each peer match?
     
    Merv, Oct 13, 2005
    #2

  3. Arjan

    Arjan Guest

    Meaning ESP-DES-MD5 for stage one and two? Yes, they do; however, the PIX
    also has a policy for ESP-DES-SHA that is not used at the moment.
     
    Arjan, Oct 13, 2005
    #3