R: [VPN] vpn problem cisco & watchguard

Filippo Carzaniga filippo.carzaniga at query.it
Thu Jan 22 08:10:03 EST 2004


I had the same problem.
It's very strange. You can transfer the IPsec tunnel over TCP. Disable NAT-T on the devices.


-----Original Message-----
From: Jean-Francois Dive [mailto:jef at linuxbe.org]
Sent: Wednesday, 21 January 2004 9.24
To: Navratil Pavel
Cc: vpn at lists.shmoo.com
Subject: Re: [VPN] vpn problem cisco & watchguard


The key point is to know whether what the Cisco dumps is true or not. Can you
pinpoint the traffic/condition that triggers this problem? If you do, a
sniffer trace would be very useful, as well as fully enabled debug on the
Cisco side.

J.

On Mon, Jan 19, 2004 at 12:25:32PM +0100, Navratil Pavel wrote:
> You posted this question in VPN mail list:
> --------------------------------------
> > I have a problem with a Cisco router and a Watchguard firewall.
> > Sometimes the IPsec tunnel dropped.
> > The log on the router is this:
> > %CRYPTO-4-IKMP_PKT_OVERFLOW : ISAKMP message from [IP_address] larger ([dec]) than the UDP packet length ([dec])
> > Explanation ISAKMP messages are carried in UDP packets and have their own message length field. The message length field of this message was greater than the length of the UDP packet. This situation could indicate a denial-of-service attack.
> > Recommended Action Contact the remote peer and the administrator of the remote peer.
> >
> > The remote Watchguard 700/III release 7.0 sp1 seems not to have a problem.
> > The Cisco is this:
> > System image file is "flash:c837-k9o3y6-mz.122-13.ZH2.bin"
> > CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K bytes of memory.
> >
> > Please let me know this as soon as possible.
> ----------------------------------------------
> 
> I am just starting to resolve a similar problem on my VPN with an IPsec
> connection between a CISCO VPN Client and a CISCO Router (IOS version
> 12.2.15T10) with the same error message.
> Did you have any response for your answer or any advice/hint on how to
> resolve this problem?
> 
> Thank you
> 
> -------------------------------------------------------
> Pavel Navratil
> Cisco Certified Security Professional         
> NEXTRA Czech Republic s.r.o.  - http://www.nextra.cz
> V Celnici 10 / CZ - 117 21 Praha 1 / Czech Republic
> Tel: +420/2/96 355 111
> E-mail: pavel.navratil at nextra.cz
> 
> Contact address:
> Wolkerova 1331 / CZ - 565 01 Chocen / Czech Republic
> Tel.: +420/603/279069
> See Disclaimer: http://www.nextra.cz/disclaimer/
> -------------------------------------------------------
>  
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn

-- 

-> Jean-Francois Dive
--> jef at linuxbe.org

  I think that God in creating Man somewhat overestimated his ability.
  -- Oscar Wilde
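
Added example, not part of the original thread or of any vendor's code: a way to test payloads taken from the sniffer trace requested above against the condition the router log describes, by comparing the ISAKMP header's length field with the UDP payload size. The function names and sample datagrams are constructed for illustration; the header layout is the RFC 2408 fixed header, and the 4-byte non-ESP marker on UDP/4500 (RFC 3948) is handled because the thread mentions NAT-T.

```python
import struct

# RFC 2408 fixed header: cookies, next payload, version, exchange type,
# flags, message ID, total message length (28 bytes in all).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: precedes IKE messages on UDP/4500


def check_isakmp(udp_payload: bytes, udp_port: int = 500) -> dict:
    """Compare the ISAKMP length field with the UDP payload length."""
    data = udp_payload
    if udp_port == 4500:
        if data[:4] != NON_ESP_MARKER:
            return {"status": "not-ike"}   # ESP-in-UDP or NAT keepalive
        data = data[4:]
    if len(data) < ISAKMP_HDR.size:
        return {"status": "truncated-header", "udp_len": len(data)}
    (_icookie, _rcookie, _next, version, exch, _flags,
     msg_id, declared) = ISAKMP_HDR.unpack_from(data)
    if declared > len(data):
        status = "overflow"        # length field larger than the UDP payload
    elif declared < len(data):
        status = "trailing-bytes"  # extra bytes after the declared message
    else:
        status = "ok"
    return {"status": status, "declared": declared, "udp_len": len(data),
            "version": f"{version >> 4}.{version & 0xF}",
            "exchange_type": exch, "message_id": msg_id}


def build_sample(declared_len: int, body: bytes) -> bytes:
    """Constructed datagram: ISAKMP header with a chosen length field."""
    return ISAKMP_HDR.pack(b"I" * 8, b"R" * 8, 8, 0x10, 5, 0x01,
                           0x1234, declared_len) + body


if __name__ == "__main__":
    body = b"\x00" * 12
    samples = [
        ("consistent", build_sample(28 + 12, body), 500),
        ("length field too large", build_sample(28 + 200, body), 500),
        ("NAT-T framed", NON_ESP_MARKER + build_sample(28 + 12, body), 4500),
    ]
    for label, payload, port in samples:
        print(label, check_isakmp(payload, port))
```

An "overflow" result on a captured datagram means the header declares more bytes than that UDP payload carries, which is what the router's message reports.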