jseidensticker
Apr 18, 2017
Solved

Gateway VPN SRX5308 to Cisco RV320

We are attempting to set up a VPN gateway connection between an SRX5308 (latest firmware) and a Cisco RV320 (also latest firmware) and cannot get them to connect. We believe we have the configuration mirrored between the two, but it fails to connect on the Connection Status page of the NetGear.

VPN Log shows the following when attempting to connect from the Cisco:

 

Received Malformed packet of payload length 14501 and total length 32.
Tue Apr 18 19:51:39 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 4949 and total length 32.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx[500].
Tue Apr 18 19:51:20 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:51:00 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:50:51 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 49779 and total length 32.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx[500].

Tue Apr 18 19:50:00 2017 (GMT +0000): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 173.9.167.xxx[500]. bb91219dd84ccfd5:1a2465ff21f772fa

 

Config on both sides:

Group 2 - 1,024

MD5

3DES

IKE with passphrase

SA timeout: 28800 sec

 

Any assistance is appreciated.

  • jseidensticker
    Apr 19, 2017

    We got it working. Seems the Cisco does not accept the same special characters as the NetGear, and that was the SA Protocol error. It is up and running now. Thanks for your help!

4 Replies

  • Post screens of both sides configs, if you can.

     

    According to the logs you posted, phase 1 is not completing. Generally this is an IKE settings mismatch.

    • jseidensticker
      Aspirant

      I cannot post pictures of the config here, but here are the settings from each:

       

      SRX5308

      Encryption Algorithm: 3DES

      Authentication Algorithm: MD5

      Pre-Shared Key

      DH Group 2 1024 bit

      SA Lifetime 28800 sec

      Dead Peer - no

      Direction - Both

      Exchange Mode - Main

       

      Cisco RV320

      Phase 1 DH Group 1 1024 bit

      Phase 1 Encryption: 3DES

      Phase 1 Authentication: MD5

      SA Lifetime 28800

      Perfect Forward Secrecy - Enabled by default, but we tested with and without this setting

      Advanced - Exchange mode - Main

      Phase 2 settings - same as above

       

      Thanks for looking at this. I'm banging my head trying to see something that is different....

       

       

       

      • jseidensticker
        Aspirant

        Latest log file:

         

        [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
        Wed Apr 19 14:49:04 2017 (GMT +0000): [SRX5308] [IKE] ERROR: Invalid SA protocol type: 0
        Wed Apr 19 14:48:49 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 22172 and total length 32.
        Wed Apr 19 14:48:32 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx.
        Wed Apr 19 14:48:32 2017 (GMT +0000): [SRX5308] [IKE] INFO: Configuration found for 173.9.167.xxx.
        Wed Apr 19 14:48:32 2017 (GMT +0000): [SRX5308] [IKE] INFO: accept a request to establish IKE-SA: 173.9.167.xxx
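
The log pattern in this thread (main mode begins, then "Malformed packet" entries whose payload length is larger than the total length) was resolved by changing a pre-shared key whose special characters the Cisco did not accept. As an added example, not part of the original thread and not NETGEAR or Cisco tooling, this script groups such log lines into phase 1 attempts and flags that pattern. The function name, the verdict strings and the newest-first ordering are assumptions of the example.

```python
import re

# Lines taken from the SRX5308 log posted in this thread (newest first, one repeated retry omitted).
SAMPLE_LOG = """\
Tue Apr 18 19:51:39 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 4949 and total length 32.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:51:38 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:51:20 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 46639 and total length 32.
Tue Apr 18 19:50:51 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 49779 and total length 32.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Tue Apr 18 19:50:50 2017 (GMT +0000): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 71.41.72.xxx[500]<=>173.9.167.xxx[500]
Tue Apr 18 19:50:00 2017 (GMT +0000): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 173.9.167.xxx[500]. bb91219dd84ccfd5:1a2465ff21f772fa
"""

NEW_P1 = re.compile(r"new phase 1 negotiation: \S+<=>(\S+)\[\d+\]")
MALFORMED = re.compile(r"Malformed packet of payload length (\d+) and total length (\d+)")
TIME_UP = re.compile(r"Phase 1 negotiation failed due to time up")

def triage(log_text, newest_first=True):
    """Group IKE log lines into phase 1 attempts and describe how each one failed."""
    lines = [l for l in log_text.splitlines() if "[IKE]" in l]
    lines = lines[::-1] if newest_first else lines  # assumption: log view lists newest entry first
    attempts, current = [], None
    for line in lines:
        if m := NEW_P1.search(line):
            current = {"peer": m.group(1), "main_mode": False, "oversized": 0, "timed_out": False}
            attempts.append(current)
        elif current is None:
            continue  # belongs to an attempt that started before this excerpt
        elif "Beginning Identity Protection mode" in line:
            current["main_mode"] = True
        elif m := MALFORMED.search(line):
            # A declared payload length larger than the whole packet cannot be a valid payload.
            if int(m.group(1)) > int(m.group(2)):
                current["oversized"] += 1
        elif TIME_UP.search(line):
            current["timed_out"] = True
    for a in attempts:
        if a["main_mode"] and a["oversized"]:
            a["verdict"] = "unparseable packet after main mode began: compare the pre-shared key on both ends"
        elif a["timed_out"]:
            a["verdict"] = "timed out with no unparseable packet: check reachability and the phase 1 proposal"
        else:
            a["verdict"] = "inconclusive"
    return attempts

if __name__ == "__main__":
    for attempt in triage(SAMPLE_LOG):
        print(attempt["peer"], attempt["oversized"], attempt["verdict"])
```

Pass `newest_first=False` for a log exported in chronological order.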
