03-05-2014 06:35 AM
Hi,
We configured remote vpn access in our PA-3020, and we are experiencing some issues with Linux clients. People who are using Global-Protect client work fine, but people who use vpnc client suffer service disruption in SSH or using GIT repositories.
The logs that we have in the system shows this:
'packet (5) shorter than isakmp header size.'
Does anyone know about this issue and how could we fix it?
Thank you in advance,
Esteban
06-18-2014 02:02 AM
Hi,
we have the same informational logs. Our configuration is very similar, clients using vpnc clients for connecting trough a tunnel with a PA5050, PANOS 5.0.8, we are near of upgrade to PANOS 6-03, we will see if if the problem persist.
Thank you.
Carlos.
06-18-2014 07:49 AM
Hello ecardona,
The ISAKMP header is supposed to be 28 bytes, so I think this message is saying that a header received is smaller than 28 bytes.
'packet (5) shorter than isakmp header size.'
Please share output of below command when you are trying to connect via VPNC client
> tail follow yes mp-log ikemgr.log
Thanks.
11-06-2014 12:03 PM
Hi Mystique,
I really forgot this thread...I gave up, but now when I saw your answer I'm back again with this issue:
> tail follow yes mp-log ikemgr.log
2014-11-06 16:50:19 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).
2014-11-06 16:50:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:50:50 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:50:53 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:51:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:51:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:51:30 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:52:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:52:31 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:52:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:53:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:53:34 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:53:36 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:53:52 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:08 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:38 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:54:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=b37c7eed6e74ad9e e5ceed8c5d35b1ca (size=16).
2014-11-06 16:54:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:55:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:55:18 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).
2014-11-06 16:55:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:55:31 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:56:09 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:56:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:56:35 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:56:50 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:56:55 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:36 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:57:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:58:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:58:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:58:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:58:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:58:54 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:58:58 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:08 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:16 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 16:59:57 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=b37c7eed6e74ad9e e5ceed8c5d35b1ca (size=16).
2014-11-06 17:00:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 17:00:18 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).
2014-11-06 17:00:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 17:00:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 17:00:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.
2014-11-06 17:00:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.
Thanks!!!!!
Esteban
11-06-2014 12:43 PM
Hello Esteban,
Could you take a packet capture on the PAN firewall to verify the ISAKMP header size.
Thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!