packet (5) shorter than isakmp header size. - LINUX Clients

L1 Bithead

Hi,

We configured remote vpn access in our PA-3020, and we are experiencing some issues with Linux clients. People who are using Global-Protect client work fine, but people who use vpnc client suffer service disruption in SSH or using GIT repositories.

The logs that we have in the system show this:

  'packet (5) shorter than isakmp header size.'

Does anyone know about this issue and how could we fix it?

Thank you in advance,

Esteban

L1 Bithead

Hi,

We have the same informational logs. Our configuration is very similar: clients using vpnc for connecting through a tunnel with a PA5050, PANOS 5.0.8. We are close to upgrading to PANOS 6-03; we will see if the problem persists.

Thank you.

Carlos.

L2 Linker

Hello ecardona,


The ISAKMP header is supposed to be 28 bytes, so I think this message is saying that a header received is smaller than 28 bytes.

'packet (5) shorter than isakmp header size.'

Please share the output of the command below while you are trying to connect via the VPNC client:

> tail follow yes mp-log ikemgr.log

Thanks.

L1 Bithead

Hi Mystique,

I really forgot this thread...I gave up, but now when I saw your answer I'm back again with this issue:

> tail follow yes mp-log ikemgr.log

2014-11-06 16:50:19 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).

2014-11-06 16:50:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:50:50 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:50:53 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:51:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:51:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:51:30 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:52:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:52:31 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:52:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:34 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:36 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:52 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:08 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:38 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=b37c7eed6e74ad9e e5ceed8c5d35b1ca (size=16).

2014-11-06 16:54:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:55:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:55:18 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).

2014-11-06 16:55:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:55:31 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:09 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:35 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:50 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:55 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:36 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:54 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:58 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:08 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:16 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:57 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=b37c7eed6e74ad9e e5ceed8c5d35b1ca (size=16).

2014-11-06 17:00:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:18 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).

2014-11-06 17:00:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.

Thanks!!!!!

Esteban

L7 Applicator

Hello Esteban,

Could you take a packet capture on the PAN firewall to verify the ISAKMP header size?

Thanks

L1 Bithead

Hi HULK,

Sure I can. What kind of filters do you recommend to get this info?

Thanks!


Esteban

Not applicable

Hello. I just thought I should mention I get the same messages in the logs around every 10 seconds and also use VPNC on linux hosts. It's probably going to increase as more and more devices start to connect so it would be nice to get rid of. We're not having any kind of connectivity issues though, only lots of these log messages. Since we only have 1 real vpn user at the moment and it's just a server that we sometimes look at the Nagios GUI on I can safely record everything for a while. I'm connected this way myself from out of the office today also using VPNC.

Anyway, I don't really know what to then actually look for in the pcap. I see packets that show up around every 10 seconds (like the log messages) that Wireshark identifies as ISAKMP which are 47 bytes long. These don't show up if I instead actually filter for ISAKMP though. If I do that I get far fewer packets, spread out around every 5 minutes, that are 138 bytes long instead.

Those smaller ISAKMP packets are all going from the client to the PA200 so I guess this is something to do with VPNC maybe?

Is this useful to anyone else here in any way?

If it matters, there's NAT going on on both ends. On the server side it's the PA itself that does it and forwards things to loopback interfaces that the globalprotect gateway and portal and stuff runs on.

L3 Networker

I see the same errors on my firewall with vpnc Linux clients connecting. Have you come up with a solution yet? I'm currently running 6.0.7

-Brad
L7 Applicator

The "packet (5) shorter than isakmp header size." messages are generated by those ISAKMP messages of length 47.

These are VPNC NAT Keep Alive messages, and are sent every 10 seconds by each VPNC connected client.


A workaround would be to turn off NAT Keep Alives for VPNC, though I have not found a way to do this.


The solution would be to have the ability to suppress these alerts on the logs. For this, an FR needs to be filed.

Please contact your Palo Alto Networks SE to have an FR filed.

If you do not know who the SE for your account is, please contact your sales representative, or Support, to assist you in finding the correct SE for your account.
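
As an added example (not code from any poster or from PAN-OS), this Python sketch shows the length check behind the log message discussed in this thread: a UDP payload shorter than the 28-byte ISAKMP header cannot be parsed and is reported by its size. All sample payloads are constructed, the contents of the 5-byte VPNC datagram are not shown in the thread, and the 47-to-5 arithmetic assumes an Ethernet II frame carrying IPv4 without options.

```python
import struct

ISAKMP_HDR_LEN = 28            # RFC 2408: two 8-byte cookies, 4 one-byte fields, msg ID, length
NON_ESP_MARKER = b"\x00" * 4   # RFC 3948: precedes IKE messages on UDP 4500
HDR = struct.Struct("!8s8sBBBBII")

def udp_payload_len(frame_len: int, l2: int = 14, ip: int = 20, udp: int = 8) -> int:
    """UDP payload size for a captured frame (assumes Ethernet II + IPv4, no options)."""
    return frame_len - l2 - ip - udp

def classify(payload: bytes, port: int = 500) -> str:
    """Classify one UDP payload the way an IKE listener must before parsing it."""
    if port == 4500:
        if payload == b"\xff":
            return "nat-keepalive (RFC 3948, single 0xFF byte)"
        if len(payload) < 4:
            return f"malformed: {len(payload)} bytes on UDP 4500"
        if payload[:4] != NON_ESP_MARKER:
            return "esp-in-udp (not IKE)"
        payload = payload[4:]          # strip the marker, the rest is IKE
    if len(payload) < ISAKMP_HDR_LEN:
        # Same wording as the ikemgr.log entries quoted in the thread.
        return f"packet ({len(payload)}) shorter than isakmp header size"
    _ic, _rc, _nxt, ver, xchg, _flags, msgid, length = HDR.unpack_from(payload)
    if length != len(payload):
        return f"length mismatch: header says {length}, datagram has {len(payload)}"
    return f"isakmp v{ver >> 4}.{ver & 0xF} exchange={xchg} msgid={msgid:#010x}"

# Constructed samples (not taken from any capture in the thread).
SHORT_5 = bytes(5)                                   # stand-in for the 5-byte keepalive
VALID_HDR = HDR.pack(b"\x11" * 8, b"\x22" * 8, 0, 0x10, 5, 0, 0x12345678, 28)

if __name__ == "__main__":
    print("47-byte frame ->", udp_payload_len(47), "byte UDP payload")
    for name, data, port in [
        ("short/500", SHORT_5, 500),
        ("keepalive/4500", b"\xff", 4500),
        ("header/500", VALID_HDR, 500),
        ("header/4500", NON_ESP_MARKER + VALID_HDR, 4500),
        ("trailing byte/500", VALID_HDR + b"\x00", 500),
    ]:
        print(f"{name:18} {classify(data, port)}")
```

A capture filter that matches on UDP payload length below 28 on the IKE ports isolates these datagrams from real ISAKMP exchanges, which is why the 47-byte packets vanish when the display filter is set to ISAKMP only.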