packet (5) shorter than isakmp header size. - LINUX Clients

ecardona · ‎03-05-2014

Hi,

We configured remote vpn access in our PA-3020, and we are experiencing some issues with Linux clients. People who are using Global-Protect client work fine, but people who use vpnc client suffer service disruption in SSH or using GIT repositories.

The logs that we have in the system shows this:

'packet (5) shorter than isakmp header size.'

Does anyone know about this issue and how could we fix it?

Thank you in advance,

Esteban

uam · ‎06-18-2014

Hi,

we have the same informational logs. Our configuration is very similar, clients using vpnc clients for connecting trough a tunnel with a PA5050, PANOS 5.0.8, we are near of upgrade to PANOS 6-03, we will see if if the problem persist.

Thank you.

Carlos.

Mystique · ‎06-18-2014

Hello ecardona,

The ISAKMP header is supposed to be 28 bytes, so I think this message is saying that a header received is smaller than 28 bytes.

'packet (5) shorter than isakmp header size.'

Please share output of below command when you are trying to connect via VPNC client

> tail follow yes mp-log ikemgr.log

Thanks.

ecardona · ‎11-06-2014

Hi Mystique,

I really forgot this thread...I gave up, but now when I saw your answer I'm back again with this issue:

> tail follow yes mp-log ikemgr.log

2014-11-06 16:50:19 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).

2014-11-06 16:50:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:50:50 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:50:53 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:51:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:51:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:51:30 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:52:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:52:31 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:52:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:34 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:36 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:53:52 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:08 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:38 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:54:56 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=b37c7eed6e74ad9e e5ceed8c5d35b1ca (size=16).

2014-11-06 16:54:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:55:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:55:18 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).

2014-11-06 16:55:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:55:31 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:09 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:35 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:50 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:56:55 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:36 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:57:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:54 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:58:58 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:07 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:08 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:16 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:28 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:57 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 16:59:57 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=b37c7eed6e74ad9e e5ceed8c5d35b1ca (size=16).

2014-11-06 17:00:15 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:18 [PROTO_NOTIFY]: notification message 36136:R-U-THERE, doi=1 proto_id=1 spi=18c085e04b4db9a9 3ffcba454d505765 (size=16).

2014-11-06 17:00:27 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:37 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:47 [PROTO_ERR]: packet (5) shorter than isakmp header size.

2014-11-06 17:00:56 [PROTO_ERR]: packet (5) shorter than isakmp header size.

Thanks!!!!!

Esteban

HULK · ‎11-06-2014

Hello Esteban,

Could you take a packet capture on the PAN firewall to verify the ISAKMP header size.

Thanks

packet (5) shorter than isakmp header size. - LINUX Clients

packet (5) shorter than isakmp header size. - LINUX Clients

Show your appreciation!