IPSec - invalid length of payload
Posted: Mon May 11, 2009 2:58 pm
by psyfer
Hi,
I have had an IPSec tunnel between a mikrotik and Cisco setup for about 6 months.
Yesterday I upgraded to v3.23, and then after the upgrade, no IPSec tunnel couldn’t be established again.
This is the error log:
12:57:40 respond new phase 1 negotiation: 196.223.113.21[500]<=>193.142.87.124[500]
12:57:40 begin Identity Protection mode.
12:57:41 invalid length of payload
12:57:42 invalid length of payload
12:57:42 invalid length of payload
I then downgraded to v3.13 - but the problem still exists.
Has anyone had the same problem or know how to resolve it?
Re: IPSec - invalid length of payload
Posted: Wed May 13, 2009 4:14 pm
by Muqatil
I've got the same issue against a JunOS router..
Re: IPSec - invalid length of payload
Posted: Wed May 20, 2009 1:32 am
by ispan
Looks like IPSec is broken in some 3.x release. What 3.x version works stable?
Eric
Re: IPSec - invalid length of payload
Posted: Wed May 20, 2009 12:27 pm
by sergejs
Contact support (
support@mikrotik.com) with the attached support output file from the 3.23 router.
Re: IPSec - invalid length of payload
Posted: Thu Nov 04, 2010 6:56 pm
by NAB
I'm seeing this with ROS 5.0rc3 connecting to a Fortinet Fortigate.
Should I downgrade to the latest 4.x?
Re: IPSec - invalid length of payload
Posted: Tue Aug 03, 2021 9:07 am
by BlackRat
I have RB4011iGS+ with 6.48.3 installed that connected to the RouterOS-x86 6.48.3. And I have the same situation:
13:05:09 ipsec,debug ===== received 76 bytes from XX.XXX.XX.XX[1025] to YY.YYY.YYY.YY[4500]
13:05:09 ipsec,debug,packet 53c28f4e 6b6fd2c5 8ce8c01f 63c109a1 05100201 00000000 0000004c 8abac649
13:05:09 ipsec,debug,packet 38a64a42 fa9c3851 aabe2004 4985b179 8dcda2f3 515d24f1 33ec005e af74ceeb
13:05:09 ipsec,debug,packet f1039154 2231616d 01567c30
13:05:09 ipsec,debug,packet encryption(aes)
13:05:09 ipsec,debug,packet IV was saved for next processing:
13:05:09 ipsec,debug,packet af74ceeb f1039154 2231616d 01567c30
13:05:09 ipsec,debug,packet encryption(aes)
13:05:09 ipsec,debug,packet with key:
13:05:09 ipsec,debug,packet fc8023c3 99853760 baf97e8b d482945a
13:05:09 ipsec,debug,packet decrypted payload by IV:
13:05:09 ipsec,debug,packet d90b87c0 1a054350 36fa6997 bf9a9c27
13:05:09 ipsec,debug,packet decrypted payload, but not trimed.
13:05:09 ipsec,debug,packet a572f40e 5583db16 f012686b a2a7e30e b3c42691 ee344454 7a19ef4a f969d5d1
13:05:09 ipsec,debug,packet a36c1423 2507872c aee4825f 4e8d4e02
13:05:09 ipsec,debug,packet padding len=3
13:05:09 ipsec,debug,packet skip to trim padding.
13:05:09 ipsec,debug,packet decrypted.
13:05:09 ipsec,debug,packet 53c28f4e 6b6fd2c5 8ce8c01f 63c109a1 05100201 00000000 0000004c a572f40e
13:05:09 ipsec,debug,packet 5583db16 f012686b a2a7e30e b3c42691 ee344454 7a19ef4a f969d5d1 a36c1423
13:05:09 ipsec,debug,packet 2507872c aee4825f 4e8d4e02
13:05:09 ipsec,debug begin.
13:05:09 ipsec,debug seen nptype=5(id) len=62478
13:05:09 ipsec invalid length of payload
13:05:09 ipsec,error XX.XXX.XX.XX parsing packet failed, possible cause: wrong password
I have about 30 IPSec tunnels (Site-To-Site) and only a few of them writes same errors to log.
Re: IPSec - invalid length of payload
Posted: Tue Sep 14, 2021 11:22 am
by BlackRat
Same situation!
parsing packet failed, possible cause: wrong password
I have about 45 different IPSEC-tunnels and only one of the routers generating this error.
I tried to change proposals - same situation. Tunnel established, but constantly see this error!
/system routerboard print
routerboard: yes
model: RB4011iGS+
serial-number: ....
firmware-type: al2
factory-firmware: 6.45.1
current-firmware: 6.48.3
upgrade-firmware: 6.48.3