We've just gone through a PIX 6.3 VPN problem in which the characteristic debug message was
ISAKMP: invalid udp len
This message has been mentioned a very small number of times online, and one person asked about it, but no solution was given, so I am documenting it here for future reference.
This is an IPSEC Phase 2 problem, not a Phase 1 problem. Therefore this problem will not occur unless you -have- managed to find usable "isakmp policy" and your isakmp key (or certificates) have passed muster.
Because it is Phase 2, it cannot be an "isakmp identity" problem [the TAC's answer]: the identity is used in Phase 1. In particular if you see these messages then you know the other end has figured out who you are:
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP IPSEC(key_engine_delete_sas): delete all SAs shared with
In our case, the trigger for this debug message was that the other side had valid isakmp key and isakmp policy (the Phase 1 infrastructure) but had somehow lost all of its crypto map statements and so could not negotiate Phase 2 with us.
[Yes, I would have expected a rather more obvious diagnostic in this situation...]