Hi Frank,
Error Message:
%CRYPTO-4-IKMP_BAD_MESSAGE : IKE message from [IP_address] failed its sanity check or is malformed
Explanation:
A quick verification check is done on all received ISAKMP messages to ensure that all component payload types are valid and that the sum of their individual lengths equals the total length of the received message.
This message indicates a failed verification check.
Persistently bad messages could mean a denial-of-service attack or bad decryption.
Recommended Action:
Contact the administrator of the remote peer.
-------------------------------------------------
PIXs and Cisco routers
Symptom/Message:
(Router) log message of
CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed
Likely cause or solution:
Pre-shared key mismatch.
This is more often a router VPN message than a PIX VPN message.
-------------------------------------------------
It seems to be a preshared mismatch.
Make sure they are both the same.
Remember if you are going to make a change you need to disable the crypto map on the interface, make the changes and then enable it back.
Changes made without following these steps might not work properly.
-------------------------------------------------
Verify your crypto settings on both devices match, all the way to the SA lifetimes.
Run a 'sh run' on both devices and check your crypto statements line by line.
If they match and are all correct, remove all the lines, clear your SAs, and apply the lines once again.
This way you know you started with a clean slate.
-------------------------------------------------
Issuing a "clear crypto sa" will clear the problem.
In the past, Cisco TAC has indicated that the problem is due to the use of the keyword "any" in the crypto ACL.
Sincerely,
Brad Reese
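
As an added illustration (not part of the original post and not Cisco's code), the sketch below implements the kind of check the quoted explanation describes, using the ISAKMP header and generic payload header layout from RFC 2408. The payload-type allow-list, function names and sample messages are constructed for the example; the scrambled body stands in for a message decrypted with the wrong key, which is how a pre-shared key mismatch can end up failing this check.

```python
import struct

HEADER_LEN = 28                     # fixed ISAKMP header (RFC 2408)
KNOWN_PAYLOADS = set(range(1, 14))  # assumed allow-list: RFC 2408 types 1..13

def build_message(payloads):
    """Build a constructed ISAKMP message from (payload_type, data) pairs."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    return struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, payloads[0][0],
                       0x10, 2, 0, 0, HEADER_LEN + len(body)) + body

def sanity_check(msg):
    """Walk the payload chain of a cleartext/decrypted message: (ok, reason)."""
    if len(msg) < HEADER_LEN:
        return False, "short header"
    nxt = msg[16]                                # first payload type
    total = struct.unpack("!I", msg[24:28])[0]   # length field in the header
    if total != len(msg):
        return False, "header length != received length"
    offset = HEADER_LEN
    while nxt != 0:                              # 0 means no further payload
        if nxt not in KNOWN_PAYLOADS:
            return False, f"invalid payload type {nxt}"
        if offset + 4 > total:
            return False, "payload header runs past end"
        following, _, plen = struct.unpack("!BBH", msg[offset:offset + 4])
        if plen < 4 or offset + plen > total:
            return False, "bad payload length"
        offset += plen
        nxt = following
    if offset != total:
        return False, "payload lengths do not sum to message length"
    return True, "ok"

# Constructed sample: ID payload (type 5) followed by HASH payload (type 8).
GOOD = build_message([(5, bytes([1, 0, 0, 0, 192, 0, 2, 1])), (8, b"\xaa" * 20)])
# Same header, body replaced by fixed garbage, standing in for a wrong-key decrypt.
SCRAMBLED = GOOD[:HEADER_LEN] + bytes((i * 73 + 159) % 256
                                      for i in range(len(GOOD) - HEADER_LEN))

if __name__ == "__main__":
    for name, m in (("good", GOOD), ("scrambled", SCRAMBLED)):
        print(name, sanity_check(m))
```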