Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
32472
Views
9
Helpful
1
Replies

%CRYPTO-4-IKMP_NO_SA + %CRYPTO-4-IKMP_BAD_MESSAGE

neo_christina
Level 1
Level 1

‎07-01-2007 04:06 AM - edited ‎03-03-2019 05:41 PM

Hi,

Need help on the following:

The following only happened recently and no configuration change was done.

The impact is that the session and application layer can't connect from end to end server.

the following are the error messages that are logged on both side of the routers.

%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer

%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer

%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer

%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.232.113.38 failed its sanity check or is malformed

when crypto was removed from both sides of the router, everything becomes ok.

Thanks!

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Anand Narayana
Level 6
Level 6

‎07-01-2007 05:38 AM

%CRYPTO-4-IKMP_NO_SA (x1): IKE message from [IP_address] has no SA and is

not an initialization offer

Explanation: IKE maintains the current state for a communication in the form

of security associations. No security association exists for the specified packet,

and it is not an initial offer from the peer to establish one. This situation

could indicate a denial-of-service attack.

Recommended Action: Contact the remote peer and the administrator of the remote

peer.

for ERROR: This device has recorded the %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from

[IP_address] failed its sanity check or is malformed log message.

A quick sanity check is performed on all received ISAKMP messages to verify that

all component payload types are valid and that the sum of their individual lengths

equals the total length of the received messages. This message failed the sanity

check, or the pre-shared keys between the two devices do not match. Persistently

invalid messages indicate a possible denial-of-service attack or failed decryption.

TRY THIS: Use the show crypto isakmp policy command on both peers to verify whether

the settings match. Ensure that the key is correct on both ends. If not re-enter

the key. If every setting matches on both ends, issue the no crypto map interface

PIX command to remove the crypto maps. Then, issue the no isakmp key address

command to remove the ISAKMP keys. Remove the ISAKMP policies with the no isakmp

policy command and reapply them. Finally, reapply the crypto map to the interface.

Issue the write memory PIX command, and reboot both devices.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card