07-01-2007 04:06 AM - edited 03-03-2019 05:41 PM
Hi,
Need help on the following:
The following only happened recently and no configuration change was done.
The impact is that the session and application layer can't connect from end to end server.
The following are the error messages that are logged on both sides of the routers.
%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer
%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer
%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer
%CRYPTO-4-IKMP_NO_SA: IKE message from 10.232.113.38 has no SA and is not an initialization offer
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.232.113.38 failed its sanity check or is malformed
When crypto was removed from both sides of the router, everything became OK.
Thanks!
07-01-2007 05:38 AM
%CRYPTO-4-IKMP_NO_SA (x1): IKE message from [IP_address] has no SA and is not an initialization offer
Explanation: IKE maintains the current state for a communication in the form
of security associations. No security association exists for the specified packet,
and it is not an initial offer from the peer to establish one. This situation
could indicate a denial-of-service attack.
Recommended Action: Contact the remote peer and the administrator of the remote
peer.
for ERROR: This device has recorded the %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from [IP_address] failed its sanity check or is malformed log message.
A quick sanity check is performed on all received ISAKMP messages to verify that
all component payload types are valid and that the sum of their individual lengths
equals the total length of the received messages. This message failed the sanity
check, or the pre-shared keys between the two devices do not match. Persistently
invalid messages indicate a possible denial-of-service attack or failed decryption.
TRY THIS: Use the show crypto isakmp policy command on both peers to verify whether
the settings match. Ensure that the key is correct on both ends. If not, re-enter
the key. If every setting matches on both ends, issue the no crypto map interface
PIX command to remove the crypto maps. Then, issue the no isakmp key address
command to remove the ISAKMP keys. Remove the ISAKMP policies with the no isakmp
policy command and reapply them. Finally, reapply the crypto map to the interface.
Issue the write memory PIX command, and reboot both devices.
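
The sanity check described in the answer above, sketched as an added example (not Cisco's code and not part of the original posts): it walks the ISAKMP header and generic payload headers as laid out in RFC 2408 and rejects a message whose payload types or lengths are inconsistent. The function names, the sample messages and the restriction to the base RFC 2408 payload types are assumptions of this sketch.

```python
import struct

HEADER_LEN = 28                     # fixed ISAKMP header size (RFC 2408)
# Base RFC 2408 payload types: SA, P, T, KE, ID, CERT, CR, HASH, SIG, NONCE, N, D, VID.
# Assumption: extension payloads (e.g. NAT-T) are not accepted in this sketch.
VALID_PAYLOADS = set(range(1, 14))

def sanity_check(msg: bytes) -> str:
    """Return 'ok' or a short reason the message would be rejected."""
    if len(msg) < HEADER_LEN:
        return "short header"
    # cookies (8+8), next payload, version, exchange type, flags, message ID, length
    _, _, nxt, _, _, _, _, total = struct.unpack("!8s8sBBBBII", msg[:HEADER_LEN])
    if total != len(msg):
        return "header length != received length"
    off = HEADER_LEN
    while nxt != 0:                 # 0 means "no further payload"
        if nxt not in VALID_PAYLOADS:
            return f"invalid payload type {nxt}"
        if off + 4 > total:
            return "payload header runs past end"
        following, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > total:
            return "bad payload length"
        off += plen
        nxt = following
    if off != total:
        return "payload lengths do not sum to total length"
    return "ok"

def build(payloads):
    """Build a constructed test message from a list of (type, body) pairs."""
    body = b""
    for i, (_, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    hdr = struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8, payloads[0][0],
                      0x10, 2, 0, 0, HEADER_LEN + len(body))
    return hdr + body

# Constructed samples, not captured traffic.
GOOD = build([(1, b"\x00" * 8), (13, b"vendor")])
# Models a body decrypted with a mismatched pre-shared key: header intact, body garbage.
WRONG_KEY = GOOD[:HEADER_LEN] + b"\xc7\x5a\x9e\x11" + b"\xaa" * 18
BAD_TYPE = build([(1, b""), (200, b"x")])

if __name__ == "__main__":
    for name, m in [("good", GOOD), ("wrong key", WRONG_KEY),
                    ("bad type", BAD_TYPE), ("trailing byte", GOOD + b"\x00")]:
        print(f"{name:14s} {sanity_check(m)}")
```

The `WRONG_KEY` sample shows why a key mismatch surfaces as the same log message as a malformed packet: the header is readable, but the body decrypts to bytes whose payload lengths cannot add up.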