IPSec Tunnel Conn-ID Changes Frequently

Chuan Liu
Level 1

Hi NetPro,

I have an IPSec VPN between an IOS router (1841) and ISA. The VPN is established and each LAN can access the other. From the end user's point of view, no connectivity problems are experienced. But on the IOS router, 'show cryp is sa' shows the conn-id number is increasing frequently. The error messages "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer" and "%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA and is not an initialization offer" also come up on the console.

'debug cry is' is attached.

Any advice is appreciated.

Thanks.

1 Reply

smahbub
Level 6

%CRYPTO-6-IKMP_MODE_FAILURE : Processing of [chars] mode failed with peer at [IP_address]

Explanation: Negotiation with the remote peer has failed.

Recommended Action: If this situation persists, contact the remote peer.

%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA

If this error message occurs in the IOS Router, the problem is that the SA has either expired or been cleared. The remote tunnel end device does not know that it uses the expired SA to send a packet (not an SA establishment packet). When a new SA has been established, the communication resumes, so initiate the interesting traffic across the tunnel to create a new SA and re-establish the tunnel.
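An added example, not part of the reply above or of any Cisco tool: a small Python script that counts the two messages quoted in this thread per peer in saved router logs, to tell a one-off expired SA from a failure that persists. The sample lines, their timestamps and addresses, and the threshold of 2 are constructed assumptions.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Patterns follow the two message formats quoted in this thread.
MODE_FAILURE = re.compile(
    r"%CRYPTO-6-IKMP_MODE_FAILURE\s*:\s*Processing of (?P<mode>.+?) mode failed "
    r"with peer(?: at)? (?P<peer>" + IP + r")")
NO_SA = re.compile(
    r"%CRYPTO-4-IKMP_NO_SA\s*:\s*IKE message from (?P<peer>" + IP + r") has no SA")

def summarize(lines):
    """Count both IKE messages per peer address."""
    stats = defaultdict(lambda: {"mode_failure": 0, "no_sa": 0, "modes": set()})
    for line in lines:
        m = MODE_FAILURE.search(line)
        if m:
            entry = stats[m.group("peer")]
            entry["mode_failure"] += 1
            entry["modes"].add(m.group("mode"))
            continue
        m = NO_SA.search(line)
        if m:
            stats[m.group("peer")]["no_sa"] += 1
    return dict(stats)

def persistent_peers(stats, threshold=2):
    """Peers for which both messages recur (threshold is an assumption, tune it)."""
    return sorted(p for p, s in stats.items()
                  if s["mode_failure"] >= threshold and s["no_sa"] >= threshold)

# Constructed sample log lines (documentation address ranges, made-up timestamps).
SAMPLE = [
    "*Mar  1 00:10:01.123: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10",
    "*Mar  1 00:10:01.200: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer",
    "*Mar  1 00:12:44.001: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "*Mar  1 00:40:02.510: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10",
    "*Mar  1 00:40:02.590: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer",
    "*Mar  1 01:05:30.000: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7 has no SA and is not an initialization offer",
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for peer, s in sorted(stats.items()):
        print(peer, s["mode_failure"], s["no_sa"], sorted(s["modes"]))
    print("persistent:", persistent_peers(stats))
```

A peer that appears in the persistent list is the case where the recommended action quoted above applies: compare lifetimes and proposals with whoever runs the remote end.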
