CRYPTO-4-IKMP_NO_SA

Unanswered Question
Sep 29th, 2008

I have a DMVPN network and everything works well.

When the connection from the ISP to a spoke goes down and then comes back up, I receive this message:

CRYPTO-4-IKMP_NO_SA: IKE message from [IP_address] has no SA and is not an initialization offer

and no traffic from the spoke.

I have SSH from the hub, and when I do clear crypto sa and clear crypto isakmp sa and reload the router, everything is OK.

I found this on the site:

Error Message

%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

Explanation: IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Recommended Action: Contact the remote peer and the administrator of the remote peer.

But this is not a DoS attack.

Can you help me?

Thanks in advance
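The explanation quoted above says the message "could indicate a denial-of-service attack", and the poster's symptom (one known spoke after a link flap) is the other common cause. One way to tell the two apart from the hub's log, as an added example that is not part of the original post: count the messages per source address and split the sources into configured VPN peers and unknown addresses. The log lines below are constructed for the example and the peer list is a hypothetical one; the regex matches the message text shown in the thread.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). Addresses are taken
# from documentation ranges: 198.51.100.10 plays a configured spoke that keeps
# sending IKE for an SA the hub no longer has; the 203.0.113.x addresses play
# senders no peer is configured for.
SAMPLE_LOG = """\
Sep 29 08:00:01.123: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.10 has no SA and is not an initialization offer
Sep 29 08:00:11.456: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.10 has no SA and is not an initialization offer
Sep 29 08:00:21.789: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.10 has no SA and is not an initialization offer
Sep 29 08:00:30.000: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.0.0.11 (Tunnel0) is down: holding time expired
Sep 29 08:01:02.000: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.77 has no SA and is not an initialization offer
Sep 29 08:01:02.100: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.78 has no SA and is not an initialization offer
Sep 29 08:01:02.200: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.79 has no SA and is not an initialization offer
"""

# Hypothetical set of spoke NBMA (public) addresses the hub is configured for.
KNOWN_PEERS = {"198.51.100.10", "198.51.100.11"}

# Matches the message body quoted in the thread; the syslog timestamp prefix
# varies between routers, so we search rather than anchor at line start.
NO_SA_RE = re.compile(
    r"%CRYPTO-4-IKMP_NO_SA: IKE message from (\d{1,3}(?:\.\d{1,3}){3}) has no SA"
)


def count_no_sa_by_peer(log_text):
    """Count IKMP_NO_SA messages per source address; other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NO_SA_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def triage(log_text, known_peers, unknown_source_threshold=3):
    """Split offending sources into configured peers and unknown addresses.

    Returns a dict with:
      known       -> {peer: count}  configured spokes; a link flap that left one
                                    side holding a stale SA looks like this
      unknown     -> {peer: count}  addresses no VPN peer is configured for
      suspect_dos -> bool           True when at least unknown_source_threshold
                                    distinct unknown addresses are sending IKE
    """
    counts = count_no_sa_by_peer(log_text)
    known = {p: n for p, n in counts.items() if p in known_peers}
    unknown = {p: n for p, n in counts.items() if p not in known_peers}
    return {
        "known": known,
        "unknown": unknown,
        "suspect_dos": len(unknown) >= unknown_source_threshold,
    }


def remediation_commands(report):
    """Per-peer IOS clear for configured peers only (narrower than the
    router-wide 'clear crypto sa' / 'clear crypto isakmp sa' used in the thread)."""
    return [f"clear crypto session remote {peer}" for peer in sorted(report["known"])]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, KNOWN_PEERS)
    print(report)
    for cmd in remediation_commands(report):
        print(cmd)
```

The useful output is the split, not the counts: a single configured spoke repeating the message right after its uplink flapped points at a stale SA on one side, while a burst from several addresses that are not peers at all is the case the Cisco text is warning about.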

singhsaju Mon, 09/29/2008 - 09:45

Try enabling ISAKMP keepalives on both sides so the router sends dead peer detection (DPD) messages to the peer:

"crypto isakmp keepalive 10 periodic"

HTH

Saju

Please rate helpful posts.

mladentsvetkov Tue, 09/30/2008 - 04:18

Hi,

Vaba and I are colleagues.

Thanks for the response. Let me just give you the full info:

Keepalives were already enabled exactly as you say.

The configuration of the spoke routers uses shared IPsec profiles, as more than one mGRE tunnel is sourced from the same physical interface.

Apparently the spoke router does not clear the SA when the hubs are unreachable. When the hubs are reachable again, the spoke tries to connect using the old SA. Shouldn't it try to initiate a new SA with the hubs?

Regards,

Mladen

mladentsvetkov Tue, 09/30/2008 - 21:59

I have noticed the following:

The pre-shared keys I used do not have the "no-xauth" option.

Xauth is not used, but it is still not disabled. So the IPsec peers should be trying to negotiate Xauth (I will debug to see what exactly happens).

Do you think that this could be the problem? (Apparently when the spoke router reboots, or the spoke uplink goes down/up, the SAs are successfully renegotiated, so in this case Xauth is not a problem.)

Regards,

Mladen

vaba Mon, 10/06/2008 - 23:25

Notice:

I have 4 DMVPNs running on my LAN:

2 for one ISP and 2 for the second ISP.

My spoke has 2 FastEthernet interfaces with 4 DMVPN tunnels.

I use GRE multipoint with NHRP and 2 tunnels for each FastEthernet. I use "tunnel protection ipsec profile XXXXX shared" and

"crypto isakmp keepalive 10 periodic". When the route to the second hub goes down, the SAs for these 2 tunnels are not deleted, and when the route to the second hub comes up again I have no EIGRP neighbor and receive CRYPTO-4-IKMP_NO_SA.

Can you help me?

Thanks in advance.
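The pieces discussed in this thread (periodic DPD keepalives, pre-shared keys without Xauth, and two mGRE tunnels on one physical interface sharing an IPsec profile) fit together on a spoke as below. This is an added example, not Vaba's or Mladen's configuration: interface names, tunnel and NHRP addresses, profile and key names are assumptions chosen for illustration, and `crypto isakmp invalid-spi-recovery` is an extra recovery knob not mentioned in the thread.

```cisco
! Spoke router, added example; all names and addresses are assumptions.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! One key per hub. no-xauth stops this router from proposing Extended
! Authentication to peers that never use it (the point raised above).
crypto isakmp key EXAMPLE-KEY address 192.0.2.1 no-xauth
crypto isakmp key EXAMPLE-KEY address 192.0.2.2 no-xauth
!
! Periodic DPD: probe every 10 s, retry every 3 s when unanswered, and tear
! down the ISAKMP SA of a hub that stays silent, so the spoke re-initiates
! IKE when the hub is reachable again instead of reusing a stale SA.
! Configure the same on the hubs so both sides detect a dead peer.
crypto isakmp keepalive 10 3 periodic
!
! Extra, not from the thread: when a peer sends ESP for an SPI this router
! no longer has, let it tell the peer over IKE so the peer re-keys.
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Two mGRE tunnels sourced from the same FastEthernet share one IPsec
! profile ("shared"). Each tunnel needs a distinct tunnel key so traffic
! arriving on the shared SA is steered to the right tunnel.
interface Tunnel0
 description DMVPN to hub 1 (192.0.2.1)
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication NHRPKEY1
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF shared
!
interface Tunnel1
 description DMVPN to hub 2 (192.0.2.2)
 ip address 10.0.1.11 255.255.255.0
 ip nhrp authentication NHRPKEY2
 ip nhrp map 10.0.1.1 192.0.2.2
 ip nhrp map multicast 192.0.2.2
 ip nhrp network-id 2
 ip nhrp nhs 10.0.1.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF shared
```

After a link flap, `show crypto isakmp sa` and `show crypto session detail` on both the spoke and the affected hub show whether the two ends still agree on the SA; a peer listed on one side only is the stale-SA case described in this thread, and `clear crypto session remote <peer>` clears just that peer rather than every SA on the router.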

Hector Espinoza Pena Fri, 03/28/2014 - 07:07

Hello Vaba,

Excuse me for asking, but I am implementing a DMVPN network to connect 500 spokes, but I could route the packets towards the tunnel, and I would like to know how you did the routing. I'm using EIGRP.

Thank you.
