Unanswered Question

I recently disabled Aggressive Mode on all my routers with "crypto isakmp aggressive-mode disable". I am now getting the following syslog message for all of the routers.

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled

I have double checked and can't find any router without "aggressive-mode disable". The log message doesn't say who is connecting in aggressive-mode.

I'm getting this message every 2 minutes for all the routers. It is really filling the log files.

Any thoughts?

Thank you

sunsrini Sat, 09/05/2009 - 08:03

This message is informational, indicating that aggressive-mode is disabled. The router checks for aggressive-mode when initiating or responding to IKE requests. Unfortunately, there is no way to selectively drop this log message on an IOS router. Are all the routers enabled for IPsec? If you are getting this message every two minutes, you can check whether any non-authorized remote peer keeps trying to initiate IPsec with this router.

You can block those addresses with an interface ACL. Please check whether you see numerous incomplete IKE sessions (show crypto isakmp sa), or use "debug ip packet" to get the remote peer's address.
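The check suggested in the reply above can be scripted. This is an added example, not part of the original reply: it tallies incomplete IKE sessions per remote peer from saved "show crypto isakmp sa" output and drafts ACL entries for review. The sample output, the LOCAL and AUTHORIZED sets, and the function names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of "show crypto isakmp sa" output (documentation addresses).
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.0.2.1       198.51.100.7    QM_IDLE           1001    0 ACTIVE
192.0.2.1       203.0.113.45    AG_NO_STATE          0    0 ACTIVE (deleted)
192.0.2.1       203.0.113.45    AG_NO_STATE          0    0 ACTIVE (deleted)
192.0.2.1       203.0.113.99    MM_NO_STATE          0    0 ACTIVE (deleted)
198.51.100.7    192.0.2.1       MM_KEY_EXCH       1002    0 ACTIVE
"""

LOCAL = {"192.0.2.1"}          # assumption: this router's own addresses
AUTHORIZED = {"198.51.100.7"}  # assumption: the configured IPsec peers
COMPLETE = {"QM_IDLE"}         # phase 1 finished; any other state is incomplete

ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z_]+)\b")

def incomplete_peers(text, local=LOCAL, authorized=AUTHORIZED):
    """Count incomplete IKE SAs per remote peer that is not an authorized peer."""
    counts = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, blank line, or non-IPv4 section
        dst, src, state = m.groups()
        # The remote peer is whichever end of the SA is not this router.
        remote = src if dst in local else dst if src in local else None
        if remote is None or state in COMPLETE or remote in authorized:
            continue
        counts[remote] += 1
    return counts

def acl_candidates(counts, threshold=1):
    """Draft extended-ACL deny entries (UDP 500) for peers at or above threshold."""
    return [f"deny udp host {ip} any eq isakmp"
            for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    peers = incomplete_peers(SAMPLE)
    for ip, n in peers.most_common():
        print(f"{ip}: {n} incomplete IKE session(s)")
    print("\n".join(acl_candidates(peers)))
```

The drafted entries are candidates to review before adding them to an inbound interface ACL; incomplete sessions with authorized peers are skipped because they usually indicate a negotiation in progress or a configuration mismatch.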

