non500-isakmp continues to build QM_IDLE over and over

Gerard Roy · ‎05-27-2010

We have a set of 3845's with HSRP on LAN and the WAN. The 3845's are behind a Juniper (nat traversal with 1 to 1 Nat) which is the internet router (gateway). I have a cisco 871 on internet that can build its IPsec tunnel to the Natted physical IP's of the 3845's but will not build its tunnel to the to the HSRP VIP address.

3845 IP 192.168.245.45------
|-------VIP 192.168.245.44

3845 IP 192.168.245.46------

The above is Natted to the following and all three are Natted.

Juniper IP 12.x.x.45------

|------- 12.x.x.44

Juniper IP 12.x.x.46------

The 3845 shows the following message when attempting to build Ike session on the VIP addresss:

*May 27 16:29:38.423: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
*May 27 16:33:24.055: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
*May 27 16:38:56.735: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer

The 871 Spoke increments the connection ID and builds QM_IDLE over and over and never deletes the older sesisons.

Any Ideas?

TIA!

Message was edited by: Gerard Roy - Head End Config added

m.kafka · ‎05-29-2010

Maybe this could help for crypto maps on HSRP interfaces

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml#configs

mainly the

standby 1 name XXXX
crypto map vpn redundancy XXXX

might be necessary to run VPNs over HSRP

(I don't know whether it will fix your incoming "SA not an offer" but it should allow to use the Virtual IP as an ipsec peer)