
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at

Unanswered Question
Jun 11th, 2012

Hi All,


I am getting the following log, though the site-to-site VPN tunnel between the two peers is still up and running fine without any complaints.

Also, I checked the interesting traffic (ACL) config and it is the same at both ends.


Jun 11 16:10:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx 

Jun 11 16:11:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx 

Jun 11 16:12:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx


#sh cry ipse sa peer 209.171.xxx.xx

interface: GigabitEthernet0/1
    Crypto map tag: VPNMAP, local addr. 65.55.xxx.xx

   protected vrf:
   local  ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
   current_peer: 209.171.xxx.xx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8561, #pkts encrypt: 8561, #pkts digest 8561
    #pkts decaps: 4291, #pkts decrypt: 4291, #pkts verify 4291
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
   current_peer: 209.171.xxx.xx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3424641, #pkts encrypt: 3424641, #pkts digest 3424641
    #pkts decaps: 3760696, #pkts decrypt: 3760696, #pkts verify 3760696
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 57140C90

     inbound esp sas:
      spi: 0x96137A67(2517858919)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8127, flow_id: 1039, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4513759/2293)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x57140C90(1460931728)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8128, flow_id: 1040, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4513740/2293)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
   current_peer: 209.171.xxx.xx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 117, #pkts encrypt: 117, #pkts digest 117
    #pkts decaps: 115, #pkts decrypt: 115, #pkts verify 115
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:



Can someone please suggest what I should do to stop these logs?


Jopeti.
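
Added example, not part of the original thread: the `sh cry ipse sa` output in the question contains three entries, and only one of them carries ESP SAs. The Python below parses output in that format and lists the entries that have no SAs, noting whether a live entry with the same printed identities exists. The sample text is constructed (trimmed, with documentation-range placeholder addresses), and the function and field names are this example's own.

```python
import re

# Constructed sample in the format of the output above (trimmed); the
# addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
   protected vrf:
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/6/5812)
    #pkts encaps: 8561, #pkts encrypt: 8561, #pkts digest 8561
    #send errors 2, #recv errors 0
     current outbound spi: 0
     inbound esp sas:
     outbound esp sas:
   protected vrf:
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/6/5812)
    #pkts encaps: 3424641, #pkts encrypt: 3424641, #pkts digest 3424641
    #send errors 3, #recv errors 0
     current outbound spi: 57140C90
     inbound esp sas:
      spi: 0x96137A67(2517858919)
     outbound esp sas:
      spi: 0x57140C90(1460931728)
"""

FIELDS = {  # one regex per value pulled out of each "protected vrf:" entry
    "local": r"local\s+ident .*?: \((\S+)\)",
    "remote": r"remote ident .*?: \((\S+)\)",
    "encaps": r"#pkts encaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "outbound_spi": r"current outbound spi: (\w+)",
}

def parse_sa_blocks(text):
    """Return one summary dict per entry in 'show crypto ipsec sa' output."""
    entries = []
    for block in text.split("protected vrf:")[1:]:
        found = {k: re.search(p, block) for k, p in FIELDS.items()}
        e = {k: m.group(1) if m else None for k, m in found.items()}
        for k in ("encaps", "send_errors"):
            e[k] = int(e[k] or 0)
        e["esp_spis"] = re.findall(r"^\s*spi: (0x[0-9A-Fa-f]+)", block, re.M)
        # An entry is live only if it has a non-zero outbound SPI and ESP SAs.
        e["active"] = bool(e["esp_spis"]) and int(e["outbound_spi"] or "0", 16) != 0
        entries.append(e)
    return entries

def entries_without_sas(entries):
    """Entries with no SAs, flagged when a live entry has the same identities."""
    live = {(e["local"], e["remote"]) for e in entries if e["active"]}
    return [dict(e, duplicates_live=(e["local"], e["remote"]) in live)
            for e in entries if not e["active"]]
```

Identities are compared as printed, so masked addresses such as those in the post only match if the masked strings are identical.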

John Blakley Tue, 06/12/2012 - 04:59

What type of device is this? Router or ASA? Can you post the config minus addressing information?

jopetik09 Tue, 06/12/2012 - 17:37

The device is a c7200 router.

The config looks the same at both ends.


Jopeti.

Latchum Naidu Tue, 06/12/2012 - 19:18

Hello Jopeti,


Can you run "debug crypto ipsec" and provide the details?

You need to remember that running debug on a production box is a risk, so run it during non-working hours and notify your customer before running debug, because it may impact production.


Please rate the helpful posts.

Regards,

Naidu.
