ISAKMP quick mode failure

rj.remien
Level 1

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x

I receive this message fairly often on my site to site VPNs. What exactly does this mean? Is this something that should concern me?

Thanks,

RJ

3 Replies

srajkuma
Cisco Employee

Is your site to site tunnel up for this peer? What's the output of show isakmp sa?

Yes my tunnels are up. But the output of sh crypto isakmp sa shows that they are in QM_IDLE for a few minutes, then the conn_id goes to MM_NO_STATE and (deleted). Then the conn_id increments 1, the state goes to QM_IDLE and so on.

Will this slow the throughput of my tunnel?

Does anyone know the fix off the top of their head? Or do I need to run the debug crypto commands?

Thanks,

RJ

Running debug would be the best idea.

It looks like your IKE Phase II (Isakmp) is getting reset randomly. You may want to check your isakmp lifetime setting on both ends.

Are you using IKE keepalives (DPD)? Do you manage both ends of the tunnel? If so, a config example would add greater value to suggest any fix for this problem.

Yes, it surely would degrade the performance of your tunnel, as the IKE negotiations are happening frequently even after the tunnel is established. But the data traffic will continue, as the IPsec tunnel is not being removed/reset.
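
Added example, not part of the thread or of any Cisco tooling: a small Python script that counts %CRYPTO-6-IKMP_MODE_FAILURE messages per peer and lists the seconds between them, so the spacing can be compared with the lifetimes configured on both ends. The log lines are constructed, and the leading ISO 8601 timestamp and hostname (as a collecting syslog server might add them) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the thread). Assumed layout: ISO 8601
# timestamp and hostname added by the collecting syslog server, then the
# router message. Peer addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-03T10:00:05 rtr1 %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10
2024-03-03T10:01:40 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2024-03-03T10:05:05 rtr1 %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10
2024-03-03T10:07:30 rtr1 %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 198.51.100.7
2024-03-03T10:10:05 rtr1 %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10
"""

# Matches only the Quick mode failure message quoted in the question.
FAILURE = re.compile(
    r"^(?P<ts>\S+)\s.*%CRYPTO-6-IKMP_MODE_FAILURE: "
    r"Processing of Quick mode failed with peer at "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})"
)

def quick_mode_failures(log_text):
    """Map each peer to the sorted timestamps of its Quick mode failures."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if m:
            by_peer[m["peer"]].append(datetime.fromisoformat(m["ts"]))
    return {peer: sorted(times) for peer, times in by_peer.items()}

def summarize(log_text, min_events=3):
    """Per peer: failure count, gaps in seconds, and a 'recurring' flag."""
    report = {}
    for peer, times in quick_mode_failures(log_text).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[peer] = {
            "count": len(times),
            "gaps_s": gaps,
            # min_events is an arbitrary threshold chosen for this example.
            "recurring": len(times) >= min_events,
        }
    return report

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
```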
