Cisco Support Community
Community Member

ISAKMP quick mode failure

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at x.x.x.x

I receive this message fairly often on my site to site VPNs. What exactly does this mean? Is this something that should concern me?

Thanks,

RJ

3 REPLIES
Cisco Employee

Re: ISAKMP quick mode failure

Is your site-to-site tunnel up for this peer? What's the output of show isakmp sa?

Community Member

Re: ISAKMP quick mode failure

Yes, my tunnels are up. But the output of sh crypto isakmp sa shows that they are in QM_IDLE for a few minutes, then the conn_id goes to MM_NO_STATE and (deleted). Then the conn_id increments by 1, the state goes to QM_IDLE, and so on.

Will this slow the throughput of my tunnel?

Does anyone know the fix off the top of their head? Or do I need to run the debug crypto commands?

Thanks,

RJ

Cisco Employee

Re: ISAKMP quick mode failure

Running debug would be the best idea.

It looks like your IKE Phase II (ISAKMP) is getting reset randomly. You may want to check your ISAKMP lifetime setting on both ends.

Are you using IKE keepalives (DPD)? Do you manage both ends of the tunnel? If so, a config example would add greater value in suggesting a fix for this problem.

Yes, it surely would degrade the performance of your tunnel, as the IKE negotiations are happening frequently even after the tunnel is established. But the data traffic will continue, as the IPsec tunnel is not being removed/reset.
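
Added example, not part of the original thread or any poster's code: one way to judge whether the message from the first post is occasional noise or a recurring renegotiation problem is to count it per peer inside a sliding time window on collected syslog. The leading ISO-8601 timestamp, the 30-minute window, the threshold of 3 and the sample lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the thread; the leading ISO-8601 timestamp is an
# assumption about how the syslog collector stores each line.
PATTERN = re.compile(
    r"^(?P<ts>\S+)\s.*%CRYPTO-6-IKMP_MODE_FAILURE: "
    r"Processing of Quick mode failed with peer at (?P<peer>\S+)"
)

def flapping_peers(lines, window=timedelta(minutes=30), threshold=3):
    """Return {peer: most failures seen inside any one window} for peers
    that reach `threshold` failures within `window`."""
    events = defaultdict(list)
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue  # unrelated syslog message
        try:
            events[m["peer"]].append(datetime.fromisoformat(m["ts"]))
        except ValueError:
            continue  # timestamp is not ISO-8601; skip rather than guess
    flagged = {}
    for peer, stamps in events.items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            # Shrink the window from the left until it spans <= `window`.
            while ts - stamps[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[peer] = worst
    return flagged

# Constructed sample lines (documentation addresses, hypothetical host rtr1).
MSG = "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at "
SAMPLE = [
    "2024-05-01T10:00:00 rtr1 " + MSG + "192.0.2.10",
    "2024-05-01T10:02:00 rtr1 " + MSG + "198.51.100.7",
    "2024-05-01T10:04:00 rtr1 " + MSG + "192.0.2.10",
    "2024-05-01T10:05:00 rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    "2024-05-01T10:09:00 rtr1 " + MSG + "192.0.2.10",
    "2024-05-01T10:15:00 rtr1 " + MSG + "192.0.2.10",
    "2024-05-01T12:00:00 rtr1 " + MSG + "192.0.2.10",
    "2024-05-01T14:30:00 rtr1 " + MSG + "198.51.100.7",
]

if __name__ == "__main__":
    print(flapping_peers(SAMPLE))
```

A peer that shows up here repeatedly is the one to capture debug output for and to compare lifetime and keepalive settings on, as suggested in the replies.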
