When connection from ISP to spoke down and then up I receive this massage:
CRYPTO-4-IKMP_NO_SA: IKE message from [IP_address] has no SA and is not an initialization offer
and no traffic from spoke.
I have ssh from hub and when clear crypto sa and clear crypto iskmp sa and reload router everything ok.
I find this on site:
%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer
Explanation IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action Contact the remote peer and the administrator of the remote peer.
Thanks for the response. Let me just give you the full info:
Keepalives were already enabled exactly as you say.
The configuration of the spoke routers has shared IPSEC profiles, as more than one mGRE tunnel is sourced from the same physical interface.
Apparently the spoke router does not clear the SA when the HUBs are unreachable. When the HUBs are reachable again, the spoke tries to connect using the old SA. Shouldn't he try to initiate new SA with the HUBs?
I use gre multipoint whit NHRP and 2 tunnel for every one fastethrtnet. I use "tunnel protection ipsec profile XXXXX shared" and
"crypto isakmp keepalive 10 periodic". When route to second HUB go down SA for this 2 tunnel not deleted and when route to second HUB bring up again - i no hev a EIGP Neighbor, and recive CRYPTO-4-IKMP_NO_SA
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...