Cisco Support Community
New Member

CRYPTO-5-IKMP_AG_MODE_DISABLED

I recently disabled Aggressive Mode on all my routers with "crypto isakmp aggressive-mode disable". I am now getting the following syslog message for all of the routers.

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled

I have double checked and can't find any router without "aggressive-mode disable". The log message doesn't say who is connecting in aggressive-mode.

I'm getting this message every 2 minutes for all the routers. It is really filling the log files.

Any thoughts?

Thank you

2 REPLIES
Cisco Employee

Re: CRYPTO-5-IKMP_AG_MODE_DISABLED

This message is informational, indicating that aggressive-mode is disabled. The router checks for aggressive-mode when initiating or responding to IKE requests. Unfortunately, there is no way to selectively drop this log message on an IOS router. Are all the routers enabled for IPsec? If you are getting this message every two minutes, you can check if any non-authorized remote peer keeps trying to initiate IPsec with this router.

You can block those addresses with an interface ACL. Please check if you see numerous incomplete IKE sessions (show crypto isakmp sa) or use "debug ip packet" to get the remote peer's address.
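
One way to act on the suggestion above to look for incomplete IKE sessions, as an added example that is not part of the original thread: a small Python parser that tallies entries not in QM_IDLE from "show crypto isakmp sa" output by remote peer and marks which ones are not on a known-peer list. The sample output, the addresses and the known-peer list are constructed, and the column layout is assumed to match the usual IOS IPv4 table.

```python
import re
from collections import Counter

# Constructed sample of `show crypto isakmp sa` output (documentation addresses).
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.7    MM_NO_STATE          0 ACTIVE (deleted)
192.0.2.1       198.51.100.7    MM_NO_STATE          0 ACTIVE (deleted)
192.0.2.1       203.0.113.5     QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.99   AG_NO_STATE          0 ACTIVE
203.0.113.20    192.0.2.1       MM_KEY_EXCH       1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^{IP}\s+{IP}\s+([A-Z_]+)\s+(\d+)\s+(.*)$")
ESTABLISHED = "QM_IDLE"  # phase 1 completed; every other state is still negotiating


def incomplete_peers(output, local_addrs):
    """Count SAs that are not in QM_IDLE, keyed by (remote peer, state)."""
    counts = Counter()
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, blank lines, IPv6 section title
        dst, src, state = m.group(1), m.group(2), m.group(3)
        if state == ESTABLISHED:
            continue
        # The remote peer is whichever end is not one of this router's addresses.
        remote = src if dst in local_addrs else dst
        counts[(remote, state)] += 1
    return counts


def report(output, local_addrs, known_peers):
    """Rows of (peer, state, count, is_known), most frequent first."""
    tally = incomplete_peers(output, local_addrs)
    return [(p, s, n, p in known_peers) for (p, s), n in tally.most_common()]


if __name__ == "__main__":
    # Hypothetical local address and known-peer list for the constructed sample.
    for peer, state, n, known in report(SAMPLE, {"192.0.2.1"}, {"203.0.113.20"}):
        print(f"{peer:<16}{state:<14}{n:>3}  {'known' if known else 'UNKNOWN'}")
```
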

New Member

With DMVPN (Dynamic being the main term), creating an ACL to only allow your IPs to connect, when there are 100s of IPs that could/should connect to each other directly, isn't really feasible; otherwise you do away with the most useful part of DMVPN. He is asking how to disable that message, as it isn't really useful since someone is always knocking on the door.
