I have an IPSec VPN between an IOS router (1841) and ISA. VPN is established and each LAN can access the other. From the end user's point of view, no connectivity problems are experienced. But on the IOS router, 'show cryp is sa' shows the conn-id number is increasing frequently. Error messages "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer" and "%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA and is not an initialization offer" also come up on the console.
%CRYPTO-6-IKMP_MODE_FAILURE : Processing of [chars] mode failed with peer at [IP_address]
Explanation: Negotiation with the remote peer has failed.
Recommended Action: If this situation persists, contact the remote peer.
%CRYPTO-4-IKMP_NO_SA: IKE message from x.x.x.x has no SA
If this error message occurs in the IOS Router, the problem is that the SA has either expired or been cleared. The remote tunnel end device does not know that it uses the expired SA to send a packet (not an SA establishment packet). When a new SA has been established, the communication resumes, so initiate the interesting traffic across the tunnel to create a new SA and re-establish the tunnel.
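To judge whether the situation "persists" for a given peer, the two messages can be counted per peer from collected syslog. The following is an added example, not part of the original thread; the ISO timestamp prefix, the thresholds, and the function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). The ISO timestamp prefix is
# an assumption about the syslog collector; peers are documentation addresses.
SAMPLE_LOG = """\
2024-01-10T08:00:05 %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer
2024-01-10T08:00:06 %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10
2024-01-10T08:20:05 %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer
2024-01-10T08:40:07 %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer
2024-01-10T08:40:08 %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.0.2.10
2024-01-10T09:15:00 %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7 has no SA and is not an initialization offer
"""

PATTERNS = {
    "IKMP_NO_SA": re.compile(r"%CRYPTO-4-IKMP_NO_SA\s*: IKE message from (\S+) has no SA"),
    "IKMP_MODE_FAILURE": re.compile(
        r"%CRYPTO-6-IKMP_MODE_FAILURE\s*: Processing of .+? mode failed with peer(?: at)? (\S+)"),
}

def parse(log_text):
    """Return {peer: {mnemonic: [datetime, ...]}} for the two IKE messages."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        for name, rx in PATTERNS.items():
            m = rx.search(rest)
            if m:
                events[m.group(1)][name].append(datetime.fromisoformat(stamp))
    return events

def persistent_peers(events, min_events=3, window=timedelta(hours=1)):
    """Peers with at least min_events IKMP_NO_SA messages inside one window."""
    flagged = {}
    for peer, by_type in events.items():
        times = sorted(by_type["IKMP_NO_SA"])
        for i in range(len(times) - min_events + 1):
            if times[i + min_events - 1] - times[i] <= window:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                flagged[peer] = {"no_sa": len(times),
                                 "mode_failure": len(by_type["IKMP_MODE_FAILURE"]),
                                 "gaps_s": gaps}
                break
    return flagged

if __name__ == "__main__":
    for peer, info in persistent_peers(parse(SAMPLE_LOG)).items():
        print(peer, info)
```

The `gaps_s` list shows the spacing between IKMP_NO_SA messages for a flagged peer, which can be compared against the SA lifetimes configured on both tunnel ends.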