
non500-isakmp continues to build QM_IDLE over and over

We have a set of 3845's with HSRP on LAN and the WAN. The 3845's are behind a Juniper (NAT traversal with 1-to-1 NAT) which is the internet router (gateway). I have a Cisco 871 on the internet that can build its IPsec tunnel to the NATted physical IPs of the 3845's but will not build its tunnel to the HSRP VIP address.

3845 IP 192.168.245.45------
                                        |-------VIP 192.168.245.44

3845 IP 192.168.245.46------

The above is Natted to the following and all three are Natted.

Juniper IP 12.x.x.45------
                                        |------- 12.x.x.44

Juniper IP 12.x.x.46------

The 3845 shows the following message when attempting to build an IKE session on the VIP address:

*May 27 16:29:38.423: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
*May 27 16:33:24.055: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
*May 27 16:38:56.735: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer

The 871 Spoke increments the connection ID and builds QM_IDLE over and over and never deletes the older sessions.

Any Ideas?

TIA!

Message was edited by: Gerard Roy - Head End Config added


Re: non500-isakmp continues to build QM_IDLE over and over

Maybe this could help for crypto maps on HSRP interfaces

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml#configs

mainly the

standby 1 name XXXX
crypto map vpn redundancy XXXX

might be necessary to run VPNs over HSRP

(I don't know whether it will fix your incoming "SA not an offer" but it should allow you to use the Virtual IP as an IPsec peer)
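
The two commands from the reply placed in context on both head-end routers and the spoke, as an added example that is not from the original posts or the linked Cisco note. The interface name, netmask, HSRP priorities, group name VPNHA and the spoke's crypto map name and sequence number are assumptions; the addresses, HSRP group 1 and the head-end crypto map name `vpn` come from the thread.

```cisco
! Added example. Assumed: interface name, netmask, priorities, group name VPNHA.
! From the thread: addresses, HSRP group 1, head-end crypto map name "vpn".
!
! --- 3845 A (physical 192.168.245.45) ---
interface GigabitEthernet0/0
 ip address 192.168.245.45 255.255.255.0
 standby 1 ip 192.168.245.44
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 ! Bind the crypto map to the named HSRP group so IKE and IPsec
 ! use the VIP as the local endpoint on the active router.
 crypto map vpn redundancy VPNHA
!
! --- 3845 B (physical 192.168.245.46) ---
interface GigabitEthernet0/0
 ip address 192.168.245.46 255.255.255.0
 standby 1 ip 192.168.245.44
 standby 1 priority 100
 standby 1 preempt
 standby 1 name VPNHA
 crypto map vpn redundancy VPNHA
!
! --- 871 spoke (map name and sequence number assumed) ---
! The peer is the public address the Juniper maps 1-to-1 to the VIP,
! written 12.x.x.44 in the post; the middle octets are elided there.
crypto map vpn 10 ipsec-isakmp
 set peer 12.x.x.44
```

After applying it, `show standby brief` on each 3845 shows which router is active for the group, and `show crypto isakmp sa` shows whether the IKE SA is now established against the VIP.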
