VPN Configured With Aggressive Mode Enabled

Hi,

Can anyone tell me what the above message means and how to resolve it?

Thanks


Re: VPN Configured With Aggressive Mode Enabled

Hi,

Both Main Mode and Aggressive Mode are IKE Phase 1 exchange methods.
Main mode is the default and recommended (more secure) exchange method because it consists of six exchange messages.
Aggressive mode squeezes the IKE SA negotiation into three packets.

You can configure the device to use aggressive mode if needed or disable it.
What device are we talking about?

Federico.

Re: VPN Configured With Aggressive Mode Enabled

Hi,

This is on the ASA5520, how can I change them to normal mode?

Thanks

Ellech

Re: VPN Configured With Aggressive Mode Enabled

crypto isakmp am-disable
The above command disables inbound aggressive mode connections.

Please rate helpful posts.

Federico.

Re: VPN Configured With Aggressive Mode Enabled

Will this automatically change the aggressive mode to normal mode?

Re: VPN Configured With Aggressive Mode Enabled

The command will disable inbound aggressive mode connections.

If you want, there's an option to disable inbound aggressive mode connections on the tunnel-group as well.

tunnel-group xxxxxx ipsec-attributes

  isakmp am-disable

In this way you disable inbound aggressive mode connections from a specific peer.

If a peer tries to establish an aggressive mode connection, you should see a message like this in the logs:

"Unable to initiate or respond to Aggressive Mode while disabled"

This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.

Federico.
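
An added example, not part of the thread and not Cisco tooling: a Python check that reads a saved ASA configuration and lists the tunnel-groups that still accept inbound aggressive mode, using only the two commands quoted above. The sample configuration and group names are constructed, and it assumes the global command applies to every tunnel-group.

```python
import re

# Constructed sample config (not from the thread); group names are made up.
SAMPLE_CONFIG = """\
hostname asa-example
tunnel-group SITE-A type ipsec-l2l
tunnel-group SITE-A ipsec-attributes
 pre-shared-key *****
 isakmp am-disable
tunnel-group SITE-B type ipsec-l2l
tunnel-group SITE-B ipsec-attributes
 pre-shared-key *****
tunnel-group EZVPN type remote-access
tunnel-group EZVPN ipsec-attributes
 pre-shared-key *****
"""

HEADER = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")

def audit_aggressive_mode(config_text):
    """Return (global_disabled, {group: am_disabled}) for a saved config."""
    global_disabled = False
    groups = {}
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # indented line: belongs to the current block
            if current and line.strip() == "isakmp am-disable":
                groups[current] = True
            continue
        current = None  # any top-level line closes the previous block
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            groups.setdefault(current, False)
        elif line.strip() == "crypto isakmp am-disable":
            global_disabled = True  # a "no ..." form does not match
    return global_disabled, groups

def groups_accepting_aggressive_mode(config_text):
    """Tunnel-groups with no aggressive-mode restriction in effect."""
    global_disabled, groups = audit_aggressive_mode(config_text)
    if global_disabled:  # assumption: global setting covers every group
        return []
    return sorted(g for g, off in groups.items() if not off)

if __name__ == "__main__":
    print(groups_accepting_aggressive_mode(SAMPLE_CONFIG))
```

A group reported here that uses preshared keys with Easy VPN clients is one that, per the post above, would stop connecting once aggressive mode is disabled, so the list doubles as a change-impact check.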
