Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5451
Views
10
Helpful
3
Replies

VPN Aggressive mode where are you?

dc_specialist
Level 1
Level 1

‎08-22-2019 10:59 AM - edited ‎02-21-2020 09:25 AM

Hello,

 

I am using an ASA 5545 with a 9.8(2)38 IOS and during an audit using Nipper I got flagged for aggressive mode being enabled.

I can't find AM or aggressive (or MM or Main Mode) anywhere in the show run or the sh crypto isakmp sa detail. 

So how do I know for sure my VPN is using aggressive mode or not?

 

Thanks

 

0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎08-22-2019 11:42 AM

Hi,

The command "crypto ikev1 am-disable" disables aggressive mode, if you don't see this command in your configuration then aggressive mode is enabled. To enable it you use "no crypto ikev1 am-disable" < this is on by default, it is NOT displayed in the configuration.

 

Use "show crypto isakmp sa" and check the state, which is probably MM_ACTIVE - which means it used Main Mode. If not using Main Mode, it would start AM_ for aggressive mode.

 

ASA-2(config-tunnel-ipsec)# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.1
Type : L2L 
Role : initiator
Rekey : no 
State : MM_ACTIVE

 

dc_specialist
Level 1
Level 1
In response to Rob Ingram

‎08-22-2019 12:30 PM

Hello RJI,

 

I notice you have that 

show crypto isakmp sa

 inside of the config mode. I am looking for a command I can just run from privileged mode. I'm not the main Cisco person and I am just looking to verify without taking the chance of messing up a config.

 

Using show crypto isakmp sa I do see that my ASA is the initiator but I don't see State : anywhere.

Just curious if this is the default and my ASA is accepting Main Mode or Aggressive Mode connections.

Thanks 

0 Helpful

Rob Ingram
VIP
VIP
In response to dc_specialist

‎08-22-2019 12:40 PM

Perhaps you don't have the rights to view the entire output. Perhaps get full rights and run the command again, the "show" command will not mess anything up.

If you have permissions to run a debug, you could run "debug crypto isakmp" or "debug crypto ikev1" and observe the establishment of an IKE SA, if it has MM_ACTIVE, MM_WAIT_MSG or MM_KEY_EXCH in the output then the VPN is being established with Main Mode.

If you don't have "crypto ikev1 am-disable" in the running configuration, then it's likely aggressive mode is enabled. It's also likely that main mode is used for the VPNs.

HTH
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card