cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
11762
Views
5
Helpful
2
Replies
Svan2
Beginner

%CRYPTO-4-IKMP_NO_SA: IKE message has no SA and is not an intialization offer

Hello,
I set up IPSEC in my network a coupe of weeks ago, and I've started getting errors from the following type: "%CRYPTO-4-IKMP_NO_SA: IKE message from [IP address]
has no SA and is not an intialization offer."

can anyone tell me what is the meaning of these messages?

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions
Pablovargas
Beginner

Hey,

From my experience, this message appears sometimes when an IPSec tunnel between two routers is momentarily interrupted and restored by one of the devices. In my opinion, the reason for the error is that the router that caused the interruption (and therefor, is aware of it) has "abandoned" the SA (session association) data. The second router, however, haven't noticed the event, and continued to send IKE (internet key exchange) packets "inside" the SA.

Can you check if these messages are adjacent to link/tunnel up-down or to "new adjacency" messages? It can strongly point that this is indeed the case.

Please refer to the following page for more information about the above protocols: 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46402-16b.html

View solution in original post

2 REPLIES 2
Pablovargas
Beginner

Hey,

From my experience, this message appears sometimes when an IPSec tunnel between two routers is momentarily interrupted and restored by one of the devices. In my opinion, the reason for the error is that the router that caused the interruption (and therefor, is aware of it) has "abandoned" the SA (session association) data. The second router, however, haven't noticed the event, and continued to send IKE (internet key exchange) packets "inside" the SA.

Can you check if these messages are adjacent to link/tunnel up-down or to "new adjacency" messages? It can strongly point that this is indeed the case.

Please refer to the following page for more information about the above protocols: 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46402-16b.html

I dug a bit deeper in the message log and saw that all these messages in fact appear together, so it seems this is the case.

Anyway, I don't really have connectivity issues, so the important thing for me was to make sure I should not be alarmed by these messages popping up once in a while.

Thank you very much!

Create
Recognize Your Peers
Content for Community-Ad