%CRYPTO-4-IKMP_NO_SA: IKE message has no SA and is not an initialization offer

Svan2
Level 1

Hello,
I set up IPSEC in my network a couple of weeks ago, and I've started getting errors of the following type: "%CRYPTO-4-IKMP_NO_SA: IKE message from [IP address] has no SA and is not an initialization offer."

Can anyone tell me what is the meaning of these messages?

Thank you

Accepted Solutions

Pablovargas
Level 1

Hey,

From my experience, this message appears sometimes when an IPSec tunnel between two routers is momentarily interrupted and restored by one of the devices. In my opinion, the reason for the error is that the router that caused the interruption (and therefore is aware of it) has "abandoned" the SA (session association) data. The second router, however, hasn't noticed the event, and continued to send IKE (internet key exchange) packets "inside" the SA.

Can you check if these messages are adjacent to link/tunnel up-down or to "new adjacency" messages? It can strongly indicate that this is indeed the case.

Please refer to the following page for more information about the above protocols: 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46402-16b.html

2 Replies

I dug a bit deeper in the message log and saw that all these messages in fact appear together, so it seems this is the case.

Anyway, I don't really have connectivity issues, so the important thing for me was to make sure I should not be alarmed by these messages popping up once in a while.

Thank you very much!
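
The check suggested in the accepted solution (are the IKMP_NO_SA messages adjacent to link/tunnel up-down or "new adjacency" messages?) can be run over a saved log, as in this added example, which is not part of the original thread. The sample lines are constructed, and the timestamp layout, the 60-second window and the set of event mnemonics treated as "flap" events are assumptions to adjust for your devices.

```python
import re
from datetime import datetime

# Constructed sample log; assumes "Mon DD HH:MM:SS.mmm:" timestamps.
SAMPLE_LOG = """\
Mar 14 09:02:11.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Mar 14 09:02:19.870: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.10 has no SA and is not an initialization offer
Mar 14 09:02:24.331: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Mar 14 09:02:27.015: %DUAL-5-NBRCHANGE: EIGRP-IPv4 1: Neighbor 10.255.0.2 (Tunnel0) is up: new adjacency
Mar 14 13:47:52.660: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.77 has no SA and is not an initialization offer
"""

LINE_RE = re.compile(
    r"^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?): %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
PEER_RE = re.compile(r"IKE message from (\S+)")
NO_SA = "CRYPTO-4-IKMP_NO_SA"
# Assumed set of events that indicate a link, tunnel or adjacency change.
FLAP_EVENTS = {"LINK-3-UPDOWN", "LINEPROTO-5-UPDOWN",
               "DUAL-5-NBRCHANGE", "OSPF-5-ADJCHG"}

def parse(log_text, year=2024):
    """Return (timestamp, mnemonic, text) tuples; the log carries no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed layout
        ts = m.group(1) if "." in m.group(1) else m.group(1) + ".0"
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")
        events.append((when, m.group(2), m.group(3)))
    return events

def classify_no_sa(log_text, window_s=60):
    """Mark each IKMP_NO_SA event as explained by a nearby flap, or not."""
    events = parse(log_text)
    flaps = [(t, tag) for t, tag, _ in events if tag in FLAP_EVENTS]
    report = []
    for t, tag, text in events:
        if tag != NO_SA:
            continue
        peer = PEER_RE.search(text)
        near = sorted({f for ft, f in flaps
                       if abs((ft - t).total_seconds()) <= window_s})
        report.append({"time": t, "peer": peer.group(1) if peer else None,
                       "nearby": near, "explained": bool(near)})
    return report

if __name__ == "__main__":
    for row in classify_no_sa(SAMPLE_LOG):
        print(row["time"], row["peer"], "explained" if row["explained"] else "REVIEW", row["nearby"])
```

Entries marked REVIEW have no link, tunnel or adjacency change within the window, so they are the ones to compare against the list of expected IPsec peers.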
