
IKMP_MODE_FAILURE

spremkumar
Level 9

Hi all,

I want to know why I am getting this message even though I am not running IPSEC on my router. Am I getting this error because my router is trying to form a peer with the remote, or because the remote router is trying to form a peer with my router?

ROUTER#sh log | include IKMP

Jul 29 08:52:23.434 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 219.145.92.238 has no SA and is not an initialization offer

Jul 29 09:42:25.726 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 211.91.233.27 has no SA and is not an initialization offer

Jul 30 01:38:23.938 IST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 210.34.12.33

Jul 30 01:39:16.170 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 210.34.12.33 has no SA and is not an initialization offer

Thanks in advance

prem

3 Replies

gfullage
Cisco Employee

It would seem that someone "thinks" you're running IPSec on this router, cause there's 3 devices sending you IPSec packets.

Are you "sure" you're not running IPsec on this router? Is this router in a redundant pair (HSRP/VRRP/etc) with another router that is running IPSec?

Certainly those 3 devices are sending you IKE packets for some reason. I would suggest you track down those devices and who owns them and see what's going on.

mnaveen
Level 1

Hi Prem,

The "%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer" is clearly a case where there is a mismatched transform set on either side. You should have been accidentally running IPSec on your side, otherwise your router wouldn't start processing the Main Mode! The start of the Main mode processing means that it has identified the interesting traffic and is trying to negotiate an isakmp policy with the peer. However, this exercise is futile since there is no SA and crypto traffic was received. (See %CRYPTO-4-IKMP_NO_SA error).

This is clearly a case when the remote router(s) are trying to peer with your router but you don't have IPSec SAs up on your side.

Hi Glenn & Naveen,

I am pretty sure that we aren't running IPSEC on any of our routers here.

My only concern is that recently we have seen a peer message with a Microsoft Corp IP, which is why I am wondering whether the remote IP from Microsoft Corp is trying, or whether anyone else from outside is trying from our router to look for a vulnerability there in Microsoft.

In the second case Microsoft will block our IP if someone is trying to do that...

Please guide me on how to check this problem and avoid getting the same negotiation from remote peers.

Regards

prem
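
As an added example (not part of the thread and not any poster's code), the Python below groups the IKMP syslog lines quoted in the question by remote address, so each source of unsolicited IKE traffic can be reviewed on its own. The function name and the `known_peers` allowlist are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines copied from the "sh log | include IKMP" output in the question above.
SAMPLE_LOG = """\
Jul 29 08:52:23.434 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 219.145.92.238 has no SA and is not an initialization offer
Jul 29 09:42:25.726 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 211.91.233.27 has no SA and is not an initialization offer
Jul 30 01:38:23.938 IST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at 210.34.12.33
Jul 30 01:39:16.170 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 210.34.12.33 has no SA and is not an initialization offer
"""

# Captures: timestamp, severity digit, IKMP mnemonic, free-text message.
LINE_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+[\d:.]+)\s+\S+:\s+"
    r"%CRYPTO-(?P<sev>\d)-(?P<mnemonic>IKMP_\w+):\s+(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def summarize_ike_peers(log_text, known_peers=()):
    """Group IKMP syslog lines by remote address.

    known_peers is a hypothetical allowlist of configured VPN peers.
    Returns {ip: {"events": {mnemonic: count}, "first", "last", "expected"}}.
    """
    allow = {ipaddress.ip_address(p) for p in known_peers}
    peers = defaultdict(lambda: {"events": defaultdict(int), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not an IKMP message in the format shown on this page
        found = IPV4_RE.findall(m["msg"])
        if not found:
            continue  # message carries no peer address
        try:
            ip = ipaddress.ip_address(found[-1])
        except ValueError:
            continue  # the loose regex matched something that is not a valid IPv4 address
        rec = peers[str(ip)]
        rec["events"][m["mnemonic"]] += 1
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
        rec["expected"] = ip in allow
    return {ip: {**r, "events": dict(r["events"])} for ip, r in peers.items()}


if __name__ == "__main__":
    for ip, rec in summarize_ike_peers(SAMPLE_LOG).items():
        status = "expected" if rec["expected"] else "UNEXPECTED"
        print(ip, rec["events"], rec["first"], "->", rec["last"], status)
```

With an empty allowlist, which matches the poster's statement that no IPsec is configured, every source is reported as unexpected.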