
%CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

ittechk4u1
Level 4

Hello Experts,

I implemented DMVPN and all spokes are working except one spoke.

On this HUB I am getting the error from this problematic spoke:

%CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.xxx has no SA and is not an initialization offer

 

Info: Sometimes the tunnel comes up and then automatically goes down... so it's not stable at all.

 

On HUB: sh cry isa sa

196.243.205.120 107.120.64.62 MM_SA_SETUP 0 ACTIVE
196.243.205.120 107.120.64.62 MM_SA_SETUP 0 ACTIVE
196.243.205.120 107.120.64.62 MM_NO_STATE 0 ACTIVE (deleted)
196.243.205.120 107.120.64.62 MM_NO_STATE 0 ACTIVE (deleted)
196.243.205.120 107.120.64.62 MM_NO_STATE 0 ACTIVE (deleted)

 

On Spoke: sh cry isa sa

196.243.205.120 107.120.64.62 MM_NO_STATE 0 ACTIVE (deleted)
196.243.205.120 107.120.64.62 MM_NO_STATE 0 ACTIVE (deleted)

 

 

What could be the reason?

Thanks in advance.

 

 


Hello,

 

Does that spoke have a high amount of traffic compared to the other ones? Try and configure:

 

crypto ipsec security-association lifetime kilobytes disable

Yes, it has more traffic than the other spokes.

I configured the above command but the tunnels are still not coming up.

 

Thanks

 

Can anyone help?

Hello,

 

Is the IOS version and the hardware used at the 'problem' spoke different from the other spoke sites? What about the ISP link?

 

Post the full config of the spoke, we might be able to spot something...

The output of debug crypto isakmp on the spoke might have something helpful.

 

HTH

 

Rick


Hi,

All spokes have the same IOS version: c2900-universalk9-mz.SPA.155-3.M5.bin

The ISP is OK, as it works for a few hours (tunnel is up) and then automatically stops (tunnel down for a few hours).

Thanks

Hello,

 

Not sure if this has already been asked, but does the entire connection go down, or just the tunnel?

 

Either way, try a lower replay window size:

 

crypto ipsec security-association replay window-size 512

Only the tunnel goes down.

At the moment the tunnel has been active for the last 12 hours.

 

Thanks

Even after this command I am facing the same problem.

Error Message
Apr 29 2019 12:16:14 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from X.X.X.X has no SA and is not an initialization offer
SYD-RT01#
Apr 29 2019 12:17:18 UTC: %CRYPTO-4-IKMP_NO_SA: IKE message from X.X.X.X has no SA and is not an initialization offer
IOS Version:
show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.5(3)M5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 25-Jan-17 08:12 by prod_rel_team

Felipe A. Amaya
Level 1
Just finished working on a similar issue. Have the provider ping their remote NID (success rate)? In my situation I had a faulty path from the CO to the remote site. Once the service provider fixed their path, everything came up.