06-11-2012 06:50 PM - edited 03-04-2019 04:38 PM
Hi All,
I am getting the following log even though the site-to-site VPN tunnel between the two peers is still up and running fine without any complaints.
Also, I checked the interesting traffic (ACL) config and it is the same at both ends.
Jun 11 16:10:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx
Jun 11 16:11:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx
Jun 11 16:12:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx
#sh cry ipse sa peer 209.171.xxx.xx
interface: GigabitEthernet0/1
Crypto map tag: VPNMAP, local addr. 65.55.xxx.xx
protected vrf:
local ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
current_peer: 209.171.xxx.xx:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8561, #pkts encrypt: 8561, #pkts digest 8561
#pkts decaps: 4291, #pkts decrypt: 4291, #pkts verify 4291
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
current_peer: 209.171.xxx.xx:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3424641, #pkts encrypt: 3424641, #pkts digest 3424641
#pkts decaps: 3760696, #pkts decrypt: 3760696, #pkts verify 3760696
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 57140C90
inbound esp sas:
spi: 0x96137A67(2517858919)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 8127, flow_id: 1039, crypto map: VPNMAP
sa timing: remaining key lifetime (k/sec): (4513759/2293)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x57140C90(1460931728)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 8128, flow_id: 1040, crypto map: VPNMAP
sa timing: remaining key lifetime (k/sec): (4513740/2293)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
current_peer: 209.171.xxx.xx:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 117, #pkts encrypt: 117, #pkts digest 117
#pkts decaps: 115, #pkts decrypt: 115, #pkts verify 115
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3, #recv errors 0
local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Can someone please suggest what I should do to stop these logs?
Jopeti.
06-12-2012 04:59 AM
What type of device is this? Router or ASA? Can you post the config minus addressing information?
06-12-2012 05:37 PM
It is a router; the device is a c7200.
The config looks the same at both ends.
Jopeti.
06-12-2012 07:18 PM
Hello Jopeti,
Can you run "debug crypto ipsec" and provide the details?
You need to remember that running debug on a production box is a risk, so run it during non-working hours, and also notify your customer prior to running debug because this may impact production.
Please rate the helpful posts.
Regards,
Naidu.
02-12-2021 01:09 AM
Please check if the ISAKMP PSK endpoint IP and the tunnel destination IP addresses are different.