cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
17003
Views
0
Helpful
4
Replies

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at

jopetik09
Level 1
Level 1

Hi All,

I am getting the following log though the site to site vpn tunnel between two peers is still up and running fine without any complaints.

Also I checked the interesting traffic (ACL) config and it is same at both ends.

Jun 11 16:10:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx 

Jun 11 16:11:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx 

Jun 11 16:12:22 utc: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 209.171.xxx.xx

#sh cry ipse sa peer 209.171.xxx.xx

interface: GigabitEthernet0/1
    Crypto map tag: VPNMAP, local addr. 65.55.xxx.xx

   protected vrf:
   local  ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
   current_peer: 209.171.xxx.xx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8561, #pkts encrypt: 8561, #pkts digest 8561
    #pkts decaps: 4291, #pkts decrypt: 4291, #pkts verify 4291
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
   current_peer: 209.171.xxx.xx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3424641, #pkts encrypt: 3424641, #pkts digest 3424641
    #pkts decaps: 3760696, #pkts decrypt: 3760696, #pkts verify 3760696
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 57140C90

     inbound esp sas:
      spi: 0x96137A67(2517858919)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8127, flow_id: 1039, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4513759/2293)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x57140C90(1460931728)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8128, flow_id: 1040, crypto map: VPNMAP
        sa timing: remaining key lifetime (k/sec): (4513740/2293)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (65.55.xxx.xxx/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (208.38.xxx.xxx/255.255.255.255/6/5812)
   current_peer: 209.171.xxx.xx:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 117, #pkts encrypt: 117, #pkts digest 117
    #pkts decaps: 115, #pkts decrypt: 115, #pkts verify 115
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 0

     local crypto endpt.: 65.55.xxx.xx, remote crypto endpt.: 209.171.xxx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Can someone please suggest me what to do to stop these logs.

Jopeti.

4 Replies 4

John Blakley
VIP Alumni
VIP Alumni

What type of device is this? Router or ASA? Can you post the config minus addressing information?

HTH, John *** Please rate all useful posts ***

It is router c7200 is the device.

The config looks same at both ends.

Jopeti.

Hello Jopeti,

Can you do the "debug crypto ipsec" and provide details.

You need to remember that running debug on the production box is risk, so run it in a non working hours also notify your  customer prior to run debug because this may impact the production.

Please rate the helpfull posts.

Regards,

Naidu.

RishiCSE89
Level 1
Level 1

Please check if the ISAKMP PSK endpoint IP and the tunnel destination IP addresses are different.  

Review Cisco Networking for a $25 gift card