09-29-2008 09:30 AM
I have a DMVPN network and everything works well.
When the connection from the ISP to the spoke goes down and then comes back up, I receive this message:
CRYPTO-4-IKMP_NO_SA: IKE message from [IP_address] has no SA and is not an initialization offer
and there is no traffic from the spoke.
I have SSH from the hub, and when I run clear crypto sa and clear crypto isakmp sa and reload the router, everything is OK.
I found this on the site:
Error Message
%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer
Explanation: IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action: Contact the remote peer and the administrator of the remote peer.
But this is not a DoS attack.
Can you help me?
Thanks in advance
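As an added example (not part of the original post or of Cisco's documentation): a small triage script that counts %CRYPTO-4-IKMP_NO_SA events per source address and separates configured DMVPN peers, where repeated hits are consistent with a stale SA after a link flap as described above, from sources that are not configured peers. The peer list, threshold, labels and log lines are constructed assumptions.

```python
import re
from collections import Counter

# Matches the message text quoted in the post; tolerates the optional
# space before the colon seen in the documentation excerpt.
NO_SA = re.compile(
    r"%CRYPTO-4-IKMP_NO_SA\s*: IKE message from "
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+has no SA"
)

def triage_no_sa(log_lines, known_peers, threshold=3):
    """Return {source_ip: (count, label)} for IKMP_NO_SA events.

    Labels are this example's own heuristic, not a Cisco classification:
      stale-sa-suspected   configured peer, repeated events (threshold+)
      known-peer-transient configured peer, only a few events
      unknown-source       address is not a configured peer
    """
    counts = Counter()
    for line in log_lines:
        match = NO_SA.search(line)
        if match:
            counts[match.group(1)] += 1
    report = {}
    for ip, n in counts.items():
        if ip not in known_peers:
            label = "unknown-source"
        elif n >= threshold:
            label = "stale-sa-suspected"
        else:
            label = "known-peer-transient"
        report[ip] = (n, label)
    return report

# Constructed sample data (documentation address ranges, invented timestamps).
MSG = "%CRYPTO-4-IKMP_NO_SA: IKE message from {} has no SA and is not an initialization offer"
SAMPLE_LOG = [
    "*Sep 29 09:12:01.100: " + MSG.format("192.0.2.10"),
    "*Sep 29 09:12:11.104: " + MSG.format("192.0.2.10"),
    "*Sep 29 09:12:15.530: " + MSG.format("203.0.113.77"),
    "*Sep 29 09:12:18.002: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up",
    "*Sep 29 09:12:21.108: " + MSG.format("192.0.2.10"),
    "*Sep 29 09:12:40.912: " + MSG.format("192.0.2.20"),
]
KNOWN_PEERS = {"192.0.2.10", "192.0.2.20"}  # assumed spoke/hub tunnel endpoints

if __name__ == "__main__":
    for ip, (n, label) in sorted(triage_no_sa(SAMPLE_LOG, KNOWN_PEERS).items()):
        print(f"{ip:15} {n:3} {label}")
```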
09-29-2008 09:45 AM
Try enabling ISAKMP keepalives on both sides to send dead peer detection (DPD) messages to the peer on the router.
"crypto isakmp keepalive 10 periodic"
HTH
Saju
Pls rate helpful posts
09-30-2008 04:18 AM
Hi,
We are colleagues with Vaba.
Thanks for the response. Let me just give you the full info:
Keepalives were already enabled exactly as you say.
The configuration of the spoke routers has shared IPSEC profiles, as more than one mGRE tunnel is sourced from the same physical interface.
Apparently the spoke router does not clear the SA when the HUBs are unreachable. When the HUBs are reachable again, the spoke tries to connect using the old SA. Shouldn't it try to initiate a new SA with the HUBs?
Regards,
Mladen
09-30-2008 09:59 PM
I have noticed the following:
The pre-shared keys I used do not have the "no-xauth" option.
Xauth is not used, but still it is not disabled. So the IPSEC peers should be trying to negotiate Xauth (I will debug to see what exactly happens).
Do you think that this could be the problem? (apparently when the spoke router reboots or the spoke uplink goes down/up the SA are successfully renegotiated, so in this case Xauth is not a problem).
Regards,
Mladen
10-06-2008 11:25 PM
Notice:
I have 4 DMVPNs running on my LAN:
2 for one ISP and 2 for the second ISP.
My spoke has 2 Fast Ethernet interfaces with 4 DMVPNs.
I use GRE multipoint with NHRP and 2 tunnels for each Fast Ethernet. I use "tunnel protection ipsec profile XXXXX shared" and
"crypto isakmp keepalive 10 periodic". When the route to the second HUB goes down, the SAs for these 2 tunnels are not deleted, and when the route to the second HUB comes up again, I have no EIGRP neighbor and receive CRYPTO-4-IKMP_NO_SA.
Can you help me?
Thanks in advance
03-28-2014 07:07 AM
Hello Vaba,
Excuse me for asking, but I am implementing a DMVPN network to connect 500 spokes but I could route the packets towards the tunnel, and I would like to know how you did the routing. I'm using EIGRP.
Thank you.