I recently disabled Aggressive Mode on all my routers with "crypto isakmp aggressive-mode disable". I am now getting the following syslog message for all of the routers.
%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled
I have double checked and can't find any router without "aggressive-mode disable". The log message doesn't say who is connecting in aggressive-mode.
I'm getting this message every 2 minutes for all the routers. It is really filling the log files.
This message is informational, indicating that aggressive-mode is disabled. The router checks for aggressive-mode when initiating or responding to IKE requests. Unfortunately there is no way to selectively drop this log message on an IOS router. Are all the routers enabled for IPSEC? If you are getting this message every two minutes, you can check whether any non-authorized remote peer keeps trying to initiate ipsec with this router.
You can block those addresses with an interface acl. Please check if you see numerous incomplete IKE sessions (show crypto isakmp sa) or use "debug ip packet" to get the remote peer's address.
With dmvpn (Dynamic being the main term), creating an acl to only allow your ips to connect, when there are 100s of ips that could/should connect to each other directly, isn't really feasible; otherwise you do away with the most useful part of dmvpn. He is asking how to disable that message, as it isn't really useful since someone is always knocking on the door.
Unfortunately there isn't really a true way to disable the alert, but you can keep it from flooding your logs by implementing a logging discriminator. Command Reference
Once you have configured your discriminator, make sure to actually apply it to your logging method (buffered, host, console).
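The discriminator approach from the reply above, written out as an added example (not configuration posted by anyone in the thread). The discriminator name NOAGMODE, the 16384-byte buffer size and the syslog host 192.0.2.10 are placeholders chosen for illustration; IOS limits discriminator names to eight characters.

```cisco
! Match on the mnemonic of %CRYPTO-5-IKMP_AG_MODE_DISABLED and drop it.
! All other messages, including other CRYPTO messages, still pass.
logging discriminator NOAGMODE mnemonics drops IKMP_AG_MODE_DISABLED
!
! The discriminator has no effect until it is attached to a destination.
! Attach it to each destination where the message should be suppressed.
logging buffered discriminator NOAGMODE 16384
logging console discriminator NOAGMODE
logging host 192.0.2.10 discriminator NOAGMODE
```

Any destination left without the discriminator keeps receiving the message, so the syslog host line can be configured without it if a central record of aggressive-mode attempts is still wanted while the local buffer stays clean.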