Hi Anisha,

Thanks for feedback. Anyway, this is router not ASA. I attached 'show run' file.

We already removed the peering of 192.55.12.36 and 192.55.16.36 but a ton of the log below keep happening all the time .

May 23 21:46:06.841 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.12.36 is missing
May 23 21:46:30.101 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.16.36 is missing
May 23 21:47:11.881 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.12.36 is missing
May 23 21:47:30.105 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.16.36 is missing

>> We already removed the peering of 192.55.12.36 and 192.55.16.36 but a ton of the log below keep happening all the time .

The two peers you are mentioning have not removed you as a peer in their configuration and hence keep trying to build the tunnel.

You can block these peers by putting an access list on the ingress interface (internet facing) for UDP/500.

-Vikas

Hi Vikas,

Can you advice me to create ACL to block UDP/500 from peer?

Thanks

Looking at your configuration, you have g0/1 as the internet connected interface, you have an ACL applied here in inbound

ip access-list extended VPN-Backup
remark inbounnd traffic from internet
permit gre any host 119.x.y.2
permit ahp any host 119.x.y.2
permit udp any host 119.x.y.2 eq isakmp
permit icmp any host 119.x.y.2

the two IP address you mentioned for which the peering has been intentionaly removed can be blocked in this ACL. Below is the way you can add entries into an extended ACL without destrying its contents:

(config)# ip access-li VPN-Backup exten

(config-acl)#1 deny udp host host eq 500

(config-acl)#2 deny udp host host eq 500

...rest of the ACL...

you may want to check the numbering of the acl first by doing 'show access-li VPN-Backup'