cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2109
Views
0
Helpful
5
Replies

CRYPTO-6-IKMP_NO_PRESHARED_KEY error

Rojer-bkk
Beginner
Beginner

Hi Expert,


I removed the peering of 192.168.21.63  but i found log below keep happening all the time .


May 23 21:46:06.841 : %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.168.21.63 is missing

How should i resolve this problem? Thank you

5 Replies 5

andamani
Cisco Employee
Cisco Employee

Hi,

Please paste the output of "sh run" from the ASA.

Regards,

Anisha

- Do rate helpful posts

Hi Anisha,

Thanks for feedback. Anyway, this is router not ASA. I attached 'show run' file.

We already removed the peering of 192.55.12.36 and 192.55.16.36 but a ton of the log below keep happening all the time .

May 23 21:46:06.841 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.12.36 is missing
May 23 21:46:30.101 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.16.36 is missing
May 23 21:47:11.881 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.12.36 is missing
May 23 21:47:30.105 Thailan: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 192.55.16.36 is missing

>> We already removed the peering of 192.55.12.36 and 192.55.16.36 but a ton of the log below keep happening all the time .

The two peers you are mentioning have not removed you as a peer in their configuration and hence keep trying to build the tunnel.

You can block these peers by putting an access list on the ingress interface (internet facing) for UDP/500.

-Vikas

Hi Vikas,

Can you advice me to create ACL to block UDP/500 from peer?


Thanks

Looking at your configuration, you have g0/1 as the internet connected interface, you have an ACL applied here in inbound

ip access-list extended VPN-Backup
remark inbounnd traffic from internet
permit gre any host 119.x.y.2
permit ahp any host 119.x.y.2
permit udp any host 119.x.y.2 eq isakmp
permit icmp any host 119.x.y.2

the two IP address you mentioned for which the peering has been intentionaly removed can be blocked in this ACL. Below is the way you can add entries into an extended ACL without destrying its contents:

(config)# ip access-li VPN-Backup exten

(config-acl)#1 deny udp host host eq 500

(config-acl)#2 deny udp host host eq 500

...rest of the ACL...

you may want to check the numbering of the acl first by doing 'show access-li VPN-Backup'

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers