19867 Views | 5 Helpful | 5 Replies

Disable Aggressive Mode

hongsang
Level 1

I have a site-to-site VPN using IKEv1. If I disable aggressive mode on the ASA, should I disable it on the remote device or the local device first, and then change it on the other peer? Does the VPN connection drop when the change is applied? Is there anything I need to be aware of before making this change?

Thanks to anyone who can support me.

Accepted Solution

Cisco ASAs typically use Main Mode for site-to-site VPNs and only use aggressive mode for remote access VPNs. You can determine whether your current VPNs are using MM with the command show crypto ikev1 sa

ASA-1(config-tunnel-ipsec)# show crypto ikev1 sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 3.3.3.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

If you see MM_ACTIVE, the IKEv1 SA was established using Main Mode. Therefore you can disable aggressive mode using the command crypto ikev1 am-disable. You should be able to disable this without impacting the current tunnel, as this would only affect the establishment of an IKE SA, not the IPsec SA through which data is being tunnelled.

Although obviously do take care when making changes in a production environment; as recommended, make the change in a maintenance window and ensure you have connectivity to the remote device via SSH (not through the tunnel).

HTH

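A small checker, added here as an illustration and not code from the original thread or from Cisco, that parses "show crypto ikev1 sa" output in the format quoted above and reports whether every current IKEv1 SA is Main Mode before "crypto ikev1 am-disable" is applied. The sample output is constructed: the first peer mirrors the one in the post, while the second (an AM_ACTIVE remote-access peer at a documentation address) is invented to show the case where disabling aggressive mode would matter.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format of the "show crypto ikev1 sa" output quoted
# in the accepted answer. Peer 1 mirrors the post; peer 2 (AM_ACTIVE, a
# remote-access user SA) is invented to exercise the "not safe" branch.
SAMPLE_OUTPUT = """\
IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 3.3.3.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

2 IKE Peer: 198.51.100.7
Type : user Role : responder
Rekey : no State : AM_ACTIVE
"""

# One entry per "N IKE Peer: <addr>" line; the two lines that follow it carry
# type/role and rekey/state.
PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)", re.MULTILINE)
TYPE_RE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
STATE_RE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")


@dataclass
class IkeSa:
    peer: str
    sa_type: str   # L2L (site-to-site) or user (remote access)
    role: str      # initiator / responder
    rekey: str
    state: str     # e.g. MM_ACTIVE, AM_ACTIVE

    @property
    def mode(self) -> str:
        """Phase 1 exchange type, derived from the state prefix."""
        if self.state.startswith("MM_"):
            return "main"
        if self.state.startswith("AM_"):
            return "aggressive"
        return "unknown"


def parse_ikev1_sas(text: str) -> list[IkeSa]:
    """Parse the per-peer blocks of 'show crypto ikev1 sa' output."""
    sas: list[IkeSa] = []
    peers = list(PEER_RE.finditer(text))
    for i, m in enumerate(peers):
        end = peers[i + 1].start() if i + 1 < len(peers) else len(text)
        block = text[m.start():end]
        t, s = TYPE_RE.search(block), STATE_RE.search(block)
        if not (t and s):
            continue  # truncated block: skip it rather than guess
        sas.append(IkeSa(m.group(1), t.group(1), t.group(2), s.group(1), s.group(2)))
    return sas


def aggressive_mode_peers(sas: list[IkeSa]) -> list[str]:
    """Peers whose current IKEv1 SA was built with Aggressive Mode."""
    return [sa.peer for sa in sas if sa.mode == "aggressive"]


def am_disable_is_safe(sas: list[IkeSa]) -> bool:
    """True only when at least one SA is up and every SA is Main Mode.

    An empty list is treated as 'cannot confirm', not as safe: with no SA
    established there is nothing to verify against.
    """
    return bool(sas) and all(sa.mode == "main" for sa in sas)


def report(text: str) -> str:
    """Human-readable summary of the SAs plus a verdict on am-disable."""
    sas = parse_ikev1_sas(text)
    lines = [f"{sa.peer:16} {sa.sa_type:5} {sa.role:10} {sa.state:12} {sa.mode}"
             for sa in sas]
    if am_disable_is_safe(sas):
        lines.append("All IKEv1 SAs are Main Mode: 'crypto ikev1 am-disable' "
                     "should not affect them.")
    else:
        lines.append("Aggressive Mode peers (or no SA seen): "
                     + ", ".join(aggressive_mode_peers(sas))
                     + "; review these before 'crypto ikev1 am-disable'.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Feed it the saved output of "show crypto ikev1 sa" from each peer before the change; a peer still showing an AM_ACTIVE SA is one that would have to renegotiate once aggressive mode is refused.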

5 Replies

balaji.bandi
Hall of Fame

The tunnel will be dropped and re-established if all the setup is done correctly. If this is a live environment, perform the change in a maintenance window, and make sure someone is available remotely in case of any issue, to reset the tunnel at the far end.

BB


If one firewall is configured to disable aggressive mode but the other end is not, what will happen?

Hi,

The firewall where you disabled Aggressive Mode will only try Main Mode. The other side, where both modes are working, will respond in Main Mode (because it only received packets in Main Mode).

Regards,

Deepak Kumar



I checked; it is MM_ACTIVE. It should be safe to disable Aggressive Mode.

Thanks for your support.