11-04-2004 04:05 AM
Hello,
I have 4 VPN routers, 2 on each side, configured with HSRP for redundancy.
After I changed my access lists for the crypto tunnel, I get messages like this on both sides.
The access lists are symmetric on both sides of the VPN tunnel.
%CRYPTO-4-IKMP_NO_SA: IKE message from 172.29.102.142 has no SA and is not an initialization offer
In the docs I found only:
%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer
Explanation IKE maintains state information for a communication in the form of security associations. No security association exists for this packet and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action: Contact the remote peer or the administrator of the remote peer.
Because I am the admin of both sides, I'm not sure how I can troubleshoot this problem.
Does anyone have an idea what's going wrong there?
Best Regards
Sven Butzek
11-06-2004 03:16 AM
Hello Sven,
It seems to be some problem with your SA parameters. What is this IP 172.29.102.142? What is your exact problem? Are you not able to communicate with the server on the remote peer, or is it related to authentication etc.?
I had seen this error here in the caveats of a 7500 router. This is an open caveat in that particular IOS.
These messages can be observed if the standby High Availability (HA) enabled router has a peer that does NAT-T, but no Dead Peer Detection (DPD). Currently, all routers running Cisco IOS software and Cisco VPN Clients that support NAT-T also support DPD.
Workaround: Use a DPD enabled router when using NAT-T, or ensure that router is on the public network, i.e. outside the NAT gateway.
Are you doing NAT-T with this router?
11-07-2004 11:58 PM
Hello,
None of those. I found the problem.
One ACL on one of the 4 routers had a deny ip any any.
After I removed the line, the messages stopped.
Best Regards
11-08-2004 12:21 AM
Hi sbutzek,
Cool. As I told you before, the SAs will not negotiate unless the parameters at both routers are the same. Good that it worked out for you.
Anyway, please close the post, saying that it solved your issue, and rate if required.
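The thread above was resolved by spotting a stray deny ip any any in one of the four routers' access lists, and the last reply stresses that both peers must carry matching parameters. The script below is an added example, not code from the original thread or from Cisco: it parses IOS-style numbered extended ACL lines from two routers, checks that every permit on one side has its source/destination-swapped twin on the other, and flags an explicit deny ip any any, reporting whether it shadows permit lines placed after it (ACLs are matched top-down, first match wins) or is merely redundant with the implicit deny every IOS ACL ends in. The hostnames, ACL number and subnets are constructed for illustration.

```python
"""Mirror-check two routers' crypto ACLs (added example; assumptions are marked)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp", ...
    src: str     # "any", "host A.B.C.D", or "network wildcard"
    dst: str

    def mirrored(self) -> "AclEntry":
        """The entry the remote peer must carry: same action and protocol, src/dst swapped."""
        return AclEntry(self.action, self.proto, self.dst, self.src)


def _take_address(tokens: list, i: int):
    """Consume one IOS address spec starting at tokens[i]; return (text, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tok} {tokens[i + 1]}", i + 2  # network followed by wildcard mask


def parse_acl(config_text: str) -> list:
    """Parse 'access-list N permit|deny PROTO SRC DST ...' lines; other lines are ignored.

    Port qualifiers after the destination (e.g. 'eq 80') are not modelled here.
    """
    entries = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _take_address(tokens, 4)
        dst, _ = _take_address(tokens, i)
        entries.append(AclEntry(action, proto, src, dst))
    return entries


def check_mirror(local: list, remote: list, names=("router A", "router B")) -> list:
    """Return human-readable findings; an empty list means the two ACLs mirror cleanly."""
    findings = []
    for side, mine, theirs in ((names[0], local, remote), (names[1], remote, local)):
        other = set(theirs)
        # Every permit must have its swapped twin on the peer, or one direction is unprotected.
        for e in mine:
            if e.action == "permit" and e.mirrored() not in other:
                findings.append(f"{side}: permit {e.proto} {e.src} -> {e.dst} has no mirrored permit on the peer")
        # An explicit deny-any-any either shadows later permits or is redundant with the implicit deny.
        for idx, e in enumerate(mine):
            if e.action == "deny" and e.src == "any" and e.dst == "any":
                shadowed = sum(1 for later in mine[idx + 1:] if later.action == "permit")
                if shadowed:
                    findings.append(f"{side}: 'deny {e.proto} any any' at position {idx + 1} shadows {shadowed} permit line(s) below it, so they are never matched")
                else:
                    findings.append(f"{side}: trailing 'deny {e.proto} any any' is redundant (ACLs already end in an implicit deny)")
    return findings


# Constructed sample configs (not from the thread). Router B carries a stray
# 'deny ip any any' that was pasted in above its permit, and lacks one mirror entry.
ROUTER_A_ACL = """
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 110 permit ip host 10.1.1.10 10.3.3.0 0.0.0.255
"""
ROUTER_B_ACL = """
access-list 110 deny ip any any
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
# The corrected peer ACL: both permits mirrored, no explicit deny.
ROUTER_B_ACL_FIXED = """
access-list 110 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.3.3.0 0.0.0.255 host 10.1.1.10
"""

if __name__ == "__main__":
    for label, remote_text in (("broken", ROUTER_B_ACL), ("fixed", ROUTER_B_ACL_FIXED)):
        print(f"== {label} ==")
        for line in check_mirror(parse_acl(ROUTER_A_ACL), parse_acl(remote_text)) or ["no findings"]:
            print(" ", line)
```

Feed it the output of show running-config | include access-list from each peer and compare the findings list to an empty result; an HSRP pair should be checked against the peer pair as well, since all four routers in the thread had to agree.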