Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
753
Views
5
Helpful
3
Replies

HA VPN Setup - 4 Routers side to side.

Sbutzek
Level 1
Level 1

‎11-04-2004 04:05 AM

Hello,

i have 4 VPN Routers, 2 on both sides configured with HSRP for redundancy

After i changed my accesslists for the Crypto Tunnel, i get messages like this on both sides.

The Accesslists are symetric on both sides of the VPN Tunnel.

%CRYPTO-4-IKMP_NO_SA: IKE message from 172.29.102.142 has no SA and is not an initialization offer

In the docs i found only:

%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

Explanation IKE maintains state information for a communication in the form of security associations. No security association exists for this packet and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Recommended Action Contact the remote peer or the administrator of the remote peer

Because i am the Admin of both sides, i'm not sure, how i can troubleshoot this Problem.

Have anyone a idea whats going wrong there?

Best Regards

Sven Butzek

Labels:
0 Helpful
3 Replies 3

sachinraja
Level 9
Level 9

‎11-06-2004 03:16 AM

Helo Sven,

seems to be some problem with your SA parameters. What is this IP 172.29.102.142 ? what is ur exact problem ? are you not able to communicate with the server on the remote peer or is it related with authentication etc ?

I had seen this error here on the caveats of a 7500 router. This is a open caveat in that particular IOS.

These messages can be observed if the standby High Availability (HA) enabled router has a peer that does NAT-T, but no Dead Peer Detection (DPD). Currently, all routers running Cisco IOS software and Cisco VPN Clients that support NAT-T also support DPD.

Workaround: Use a DPD enabled router when using NAT-T, or ensure that router is on the public network, i.e. outside the NAT gateway.

Are you doing NAT-T with this router ?

0 Helpful

Sbutzek
Level 1
Level 1
In response to sachinraja

‎11-07-2004 11:58 PM

Hello,

nothing of them. I found the Problem.

One ACL of the 4 Routers had a deny ip any any.

After i removed the line, the messages stopped.

Best Regards

0 Helpful

sachinraja
Level 9
Level 9
In response to Sbutzek

‎11-08-2004 12:21 AM

Hi sbutzek,

cool. as I told you before, the SA's will not negotiate unless the parameters at both the routers are the same. Good that it worked out for you.

Anyway, please close the post, saying that it solved your issue and rate if required.

Customers Also Viewed These Support Documents