Syslog error and DOS attack

sajsoft
Level 1

I am continuously receiving the following Syslog error message from the location routers given below:

2005-09-01 09:28:50 Syslog.Warning 10.0.0.1 71528: .Sep 1 09:29:22.862 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 202.101.231.4 has no SA and is not an initialization offer

This IP "202.101.231.4" does not belong to my network. Can this be a spoofed IP?

Cisco's explanation for the Syslog message is the following.

Error Message

%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

Explanation: IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Recommended Action: Contact the remote peer and the administrator of the remote peer.

What preventive actions do I have to take for this? Please help.

Thanks

Sajith

6 Replies

Richard Burts
Hall of Fame

Sajith

I sometimes see messages like this on my VPN routers. But usually the address is the address of one of my peer routers. And it usually is an indication that there has been a temporary interruption in operation of the tunnel. I gather from your message that the address in the message is not one that you recognize. So it may be something different than my experience.

When you get these messages is it consistently the same address in the message or is 202.101.231.4 just an example of an address of which you see many?

If there is a consistent address in the error messages and it is not part of your network, is it possible that it is from the network of a business partner or of some network that has a legitimate need to send packets into your network?

If there is a consistent address and if you cannot establish that there is a legitimate reason for it to be sending packets to you, you might configure an access list on the inbound interface and deny packets with this source address.

HTH

Rick

Is it possible that the IP belongs to a remote user with a home internet connection?

rating_is_vital
Level 1

Hi Sajith,

How often do you see the message? A DoS attack is extremely difficult to prevent. In case you are 100% certain that the IP is not legitimate, one way is to configure an inbound ACL to deny all traffic from this particular IP, or alternatively enable the IDS feature.

Dear Friends,

Thanks a lot for your replies.

We don't have any IPsec Site-to-Site or Remote Access VPNs configured on these routers.

I am 100% sure that this IP does not belong to our network.

Whois results for the IP show it is from China. We don't have any customers from China.

Once a week I am getting the same Syslog messages.

Saj

Saj

If you do not have any site to site VPN and do not have Remote Access VPN configured on those routers then I am very surprised that you are getting the error message. My experience of it is that this message is generated when the router is configured to expect traffic from this address to be protected by IPSec and the peer does not have a Security Association. I do not see how that message could get generated if there were not a VPN configured. Could you tell us what is configured on these routers? Perhaps even post configs so that we might be able to help you better?

HTH

Rick

I have only GRE tunnels configured on this link. Planning to convert to IPsec tunnels.

When I tried searching for the message I found posts in some discussion forums. There are posts from some people who have got the same Syslog messages from routers without configuring IPsec VPNs.

As per these posts, it might be due to UDP port 500 scanning or ISAKMP scanning done by a tool.

I found the below link in one of the posts:

http://www.nta-monitor.com/ike-scan/

NTA Monitor, Europe's leading Internet security testing company, has launched a tool to enable network administrators to scan and identify virtual private network (VPN) servers within their networks. The security-auditing tool will enable users to take corrective action if they identify VPN servers that have known flaws

Please share your views on the same.

Thanks

Saj
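Rick's triage questions above (is the address a known peer, and is it one consistent foreign address or many different ones?) and Saj's later port-500 scanning hypothesis come down to the same check over the collected syslog lines. The script below is an added example, not code from this thread or from Cisco. It parses %CRYPTO-4-IKMP_NO_SA messages, compares each source with an assumed list of own and peer networks (10.0.0.0/8 because the router in the thread is 10.0.0.1, and 198.51.100.0/24 as a constructed stand-in for a business partner's peer range), and counts how often each foreign source recurs. Apart from the line quoted in the question, the sample log lines are constructed in the same format.

```python
import re
import ipaddress
from collections import Counter

# Message format as quoted in the thread. Collector prefixes (date, facility,
# relay address, sequence number) differ between syslog servers, so we match
# only on the IOS message body and capture the peer address it names.
IKMP_NO_SA_RE = re.compile(
    r"%CRYPTO-4-IKMP_NO_SA: IKE message from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"has no SA and is not an initialization offer"
)

# Assumption: address space of our own network and of every legitimate IPsec
# peer. 10.0.0.0/8 covers the router in the thread (10.0.0.1); 198.51.100.0/24
# is a constructed placeholder for a partner's peer range.
KNOWN_PEER_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed sample: the thread's own line plus made-up lines in the same format.
SAMPLE_LOG = """\
2005-09-01 09:28:50 Syslog.Warning 10.0.0.1 71528: .Sep 1 09:29:22.862 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 202.101.231.4 has no SA and is not an initialization offer
2005-09-01 09:28:51 Syslog.Info 10.0.0.1 71529: .Sep 1 09:29:23.100 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
2005-09-01 09:30:02 Syslog.Warning 10.0.0.1 71530: .Sep 1 09:30:34.010 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7 has no SA and is not an initialization offer
2005-09-08 09:28:55 Syslog.Warning 10.0.0.1 72101: .Sep 8 09:29:27.402 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 202.101.231.4 has no SA and is not an initialization offer
2005-09-08 09:28:56 Syslog.Warning 10.0.0.1 72102: .Sep 8 09:29:28.011 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.9 has no SA and is not an initialization offer
2005-09-15 09:29:01 Syslog.Warning 10.0.0.1 72644: .Sep 15 09:29:33.790 IST: %CRYPTO-4-IKMP_NO_SA: IKE message from 202.101.231.4 has no SA and is not an initialization offer
""".splitlines()


def is_known_peer(addr: str) -> bool:
    """True if the address falls inside our own or a legitimate peer network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in KNOWN_PEER_NETS)


def ikmp_no_sa_sources(lines):
    """Count IKMP_NO_SA messages per source address; unrelated lines are ignored."""
    return Counter(m.group("src") for m in map(IKMP_NO_SA_RE.search, lines) if m)


def triage(lines):
    """Classify each source the way Rick's reply reasons about it."""
    result = {}
    for src, count in ikmp_no_sa_sources(lines).items():
        if is_known_peer(src):
            verdict = "known-peer"        # most likely a transient tunnel interruption
        elif count > 1:
            verdict = "unknown-repeated"  # consistent foreign source: verify, else inbound ACL
        else:
            verdict = "unknown-single"    # one-off; many of these looks like a UDP/500 sweep
        result[src] = {"count": count, "verdict": verdict}
    return result


def summary(lines):
    """Overall picture: one persistent stranger versus many one-off strangers."""
    t = triage(lines)
    unknown = [s for s, v in t.items() if v["verdict"] != "known-peer"]
    repeated = [s for s in unknown if t[s]["verdict"] == "unknown-repeated"]
    return {"unknown_sources": len(unknown), "repeated_unknown": sorted(repeated)}


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} count={info['count']} {info['verdict']}")
    print(summary(SAMPLE_LOG))
```

On the sample, 202.101.231.4 recurs on three separate days and is not in any known range, so it lands in the "unknown-repeated" bucket that Rick's ACL advice is aimed at; a log where most foreign sources appear exactly once would instead point towards the scanning explanation Saj found. Feed the script your real syslog export and maintain KNOWN_PEER_NETS from your actual crypto map peers.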