
VPN Configured With Aggressive Mode Enabled

networker101
Level 1

Hi,

Can anyone tell me what the above message means and how to resolve it?

Thanks

5 Replies

Hi,

Both Main Mode and Aggressive Mode are IKE Phase 1 exchange methods.
Main mode is the default and recommended (more secure) exchange method because it consists of six exchange messages.
Aggressive mode squeezes the IKE SA negotiation into three packets.

You can configure the device to use aggressive mode if needed or disable it.
What device are we talking about?

Federico.

Hi,

This is on the ASA5520. How can I change them to normal mode?

Thanks

Ellech

crypto isakmp am-disable
The above command disables inbound aggressive mode connections.

Please rate helpful posts.

Federico.

Will this automatically change the aggressive mode to normal mode?

The command will disable inbound aggressive mode connections.

If you want, there's an option to disable inbound aggressive mode connections on the tunnel-group as well.

tunnel-group xxxxxx ipsec-attributes
  isakmp am-disable

In this way you disable inbound aggressive mode connections from a specific peer.

If a peer tries to establish an aggressive mode connection, you should see a message like this in the logs:

"Unable to initiate or respond to Aggressive Mode while disabled"

This command will prevent Easy Virtual Private Network (Easy VPN) clients from connecting if they are using preshared keys because Easy VPN clients (hardware and software) use aggressive mode.

Federico.
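
An added example, not part of the thread and not Cisco tooling: a small Python audit that reads a saved running-config and lists the tunnel-groups that still accept inbound aggressive mode, using the two `am-disable` forms given above. The sample config is constructed, the function and key names are hypothetical, and `psk_groups` is reported because of the Easy VPN preshared-key caveat in the answer.

```python
import re

# Constructed sample running-config (not from a real device). Only the two
# am-disable forms come from the thread; the rest is assumed ASA context.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
 isakmp am-disable
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
tunnel-group EZVPN type remote-access
tunnel-group EZVPN ipsec-attributes
 pre-shared-key *****
"""

GROUP_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")

def audit_aggressive_mode(config: str) -> dict:
    """Report which tunnel-groups still accept inbound aggressive mode."""
    global_off = False
    groups = {}      # name -> {"am_disabled": bool, "psk": bool}
    current = None   # tunnel-group whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():      # a top-level command ends any section
            current = None
            m = GROUP_RE.match(line)
            if m:
                current = groups.setdefault(
                    m.group(1), {"am_disabled": False, "psk": False})
            elif line == "crypto isakmp am-disable":
                global_off = True     # global form disables it for all peers
        elif current is not None:     # indented sub-command of the group
            cmd = line.strip()
            if cmd == "isakmp am-disable":
                current["am_disabled"] = True
            elif cmd.startswith("pre-shared-key"):
                current["psk"] = True
    accepts = sorted(n for n, g in groups.items()
                     if not (global_off or g["am_disabled"]))
    return {"global_disabled": global_off, "accepts_aggressive_mode": accepts,
            "psk_groups": sorted(n for n, g in groups.items() if g["psk"])}
```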