Posted 05 November 2008 - 09:37 PM
I have SSH from the hub via the WAN, and when I run clear crypto sa and clear crypto isakmp sa, or reload the router, everything is OK.
%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer
Explanation IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.
Recommended Action Contact the remote peer and the administrator of the remote peer.
But this is no DoS attack.
Keepalives are enabled and the spoke routers have shared IPsec profiles ("tunnel protection ipsec profile XXXXX shared").
Can you help me?
Thanks in advance.
Posted 10 November 2008 - 12:13 AM
How IPSec prevents: Authentication methods limit access from unauthorized users
Check the following:
Phase I and Phase II when establishing the connection
Authentication: (Pre-shared Keys)
Diffie-Hellman Group: Group 2
PFS: Group 2
ESP, DES, SHA
Posted 10 November 2008 - 08:51 AM
Can usually be ignored, unless you have tunnels not coming up. In your case, you say it happens when the tunnel goes down, before it comes back up? Basically, it is probably telling you that one side of the connection hasn't terminated the tunnel yet and is still trying to send traffic over a tunnel it thinks is still established. So your router is receiving packets that fit the form of an established tunnel, but it doesn't have that tunnel established.
I wouldn't care too much about it, unless it's indicating your tunnels are taking too long to recover when they need to reform (whether they were cleared, dropped, etc). Then you could consider some high availability options, IP SLA, GRE over IPSEC with an IGP, or something of that nature.
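The distinction drawn above (a peer still sending on an SA the hub has already torn down, versus a peer whose messages keep arriving with no tunnel ever forming) can be checked straight from the syslog. The following is an added example, not code from the thread or from Cisco; it assumes IOS "service timestamps log datetime msec" formatting and an assumed SESSION_STATUS "Crypto tunnel is UP" line as the marker that the tunnel to a peer recovered.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog (not from the thread). Timestamp format and the
# SESSION_STATUS line are assumptions; only the IKMP_NO_SA text is from the page.
NO_SA = "%CRYPTO-4-IKMP_NO_SA: IKE message from {} has no SA and is not an initialization offer"
SAMPLE_LOG = "\n".join(
    ["Nov  5 21:37:01.100: " + NO_SA.format("203.0.113.10"),
     "Nov  5 21:37:02.300: " + NO_SA.format("203.0.113.10"),
     "Nov  5 21:37:05.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 203.0.113.10:500",
     "Nov  5 21:38:00.000: " + NO_SA.format("192.0.2.5")]
    + [f"Nov  5 21:40:{i:02d}.000: " + NO_SA.format("198.51.100.7") for i in range(6)]
)

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): %CRYPTO-\d-(?P<mn>[A-Z_]+): (?P<msg>.*)$")
PEER_RE = {"IKMP_NO_SA": re.compile(r"IKE message from ([\d.]+) has no SA"),
           "SESSION_STATUS": re.compile(r"Crypto tunnel is UP\. Peer ([\d.]+):\d+")}

def parse_line(line, year=2008):
    """Return (timestamp, kind, peer) for the two tracked message types, else None."""
    m = LINE_RE.match(line)
    p = m and m["mn"] in PEER_RE and PEER_RE[m["mn"]].search(m["msg"])
    if not p:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S.%f")
    return ts, ("no_sa" if m["mn"] == "IKMP_NO_SA" else "up"), p.group(1)

def classify_peers(log_text, window_s=60, flood_threshold=5):
    """Per peer: 'transient' if the tunnel came UP within window_s of the first NO_SA
    (the re-establishment race described above), 'sustained' if NO_SA repeats
    flood_threshold+ times and no tunnel ever forms, otherwise 'unresolved'."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev[2]].append(ev[:2])
    verdicts = {}
    for peer, evs in events.items():
        evs.sort()
        no_sa = [t for t, kind in evs if kind == "no_sa"]
        ups = [t for t, kind in evs if kind == "up"]
        if not no_sa:
            continue  # peer only ever reported UP; nothing to classify
        if any(0 <= (u - no_sa[0]).total_seconds() <= window_s for u in ups):
            verdicts[peer] = "transient"
        elif len(no_sa) >= flood_threshold:
            verdicts[peer] = "sustained"
        else:
            verdicts[peer] = "unresolved"
    return verdicts
```

Peers tagged "sustained" are the ones worth following up with the remote administrator, as the Cisco text recommends; "transient" entries are the expected noise around a clear or reload.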