Jump to content


  • Please log in to reply
2 replies to this topic

#1 vaba



  • Members
  • Pip
  • 3 posts
  • Gender:Male
  • Location:Sofia

Posted 05 November 2008 - 09:37 PM

When connection from ISP to spoke down and then up I received this massage:

I have ssh from hub via wan and when clear crypto sa and clear crypto iskmp sa or reload router everything ok.
Cisco say:

Error Message

%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

Explanation IKE maintains the current state for a communication in the form of security associations. No security association exists for the specified packet, and it is not an initial offer from the peer to establish one. This situation could indicate a denial-of-service attack.

Recommended Action Contact the remote peer and the administrator of the remote peer.

But this is no Dos attack.
Keepalives enabled and spoke routers has shared IPSEC profiles "tunnel protection ipsec profile XXXXX shared"

Can you help me

Thanks in advance
  • 0

#2 tsp-att



  • Members
  • Pip
  • 23 posts

Posted 10 November 2008 - 12:13 AM

Hello as far as I know the issue behind Denial-of-service It prevents access of network by valid users. An example is to flood the network with packet traffic

How IPSec prevents: Authentication methods limit access from unauthorized users

Check the following:

Phase I and Phase II when establishing connection

Phase 1:
Authentication: (Pre-shared Keys)
Encryption: 3des
Hashing: MD5
Diffie-Hellman Group: Group 2
PFS: Group 2

Phase 2:
  • 0

#3 zcipher


    Advanced Member

  • Members
  • PipPipPip
  • 489 posts
  • Gender:Male
  • Location:Northern VA

Posted 10 November 2008 - 08:51 AM

%CRYPTO-4-IKMP_NO_SA : IKE message from [IP_address] has no SA and is not an initialization offer

Can usually be ignored, unless you have tunnels not coming up. In your case, you say it happens when the tunnel goes down, before it comes back up? Basically, it is probably telling you that one side of the connection hasn't terminated the tunnel yet and is still trying to send traffic over a tunnel it thinks is still established. So your router is receiving packets that fit the form of an established tunnel, but it doesn't have that tunnel established.

I wouldn't care too much about it, unless it's indicating your tunnels are taking too long to recover when they need to reform (whether they were cleared, dropped, etc). Then you could consider some high availability options, IP SLA, GRE over IPSEC with an IGP, or something of that nature.
  • 0

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users