August 5, 2008
Posted by bcarroll
Hit a Wall- EasyVPN problems
Anyone know what this means?
r3#cry ipsec client ezvpn connect
r3#
*Mar 2 03:50:02.867: %CRYPTO-4-IKMP_NO_SA: IKE message from
136.8.113.11 has no SA and is not an initialization offer
I have no idea what's going on.
It's a VPN from the R3 seen here to a 3000 series concentrator. IKEDBG on the concentrator says IKE is successful. I think it's the IPsec SA but not sure. I guess I'll put some fresh eyes on it tomorrow.


3 Comments
August 6, 2008
Just a shot in the dark, but it could be that the local and remote peers had an ISAKMP SA established at one point and the local peer tore it down uncleanly for whatever reason. The remote peer, thinking it still has an active SA, continues to send ISAKMP traffic to the local peer. So when the local peer receives an ISAKMP packet even though it doesn’t currently have an SA with that peer, it goes “WTF, mate?” and drops it.
August 6, 2008
@stretch Thanks for that stretch. I’m gonna jump back on the racks as soon as I get into the office and see what goes. It's weird that an IKEDBG shows phase 1 looking ok but absolutely NOTHING for phase 2.
August 6, 2008
Stretch is on the right track afaik. If it hasn’t cleared itself by the time you get back to it you may want to shut the tunnels, clear crypto, wait a few and open the tunnels back up. Usually does the trick…
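Added example, not part of the original post or its comments: a log triage sketch that groups %CRYPTO-4-IKMP_NO_SA messages by peer, so a remote end that keeps sending on an SA the local router no longer holds (the situation the first comment describes) stands out from a one-off stray packet. The function names, the threshold of 3 and every sample record except the one quoted in the post are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The message quoted in the post. \s+ also matches a newline, so a record
# wrapped by a terminal or paste still matches.
NO_SA = re.compile(
    r"(\w{3}\s+\d+\s+[\d:.]+):\s+%CRYPTO-4-IKMP_NO_SA:\s+IKE\s+message\s+from\s+"
    r"(\S+)\s+has\s+no\s+SA"
)

def no_sa_by_peer(log_text):
    """Map peer IP -> list of timestamps of IKMP_NO_SA messages, in log order."""
    seen = defaultdict(list)
    for stamp, peer in NO_SA.findall(log_text):
        try:
            peer = str(ipaddress.ip_address(peer))
        except ValueError:
            continue  # garbled address field: skip the record
        seen[peer].append(" ".join(stamp.split()))
    return dict(seen)

def stale_sa_suspects(log_text, threshold=3):
    """Peers that sent at least `threshold` no-SA messages: (count, first, last).

    The threshold is an assumption; a single message can be a stray packet.
    """
    return {
        peer: (len(stamps), stamps[0], stamps[-1])
        for peer, stamps in no_sa_by_peer(log_text).items()
        if len(stamps) >= threshold
    }

# Constructed sample. Only the first record and its peer address come from the post.
SAMPLE = """\
*Mar 2 03:50:02.867: %CRYPTO-4-IKMP_NO_SA: IKE message from
136.8.113.11 has no SA and is not an initialization offer
*Mar 2 03:50:12.871: %CRYPTO-4-IKMP_NO_SA: IKE message from 136.8.113.11 has no SA and is not an initialization offer
*Mar 2 03:50:15.102: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 2 03:50:19.440: %CRYPTO-4-IKMP_NO_SA: IKE message from 192.0.2.7 has no SA and is not an initialization offer
*Mar 2 03:50:22.875: %CRYPTO-4-IKMP_NO_SA: IKE message from 136.8.113.11 has no SA and is not an initialization offer
"""

if __name__ == "__main__":
    for peer, (count, first, last) in stale_sa_suspects(SAMPLE).items():
        print(f"{peer}: {count} no-SA messages between {first} and {last}")
```

A peer that shows up here repeatedly is the one to check for a leftover SA on its side before clearing and re-establishing the tunnel.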