VPN Aggressive Mode

SamBizimungu
We have a Cisco 3845 router which terminates more than 80 VPN site-to-site tunnels all the time. However, as all peer routers are configured to use "Main mode" authorization to connect to this core router, I've disabled aggressive mode on this Cisco 3845 by using this command: "crypto isakmp aggressive-mode disable". So, from then on I assumed it would no longer respond to any aggressive mode requests from anyone out there on the internet, and everything continued working fine. BUT, we have lots of notice log messages from this router. Here is the error message: "CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled".
So, we are getting more than 300 messages every hour! I need to stop this ASAP as it is filling up our log server space. Is there any way to get around this without re-enabling aggressive mode, which I believe could be somehow a security hole?

Thanks in advance.
Commented:
Have you tried disabling VPN debugging output or IPsec errors?

You are correct about aggressive mode, it is a security vulnerability. Aggressive mode with PSK (pre-shared key) has been hacked using a program called PGPNet

Author

Commented:
NO. I will try that and see. That sounds like a plan! I will let you know.

Author

Commented:
Other than checking if there are any VPN debugs running and running "U all", I couldn't find any command to disable VPN debugging or IPsec error output. Is there any particular command that I need to run to stop this?

Commented:
As you are aware, "no debug all" or "undebug all" stops all debugging.
Do a "sh run" and look for commands that start with "logging list", i.e.

logging list IPSec_critical level critical class vpn  (this syntax may vary depending on the description of the class and the router IOS)

Another useful command is "sh logging"; it shows the buffered logs and should show the different types of logging and their severity.

Author

Commented:
That's what I meant by "U all" (undebug all). NO debugs are running and there is no logging list in the sh run output. Besides, we are running 12.4.19b IOS and it doesn't have the "logging list" command. I think I will try to upgrade the IOS this weekend (I had this plan anyway) and see how it goes. But any more ideas would be helpful.

Commented:
Are these errors going through the console, or to a syslog server?

Have you tried "no logging monitor alerts"? And "no logging console"?

Author

Commented:
They are going to a syslog server. Yes, both monitor/console logging are disabled.

Commented:
Have you tried to re-enable aggressive mode, reboot the router and then disable it again?
(just a thought, since debugging and logging are disabled)

Resolved. Changed the "trap facility" level to 4.
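The resolution above works because the router's "logging trap" level decides which severities are forwarded to the syslog server: CRYPTO-5-IKMP_AG_MODE_DISABLED is severity 5 (notifications), so a trap level of 4 (warnings) stops it from leaving the router. The script below is an added example, not code from the thread or from Cisco: it parses Cisco IOS syslog lines, simulates what a given trap level forwards and drops, and counts one mnemonic per hour to measure a flood like the 300-per-hour one described. The log lines in SAMPLE_LOG are constructed for the example (addresses from documentation ranges), not captured from the poster's router.

```python
import re
from collections import Counter

# Cisco IOS syslog severities (lower number = more severe). "logging trap N"
# forwards to the syslog server only messages whose severity is <= N.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# IOS message header: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Timestamp as written by "service timestamps log datetime msec"; the optional
# leading sequence number and the '*' (clock not authoritative) are skipped.
TS_RE = re.compile(
    r"^(?:\d+: )?\*?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2}"
)


def parse_line(line):
    """Split one IOS log line into severity, facility, mnemonic, text and an
    hour bucket; return None for lines that are not IOS system messages."""
    m = MSG_RE.search(line)
    if not m:
        return None
    t = TS_RE.match(line)
    hour = f"{t['mon']} {int(t['day']):02d} {t['hour']}:00" if t else "unknown"
    return {
        "severity": int(m["severity"]),
        "facility": m["facility"],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
        "hour": hour,
    }


def passes_trap(severity, trap_level):
    """True if a message of this severity reaches the syslog server under
    "logging trap <trap_level>" (inclusive: level 4 = warnings and worse)."""
    return severity <= trap_level


def simulate_trap(lines, trap_level):
    """Return two Counters, (forwarded, dropped), keyed by
    FACILITY-SEVERITY-MNEMONIC, for the given trap level."""
    forwarded, dropped = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = f"{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"
        bucket = forwarded if passes_trap(rec["severity"], trap_level) else dropped
        bucket[key] += 1
    return forwarded, dropped


def per_hour(lines, mnemonic):
    """Count how often one mnemonic appears per hour bucket, to size a flood
    like the one described in the thread."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["mnemonic"] == mnemonic:
            counts[rec["hour"]] += 1
    return counts


# Constructed sample lines for this example; they are not from the thread's router.
SAMPLE_LOG = [
    "000123: *Mar  3 14:05:17.101: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled",
    "000124: *Mar  3 14:05:19.330: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled",
    "000125: *Mar  3 14:07:02.004: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7",
    "000126: *Mar  3 15:12:44.871: %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled",
    "000127: *Mar  3 15:13:01.000: %LINK-3-UPDOWN: Interface Tunnel12, changed state to down",
    "000128: *Mar  3 15:20:09.512: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.50)",
]

if __name__ == "__main__":
    for level in (5, 4):
        fwd, drop = simulate_trap(SAMPLE_LOG, level)
        print(f"logging trap {level} ({SEVERITY_NAMES[level]}):")
        print("  forwarded:", dict(fwd))
        print("  dropped:  ", dict(drop))
    print("IKMP_AG_MODE_DISABLED per hour:", dict(per_hour(SAMPLE_LOG, "IKMP_AG_MODE_DISABLED")))
```

On the router the change the thread ends with is "logging trap 4" (equivalently "logging trap warnings"), and "show logging" will then report the trap level as warnings. The caveat the simulation makes visible: the trap level is a blanket cut, so every other severity-5 message stops reaching the syslog server too, including %SYS-5-CONFIG_I, the record of who changed the configuration. If those audit messages matter, keep the poster's plan of upgrading IOS in mind: later releases add "logging discriminator", which can drop a single mnemonic such as IKMP_AG_MODE_DISABLED while leaving the rest of the notifications level intact (check the command reference for your release).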
