SamBizimungu
asked on
VPN Aggressive Mode
We have a Cisco 3845 router which terminates more than 80 VPN site-to-site tunnels at all times. However, as all peer routers are configured to use the "Main mode" authorization to connect to this core router, I've disabled aggressive mode on this Cisco 3845 by using this command: "crypto isakmp aggressive-mode disable". So, from then on I assume that it is no longer responding to any aggressive mode requests from anyone out there on the internet, and everything continued working fine. BUT, we have lots of notice log messages from this router. Here is the error message: "CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled".
So, we are getting more than 300 messages every hour! I need to stop this ASAP as it is filling up our logserver space. Is there any way to get around this without re-enabling aggressive mode, which I believe could be somehow a security hole?
Thanks in advance.
ASKER
NO. I will try that and see. That sounds like a plan! I will let you know.
ASKER
Other than checking if there are any VPN debugs running and run "U all", I couldn't find any command to disable VPN debugging or IPSec error output. Is there any particular command that I need to run to stop this?
As you are aware, "no debug all" or "undebug all" stops all debugging.
Do a sh run and look for commands that start with logging list, i.e.
logging list IPSec_critical level critical class vpn (this syntax may vary depending on description of class and router IOS)
Another useful command is "sh logging", which shows buffered logs and should show different types of logging and severity.
ASKER
That's what I meant by "U all" (undebug all). NO debugs are running and there is no logging list listed in sh run output. Besides, we are running 12.4.19b IOS and it doesn't have the "logging list" command. I think I will try to upgrade IOS this weekend (I had this plan anyway) and see how it goes. But any more ideas would be helpful.
are these errors going thru the console, or to a syslog server?
have you tried the no logging monitor alerts? and "no logging console"?
ASKER
They are going to a syslog server. Yes, both monitor/console logs are disabled.
have you tried to re-enable aggressive mode, reboot router and try to disable?
(just a thought, since debugging and logging disabled)
ASKER CERTIFIED SOLUTION
You are correct about aggressive mode, it is a security vulnerability. Aggressive mode with PSK (pre-shared key) has been hacked using a program called PGPNet
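
For the log-volume problem raised in the question, one option that leaves aggressive mode disabled is to collapse the repeated notice on the syslog server into an hourly count per router. The following is an added example, not code from this thread; the log line layout, the host name `core-3845` and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Message mnemonic quoted in the question.
MNEMONIC = "CRYPTO-5-IKMP_AG_MODE_DISABLED"

# Assumed layout written by the syslog server: "Mon DD HH:MM:SS host message".
# Group 1 is the date plus hour, used as the bucket for counting.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d{2}):\d{2}:\d{2} (\S+) (.*)$")

def collapse(lines):
    """Drop every aggressive-mode notice and append one summary line per
    (hour, host) bucket. Returns (kept_lines, counts)."""
    kept, counts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and MNEMONIC in m.group(3):
            counts[(m.group(1), m.group(2))] += 1   # suppressed, but counted
        else:
            kept.append(line)                       # unrelated or unparsable: keep
    for (hour, host), n in sorted(counts.items()):
        kept.append(f"{hour}:00:00 {host} summary: %{MNEMONIC} seen {n} time(s) this hour")
    return kept, counts

# Constructed sample input (not real logs).
SAMPLE = [
    "Mar  3 10:15:02 core-3845 %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled",
    "Mar  3 10:15:09 core-3845 %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled",
    "Mar  3 10:20:41 core-3845 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Mar  3 11:02:17 core-3845 %CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled",
]

if __name__ == "__main__":
    kept, _ = collapse(SAMPLE)
    print("\n".join(kept))
```

The hourly count keeps the rate of rejected aggressive-mode attempts visible for review while removing the per-message storage cost.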