
Wednesday 23 December 2015

%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled


I don't understand why it has to be me every time who runs into weird issues like this:

I have a router and I disabled aggressive mode (AM) using the command: crypto isakmp aggressive-mode disable

Well, then I see these logging messages and they don't stop:

"%CRYPTO-5-IKMP_AG_MODE_DISABLED: Unable to initiate or respond to Aggressive Mode while disabled"


I was just looking to see if there is a way I can disable this message. Then I found this information:



The router checks for aggressive mode when initiating or responding to IKE requests. If you are getting this message, it means that some unauthorized remote peer keeps trying to initiate IPsec to this router. You can use an interface access-list to block these addresses. 'show crypto isakmp sa' will show you the incomplete sessions for such traffic, from which the IP address can be obtained.
 
You could also use the "logging discriminator" feature, available since 12.4(11). You should be able to use it to drop these messages in the logging buffer as well as on the syslog server. Here is an example (not tested) for buffer logging:
 
1) Configure a discriminator:
                    logging discriminator IKMP-AG mnemonics drops IKMP_AG_MODE_DISABLED
2) Apply it to the logging buffer:
                    logging buffered discriminator IKMP-AG 4096
 
"logging buffered discriminator IKMP-AG 4096" sets the logging buffer size to 4096, which may not be what you want. Use the value currently configured on your router and add the discriminator to that line. To see the current setting:
 
        show run | i logging buffered
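
For the access-list approach mentioned above, here is an added example (not part of the original post) that pulls the remote addresses of incomplete sessions out of 'show crypto isakmp sa' output and builds the matching deny entries. The sample output is constructed and the column layout (dst, src, state, conn-id, status) is an assumption, as are the function names and the allowlist of known peers.

```python
import ipaddress

# Constructed sample of 'show crypto isakmp sa' output (assumed IOS column layout).
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.7    MM_NO_STATE          0 ACTIVE (deleted)
192.0.2.1       203.0.113.20    QM_IDLE           1004 ACTIVE
198.51.100.9    192.0.2.1       MM_KEY_EXCH       1005 ACTIVE
192.0.2.1       198.51.100.7    AG_NO_STATE          0 ACTIVE (deleted)
192.0.2.1       198.51.100.44   AG_NO_STATE          0 ACTIVE
"""

ESTABLISHED = {"QM_IDLE"}  # Phase 1 complete; every other state is treated as incomplete


def incomplete_peers(output, local_ip, known_peers=()):
    """Return remote IPs with incomplete ISAKMP sessions, in first-seen order."""
    local = ipaddress.ip_address(local_ip)
    trusted = {ipaddress.ip_address(p) for p in known_peers}
    found = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            dst, src = ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # header or banner line, not a session row
        if fields[2] in ESTABLISHED:
            continue
        # The router's own address can sit in either column; the peer is the other one.
        remote = src if dst == local else dst
        if remote == local or remote in trusted or remote in found:
            continue  # skip self, legitimate peers mid-negotiation, and duplicates
        found.append(remote)
    return [str(ip) for ip in found]


def acl_deny_lines(peers):
    """Build deny entries for IKE (UDP 500) and NAT-T (UDP 4500) for each peer."""
    lines = []
    for ip in peers:
        lines.append(f"deny udp host {ip} any eq isakmp")
        lines.append(f"deny udp host {ip} any eq non500-isakmp")
    return lines


if __name__ == "__main__":
    peers = incomplete_peers(SAMPLE, "192.0.2.1", known_peers=["198.51.100.9"])
    print("\n".join(acl_deny_lines(peers)))
```

Place the generated entries ahead of the permit statements in the ACL already applied inbound on the outside interface; an ACL containing only these deny lines would block all other traffic through its implicit deny.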


