Deleting Security association (SA) forming at one end of firewall in IPSEC S2S VPN tunnel

bilaljmi786
Level 1

Hi,


We are facing issues wherein we have IPsec S2S VPN connectivity between our 3rd party (10.100.26.96/27) and us (10.46.0.0/16). There is one branch site, 10.46.80.0/24, and the 3rd party is facing intermittent ICMP reachability to it from their end (10.100.26.96/27). Both of these subnets, theirs (10.100.26.96/27) and ours (10.46.0.0/16), are added to the encryption domain at both ends: ours (Cisco ASA) as well as the 3rd party's (Check Point). We can see two SAs forming at our end, one for this problematic site (10.46.80.0/24) and the other for all branch sites (10.46.0.0/16); see below.


1. First SA


local ident (addr/mask/prot/port): (10.46.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)


2. Other SA for problematic site


local ident (addr/mask/prot/port): (10.46.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)


We have checked all configurations on both ends of the firewall and they are fine. Is there a way we can remove the second SA from the firewall? This issue is intermittent and the 3rd party doesn't always face it.


Can you please advise how we can resolve this issue and delete this unwanted SA from the Cisco ASA for this problematic site?

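Added example, not from the post or any reply: a small Python check that parses the two `local ident`/`remote ident` blocks quoted above (as copied from `show crypto ipsec sa` on the ASA), reports that the second SA's selectors are nested entirely inside the first's, and lists which SAs cover a given flow. The sample output and the test flow addresses are constructed from the subnets in the post.

```python
import ipaddress
import re

# Constructed sample: the two SA identity blocks quoted in the post, in the
# form they appear in "show crypto ipsec sa" output on the ASA.
SA_OUTPUT = """
local ident (addr/mask/prot/port): (10.46.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)
local ident (addr/mask/prot/port): (10.46.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")

def parse_sa_idents(text):
    """Pair each 'local ident' line with the 'remote ident' line that follows it.
    Returns a list of (local_net, remote_net) IPv4Network tuples, one per SA."""
    sas, local = [], None
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)  # addr + dotted mask
        if side == "local":
            local = net
        elif local is not None:
            sas.append((local, net))
            local = None
    return sas

def nested_selectors(sas):
    """Return (narrow, wide) index pairs where one SA's local and remote selectors
    both sit inside another SA's: every flow the narrow SA carries, the wide one also covers."""
    nested = []
    for i, (l1, r1) in enumerate(sas):
        for j, (l2, r2) in enumerate(sas):
            if i != j and (l1, r1) != (l2, r2) and l1.subnet_of(l2) and r1.subnet_of(r2):
                nested.append((i, j))
    return nested

def sas_covering(sas, src, dst):
    """Indexes of SAs whose local and remote selectors both cover a src->dst flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [i for i, (l, r) in enumerate(sas) if s in l and d in r]

if __name__ == "__main__":
    sas = parse_sa_idents(SA_OUTPUT)
    for i, (l, r) in enumerate(sas):
        print(f"SA {i}: {l} <-> {r}")
    print("nested (narrow, wide):", nested_selectors(sas))                    # [(1, 0)]
    print("covering branch host:", sas_covering(sas, "10.46.80.10", "10.100.26.100"))  # [0, 1]
```

A flow from the problematic branch matches both SAs, while a host elsewhere in 10.46.0.0/16 matches only the /16 SA; that is the overlap to resolve in the encryption domains before trying to clear the narrower SA.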