Hi,
We are facing issues with an IPsec S2S VPN between our 3rd party (10.100.26.96/27) and us (10.46.0.0/16). There is one branch site, 10.46.80.0/24, for which the 3rd party is seeing intermittent ICMP reachability from their end (10.100.26.96/27). Both subnets, 10.100.26.96/27 (theirs) and 10.46.0.0/16 (ours), are added to the encryption domain at our end (Cisco ASA) as well as at the 3rd party end (Checkpoint). We can see two SAs forming at our end: one for this problematic site (10.46.80.0/24) and another for all branch sites (10.46.0.0/16), see below.
1. First SA

    local ident (addr/mask/prot/port): (10.46.0.0/255.255.0.0/0/0)
    remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)

2. Other SA for the problematic site

    local ident (addr/mask/prot/port): (10.46.80.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)
We have checked all configurations on both firewalls and they are fine. Is there a way we can remove the second SA from the firewall? This issue is intermittent and the 3rd party doesn't always face it.
Can you please advise how we can resolve this issue and delete this unwanted SA from the Cisco ASA for this problematic site?
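The two SAs quoted above have the same remote selector while one local selector (10.46.80.0/24) sits entirely inside the other (10.46.0.0/16). A quick way to confirm that nesting across a larger "show crypto ipsec sa" dump is to parse the ident lines and look for selector pairs that are strict subsets of another pair. The following Python is an added example, not code from the original post or from Cisco; the sample text is constructed from the two SAs shown above and the parser assumes the ident lines appear as local/remote pairs in that order, as they do in the post.

```python
import ipaddress
import re

# Constructed sample, modelled on the two SA entries quoted in the post.
SAMPLE_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (10.46.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)
local ident (addr/mask/prot/port): (10.46.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.26.96/255.255.255.224/0/0)
"""

# Matches one ident line: side, address, netmask, protocol, port.
IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)\s*$"
)


def parse_sas(text):
    """Pair consecutive local/remote ident lines into SA selector records.

    Assumption (matches the post): each SA is printed as a local ident line
    followed by its remote ident line. Unrelated lines are ignored.
    """
    sas = []
    pending_local = None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if not m:
            continue
        side, addr, mask, proto, port = m.groups()
        # ipaddress accepts "addr/dotted-netmask"; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if side == "local":
            pending_local = net
        elif pending_local is not None:
            sas.append({
                "local": pending_local,
                "remote": net,
                "proto": int(proto),
                "port": int(port),
            })
            pending_local = None
    return sas


def find_nested_sas(sas):
    """Return (narrow, wide) pairs where narrow's selectors lie inside wide's.

    Two SAs with identical selectors are not reported; only a strictly
    more-specific pair nested in a broader one, with the same proto/port.
    """
    nested = []
    for narrow in sas:
        for wide in sas:
            if narrow is wide:
                continue
            same_selectors = (narrow["local"] == wide["local"]
                              and narrow["remote"] == wide["remote"])
            if (not same_selectors
                    and narrow["local"].subnet_of(wide["local"])
                    and narrow["remote"].subnet_of(wide["remote"])
                    and narrow["proto"] == wide["proto"]
                    and narrow["port"] == wide["port"]):
                nested.append((narrow, wide))
    return nested


if __name__ == "__main__":
    for narrow, wide in find_nested_sas(parse_sas(SAMPLE_SA_OUTPUT)):
        print(f"SA {narrow['local']} -> {narrow['remote']} is nested inside "
              f"SA {wide['local']} -> {wide['remote']}")
```

Running it on the sample reports the 10.46.80.0/24 SA as nested inside the 10.46.0.0/16 SA, which is the condition to explain: a narrower SA can only be negotiated if one side proposes that narrower selector, so the encryption-domain and crypto-ACL entries on both peers are where to compare next.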