08-11-2009 11:18 PM - edited 03-11-2019 09:05 AM
Hello,
I hope someone has met this issue and found a solution.
We have two sites with an ASA 5520 in each. We use IPsec L2L between the sites. My problem is that after upgrading to 8.2 an interesting and pesky problem arose. After the SA expires it remains active on the appliances and no new SA is created. If I clear the IPsec SAs between the peers, everything starts working.
This is a snippet from the sh cryp ips sa:
outbound esp sas:
spi: 0x4B9D1295 (1268585109)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1597440, crypto-map: vpls_map
sa timing: remaining key lifetime (kB/sec): (0/232515)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
As we can see, the kB entry is 0. On the other device this is the same for inbound.
After upgrading I turned on 'sysopt connection preserve-vpn-flows'. Maybe this could be the problem. Anyway it seems to be a bug in my opinion. Has anyone met this problem?
Thanks!!!
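The symptom in the post is visible in the SADB itself: an ESP SA whose remaining volume lifetime has reached 0 kB but which is still the active SA, with no replacement SPI next to it. The following check is an added example (not code from the thread or from Cisco): it parses `show crypto ipsec sa` text and reports SAs whose kB lifetime has run out. The sample output is constructed from the snippet above; the inbound SA's SPI and lifetime values are assumed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the 'show crypto ipsec sa' excerpt in the post.
# The outbound SA is the one from the post; the inbound SA values are assumed.
SAMPLE_OUTPUT = """\
inbound esp sas:
  spi: 0x1A2B3C4D (439041101)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, PFS Group 2, }
     slot: 0, conn_id: 1597440, crypto-map: vpls_map
     sa timing: remaining key lifetime (kB/sec): (4274999/3210)
     IV size: 8 bytes
     replay detection support: Y
outbound esp sas:
  spi: 0x4B9D1295 (1268585109)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, PFS Group 2, }
     slot: 0, conn_id: 1597440, crypto-map: vpls_map
     sa timing: remaining key lifetime (kB/sec): (0/232515)
     IV size: 8 bytes
     replay detection support: Y
"""

DIRECTION_RE = re.compile(r"^(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
LIFETIME_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")
MAP_RE = re.compile(r"crypto-map: (\S+)")


def parse_esp_sas(output: str) -> List[Dict]:
    """Walk the 'inbound/outbound esp sas:' sections and return one record per SPI."""
    sas: List[Dict] = []
    direction: Optional[str] = None
    current: Optional[Dict] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = DIRECTION_RE.match(line)
        if m:
            # A new section: every following 'spi:' line belongs to this direction.
            direction = m.group(1)
            current = None
            continue
        m = SPI_RE.match(line)
        if m:
            current = {
                "direction": direction,
                "spi": m.group(1),
                "kb_left": None,
                "sec_left": None,
                "crypto_map": None,
            }
            sas.append(current)
            continue
        if current is None:
            continue
        m = LIFETIME_RE.search(line)
        if m:
            current["kb_left"] = int(m.group(1))
            current["sec_left"] = int(m.group(2))
            continue
        m = MAP_RE.search(line)
        if m:
            current["crypto_map"] = m.group(1)
    return sas


def find_exhausted_sas(sas: List[Dict], kb_threshold: int = 0) -> List[Dict]:
    """SAs whose volume lifetime is used up but which are still installed.

    With working rekeying a fresh SPI appears before the old one hits zero,
    so an SA sitting at 0 kB with time still on the clock is the stuck case
    described in the post and is a candidate for 'clear ipsec sa'.
    """
    return [sa for sa in sas if sa["kb_left"] is not None and sa["kb_left"] <= kb_threshold]


if __name__ == "__main__":
    for sa in find_exhausted_sas(parse_esp_sas(SAMPLE_OUTPUT)):
        print(
            f"stale {sa['direction']} SA {sa['spi']} on crypto map {sa['crypto_map']}: "
            f"{sa['kb_left']} kB left, {sa['sec_left']} s remaining"
        )
```

Run it against `show crypto ipsec sa` output captured from both peers; the post reports the 0 kB SA as outbound on one ASA and inbound on the other, so a mismatch in which direction is stuck is itself a useful clue when comparing the two sides.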
08-18-2009 08:43 AM
Initiate a ping, and only then will the IPsec SA between inside hosts be created.
Please make sure you are hitting this bug: CSCsu58733, "L2TP IPSec ASA send ESP packet with using old SA pair".
08-18-2009 03:07 PM
There was intensive traffic in the meantime, so a new SA should have been created. Now I have tried turning off sysopt connection preserve-vpn-flows, and it seems the problem went away. Maybe it is a bug related to this feature.