
ASA ipsec SA has not been recreated

Level 1


I hope someone has met this issue and found a solution.

We have two sites with an ASA 5520 in each. We use ipsec l2l between the sites. My problem is that after upgrading to 8.2 an interesting and pesky problem arose. After the SA expires it remains active on the appliances and no new SA is created. If I clear the ipsec SAs between the peers, everything starts working.

This is a snippet from the output of sh cryp ips sa:

    outbound esp sas:
      spi: 0x4B9D1295 (1268585109)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1597440, crypto-map: vpls_map
         sa timing: remaining key lifetime (kB/sec): (0/232515)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

As we can see, the kB entry is 0. On the other device it is the same for the inbound SA.

After upgrading I turned on 'sysopt connection preserve-vpn-flows'. Maybe this could be the problem. Anyway, it seems to be a bug in my opinion. Has anyone met this problem?
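As an added example (not part of the thread), here is a small Python check that parses 'show crypto ipsec sa' output like the snippet above and flags ESP SAs whose remaining kB lifetime has reached 0 but which are still installed, which is the symptom described in this post. The sample output is constructed from the outbound SA quoted above; the inbound SA and its SPI are invented for illustration.

```python
import re

# Constructed sample modelled on the 'show crypto ipsec sa' snippet in the post.
# The outbound SA is the one quoted above; the inbound SA is invented.
SAMPLE_OUTPUT = """\
outbound esp sas:
  spi: 0x4B9D1295 (1268585109)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, PFS Group 2, }
     slot: 0, conn_id: 1597440, crypto-map: vpls_map
     sa timing: remaining key lifetime (kB/sec): (0/232515)
     IV size: 8 bytes
     replay detection support: Y
inbound esp sas:
  spi: 0x1A2B3C4D (439041101)
     transform: esp-3des esp-sha-hmac no compression
     sa timing: remaining key lifetime (kB/sec): (4373920/232515)
"""

SA_HEADER = re.compile(r"^(inbound|outbound) esp sas:")
SPI_LINE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
TIMING_LINE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_esp_sas(text):
    """Return one dict per ESP SA: direction, spi, kb_left, sec_left."""
    sas, direction, current = [], None, None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            direction = m.group(1)  # the header applies to all SAs that follow it
            continue
        m = SPI_LINE.match(line)
        if m:
            current = {"direction": direction, "spi": m.group(1),
                       "kb_left": None, "sec_left": None}
            sas.append(current)
            continue
        m = TIMING_LINE.search(line)
        if m and current is not None:
            current["kb_left"] = int(m.group(1))
            current["sec_left"] = int(m.group(2))
    return sas


def stuck_sas(text):
    """SAs with an exhausted kB lifetime that are still installed. With a healthy
    rekey the replacement SA should already be in place, so these deserve a look."""
    return [sa for sa in parse_esp_sas(text) if sa["kb_left"] == 0]
```

Feed the script the full command output from both peers; an SA that shows up here on one side for outbound and on the other side for inbound matches the pattern reported in this thread.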


2 Replies

Level 6

Initiate a ping, and only then would the IPSec SA between the inside hosts be created.

Please make sure you are hitting this bug: CSCsu58733 "L2TP IPSec ASA send ESP packet with using old SA pair".

There was intensive traffic in the meantime, so a new SA should have been created. Now I tried turning off sysopt connection preserve-vpn-flows and it seems the problem went away. Maybe it is a bug related to this feature.
