Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
469
Views
0
Helpful
0
Replies

IPsec Duplicate Isakmp sa and duplicate IPsec SA?

Joebananas
Level 1
Level 1

‎07-29-2020 09:13 PM

Hi all, hopefully someone can provide some clarity on what is happening.

I have two routers, R1 and R2, tunneling to eachother R1 - R3 - R2

I am labbing some IPsec tunnels using Crypto maps, IPsec profiles, and VTI.

When I use a crypto MAP, I get a single isakmp SA and a single IPsec SA (outbound and inbound)

When I use IPsec profiles I end up seeing duplicate isakmp sa on each router with a single IPsec SA (inbound and outbound)

R1

dst             src             state          conn-id status
200.200.200.1   200.200.200.6   QM_IDLE           1030 ACTIVE
200.200.200.6   200.200.200.1   QM_IDLE           1031 ACTIVE

R2

dst             src             state          conn-id status
200.200.200.6   200.200.200.1   QM_IDLE           1031 ACTIVE
200.200.200.1   200.200.200.6   QM_IDLE           1030 ACTIVE

 

When I do IPsec using VTI, I see the same duplicate isakmp SA but I also see duplicate IPsec SA (2 inbound and 2 outbound)

I am clearing my crypto sessions in between each re configuration using clear crypto session.

Can anyone explain what is going on here? Thanks for any help

 

Attached are my running configs for the VTI configuration:

 

 

Labels:
Preview file
2 KB
Preview file
2 KB
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card