I have a hub-and-spoke architecture with IPSec VTI tunnels.
I noticed that on my routers I have duplicated ISAKMP security associations.
The result is as follows:
VPN-ROUTER1-TEST#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
C.C.C.C         A.A.A.A         QM_IDLE           2569 ACTIVE
B.B.B.B         A.A.A.A         QM_IDLE           2566 ACTIVE
A.A.A.A         B.B.B.B         QM_IDLE           2567 ACTIVE
D.D.D.D         A.A.A.A         QM_IDLE           2568 ACTIVE
My hub is configured as follows:
crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
 responder-only
If I run #sh cry ipsec sa count
I get:
IPsec SA total: 6, active: 6, rekeying: 0, unused: 0, invalid: 0
My questions are the following:
1) Is it a problem or normal behaviour?
2) I have 3 tunnels, but sh crypto ipsec shows 6 IPSec SAs total. As my router is licensed for 10 tunnels, how many tunnels can I add to my hub?
Thanks, Johnny