
IKEv1 and IKEv2 session in ASDM Monitor?

david
Level 1

Hi all, have a question. I have an L2L tunnel set up between two ASAs (v8.4). I used the wizard to set these up and selected the defaults of both IKEv1 and IKEv2, thinking that it would select one or the other. The strange thing is that now I see a separate session between these ASAs, one for IKEv1 and one for IKEv2. Both are passing traffic. Is this expected behavior? Should I disable IKEv1 to force only v2 since both are v8.4?

Pic attached to help explain.

5 Replies

Hi David,

If both versions are configured then two IKE tunnels will be established.

I suggest disabling IKEv1 and only maintaining IKEv2.

HTH.

Portu.

Please rate any helpful posts.

If both versions are configured then two IKE tunnels will be established.

I'm not so sure this is expected behavior. On ASA the tunnel manager should try IKEv2 first and, if it fails, try IKEv1.

There might be some concurrency problems in which one side would initiate IKEv1 while the other does IKEv2.

It's something we can investigate by debugging tunnel manager and both IKEs.

debug crypto ike-common 5

debug crypto ....

I think you might want to open a TAC case so we can check this out thoroughly.

Marcin,

I believe I have seen this in a previous situation. I agree with you about the concurrency problems and a TAC case would probably be the best way to go.

Thanks for the input mate, 5 stars!

Thanks all, I disabled IKEv1 on the remote ASA and that removed the redundant tunnels. All seems well now.

Sweet

Thanks for sharing the fix.

Have a nice weekend!
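
Added example, not part of the original thread or any poster's code: a small config audit that flags crypto map entries offering both IKEv1 and IKEv2 to the same peer, the setup the wizard defaults produced here. It assumes ASA 8.4-style `crypto map ... set ikev1 transform-set` / `set ikev2 ipsec-proposal` syntax; the sample config, names and addresses are constructed, and `audit_ike_versions` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample of an ASA 8.4-style running-config fragment (not from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.0.2.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 2 set peer 198.51.100.20
crypto map outside_map 2 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
crypto ikev2 enable outside
crypto ikev1 enable outside
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|ikev1 transform-set|ikev2 ipsec-proposal) (.+)$")
ENABLE_RE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)")

def audit_ike_versions(config):
    """Return (crypto map entries offering both IKE versions, IKE versions enabled per interface)."""
    entries = defaultdict(lambda: {"peers": [], "versions": set()})
    enabled = defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        m = MAP_RE.match(line)
        if m:
            name, seq, key, value = m.groups()
            entry = entries[(name, int(seq))]
            if key == "peer":
                entry["peers"].extend(value.split())   # a map entry may list several peers
            else:
                entry["versions"].add(key.split()[0])  # "ikev1" or "ikev2"
            continue
        m = ENABLE_RE.match(line)
        if m:
            enabled[m.group(2)].add(m.group(1))
    dual = [
        {"map": name, "seq": seq, "peers": e["peers"]}
        for (name, seq), e in sorted(entries.items())
        if e["versions"] == {"ikev1", "ikev2"}
    ]
    return dual, {iface: sorted(v) for iface, v in enabled.items()}

if __name__ == "__main__":
    dual, enabled = audit_ike_versions(SAMPLE_CONFIG)
    for d in dual:
        print(f"{d['map']} {d['seq']} peers={d['peers']}: both IKEv1 and IKEv2 configured")
    print("IKE enabled per interface:", enabled)
```

Run against both peers' configs: an entry reported here on either side is a candidate for pinning to IKEv2 only, as the original poster ended up doing.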