Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1239
Views
25
Helpful
5
Replies

IKEv1 and IKEv2 session in ASDM Monitor?

Go to solution
david
Level 1
Level 1

‎10-25-2012 10:31 AM

Hi all, have a question.  I have a L2L tunnel setup between two ASA's (v8.4).  I used the wizard to set these up and selected the defaults of both IKEv1 and IKEv2, thinking that it would select one or the other.  The strange thing is that now I see a separate session between these ASA's, one for IKEv1 and one for IKEv2.  Both are passing traffic.  Is this expected behavior?  Should I disable IKEv1 to force only v2 since both are v8.4?

pic attached to help explain.

Labels:
Preview file
30 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Javier Portuguez

‎10-25-2012 01:25 PM 

If both versions are configured then two IKE tunnels will be established.

I'm not so sure this is expected behavior. On ASA tune tunnel manager should try first IKEv2 and if it fails try IKEv1.

There might be some concurrency problems in which one side would initiate IKEv1 while other does IKEv2.

It's something can we can investigate by debugging tunnel manager and both IKEs.

debug crypto ike-common 5
debug crypto ....

I think you might want to open a TAC case so we can check this out thoroughly.

View solution in original post

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Marcin Latosiewicz

‎10-25-2012 01:36 PM

Marcin,

I believe I have seen this in a previous situation. I agree with you about the concurrency problems and a TAC case would probably be the best way to go.

Thanks for the input mate, 5 stars!

View solution in original post

5 Replies 5

Go to solution
Javier Portuguez
Level 9
Level 9

‎10-25-2012 11:07 AM

Hi David,

If both versions are configured then two IKE tunnels will be established.

I suggest to disable IKEv1 and only maintain IKEv2.

HTH.

Portu.

Please rate any helpful posts.

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Javier Portuguez

‎10-25-2012 01:25 PM 

If both versions are configured then two IKE tunnels will be established.

I'm not so sure this is expected behavior. On ASA tune tunnel manager should try first IKEv2 and if it fails try IKEv1.

There might be some concurrency problems in which one side would initiate IKEv1 while other does IKEv2.

It's something can we can investigate by debugging tunnel manager and both IKEs.

debug crypto ike-common 5
debug crypto ....

I think you might want to open a TAC case so we can check this out thoroughly.

Go to solution
Javier Portuguez
Level 9
Level 9
In response to Marcin Latosiewicz

‎10-25-2012 01:36 PM

Marcin,

I believe I have seen this in a previous situation. I agree with you about the concurrency problems and a TAC case would probably be the best way to go.

Thanks for the input mate, 5 stars!

Go to solution
david
Level 1
Level 1
In response to Javier Portuguez

‎10-26-2012 06:49 AM

Thanks All, I disabled IKEv1 on the remote ASA and that removed the redundant tunnels.  All seems well now.

Go to solution
Javier Portuguez
Level 9
Level 9
In response to david

‎10-26-2012 06:59 AM

Sweet

Thanks for sharing the fix.

Have a nice weekend!

Customers Also Viewed These Support Documents