IOS to ASA VPN Creating Multiple ISAKMP SAs

Keith Nelson
Level 1

Hello. I'm running an IPSec VPN between a 5520 ASA and a 2811 router. The ASA has a static IP and the router has a DHCP interface.

The VPN seems to work fine once I get done clearing old SAs, but each new IPSec SA creates a new ISAKMP SA on the router? There are multiple subnets that need to create multiple IPSec SAs. Eventually I can clear the older ISAKMP SAs and get all the traffic on one ISAKMP SA, but until I clear older SAs, new associations won't form. Does anyone know why the router (initiator) would keep creating new ISAKMP SAs and not use an established one?

Using PSK, aggressive mode and no PFS. ASA has another dynamic crypto map with lower priority than this one. Using FQDN for identity on the router. Anyone seen this problem? ASA version 8.2(5) and IOS is 12.4(20)T1.

Must be something I'm not understanding. The ASA says no established SA and drops the new SA attempt until I clear older ISAKMP SAs out of the router. Interestingly, the first few IPSec SAs form when the tunnel initially comes up. I assume the initial requests are getting cached and work immediately after the first ISAKMP SA forms, but subsequent IPSec SA attempts will fail. Once all subnets are talking with 1 ISAKMP SA, rekeys don't cause any problems. Since the router subnets have to instantiate the new IPSec SAs, this is a real pain to go through anytime the WAN/VPN fails.

Thanks for any ideas,

Keith

1 Reply

cflory
Level 1

Keith,

Would you happen to have a snippet of your config on your router? Debugging logs from the router would help as well.

And perhaps a 'show crypto isakmp sa' and 'show crypto ipsec sa'

-Chris
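A check for the symptom Chris asks Keith to look at, as an added example that is not part of the thread: it parses IOS `show crypto isakmp sa` output and reports peers that hold more than one established (QM_IDLE) ISAKMP SA, which is the duplicate-SA condition Keith describes. The sample output and the addresses in it are constructed, not taken from Keith's router.

```python
import re
from collections import defaultdict

# Constructed sample of IOS "show crypto isakmp sa" output (not from the
# original post); addresses are documentation-range placeholders.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.20   QM_IDLE           1001 ACTIVE
203.0.113.10    198.51.100.20   QM_IDLE           1002 ACTIVE
203.0.113.10    198.51.100.20   QM_IDLE           1003 ACTIVE
203.0.113.11    198.51.100.20   QM_IDLE           1004 ACTIVE
203.0.113.10    198.51.100.20   MM_NO_STATE       1000 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One SA line: dst, src, phase-1 state, conn-id, then the status column.
SA_LINE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>.*)$"
)


def parse_isakmp_sa(text):
    """Return one dict per ISAKMP SA line; header and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sas.append(m.groupdict())
    return sas


def established_sas_per_peer(sas):
    """Count usable phase-1 SAs (QM_IDLE and plain ACTIVE) per (dst, src) pair.
    SAs still negotiating or marked '(deleted)' are not counted."""
    counts = defaultdict(int)
    for sa in sas:
        if sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE":
            counts[(sa["dst"], sa["src"])] += 1
    return dict(counts)


def duplicate_isakmp_peers(text):
    """Peers that hold more than one established ISAKMP SA."""
    counts = established_sas_per_peer(parse_isakmp_sa(text))
    return {peer: n for peer, n in counts.items() if n > 1}


if __name__ == "__main__":
    for (dst, src), n in duplicate_isakmp_peers(SAMPLE_OUTPUT).items():
        print(f"{src} -> {dst}: {n} established ISAKMP SAs (expected 1)")
```

Running the same parser over a capture taken after the manual clearing Keith describes should return an empty dict, which makes it a quick before/after check.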
