IPSEC tunnel works C887VA to Palo Alto, got IPSEC SA, but not ISAKMP SA?

aleksa
Level 1

Hi all,

got just a bit confused:

Got a working tunnel, it doesn't drop a single ping after days of inactivity.

In other words, the tunnel didn't seem to establish at the time of the ping; it seemed it was up already.

On the Cisco router, I don't have an ISAKMP SA, only an IPSEC SA.

On Palo Alto, I do have IKEv2 SA.

Is this OK?

Any thoughts?

Thanks!

Alex

1 Reply

Rahul Govindan
VIP Alumni

It's OK to have just the IPsec SA. Your traffic just needs the IPsec SA to be up. One possible reason why you have just the IPsec SA is that the ISAKMP rekey might have failed and the existing SA might have expired. If this is happening every time, you might want to check the logs on both sides during the time of rekey.