IPSec VPN - Duplicate isakmp sa sessions causing issues

Hi, I'm currently having some issues with an IPsec tunnel that came out of nowhere. Here's the situation: if my side initiates the IKE negotiation, multiple ISAKMP SAs are created. If the other side initiates, multiple ISAKMP SAs get created as well, but if they keep clearing the ISAKMP connection, the tunnel becomes stable and only 1 ISAKMP SA is active. If my side tries to rekey, it will break the tunnel again.

Here's how it looks from a show crypto isakmp sa:

A.A.A.A is my peer
B.B.B.B is the remote peer

IPv4 Crypto ISAKMP SA
dst             src             state      conn-id  status
A.A.A.A         B.B.B.B         QM_IDLE    89350    ACTIVE
B.B.B.B         A.A.A.A         QM_IDLE    89201    ACTIVE

As I said previously, if they bounce the tunnel multiple times, this will clear out and only 1 ISAKMP SA will appear active, and then they will rekey to keep the tunnel alive.

I've checked all the encryption/authentication/hashing/etc. and I've made sure that the "interesting" traffic ACLs match perfectly. When it is in this state, phase 2 appears to be up and running, and I have valid SPIs.

We have a lot of other VPN tunnels connected to this peer, and they do not have any issues. This issue came up out of nowhere, and this tunnel was active for quite some time before this happened. Does anyone know why there would be multiple ISAKMP SAs associated with this peer?

Re: IPSec VPN - Duplicate isakmp sa sessions causing issues

Hello Babinyecz,

I hope you are doing great.

Usually what causes this is not a mismatch of the config; it could be due to many factors. Let me present you with some of them so you can see what might be the issue:

1. Both peers try to initiate the phase 1 SA, and that's where the 2 ISAKMP SAs are created. Here is where one of the routers should send a "delete" to the other to remove the duplicate entry, but sometimes they send the delete and the SA is not removed until the lifetime expires, which causes disruption. Below is a bug reference:

   Duplicated ipsec sa does not fully delete isakmp sa
   - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus96078/?rfs=iqvred

2. Also, having many L2Ls where by mistake 2 of them have the same ACL entry, for example:

crypto map CRYPTO 10 ipsec-isakmp
 description "site to site 1"
 set peer XX.XX.XX.XX
 set transform-set trans1
 match address 150
crypto map CRYPTO 30 ipsec-isakmp
 description "site to site 2"
 set peer YY.YY.YY.YY
 set transform-set trans2
 match address 180
!
access-list 150 permit ip host 172.24.3.5 host 172.22.83.149  ##### Delete this entry!
!
access-list 180 permit ip host 172.24.3.5 host 172.22.83.149

This can cause a behavior where there is confusion, and it triggers another SA, whether on the first site-to-site or the second one, depending on which one came up first.

3. Now, I have seen this issue be sometimes random, where changing the PSK on both sides makes it work just fine, or clearing the IKE sessions makes it work just fine. Below are the commands:

clear crypto session remote

You could probably also use the command

clear crypto isakmp

Then check the results:

show crypto isakmp sa

Keep me posted; please qualify all of the helpful answers!

Thanks,

David Castro,
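As an added example (not from the thread, not Cisco's tooling), a small Python check for point 2 of the reply: it parses the crypto map and access-list lines of an IOS config and reports any permit entry that is matched by more than one crypto map sequence, which is the overlap the reply says can trigger a second SA. The function names and the constructed config are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the reply's example (not from a live device):
# two crypto map sequences whose ACLs carry the same permit entry.
SAMPLE_CONFIG = """
crypto map CRYPTO 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set trans1
 match address 150
crypto map CRYPTO 30 ipsec-isakmp
 set peer YY.YY.YY.YY
 set transform-set trans2
 match address 180
access-list 150 permit ip host 172.24.3.5 host 172.22.83.149
access-list 180 permit ip host 172.24.3.5 host 172.22.83.149
"""

def crypto_map_acls(config):
    """Map each crypto map sequence ('NAME SEQ') to the ACL it matches."""
    acls, seq = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if head:
            seq = f"{head.group(1)} {head.group(2)}"
            continue
        match = re.match(r"\s+match address (\S+)", line)
        if match and seq:
            acls[seq] = match.group(1)
    return acls

def acl_entries(config):
    """Map each ACL number to its set of whitespace-normalized permit entries."""
    entries = defaultdict(set)
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (permit .*)", line.strip())
        if m:
            entries[m.group(1)].add(" ".join(m.group(2).split()))
    return entries

def overlapping_acl_entries(config):
    """Return {permit entry: [crypto map sequences]} for entries that more than
    one crypto map matches; each such entry is a candidate duplicate-SA source."""
    by_entry = defaultdict(list)
    entries = acl_entries(config)
    for seq, acl in crypto_map_acls(config).items():
        for entry in entries.get(acl, ()):
            by_entry[entry].append(seq)
    return {e: seqs for e, seqs in by_entry.items() if len(seqs) > 1}
```

Run `overlapping_acl_entries(SAMPLE_CONFIG)` to see the shared entry reported against both `CRYPTO 10` and `CRYPTO 30`; an empty dict means no crypto map shares an interesting-traffic entry with another.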