IPSec VPN - Duplicate isakmp sa sessions causing issues
Hi, I'm currently having some issues with an ipsec tunnel that came out of nowhere. Here's the situation, if my side initiates the IKE negotiation, multiple isakmp sa's are created. If the other side initiates, multiple isakmp sa's get created as well, but if they keep clearing the isakmp connection, the tunnel becomes stable and only 1 isakmp sa is active. If my side tries to rekey, it will break the tunnel again.
Here's how it looks from a show crypto isakmp sa:
A.A.A.A is my peer
B.B.B.B is the remote peer
IPv4 Crypto ISAKMP SA
dst             src             state      conn-id status
A.A.A.A         B.B.B.B         QM_IDLE    89350   ACTIVE
B.B.B.B         A.A.A.A         QM_IDLE    89201   ACTIVE
As I said previously, if they bounce the tunnel multiple times, this will clear out and only 1 isakmp sa will appear active, and then they will rekey to keep the tunnel alive.
I've checked all the encryption/authentication/hashing/etc and I've made sure that the "interesting" traffic ACLs match perfectly. When it is in this state, phase 2 appears to be up and running, I have valid SPIs.
We have a lot of other VPN tunnels connected to this peer, and they do not have any issues. This issue came up out of nowhere, and this tunnel was active for quite some time before this happened. Does anyone know why there would be multiple isakmp sa's associated with this peer?
Re: IPSec VPN - Duplicate isakmp sa sessions causing issues
I hope you are doing great,
Usually what could cause this is not a mismatch of the config, it could be due to many factors, let me present you with some of them and you can see what might be the issue:
1. Both peers try to initiate the phase 1 SA, and that's where the 2 ISAKMP SAs are created. This is where one of the routers should send a "delete" to the other to remove the duplicate entry, but sometimes they send the delete and the SA is not removed until the lifetime expires, and this causes disruption. Below is a bug reference:
Duplicated ipsec sa does not fully delete isakmp sa
2. Also, having many L2Ls where by mistake 2 of them have the same ACL entry, for example:
crypto map CRYPTO 10 ipsec-isakmp
 description "site to site 1"
 set peer XX.XX.XX.XX
 set transform-set trans1
 match address 150
crypto map CRYPTO 30 ipsec-isakmp
 description "site to site 2"
 set peer YY.YY.YY.YY
 set transform-set trans2
 match address 180

access-list 150 permit ip host 172.24.3.5 host 172.22.83.149   ##### Delete this entry!
!
access-list 180 permit ip host 172.24.3.5 host 172.22.83.149
This can cause a behavior where there is confusion, and it triggers another SA on either the first site-to-site or the second one, depending on which one came up first.
3. Now, I have seen this issue be sometimes random, where changing the PSK on both sides would make it work just fine, or clearing the IKE sessions makes it work just fine. Below are the commands:
clear crypto session remote
You could probably also use command
clear crypto isakmp
Then check the results
show crypto isakmp sa
Keep me posted, please qualify all of the helpful answers!
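As an added example that is not part of this thread and not a Cisco tool, the script below checks for the two conditions discussed above: more than one active ISAKMP SA for the same peer (whichever side initiated, so the dst/src columns are normalised against the local address), and two crypto map entries whose crypto ACLs match the same host pair. The show output and config embedded in it are constructed samples; documentation addresses stand in for A.A.A.A, B.B.B.B, XX.XX.XX.XX and YY.YY.YY.YY, and the conn-ids and 172.x host pair are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `show crypto isakmp sa` output. 192.0.2.10 plays the role of
# the local peer (A.A.A.A), 198.51.100.20 the remote peer (B.B.B.B), plus one healthy peer.
SAMPLE_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.10      198.51.100.20   QM_IDLE        89350   ACTIVE
198.51.100.20   192.0.2.10      QM_IDLE        89201   ACTIVE
203.0.113.5     192.0.2.10      QM_IDLE        88012   ACTIVE
"""

# Constructed config modelled on the reply's example: two map entries, two ACLs, one shared host pair.
SAMPLE_CONFIG = """\
crypto map CRYPTO 10 ipsec-isakmp
 description "site to site 1"
 set peer 198.51.100.20
 set transform-set trans1
 match address 150
crypto map CRYPTO 30 ipsec-isakmp
 description "site to site 2"
 set peer 203.0.113.5
 set transform-set trans2
 match address 180
access-list 150 permit ip host 172.24.3.5 host 172.22.83.149
access-list 180 permit ip host 172.24.3.5 host 172.22.83.149
"""

# One SA row: dst src state conn-id status (the header line has no numeric conn-id, so it never matches)
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row found in `show crypto isakmp sa` output."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "status": status})
    return rows


def find_duplicate_sas(rows, local_ip):
    """Group ACTIVE SAs by remote peer regardless of initiator; return peers holding more than one."""
    by_peer = defaultdict(list)
    for r in rows:
        if r["status"] != "ACTIVE":
            continue
        # The remote peer is whichever column is not our own address.
        peer = r["src"] if r["dst"] == local_ip else r["dst"]
        by_peer[peer].append(r["conn_id"])
    return {peer: ids for peer, ids in by_peer.items() if len(ids) > 1}


def parse_crypto_acls(config):
    """Map ACL number -> set of (src_host, dst_host) from `access-list N permit ip host X host Y` lines."""
    acls = defaultdict(set)
    for m in re.finditer(r"access-list\s+(\d+)\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)", config):
        acls[m.group(1)].add((m.group(2), m.group(3)))
    return acls


def parse_crypto_map(config):
    """Map (map_name, seq) -> {"peer": ..., "acl": ...} from `crypto map ... ipsec-isakmp` blocks."""
    entries, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = {"peer": None, "acl": None}
            continue
        if current is None:
            continue
        m = re.match(r"set peer (\S+)", line)
        if m:
            entries[current]["peer"] = m.group(1)
        m = re.match(r"match address (\S+)", line)
        if m:
            entries[current]["acl"] = m.group(1)
    return entries


def find_overlapping_crypto_acls(config):
    """Return (entry_a, entry_b, host_pair) for every host pair matched by two different map entries."""
    acls, cmap = parse_crypto_acls(config), parse_crypto_map(config)
    items = sorted(cmap.items())
    overlaps = []
    for i, (key_a, val_a) in enumerate(items):
        for key_b, val_b in items[i + 1:]:
            shared = acls.get(val_a["acl"], set()) & acls.get(val_b["acl"], set())
            overlaps.extend((key_a, key_b, flow) for flow in sorted(shared))
    return overlaps


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE_SA_OUTPUT)
    for peer, ids in find_duplicate_sas(rows, "192.0.2.10").items():
        print(f"peer {peer} has {len(ids)} active ISAKMP SAs: conn-ids {ids}")
    for a, b, flow in find_overlapping_crypto_acls(SAMPLE_CONFIG):
        print(f"crypto map {a[0]} {a[1]} and {b[0]} {b[1]} both match {flow[0]} -> {flow[1]}")
```

Feed it the real `show crypto isakmp sa` and `show running-config` text (for example saved from a terminal session) and your own outside address in place of 192.0.2.10; a peer reported by `find_duplicate_sas` is the symptom from the first post, and any hit from `find_overlapping_crypto_acls` is the misconfiguration described in point 2 of the reply. The ACL parser only handles `permit ip host X host Y` lines, so wildcard-mask entries would need an extension before the overlap check is meaningful for them.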