IPSec VPN - Duplicate isakmp sa sessions causing issues
Hi, I'm currently having some issues with an IPsec tunnel that came out of nowhere. Here's the situation: if my side initiates the IKE negotiation, multiple ISAKMP SAs are created. If the other side initiates, multiple ISAKMP SAs get created as well, but if they keep clearing the ISAKMP connection, the tunnel becomes stable and only 1 ISAKMP SA is active. If my side tries to rekey, it will break the tunnel again.
Here's how it looks from a show crypto isakmp sa:
A.A.A.A is my peer
B.B.B.B is the remote peer
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A         B.B.B.B         QM_IDLE          89350 ACTIVE
B.B.B.B         A.A.A.A         QM_IDLE          89201 ACTIVE
As I said previously, if they bounce the tunnel multiple times, this will clear out and only 1 ISAKMP SA will appear active, and then they will rekey to keep the tunnel alive.
I've checked all the encryption/authentication/hashing/etc. and I've made sure that the "interesting" traffic ACLs match perfectly. When it is in this state, phase 2 appears to be up and running; I have valid SPIs.
We have a lot of other VPN tunnels connected to this peer, and they do not have any issues. This issue came up out of nowhere, and this tunnel was active for quite some time before this happened. Does anyone know why there would be multiple ISAKMP SAs associated with this peer?
Usually what causes this is not a config mismatch; it could be due to many factors. Let me present some of them, and you can see which might be the issue:
1. Both peers try to initiate the phase 1 SA, and that's where the 2 ISAKMP SAs are created. Here one of the routers should send a "delete" to the other to remove the duplicate entry, but sometimes they send the delete and the SA is not removed until the lifetime expires, which causes disruption. Below is a bug reference:
Duplicated ipsec sa does not fully delete isakmp sa
2. Also, having many L2Ls where by mistake 2 of them have the same ACL entry, for example:
crypto map CRYPTO 10 ipsec-isakmp
 description "site to site 1"
 set peer XX.XX.XX.XX
 set transform-set trans1
 match address 150
crypto map CRYPTO 30 ipsec-isakmp
 description "site to site 2"
 set peer YY.YY.YY.YY
 set transform-set trans2
 match address 180
access-list 150 permit ip host 172.24.3.5 host 172.22.83.149   ##### Delete this entry!
!
access-list 180 permit ip host 172.24.3.5 host 172.22.83.149
This can cause a behavior where there is confusion and it triggers another SA, whether on the first site-to-site or the second one, depending on which one came up first.
3. Now, I have seen this issue be sometimes random, where changing the PSK on both sides makes it work just fine, or clearing the IKE sessions makes it work just fine. Below are the commands:
clear crypto session remote
You could probably also use the command
clear crypto isakmp
Then check the results:
show crypto isakmp sa
Keep me posted, please qualify all of the helpful answers!
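To check both conditions from the reply above across many tunnels at once, here is an added Python example (not from this thread or from Cisco): it parses a constructed `show crypto isakmp sa` output and a constructed crypto map/ACL snippet, flagging peer pairs with more than one ACTIVE ISAKMP SA (dst/src swapped counts as the same tunnel) and ACL entries that are referenced by more than one crypto map sequence.

```python
import re
from collections import defaultdict

# Constructed sample output, modelled on the post (A.A.A.A = local peer).
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A         B.B.B.B         QM_IDLE          89350 ACTIVE
B.B.B.B         A.A.A.A         QM_IDLE          89201 ACTIVE
C.C.C.C         A.A.A.A         QM_IDLE          89100 ACTIVE
"""
# Constructed config carrying the duplicated ACL entry from point 2.
CRYPTO_CONFIG = """\
crypto map CRYPTO 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 match address 150
crypto map CRYPTO 30 ipsec-isakmp
 set peer YY.YY.YY.YY
 match address 180
access-list 150 permit ip host 172.24.3.5 host 172.22.83.149
access-list 180 permit ip host 172.24.3.5 host 172.22.83.149
"""

# dst, src, state, conn-id, status; header rows fail the \d+ conn-id check.
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def duplicate_isakmp_peers(output):
    """Peer pairs (order-independent) with >1 ACTIVE ISAKMP SA -> conn-ids."""
    by_pair = defaultdict(list)
    for line in output.splitlines():
        m = SA_LINE.match(line.strip())
        if m and m[5] == "ACTIVE":
            by_pair[frozenset((m[1], m[2]))].append(int(m[4]))
    return {tuple(sorted(p)): sorted(c) for p, c in by_pair.items() if len(c) > 1}

def overlapping_crypto_acls(config):
    """ACL entries used by more than one crypto map sequence -> sequences."""
    seq, acl_of_seq, entries = None, {}, defaultdict(set)
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            seq = f"{m[1]} {m[2]}"
        elif m := re.match(r"\s+match address (\S+)", line):
            acl_of_seq[seq] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (.+)", line):
            entries[m[1]].add(m[2].strip())
    users = defaultdict(set)
    for s, acl in acl_of_seq.items():
        for entry in entries.get(acl, ()):
            users[entry].add(s)
    return {e: sorted(s) for e, s in users.items() if len(s) > 1}
```

Feed it the real outputs of `show crypto isakmp sa` and `show running-config` and any non-empty result points at a crossed-SA peer or a crypto map ACL overlap worth fixing first.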