Hello
Has anyone come across this one before? I have moved a VPN IPsec peering from a Cisco ASA to a Check Point appliance and am getting some strange Phase 1 behaviour; it seems to be forming a lot of ISAKMP SAs, more than I would expect. The router is a Cisco 881 running: c880data-universalk9-mz.151-4.M4.bin
<cisco router>#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
Cisco local router cisco ASA MM_NO_STATE 0 ACTIVE (deleted)
Cisco local router cisco ASA MM_NO_STATE 0 ACTIVE (deleted)
Cisco local router Checkoint appliance QM_IDLE 2014 ACTIVE
Cisco local router Checkoint appliance QM_IDLE 2013 ACTIVE
Cisco local router Checkoint appliance QM_IDLE 2012 ACTIVE
Cisco local router Checkoint appliance QM_IDLE 2011 ACTIVE
Cisco local router Checkoint appliance QM_IDLE 2010 ACTIVE
I have removed the IP address but it seems to be creating more ISAKMP SAs. My config is basic, see below:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key < preshare key > address < checkpoint ip >
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set NR-secure esp-3des esp-md5-hmac
 mode transport
!
crypto map nrremote 10 ipsec-isakmp
 set peer < checkpoint ip >
 set transform-set <name>
 match address acl_vpn