unexpected ISAKMP sessions

david.sua
Level 1

Hi all!

I have an IPsec VPN with a Cisco 1812 on the local side and about ten Draytek Vigor on the remote side.

I don't know why, but I have multiple ISAKMP sessions for the same peer and I have connection problems.

This is the output of a show crypto session detail. How can I set a maximum number of ISAKMP sessions per peer?

anandacentral#sh crypto session remote x.x.x.x detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Loopback0

Session status: UP-ACTIVE

Peer: x.x.x.x port 500 fvrf: (none) ivrf: (none)

Phase1_id: x.x.x.x

Desc: (none)

IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active

Capabilities:(none) connid:2393 lifetime:23:25:17

IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active

Capabilities:(none) connid:2378 lifetime:23:20:57

IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active

Capabilities:(none) connid:2244 lifetime:23:15:47

IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active

Capabilities:(none) connid:2334 lifetime:23:10:35

IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.3.0/255.255.255.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 8480 drop 0 life (KB/Sec) 4390959/1518

Outbound: #pkts enc'ed 9687 drop 9 life (KB/Sec) 4390993/1518

Thanks in advance.

2 Replies

sbilgi
Level 5

Router(config-crypto-map)# set security-association idle-time 600

Specifies the maximum amount of time for which the current peer can be idle before the default peer is used.

Thanks sbilgi, but this command is not valid for my purposes. With this command I set the timeout for the IPsec tunnel, but my problem is with ISAKMP sessions: I have a lot of Active ISAKMP sessions and I don't know how to finish them.
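
To spot the condition shown in the original post (several Active IKE SAs towards one peer), the output of show crypto session detail can be parsed and the SAs counted per peer. This is an added example, not part of the thread: the function names, the limit parameter and the trimmed sample text are assumptions made here.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the output format in the original post (addresses masked).
SAMPLE = """\
Peer: x.x.x.x port 500 fvrf: (none) ivrf: (none)
  IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active
          Capabilities:(none) connid:2393 lifetime:23:25:17
  IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active
          Capabilities:(none) connid:2378 lifetime:23:20:57
  IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active
          Capabilities:(none) connid:2244 lifetime:23:15:47
  IKE SA: local y.y.y.y/500 remote x.x.x.x/500 Active
          Capabilities:(none) connid:2334 lifetime:23:10:35
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.3.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

PEER_RE = re.compile(r"^\s*Peer:\s+(\S+)\s+port\s+(\d+)")
IKE_RE = re.compile(r"^\s*IKE SA:\s+local\s+\S+\s+remote\s+(\S+)\s+(\S+)")
CONN_RE = re.compile(r"connid:(\d+)\s+lifetime:(\S+)")

def ike_sas_by_peer(text):
    """Return {peer: [(connid, lifetime), ...]} for IKE SAs in state Active."""
    sas = defaultdict(list)
    peer, pending = None, False
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer, pending = m.group(1), False
            continue
        m = IKE_RE.match(line)
        if m:
            # Only Active SAs count; the connid follows on the next line.
            pending = peer is not None and m.group(2) == "Active"
            continue
        m = CONN_RE.search(line)
        if m and pending:
            sas[peer].append((int(m.group(1)), m.group(2)))
            pending = False
    return dict(sas)

def duplicate_ike_peers(text, limit=1):
    """Peers holding more than `limit` Active IKE SAs, with their connids."""
    return {p: [c for c, _ in v] for p, v in ike_sas_by_peer(text).items() if len(v) > limit}

if __name__ == "__main__":
    for peer, connids in duplicate_ike_peers(SAMPLE).items():
        print(f"{peer}: {len(connids)} active IKE SAs, connids {connids}")
```

Run against output collected at intervals, a growing connid list for one peer shows that new phase 1 negotiations are being completed while the older SAs stay up.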