Why does this device have 2 IKE SAs?

Mar 6th, 2007

Hi, here is the output. Any explanation?

#sh crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Ethernet1
Session status: UP-ACTIVE
Peer: <peer ip address>/500 fvrf: (none) ivrf: (none)
Phase1_id: <peer ip address>
Desc: (none)
IKE SA: local <outside address>/500 remote <peer ip address>/500 Active
Capabilities:CD connid:15 lifetime:21:34:29
IKE SA: local <outside address>/500 remote <peer ip address>/500 Active
Capabilities:CD connid:14 lifetime:13:06:25
IPSEC FLOW: permit ip <inside address>/
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 284159 drop 0 life (KB/Sec) 4422709/13337
Outbound: #pkts enc'ed 276100 drop 0 life (KB/Sec) 4432969/13337

Kamal Malhotra Tue, 03/06/2007 - 12:31


Per this information it seems that we only have 1 phase 1 SA and 1 Phase 2 SA, which is normal. For confirmation, issue the following command :

sh cry isak sa

and check the output. If you have only one SA for the pair of IP addresses, then we are fine. Then you can issue the following command :

sh cry ipsec sa

if we have one SA for each pair of private subnets/networks then we are fine too.


Please rate if it helps.



Jon Marshall Wed, 03/07/2007 - 05:16

Hi Kamal

I agree that there is 1 SA for the ISAKMP phase. However, I believe that for any IPsec tunnel in phase 2 there will be 2 SAs, as these SAs are unidirectional. So for each pair of networks you will have an inbound SA and an outbound SA. Hence the following in the output from the original post.

Active SAs: 2, origin: crypto map
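As an added example (not code from the thread or from Cisco), here is a small Python checker that applies the two rules from Kamal's and Jon's replies to the show output: one active IKE (phase 1) SA per peer in `show crypto session detail` / `show crypto isakmp sa`, and two IPsec (phase 2) SAs per flow, one inbound and one outbound. The sample output is constructed in the same layout as the output quoted above, using RFC 5737 documentation addresses in place of the poster's redacted addresses; the duplicate IKE SA it contains reproduces the situation the original poster is asking about.

```python
import re
from collections import defaultdict

# Constructed sample (documentation addresses, not from the post), laid out like
# the "show crypto session detail" output quoted in the thread.
SESSION_DETAIL = """\
Interface: Ethernet1
Session status: UP-ACTIVE
Peer: 198.51.100.1/500 fvrf: (none) ivrf: (none)
  Phase1_id: 198.51.100.1
  Desc: (none)
  IKE SA: local 192.0.2.1/500 remote 198.51.100.1/500 Active
          Capabilities:CD connid:15 lifetime:21:34:29
  IKE SA: local 192.0.2.1/500 remote 198.51.100.1/500 Active
          Capabilities:CD connid:14 lifetime:13:06:25
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 284159 drop 0 life (KB/Sec) 4422709/13337
        Outbound: #pkts enc'ed 276100 drop 0 life (KB/Sec) 4432969/13337
"""

# Constructed "show crypto isakmp sa" output for the same device: two rows for
# one dst/src pair, i.e. two phase 1 SAs where only one is expected.
ISAKMP_SA = """\
dst             src             state          conn-id slot
192.0.2.1       198.51.100.1    QM_IDLE             15    0
192.0.2.1       198.51.100.1    QM_IDLE             14    0
"""

PEER_RE = re.compile(r"^Peer: (\S+?)/\d+")
IKE_RE = re.compile(r"^IKE SA: local (\S+) remote (\S+) (\w+)")
CAP_RE = re.compile(r"connid:(\d+) lifetime:(\S+)")
FLOW_RE = re.compile(r"^IPSEC FLOW: (.+)")
ACTIVE_RE = re.compile(r"^Active SAs: (\d+)")


def parse_session_detail(text):
    """Return [{'peer', 'ike': [...], 'flows': [...]}] from show crypto session detail."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            cur = {"peer": m.group(1), "ike": [], "flows": []}
            peers.append(cur)
        elif cur is None:
            continue                      # header lines before the first peer
        elif m := IKE_RE.match(line):
            cur["ike"].append({"local": m.group(1), "remote": m.group(2),
                               "state": m.group(3), "connid": None, "lifetime": None})
        elif m := CAP_RE.search(line):    # Capabilities line belongs to the last IKE SA
            cur["ike"][-1]["connid"] = int(m.group(1))
            cur["ike"][-1]["lifetime"] = m.group(2)
        elif m := FLOW_RE.match(line):
            cur["flows"].append({"flow": m.group(1), "active_sas": 0,
                                 "inbound": False, "outbound": False})
        elif m := ACTIVE_RE.match(line):
            cur["flows"][-1]["active_sas"] = int(m.group(1))
        elif line.startswith("Inbound:"):
            cur["flows"][-1]["inbound"] = True
        elif line.startswith("Outbound:"):
            cur["flows"][-1]["outbound"] = True
    return peers


def audit(peers):
    """One active IKE SA per peer; two IPsec SAs (inbound + outbound) per flow."""
    findings = []
    for p in peers:
        active = [s for s in p["ike"] if s["state"] == "Active"]
        if len(active) != 1:
            ids = ", ".join(f"connid {s['connid']} ({s['lifetime']} left)" for s in active)
            findings.append(f"peer {p['peer']}: {len(active)} active IKE SAs, expected 1: {ids}")
        for f in p["flows"]:
            if f["active_sas"] != 2 or not (f["inbound"] and f["outbound"]):
                findings.append(f"peer {p['peer']} flow '{f['flow']}': {f['active_sas']} "
                                "active IPsec SAs, expected 2 (one inbound, one outbound)")
    return findings


def parse_isakmp_sa(text):
    """Group show crypto isakmp sa rows by (dst, src) -> [(state, conn-id), ...]."""
    pairs = defaultdict(list)
    for line in text.splitlines()[1:]:    # skip the column header
        cols = line.split()
        if len(cols) >= 4:
            dst, src, state, connid = cols[:4]
            pairs[(dst, src)].append((state, int(connid)))
    return dict(pairs)


if __name__ == "__main__":
    for finding in audit(parse_session_detail(SESSION_DETAIL)):
        print("FINDING:", finding)
    for pair, sas in parse_isakmp_sa(ISAKMP_SA).items():
        print(f"{pair[0]} <- {pair[1]}: {len(sas)} ISAKMP SA(s) {sas}")
```

On the constructed sample the checker reports one finding, the duplicate phase 1 SA (connids 15 and 14 with different remaining lifetimes), and no finding for the IPsec flow, which correctly has two active SAs. The differing lifetimes are the detail worth pulling out before opening a case: they show the two IKE SAs were negotiated at different times rather than being one SA listed twice.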



Jon Marshall Wed, 03/07/2007 - 05:58


No offence intended. I am perfectly sure you were aware of this; I just thought the way you worded it was a little unclear and the original poster might get the wrong idea.


mnewnam06 Thu, 03/08/2007 - 06:13

Thanks for the replies. Here is the output from two different sites. Why would one site have two entries and the other one? Is it because the site with two SAs is set up for a two-way conversation and the site with one SA is set up for a one-way conversation? What does QM_IDLE imply? No traffic?

Site1# sh crypto isakmp sa
dst src state conn-id slot
QM_IDLE 19 0

Site2#sh crypto isakmp sa
dst src state conn-id slot

Kamal Malhotra Thu, 03/08/2007 - 07:17


Not sure why you are seeing 2 IKE SAs on one end. It needs troubleshooting, so I would suggest you open a TAC case. As far as QM_IDLE goes, it means that the Quick Mode is up.


Please rate if it helps.



ggilbert Thu, 03/08/2007 - 07:31

Running debugs after clearing the tunnel would help to figure out this issue.

The reason you are seeing two SAs is this:

Site 1 got another SA request from the remote peer while there was an existing SA, but it did not match the values sent by Site 2.



mnewnam06 Thu, 03/08/2007 - 09:50

Thanks for all of the replies.

Gilbert, the two sites are remote sites, both connecting to the same 3K concentrator. They don't communicate between themselves. My fault for not mentioning this.

Also the IPSec VPN technology being used is Easy VPN. Are there IPSec specific logs that can be turned on like EIGRP logs? Thanks.

ggilbert Fri, 03/09/2007 - 08:18

On the Concentrator, if you go to System | Events | Classes, can you add IKE, IKEDBG, IPSEC and IPSECDBG for severities 1-13 on the Event to log option (you need to do it one by one).

After that, go to Monitoring | Filterable Event Log and click on "Clear Log".

Let the remote site connect, and after you see two ISAKMP SAs on the concentrator, click on the GET LOG button and send the text file.

Will take a look at it.



