2 IPSEC sessions for 1 Tunnel

Sep 8th, 2008

3002-->5520.


Under system status of the 3002, I have:


IKE | public ip of 5520 | etc....

IPSEC | public ip of 5520 | 3DES | HMAC/SHA-1| 0 | 0 | 0 | 0

IPSEC | 0.0.0.0/0.0.0.0 | etc....


Why do I have an IPsec tunnel with a remote address for the public interface of my ASA? I don't have any split tunneling configured either.

Richard Burts Mon, 09/08/2008 - 11:31

Marshall


Perhaps there is something that I am not understanding correctly. I thought that you were indicating that the 3002 has a VPN connection to the ASA (when you say 3002-->5520).


So why are you surprised that the 3002 has an IKE (ISAKMP) and an IPSec SA to the ASA?


If I have failed to understand some aspect of the question then please clarify.


HTH


Rick

marshall.blanco... Mon, 09/08/2008 - 11:36

Correct. The 3002 hardware client connects to an ASA 5520. Once the tunnel is established, I see 1 IKE session and 2 IPsec sessions.


For a regular VPN user, I have 1 IKE and 1 IPsec session...

acomiskey Mon, 09/08/2008 - 11:39

Looks like you have multiple security associations defined for the tunnel.

marshall.blanco... Mon, 09/08/2008 - 11:44

How do I define which SAs go with each tunnel? Is this done through the ASA or the hardware client?

acomiskey Mon, 09/08/2008 - 11:52

In the ASA, each SA would be a separate entry in the crypto match access list. The example below would be 2 SAs.


access-list outside_cryptomap_1 extended permit ....

access-list outside_cryptomap_1 extended permit ....


crypto map outside_map 1 match address outside_cryptomap_1


marshall.blanco... Mon, 09/08/2008 - 12:48

Attached is what is currently configured as far as access-list outside_cryptomaps and crypto maps.


The subnet in question would be the 10.0.29.0 subnet? I just noticed there were 2 entries for that subnet as well.


Would that be the reason why?



acomiskey Mon, 09/08/2008 - 13:43

If there are no corresponding lines like these...


crypto map outside_map x match address Outside_cryptomap_2


or


crypto map outside_map x match address Outside_cryptomap_3


...then these lines are doing nothing at all.
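An added example, not from the thread: a small Python audit script that applies the rule given in the replies above (one IPsec SA per permit entry in a crypto ACL that a crypto map actually references), reports the SA count to expect per crypto map entry, lists ACLs that no crypto map references (and so do nothing), and flags duplicate entries like the two noted for the 10.0.29.0 subnet. The config fragment is constructed for illustration; the real attachment is not on the page, so the ACL names and subnets are made up.

```python
import re
from collections import defaultdict

# Constructed sample ASA config fragment for illustration; the poster's real
# attachment is not on the page, so names and subnets here are made up.
SAMPLE_CONFIG = """
access-list outside_cryptomap_1 extended permit ip 10.0.28.0 255.255.255.0 10.0.29.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.30.0 255.255.255.0 10.0.29.0 255.255.255.0
access-list Outside_cryptomap_2 extended permit ip 10.0.40.0 255.255.255.0 10.0.29.0 255.255.255.0
access-list Outside_cryptomap_2 extended permit ip 10.0.40.0 255.255.255.0 10.0.29.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(.+)$")
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")


def audit_crypto_acls(config):
    """Return (expected IPsec SAs per crypto-map entry, ACLs no crypto map
    references, duplicate ACEs per ACL).  Each permit ACE in a referenced
    crypto ACL negotiates its own IPsec SA pair, so the ACE count is the
    number of IPsec sessions the hardware client should show for that entry."""
    aces = defaultdict(list)   # ACL name -> list of ACE bodies (whitespace-normalised)
    referenced = {}            # "map seq" -> ACL name it matches on
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            aces[m.group(1)].append(" ".join(m.group(2).split()))
        elif m := MAP_RE.match(line):
            referenced[f"{m.group(1)} {m.group(2)}"] = m.group(3)
    expected = {entry: len(aces.get(acl, [])) for entry, acl in referenced.items()}
    unreferenced = sorted(set(aces) - set(referenced.values()))
    duplicates = {acl: sorted({e for e in ents if ents.count(e) > 1})
                  for acl, ents in aces.items() if len(ents) != len(set(ents))}
    return expected, unreferenced, duplicates


if __name__ == "__main__":
    expected, unreferenced, duplicates = audit_crypto_acls(SAMPLE_CONFIG)
    for entry, n in expected.items():
        print(f"crypto map {entry}: expect {n} IPsec SA(s)")
    print("ACLs not referenced by any crypto map (doing nothing):", unreferenced)
    print("duplicate ACEs:", duplicates)
```

ACL names are compared case-sensitively, as the ASA does, so `outside_cryptomap_1` and `Outside_cryptomap_1` count as different ACLs.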


