2 IPSEC sessions for 1 Tunnel

Unanswered Question
Sep 8th, 2008

Under system status of the 3002. I have:

IKE | public ip of 5520 | etc....

IPSEC | public ip of 5520 | 3DES | HMAC/SHA-1| 0 | 0 | 0 | 0

IPSEC | | etc....

Why do I have an IPsec tunnel with a remote address for the public interface of my ASA? I don't have any split tunneling configured either?

Richard Burts Mon, 09/08/2008 - 11:31

Perhaps there is something that I am not understanding correctly. I thought that you were indicating that the 3002 has a VPN connection to the ASA (when you say 3002-->5520).

So why are you surprised that the 3002 has an IKE (ISAKMP) and an IPSec SA to the ASA?

If I have failed to understand some aspect of the question then please clarify.

marshall.blanco... Mon, 09/08/2008 - 11:36

Correct. The 3002 hardware client connects to an ASA 5520. Once the tunnel is established, I see 1 IKE session and 2 IPsec sessions.

For a regular VPN user, I have 1 IKE and 1 IPsec session...

acomiskey Mon, 09/08/2008 - 11:39

Looks like you have multiple security associations defined for the tunnel.

marshall.blanco... Mon, 09/08/2008 - 11:44

How do I define what SAs go with each tunnel? Is this done through the ASA or the hardware client?

acomiskey Mon, 09/08/2008 - 11:52

In the ASA, each SA would be a separate entry in the crypto map match access list. The example below would be 2 SAs.

access-list outside_cryptomap_1 extended permit ....

access-list outside_cryptomap_1 extended permit ....

crypto map outside_map 1 match address outside_cryptomap_1

marshall.blanco... Mon, 09/08/2008 - 12:48

Attached is what is currently configured as far as access-list outside_cryptomaps and crypto maps.

The subnet in question would be the subnet? I just noticed there were 2 entries for that subnet as well?

Would that be the reason why?

acomiskey Mon, 09/08/2008 - 13:43

If there are no corresponding lines like these...

crypto map outside_map x match address Outside_cryptomap_2
crypto map outside_map x match address Outside_cryptomap_3

...then these lines are doing nothing at all.
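As an added example (not from the thread, and not Cisco's own tooling), a small Python audit that applies acomiskey's two points to a saved ASA configuration: it counts the permit entries in each crypto map match ACL to predict how many IPsec SAs that crypto map entry will bring up, and flags cryptomap ACLs that no `crypto map ... match address` line references, since those are doing nothing. The embedded configuration is constructed; the peer address and subnets are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample ASA config (not from the thread); peer and subnets are placeholders.
SAMPLE_CONFIG = """
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list Outside_cryptomap_2 extended permit ip 10.1.0.0 255.255.0.0 10.4.0.0 255.255.0.0
access-list Outside_cryptomap_3 extended permit ip 10.1.0.0 255.255.0.0 10.5.0.0 255.255.0.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.5
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)")

def parse_permit_aces(config):
    """ACL name -> permit ACEs. In a crypto match ACL each permit ACE negotiates its own IPsec SA pair."""
    aces = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            aces[m.group(1)].append(line)
    return dict(aces)

def parse_crypto_matches(config):
    """(crypto map name, sequence) -> ACL named by its 'match address' line."""
    matches = {}
    for raw in config.splitlines():
        m = MATCH_RE.match(raw.strip())
        if m:
            matches[(m.group(1), int(m.group(2)))] = m.group(3)
    return matches

def audit_crypto_acls(config):
    """Expected IPsec SA count per crypto map entry, plus cryptomap ACLs that no crypto map references."""
    aces = parse_permit_aces(config)
    matches = parse_crypto_matches(config)
    expected_sas = {entry: len(aces.get(acl, [])) for entry, acl in matches.items()}
    referenced = set(matches.values())
    # Only ACLs following the thread's naming convention are checked; names compare exactly as written.
    unreferenced = sorted(n for n in aces if "cryptomap" in n.lower() and n not in referenced)
    return {"expected_sas": expected_sas, "unreferenced": unreferenced}

if __name__ == "__main__":
    print(audit_crypto_acls(SAMPLE_CONFIG))
```

Run against a real `show running-config` export, an entry whose count exceeds the number of SAs you expect points at a duplicated or overlapping ACE, and any name in the unreferenced list is a leftover ACL with no effect on the tunnel.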
