I am having a lot of trouble with a IPSec site-to-site between an ASA and an ISA server. The is established and can work for hours but, I think, when the IKE/IPSec SA's re-negotiate there can be a dropout. I have tried deleting all IKE and IPSec SAs (clear crypto ipsec/isakmp ...) at both ends and the tunnel then re-negotiates without a problem. However, when I look at active SA's there is 1 active IKE SA but 2 active IPSec SA's... Is this normal? Could this be causing a problem when the SA's timout and try to renegotiate? I am very new to this so any help would be much appreciated.
Thanks a lot