Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
443
Views
0
Helpful
5
Replies

SA question/issue

cmgowcity
Level 1
Level 1

‎11-11-2008 03:09 AM

Hi everybody

I am having a lot of trouble with a IPSec site-to-site between an ASA and an ISA server. The is established and can work for hours but, I think, when the IKE/IPSec SA's re-negotiate there can be a dropout. I have tried deleting all IKE and IPSec SAs (clear crypto ipsec/isakmp ...) at both ends and the tunnel then re-negotiates without a problem. However, when I look at active SA's there is 1 active IKE SA but 2 active IPSec SA's... Is this normal? Could this be causing a problem when the SA's timout and try to renegotiate? I am very new to this so any help would be much appreciated.

Thanks a lot

Colin

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎11-11-2008 04:05 AM

Colin

The SA's used in phase 2 ie. what you call the IPSEC SA's are unidirectional. So to eastablish 2 way communication between 2 devices you need 2 SA's. So this is normal behaviour.

Sounds like what may be happening is that one end times out but the other end doesn't. The end that has timed out tries to renegotiate but the other end rejects it because as far as it is concerned the tunnel is still up. Perhaps your timers for tunnel establishement/teardown do not match on both devices.

IPSEC can be very picky between different vendor devices. In addition to Cisco's site you may want to visit Microsoft site and look for ISA to Pix/ASA configurations. If i get time later i'll have a look but both Cisco's and Microsoft's site have a lot of good resources.

Jon

0 Helpful

cmgowcity
Level 1
Level 1
In response to Jon Marshall

‎11-11-2008 04:18 AM

Thanks Jon for clearing that up. I will check the differences in the lifetimes at each side - I can see this easily on the ASA but will need to try and find it on the ISA Server...

Cheers

Colin

0 Helpful

cmgowcity
Level 1
Level 1
In response to Jon Marshall

‎11-11-2008 06:01 AM

I have attached the oakley.log starting just before the tunnel went down and finishing just after the tunnel came backup - without intervention of any kind... I realise it is a lot to look through but if anybody can see what is happening while it is down it would be a great help - as I said I am very new to all this.

Thanks a lot

Colin

0 Helpful

cmgowcity
Level 1
Level 1
In response to cmgowcity

‎11-11-2008 06:16 AM

oakley log attached

Thanks a lot

Colin

0 Helpful

cmgowcity
Level 1
Level 1
In response to cmgowcity

‎11-11-2008 07:26 AM

Please ignore the oakley log as the ASA was re-booted by somebody on site!

Thanks

Colin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents