Multiple IPSec session issue

Unanswered Question
Feb 17th, 2009


I have an IPSec tunnel from my Cisco 3845 router to a remote vendor Cisco Concentrator.

I have two data streams from 2 hosts on my side that should go through this tunnel.

Both data streams work, however, once the first data stream brings up the tunnel, and the second data stream starts, it looks like it's trying to initiate a new IKE session to the remote peer instead of using the existing tunnel. A show crypto isa sa reveals multiple MM_Init sessions. This of course fails. And it doesn't matter which data stream starts first.

I have other IPSec tunnels on my router, with multiple data streams, and have no issues with them.

Could this be something to do with the concenterator?

We've confirmed ACLs and ISA/IPSec parameters on both ends match.

Any insite is greatly appreciated!


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JamesLuther Wed, 02/18/2009 - 01:48


If you type "sh crypto ipsec sa" and look at the local/remote ident values are they using /32 subnet masks?

It may be that you are trying to negotiate new keys per host pair instead of per network subnet.


rkallas Wed, 02/18/2009 - 07:23

Yes, they have /32 masks on my end and on the remote end.

interface: GigabitEthernet0/0.925

Crypto map tag: B2B_VPN, local addr

protected vrf: (none)

local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (

current_peer port 4500

PERMIT, flags={origin_is_acl,}

protected vrf: (none)

local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (

current_peer port 500

PERMIT, flags={origin_is_acl,}


This Discussion