Multiple IPSec session issue

rkallas
Level 1

Hi,

I have an IPSec tunnel from my Cisco 3845 router to a remote vendor Cisco Concentrator.

I have two data streams from 2 hosts on my side that should go through this tunnel.

Both data streams work, however, once the first data stream brings up the tunnel, and the second data stream starts, it looks like it's trying to initiate a new IKE session to the remote peer instead of using the existing tunnel. A show crypto isa sa reveals multiple MM_Init sessions. This of course fails. And it doesn't matter which data stream starts first.

I have other IPSec tunnels on my router, with multiple data streams, and have no issues with them.

Could this be something to do with the concentrator?

We've confirmed ACLs and ISA/IPSec parameters on both ends match.

Any insight is greatly appreciated!

Ray

2 Replies

JamesLuther
Level 3

Hello,

If you type "sh crypto ipsec sa" and look at the local/remote ident values are they using /32 subnet masks?

It may be that you are trying to negotiate new keys per host pair instead of per network subnet.

Regards

Yes, they have /32 masks on my end and on the remote end.

interface: GigabitEthernet0/0.925
Crypto map tag: B2B_VPN, local addr 207.131.207.136

protected vrf: (none)
local ident (addr/mask/prot/port): (207.130.16.36/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (63.111.231.25/255.255.255.255/0/0)
current_peer 65.201.27.46 port 4500
PERMIT, flags={origin_is_acl,}

protected vrf: (none)
local ident (addr/mask/prot/port): (170.108.4.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (63.111.231.35/255.255.255.255/0/0)
current_peer 65.201.27.46 port 500
PERMIT, flags={origin_is_acl,}
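Added example, not from the thread or from Cisco: a small Python check that parses the "sh crypto ipsec sa" output quoted above and reports, per peer, how many host-to-host (/32) proxy identity pairs exist and which IKE ports appear, which makes the per-host-pair negotiation James describes visible at a glance. The sample input is the thread's own output, re-typed here as a constructed string; the field layout assumed is the IOS format shown in the post.

```python
import re
from collections import defaultdict

# Constructed sample: the show crypto ipsec sa excerpt quoted in the thread.
SAMPLE = """\
interface: GigabitEthernet0/0.925
Crypto map tag: B2B_VPN, local addr 207.131.207.136
protected vrf: (none)
local ident (addr/mask/prot/port): (207.130.16.36/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (63.111.231.25/255.255.255.255/0/0)
current_peer 65.201.27.46 port 4500
PERMIT, flags={origin_is_acl,}
protected vrf: (none)
local ident (addr/mask/prot/port): (170.108.4.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (63.111.231.35/255.255.255.255/0/0)
current_peer 65.201.27.46 port 500
PERMIT, flags={origin_is_acl,}
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"^current_peer ([\d.]+) port (\d+)")
HOST_MASK = "255.255.255.255"

def parse_ipsec_sa(text):
    """Return one dict per proxy identity pair: local/remote (addr, mask), peer, port."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = (m.group(2), m.group(3))  # side -> (addr, mask)
            continue
        m = PEER_RE.match(line)
        if m and "local" in cur and "remote" in cur:
            entries.append({"local": cur["local"], "remote": cur["remote"],
                            "peer": m.group(1), "port": int(m.group(2))})
            cur = {}  # the current_peer line closes one identity pair
    return entries

def host_pair_report(entries):
    """Per peer: count of /32-to-/32 identity pairs and the set of IKE ports seen."""
    report = defaultdict(lambda: {"host_pairs": 0, "ports": set()})
    for e in entries:
        r = report[e["peer"]]
        if e["local"][1] == HOST_MASK and e["remote"][1] == HOST_MASK:
            r["host_pairs"] += 1  # each such pair is negotiated as its own SA
        r["ports"].add(e["port"])
    return dict(report)
```

A peer showing several host pairs, or more than one IKE port, is the case to compare against the crypto ACL and the other tunnels on the router that work with subnet entries.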
