ASA ipsec SA has not been recreated

Aug 11th, 2009
I hope someone has met this issue and found a solution.

We have two sites with an ASA 5520 in each. We use IPsec L2L between the sites. My problem is that after upgrading to 8.2 an interesting and pesky problem arose. After the SA expires it remains active on the appliances and no new SA is created. If I clear the IPsec SAs between the peers, everything starts working.

This is a snippet from the sh cryp ips sa:

    outbound esp sas:
      spi: 0x4B9D1295 (1268585109)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1597440, crypto-map: vpls_map
         sa timing: remaining key lifetime (kB/sec): (0/232515)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

As we can see, the kB entry is 0. On the other device it is the same for the inbound SA.

After upgrading I turned on 'sysopt connection preserve-vpn-flows'. Maybe this could be the problem. Anyway it seems to be a bug in my opinion. Has anyone met this problem?

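Added example, not code from the thread: a small Python parser for the `show crypto ipsec sa` output quoted above that flags ESP SAs whose remaining kB or seconds lifetime has reached zero but which are still installed, which is the stuck-rekey condition the post describes. The outbound SA in the sample repeats the values from the post; the inbound SA is constructed as a healthy peer for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `show crypto ipsec sa`. The outbound SA
# carries the values from the post; the inbound SA is made up and still healthy.
SAMPLE_OUTPUT = """\
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-3des esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373999/232515)
    outbound esp sas:
      spi: 0x4B9D1295 (1268585109)
         transform: esp-3des esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (0/232515)
"""

@dataclass
class EspSa:
    direction: str
    spi: str
    remaining_kb: int
    remaining_sec: int

    def is_exhausted(self) -> bool:
        # An SA whose volume or time lifetime has hit zero should already have
        # been replaced by a rekeyed SA; if it is still installed, rekeying stalled.
        return self.remaining_kb == 0 or self.remaining_sec == 0

SECTION_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

def parse_esp_sas(text: str) -> list[EspSa]:
    """Walk the show output and build one record per ESP SA."""
    sas, direction, spi = [], None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            direction = m.group(1)       # remember which block we are in
        elif m := SPI_RE.match(line):
            spi = m.group(1)             # each SA starts with its SPI line
        elif (m := TIMING_RE.search(line)) and direction and spi:
            sas.append(EspSa(direction, spi, int(m.group(1)), int(m.group(2))))
            spi = None                   # timing line closes this SA record
    return sas

def stale_sas(text: str) -> list[EspSa]:
    """Return the SAs that have run out of lifetime but are still installed."""
    return [sa for sa in parse_esp_sas(text) if sa.is_exhausted()]
```

Run it periodically against the output of `show crypto ipsec sa` on both peers; any SA it returns is a candidate for the stuck-SA condition and worth comparing against the peer's inbound entry before clearing.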
owillins Tue, 08/18/2009 - 08:43

Initiate a ping, and only then will the IPsec SA between the inside hosts be created.

Please make sure you are hitting this bug: CSCsu58733 "L2TP IPSec ASA send ESP packet with using old SA pair".

realvitya Tue, 08/18/2009 - 15:07

There was intensive traffic meanwhile, so a new SA should have been created. Now I tried turning off sysopt connection preserve-vpn-flows and it seems the problem went away. Maybe it is a bug related to this feature.
