One SA per subnet pair.....

Oct 1st, 2009
Hi All,

I'll shortly be setting up a new L2L VPN between a Checkpoint and an ASA. To cut a long story short, the Checkpoint end is configured to negotiate 'one SA per subnet pair' within its tunnel management settings. This will have to stay this way.

So the question is: is there an equivalent setting for an ASA (ASDM and/or CLI) or, failing that, does anyone know its default behaviour regarding SA creation?

Just trying to avoid pitfalls before I start.

Many thanks,


Jon Marshall Thu, 10/01/2009 - 11:20
IPsec SAs are negotiated per entry in your ACL on the ASA. So if you have a crypto map ACL with 3 entries, that will create 2 SAs per ACL entry, 2 because IPsec SAs are unidirectional.

So it sounds like the Checkpoint is behaving in exactly the same way as it should, as IPsec is a standard.
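To make the behaviour described above concrete, here is an added ASA configuration example (not from the original thread or either poster) that mirrors the Checkpoint's "one SA per subnet pair" setting. All names and addresses are assumptions: the ACL and crypto map names, the peer 203.0.113.2, the local /24s in 10.0.0.0/8 and the remote /24s in 192.168.0.0/16, and the pre-shared key. The IKE policy and tunnel-group shown are a plausible Phase 1 setup for the time, not anything the thread specifies.

```text
! Phase 1 (IKEv1) policy and peer authentication - assumed values.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>

! Crypto ACL: ONE LINE PER SUBNET PAIR.
! Each line becomes its own Phase 2 negotiation, so each line yields
! two IPsec SAs (inbound + outbound). With three lines, expect six SAs.
! Do NOT summarise these into a single 10.0.0.0/8 <-> 192.168.0.0/16 line:
! that would propose one SA for the supernet, which will not match a peer
! that expects a separate SA for every subnet pair.
access-list VPN-TO-CHECKPOINT extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN-TO-CHECKPOINT extended permit ip 10.1.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list VPN-TO-CHECKPOINT extended permit ip 10.2.0.0 255.255.255.0 192.168.10.0 255.255.255.0

! Phase 2 transform set and crypto map entry bound to the outside interface.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-CHECKPOINT
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside

! Verification once traffic has triggered the tunnel:
!   show crypto isakmp sa              -> one Phase 1 SA to 203.0.113.2
!   show crypto ipsec sa peer 203.0.113.2
!     -> one "local ident / remote ident" block per ACL line, each with
!        an inbound and an outbound ESP SPI (two SAs per subnet pair)
```

The practical check is that the proxy identities (local ident / remote ident) shown by `show crypto ipsec sa` line up exactly with the subnet pairs in the Checkpoint's encryption domain; a Phase 2 that fails on proxy ID mismatch is the usual symptom when one side has summarised what the other side expresses as individual pairs.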


