1841 VPN to ASA 5550

Unanswered Question
Aug 27th, 2010
User Badges:

We currently have a Cisco 1841 configured with an L2L VPN to an ASA 5550.  All appears to be working, but sometimes on the router I issue the "sh crypto ipsec sa" command and I see the association, but if I then issue "crypto isakmp sa" it shows no associations..

Why would there be IPSEC associations but no ISAKMP association?

Can anyone point me in the right direction?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Yudong Wu Fri, 08/27/2010 - 10:03
User Badges:
  • Gold, 750 points or more

I think this might be an expected behavoir.

show crypto isa sa --> phase 1 status

show crypto ipsec sa ---> phase 2 status.

Phase 1 and phase 2 have different timeout value.

Before phase 2 SA is close to expiration, system will negociate a new one since we need it to encrypted and decrypted the traffic.

But we don't do the same on phase 1 SA. We will re-negociate phase 1 SA only when we need re-build phase 2 SA and find no phase 1 SA existing.

You can confirm the above the behavior by checking both phase 1 (show crypt isa sa detail) and phase 2 timer.

Phase 2 use both KB/second as timer, default is about 4G/1 hours.

Phase 1's timer by default is 24 hours.


This Discussion