1841 VPN to ASA 5550

networker99
Level 1

We currently have a Cisco 1841 configured with an L2L VPN to an ASA 5550.  All appears to be working, but sometimes on the router I issue the "sh crypto ipsec sa" command and I see the association, but if I then issue "crypto isakmp sa" it shows no associations.

Why would there be IPSEC associations but no ISAKMP association?

Can anyone point me in the right direction?

Thanks

1 Reply

Yudong Wu
Level 7

I think this might be an expected behavior.

show crypto isa sa --> phase 1 status

show crypto ipsec sa --> phase 2 status

Phase 1 and phase 2 have different timeout values.

Before the phase 2 SA is close to expiration, the system will negotiate a new one, since we need it to encrypt and decrypt the traffic.

But we don't do the same for the phase 1 SA. We will renegotiate the phase 1 SA only when we need to rebuild the phase 2 SA and find no phase 1 SA existing.

You can confirm the above behavior by checking both the phase 1 (show crypto isa sa detail) and phase 2 timers.

Phase 2 uses both KB and seconds as timers; the default is about 4G/1 hour.

Phase 1's timer by default is 24 hours.
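The lifetime interaction described in the reply above, as an added example that is not part of the original thread: a small Python model of the two SA timers which shows why "show crypto ipsec sa" can list an SA while "show crypto isakmp sa" lists none. It assumes the Cisco IOS default lifetimes (86400 s for phase 1, 3600 s for phase 2), a fixed 120 s rekey margin and continuous interesting traffic; the margin and the continuous traffic are simplifying assumptions, not IOS behaviour quoted from the thread.

```python
"""Added example (not from the original post): a model of the IKE phase 1 /
phase 2 lifetime behaviour described in the reply.

Modelled behaviour (from the reply):
  * The phase 2 (IPsec) SA is renegotiated shortly before it expires, because
    traffic needs it.  Renegotiating phase 2 needs a phase 1 SA; if none
    exists, phase 1 is renegotiated first.
  * The phase 1 (ISAKMP) SA is never renegotiated on its own; it just expires.

Assumptions (not stated in the thread): IOS default lifetimes of 86400 s for
phase 1 and 3600 s for phase 2, a fixed 120 s rekey margin, and continuous
interesting traffic so that phase 2 is always rekeyed before it expires.
"""
from dataclasses import dataclass, field

PHASE1_LIFETIME = 86_400   # assumed: "crypto isakmp policy" lifetime default, 24 h
PHASE2_LIFETIME = 3_600    # assumed: "crypto ipsec security-association lifetime seconds" default, 1 h
REKEY_MARGIN = 120         # assumed: seconds before expiry at which phase 2 is rekeyed


@dataclass
class Tunnel:
    # (time, "phase1" | "phase2") for every SA negotiation, in time order
    events: list = field(default_factory=list)

    def _alive(self, kind, lifetime, now):
        # An SA lives from its negotiation time until that time plus its lifetime.
        return any(t <= now < t + lifetime for t, k in self.events if k == kind)

    def has_isakmp_sa(self, now):
        return self._alive("phase1", PHASE1_LIFETIME, now)

    def has_ipsec_sa(self, now):
        return self._alive("phase2", PHASE2_LIFETIME, now)

    def negotiate_phase2(self, now):
        """Rekey phase 2; build phase 1 first only if no phase 1 SA exists."""
        if not self.has_isakmp_sa(now):
            self.events.append((now, "phase1"))
        self.events.append((now, "phase2"))

    def next_phase2_rekey(self):
        last_p2 = max(t for t, k in self.events if k == "phase2")
        return last_p2 + PHASE2_LIFETIME - REKEY_MARGIN


def simulate(duration):
    """Bring the tunnel up at t=0 and run phase 2 rekeys for `duration` seconds."""
    tunnel = Tunnel()
    tunnel.negotiate_phase2(0)   # the first interesting packet brings up phase 1 and phase 2
    while tunnel.next_phase2_rekey() <= duration:
        tunnel.negotiate_phase2(tunnel.next_phase2_rekey())
    return tunnel


def sa_state(tunnel, now):
    """What the two show commands would report at time `now`."""
    return {"isakmp": tunnel.has_isakmp_sa(now), "ipsec": tunnel.has_ipsec_sa(now)}


def ipsec_without_isakmp_windows(tunnel):
    """Intervals [start, end) where the phase 1 SA has expired but no phase 2
    rekey has yet rebuilt it.  With continuous traffic the IPsec SA is always
    up, so these are exactly the windows the original poster observed."""
    p1_times = [t for t, k in tunnel.events if k == "phase1"]
    windows = []
    for started, next_started in zip(p1_times, p1_times[1:]):
        expired = started + PHASE1_LIFETIME
        if next_started > expired:
            windows.append((expired, next_started))
    return windows


if __name__ == "__main__":
    tunnel = simulate(3 * 24 * 3600)
    for start, end in ipsec_without_isakmp_windows(tunnel):
        print(f"{start:>7}s - {end:>7}s: IPsec SA up, ISAKMP SA gone "
              f"({end - start}s until the next phase 2 rekey rebuilds phase 1)")
    print("one hour in:", sa_state(tunnel, 3600))
    print("just after phase 1 expiry:", sa_state(tunnel, PHASE1_LIFETIME + 100))
```

Over a three-day run the model produces a window of several minutes once a day (from 86400 s until the next phase 2 rekey at 87000 s, and again around 173400 s) in which the IPsec SA is present and the ISAKMP SA is not, which is the symptom in the question. On a real router the same two timers can be read with "show crypto isakmp sa detail" (phase 1 remaining lifetime) and "show crypto ipsec sa" (the "remaining key lifetime (k/sec)" line), and are set with "lifetime" under "crypto isakmp policy" and with "crypto ipsec security-association lifetime seconds" / "kilobytes"; the exact point at which IOS starts a phase 2 rekey differs from the fixed margin used here.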