11-28-2014 12:13 AM
I couldn't find any detailed explanation of the show isakmp sa output on the ASA platform on CCO.
From ASA show isakmp sa, I can see that some SAs have type user and some SAs have type L2L.
All IPsec VPNs configured on this ASA are type L2L, so why is the SA type user for some SAs?
What does type user mean?
Thank you!
ASA# show isakmp sa
IKEv1 SAs:
Active SA: 5
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5
1 IKE Peer: 1.1.1.1
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
2 IKE Peer: 2.2.2.2
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
3 IKE Peer: 3.3.3.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
4 IKE Peer: 4.4.4.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
5 IKE Peer: 5.5.5.5
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
11-28-2014 04:55 AM
Type "user" usually indicates a Cisco VPN Client connection. The fact that these SAs aren't in an active state could indicate unauthorized users attempting to connect.
11-28-2014 05:13 PM
We have many IPsec VPN connection configurations with the same config, but only some of them show Type: user.
I find that when an IPsec connection is not in an active state, show isakmp sa shows Type: user.
Is this a default state?
I haven't found a detailed explanation in the CCO ASA documentation.
11-28-2014 06:32 PM
Are any of the addresses associated with the "user" SAs configured in your ASA's crypto maps?
11-28-2014 08:18 PM
Yes, all are configured in my ASA.
But all of my configurations are L2L type in the tunnel-group config.
I noticed that before the ISAKMP SA is MM_ACTIVE, in states such as MM_message_wait etc.,
the Type is always user; after the SA transitions to MM_ACTIVE, the SA Type changes to L2L.
It is fantastic.
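
The check discussed in this thread (are the peers behind the non-active "user" SAs actually configured on the ASA?) can be scripted. The following is an added example, not part of the original posts and not Cisco code: it parses show isakmp sa text in the layout shown above and separates non-active SAs for configured peers from those for unknown peers. The sample output and the configured-peer set are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout shown in this thread.
SAMPLE = """\
IKEv1 SAs:
1 IKE Peer: 1.1.1.1
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
2 IKE Peer: 2.2.2.2
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
3 IKE Peer: 3.3.3.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
"""

PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)", re.M)
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")

def parse_isakmp_sa(text):
    """Return one dict per SA with keys peer, type, role, rekey, state."""
    sas = []
    heads = list(PEER_RE.finditer(text))
    for i, head in enumerate(heads):
        # An SA's fields run from its "IKE Peer" line to the next one.
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        sa = {"peer": head.group(1)}
        sa.update({k.lower(): v for k, v in FIELD_RE.findall(text[head.end():end])})
        sas.append(sa)
    return sas

def triage(sas, configured_peers):
    """Split non-active SAs into (configured peers, unknown peers)."""
    negotiating, unknown = [], []
    for sa in sas:
        # MM_ACTIVE is the active state on this page; treating any other
        # *_ACTIVE state as active is an assumption of this example.
        if sa.get("state", "").endswith("_ACTIVE"):
            continue
        bucket = negotiating if sa["peer"] in configured_peers else unknown
        bucket.append(sa["peer"])
    return negotiating, unknown

if __name__ == "__main__":
    # Constructed peer list, standing in for the peers in the crypto maps.
    print(triage(parse_isakmp_sa(SAMPLE), {"1.1.1.1", "3.3.3.3"}))
```

Peers in the first list match the behaviour described in the last post (a configured L2L tunnel still negotiating); peers in the second list are the ones worth checking against the concern raised in the first reply.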