a question about output of show isakmp sa

fly · ‎11-28-2014

I couldn't find any detail explanation of show isakmp sa output on ASA platform on CCO,

from ASA show isakmp sa, i can find some SA Type is user,some SAs type is l2l

all ipsec vpn configured type on this ASA is L2L, why the type of SA is user under some SA,

what is means of type is user?

thank you!

ASA# show isakmp sa

IKEv1 SAs:

Active SA: 5
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 5

1   IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
2   IKE Peer: 2.2.2.2
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
3   IKE Peer: 3.3.3.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
4   IKE Peer: 4.4.4.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 5.5.5.5
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ghostinthenet · ‎11-28-2014

Type "user" usually indicates a Cisco VPN Client connection. The fact that these SAs haven't aren't in an active state could indicate unauthorized users attempting to connect.

fly · ‎11-28-2014

we have many ipsec vpn connection configuration, same config, but only some of them showing Type: User,

I find when ipsec connection not in active state. show isakmp sa show Type:user.

is this a default state.

I haven't found detail explanation from CCO ASA document?

ghostinthenet · ‎11-28-2014

Are any of the addresses associated with the "user" SAs configured in your ASA's crypto maps?

fly · ‎11-28-2014

yes, all configured in my ASA.

But my all configuration are L2L type in tunnel-group config.

i noticed before isakmp SA MM_active, such as MM_mesage_wait etc.

the TYPE always is user , after SA transform to MM_active, SA Type change to l2l.

it is fantastics