New Member

ASA ipsec SA has not been recreated

Hello,

I hope someone has met this issue and found a solution.

We have two sites with an ASA 5520 in each. We use IPsec L2L between the sites. My problem is that after upgrading to 8.2 an interesting and pesky problem arose. After the SA expires, it remains active on the appliances and no new SA is created. If I clear the IPsec SAs between the peers, everything starts working.

This is a snippet from the output of sh cryp ips sa:

outbound esp sas:
  spi: 0x4B9D1295 (1268585109)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, PFS Group 2, }
     slot: 0, conn_id: 1597440, crypto-map: vpls_map
     sa timing: remaining key lifetime (kB/sec): (0/232515)
     IV size: 8 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000001

As we can see, the kB entry is 0. On the other device this is the same for the inbound SA.

After upgrading I turned on 'sysopt connection preserve-vpn-flows'. Maybe this could be the problem. Anyway, it seems to be a bug in my opinion. Has anyone met this problem?

Thanks!!!
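The symptom in the post is visible in the 'show crypto ipsec sa' output: an SA whose remaining kB lifetime has reached 0 is still installed instead of having been replaced by a rekeyed SA. The following parser, added here as an illustration and not part of the original post or of any Cisco tool, reads that output and flags such exhausted-but-present SAs so the condition can be caught by monitoring before a tunnel silently stops passing traffic. The sample text is constructed from the snippet in the post; the inbound SA and its SPI 0x1A2B3C4D are made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the ASA "show crypto ipsec sa" snippet in the post.
# The outbound SA is the one from the post; the inbound SA (SPI 0x1A2B3C4D) is invented.
SAMPLE_OUTPUT = """\
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1597440, crypto-map: vpls_map
         sa timing: remaining key lifetime (kB/sec): (4374000/232515)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x4B9D1295 (1268585109)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1597440, crypto-map: vpls_map
         sa timing: remaining key lifetime (kB/sec): (0/232515)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
"""


@dataclass
class EspSa:
    direction: str        # "inbound" or "outbound"
    spi: str              # hex SPI as printed by the ASA
    crypto_map: str
    kb_remaining: int     # volume lifetime left, in kB
    sec_remaining: int    # time lifetime left, in seconds

    def is_exhausted(self) -> bool:
        # The post's symptom: the volume lifetime hit 0 but the SA is still
        # installed, so no rekey replaced it.
        return self.kb_remaining == 0


DIRECTION_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
MAP_RE = re.compile(r"crypto-map:\s*(\S+)")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")


def parse_esp_sas(text: str) -> List[EspSa]:
    """Walk the CLI output and build one EspSa per 'spi:' block."""
    sas: List[EspSa] = []
    direction: Optional[str] = None
    cur: Optional[EspSa] = None
    for line in text.splitlines():
        m = DIRECTION_RE.match(line)
        if m:
            direction = m.group(1)   # all following SPIs belong to this direction
            continue
        m = SPI_RE.match(line)
        if m:
            cur = EspSa(direction or "unknown", m.group(1), "", -1, -1)
            sas.append(cur)
            continue
        if cur is None:
            continue                 # header lines before the first SA
        m = MAP_RE.search(line)
        if m:
            cur.crypto_map = m.group(1)
            continue
        m = TIMING_RE.search(line)
        if m:
            cur.kb_remaining = int(m.group(1))
            cur.sec_remaining = int(m.group(2))
    return sas


def find_stuck_sas(text: str) -> List[EspSa]:
    """Return SAs whose kB lifetime is exhausted yet are still present."""
    return [sa for sa in parse_esp_sas(text) if sa.is_exhausted()]


if __name__ == "__main__":
    for sa in find_stuck_sas(SAMPLE_OUTPUT):
        print(f"{sa.direction} SA {sa.spi} on {sa.crypto_map}: kB lifetime exhausted "
              f"but SA still installed ({sa.sec_remaining}s left) - rekey may have failed")
```

Run against a saved copy of the command output (or the text returned over SSH by a polling script), this reports the outbound SA from the post as stuck while the healthy inbound SA is left alone. An SA briefly at 0 kB is not by itself proof of a fault, since a rekeyed SA normally appears beside the old one before the old one is removed; the check is meant as an alert to look at the tunnel, not as a verdict.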

2 REPLIES
Silver

Re: ASA ipsec SA has not been recreated

Initiate a ping, and only then will the IPsec SA between inside hosts be created.

Please make sure you are hitting this bug: CSCsu58733, "L2TP IPSec ASA send ESP packet with using old SA pair".

New Member

Re: ASA ipsec SA has not been recreated

There was intensive traffic meanwhile, so a new SA should have been created. Now I tried turning off sysopt connection preserve-vpn-flows and it seems the problem went away. Maybe it is a bug related to this feature.
