Has anyone run across the situation where you see multiple phase 1 tunnels in QM_IDLE going to the same peer? We have a VPN configured between a 3745 and a customer's Watchguard firewall. Traffic across the tunnel works fine but I'm seeing a new phase 1 sa created every few minutes. After a couple of hours it gets up to around 40 isakmp SA's. Since the phase 1 lifetime is 24 hours all these SA's keep piling up. I've verified the phase 2 lifetimes between the two IPSEC peers match and we see normal IPSEC tunnels with the "sh crypto ipsec sa" command. The Watchguard just shows one isakmp SA connection. We already have a project in place to replace the Watchguard with a PIX-515 but I'm just curious if the condition we are in has been seen by others or if I should just consider it a vendor issue between Cisco and this old Watchguard.