Multiple isakmp SA's to the same peer

ron_brewer
Level 1

Has anyone run across the situation where you see multiple phase 1 tunnels in QM_IDLE going to the same peer? We have a VPN configured between a 3745 and a customer's Watchguard firewall. Traffic across the tunnel works fine, but I'm seeing a new phase 1 SA created every few minutes. After a couple of hours it gets up to around 40 ISAKMP SAs. Since the phase 1 lifetime is 24 hours, all these SAs keep piling up. I've verified the phase 2 lifetimes between the two IPsec peers match, and we see normal IPsec tunnels with the "sh crypto ipsec sa" command. The Watchguard just shows one ISAKMP SA connection. We already have a project in place to replace the Watchguard with a PIX-515, but I'm just curious if the condition we are in has been seen by others or if I should just consider it a vendor issue between Cisco and this old Watchguard.

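The symptom above (many QM_IDLE phase 1 SAs to one peer) is easy to miss on a busy router unless something counts them. As an added example, not code from the thread or from Cisco, here is a small parser that reads the tabular output of an IOS "show crypto isakmp sa" command, counts established (QM_IDLE) SAs per remote peer, and flags any peer with more than the single SA you would normally expect. The sample output, the addresses and the column layout are constructed approximations of that era's table format and are not taken from the poster's router; the local address passed to the functions is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample approximating an IOS "show crypto isakmp sa" table
# (dst, src, state, conn-id, slot). Addresses are documentation ranges,
# not the thread's real peers.
SAMPLE_OUTPUT = """\
dst             src             state          conn-id slot
203.0.113.10    198.51.100.1    QM_IDLE             1    0
203.0.113.10    198.51.100.1    QM_IDLE             2    0
203.0.113.10    198.51.100.1    QM_IDLE             3    0
203.0.113.20    198.51.100.1    QM_IDLE             4    0
203.0.113.30    198.51.100.1    MM_NO_STATE         5    0
"""

# One data row: two addresses, a state keyword, then two integer columns.
# The header line does not match because "conn-id" and "slot" are not digits.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        dst, src, state, conn_id, slot = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "slot": int(slot)})
    return rows


def count_established(rows, local_addr):
    """Count QM_IDLE (phase 1 complete) SAs per remote peer.

    The router lists its own address as src when it initiated the SA and
    as dst when it responded, so the peer is whichever column is not local.
    """
    counts = Counter()
    for r in rows:
        if r["state"] != "QM_IDLE":
            continue
        peer = r["dst"] if r["src"] == local_addr else r["src"]
        counts[peer] += 1
    return counts


def find_duplicate_peers(rows, local_addr, expected=1):
    """Peers holding more established phase 1 SAs than expected (normally one)."""
    return {peer: n for peer, n in count_established(rows, local_addr).items()
            if n > expected}


if __name__ == "__main__":
    sa_rows = parse_isakmp_sa(SAMPLE_OUTPUT)
    for peer, n in find_duplicate_peers(sa_rows, "198.51.100.1").items():
        print(f"peer {peer}: {n} QM_IDLE SAs (expected 1)")
```

Fed the real command output (for example via a scheduled SSH collection), the same check gives an early warning well before the SA count reaches the ~40 described above, and it also separates genuinely duplicated established SAs from transient MM_* negotiation states that are normal to see briefly.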
1 Reply

b.speltz
Level 4

While processing initial contact notify messages, the PIX does not delete duplicate ISAKMP SAs with the peer. This vulnerability can be exploited to initiate a Man-In-The-Middle attack for VPN sessions to the PIX.

http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml
