Multiple ISAKMP SAs to the same peer

Has anyone run across the situation where you see multiple phase 1 tunnels in QM_IDLE going to the same peer? We have a VPN configured between a 3745 and a customer's Watchguard firewall. Traffic across the tunnel works fine, but I'm seeing a new phase 1 SA created every few minutes. After a couple of hours it gets up to around 40 ISAKMP SAs. Since the phase 1 lifetime is 24 hours, all these SAs keep piling up. I've verified the phase 2 lifetimes between the two IPSEC peers match, and we see normal IPSEC tunnels with the "sh crypto ipsec sa" command. The Watchguard just shows one ISAKMP SA connection. We already have a project in place to replace the Watchguard with a PIX-515, but I'm just curious if the condition we are in has been seen by others or if I should just consider it a vendor issue between Cisco and this old Watchguard.
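The symptom described in the post (many QM_IDLE entries for one peer pair) is easy to spot by hand with 3 SAs and hard to spot with 40 across several peers. The following script is an added example, not code from the original thread or from Cisco: it parses `show crypto isakmp sa` output and reports peer pairs holding more than one established phase 1 SA, which is the condition to alert on, since a healthy peer normally has one (two only briefly during rekey). The sample output, the addresses, the conn-ids and the column layout (dst, src, state, conn-id, slot, as in the classic IOS format) are constructed assumptions for this example; adjust the regex if your platform prints extra columns.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of "show crypto isakmp sa" output, modelled on the
# classic IOS column layout. Addresses and conn-ids are made up: three
# piled-up SAs to one peer, one normal peer, and one peer still negotiating.
SAMPLE_SHOW_ISAKMP_SA = """\
dst             src             state          conn-id slot
192.0.2.1       198.51.100.7    QM_IDLE              1    0
192.0.2.1       198.51.100.7    QM_IDLE              5    0
192.0.2.1       198.51.100.7    QM_IDLE              9    0
192.0.2.1       203.0.113.20    QM_IDLE              2    0
192.0.2.1       203.0.113.44    MM_NO_STATE          7    0
"""

# One SA row: two dotted-quad addresses, an upper-case state token, a conn-id.
SA_LINE = re.compile(
    r"^\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)"
)


def parse_isakmp_sa(text):
    """Return (dst, src, state, conn_id) for every SA row; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            rows.append((m["dst"], m["src"], m["state"], int(m["conn_id"])))
    return rows


def established_sa_counts(rows):
    """Count established (QM_IDLE) phase 1 SAs per (dst, src) peer pair."""
    counts = Counter()
    for dst, src, state, _ in rows:
        if state == "QM_IDLE":
            counts[(dst, src)] += 1
    return counts


def duplicate_peers(rows, threshold=1):
    """Peer pairs with more than `threshold` established SAs, mapped to their conn-ids.

    threshold=1 flags any pile-up; use 2 if you want to tolerate a rekey overlap.
    """
    ids = defaultdict(list)
    for dst, src, state, conn_id in rows:
        if state == "QM_IDLE":
            ids[(dst, src)].append(conn_id)
    return {pair: sorted(c) for pair, c in ids.items() if len(c) > threshold}


if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE_SHOW_ISAKMP_SA)
    for (dst, src), conn_ids in duplicate_peers(rows).items():
        print(f"{src} -> {dst}: {len(conn_ids)} established SAs, conn-ids {conn_ids}")
```

Run it against saved output from the router (for example `show crypto isakmp sa | tee` into a file, then read that file instead of the constructed sample); a peer pair that keeps appearing with a growing conn-id list is the one whose rekey or initial-contact handling deserves a look on both ends.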

1 REPLY

Re: Multiple ISAKMP SAs to the same peer

While processing initial contact notify messages, the PIX does not delete duplicate ISAKMP SAs with the peer. This vulnerability can be exploited to initiate a Man-In-The-Middle attack for VPN sessions to the PIX.

http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml
