Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Are these entries disruptive to active L2L & RA tunnels in session?

We need to add these lines into our ASA to adapt a cloud service tunnel. And those first two lines are not in the current ASA configuration.

Can anyone help me understand this impact to L2L tunnels which are in session? I assume they're defaulting to AUTO and not to ADDRESS.

Does this alter future behavior of all SA with P1 and P2?


crypto isakmp identity address

crypto isakmp enable <outside_interface>

crypto isakmp policy 222

  encryption aes

  authentication pre-share

  group 2

  lifetime 28800

  hash sha


Are these entries disruptive to active L2L & RA tunnels in sessi

The "crypto isakmp identity address" is the default mode of operation and means that the ASA identifies itself towards other IPsec peer with it's IP address within the layer 7 of isakmp.

It should be safe to go without it.

The "crypto isakmp enable outside" is neccessary to process ike/isakmp

It should be save to enable ike/isakmp.

It just occurst to me: maybe you have a version which supports a new syntax... what ASA version are you running? Maybe the config snippet you received to include is intended for an older ASA version.

Could you post your (sanitized!) config snippet to be added and your (sanitized!) exisiting vpn config including version?

New Member

Are these entries disruptive to active L2L & RA tunnels in sessi ASA version is 9.1

So, if I have many other active IKE/ISAKMP tunnels working solid then it seems this statement CRYPTO ISAKMP POLICY 222 can proceed without needing those other two lines.

My biggest concern is adding those two lines and it then disconnects active tunnels.

Super Bronze

Are these entries disruptive to active L2L & RA tunnels in sessi


Since you are using a very new version of the ASA software that means you probably have this configured

crypto ikev1 enable outside

Instead of the command you mentioned. That is the old format as "m.kafka" stated above.

If you DID NOT have the above command no IPsec VPN connection could work even before the addiotion of a new policy.

You can get the output of the main Crypto configurations with the following command

show run crypto

Regarding the new policy, to my understanding the ASA doesnt tie any specific ISAKMP Policy to a certain L2L VPN negotiation but sends all the policys that it has configured and the VPN peers will go through them and find the match. So I don't see that this addiotion should affect anything existing.

Naturally if you want to play it safe you should add the "crypto ikev1 policy 222" with a number that is HIGHER VALUE than any existing policy configured on the ASA. That is unless the value 222 is already higher than anything existing on the ASA. This should mean that it would be used instead of some previous policy you have configured on the ASA.

- Jouni

CreatePlease login to create content