ASA 5505 Remote Access VPN becomes IKE initiator on re-key

I am using an ASA 5505, running version 8.2(1), as an IPSec RA VPN gateway. Remote access clients connect successfully and pass IP traffic through the ASA. The IPSec SAs are renegotiated correctly at expected intervals. When the IKE SA is about to expire, the ASA times out before the client and starts the IKE re-keying as the "initiator" rather than the responder. The clients (racoon and charon) are not configured as responders because we expect them to be initiators only.

According to the manual:

    In IPsec client-to-LAN connections, the security appliance functions only as responder.

Here is a log entry showing that the ASA is becoming the Initiator:

    5   Jul 16 2012 11:06:57    713041                  Username = XXX, IP = x.x.x.x, IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer x.x.x.x  local Proxy Address N/A, remote Proxy Address N/A,  Crypto map (N/A)

How can I prevent the ASA from changing roles?
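As an added example (not part of the original post), this Python code scans log lines of the shape quoted above for message 713041 and counts, per user and peer, how often the ASA logged itself as initiator of a Phase 1 rekey. The sample lines, usernames and addresses are constructed, and the field layout is assumed from the single line shown in the post.

```python
import re
from collections import Counter

# Column layout of the line quoted in the post: severity, date/time, message ID, text.
LINE_RE = re.compile(
    r"^\s*(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<text>.*)$"
)
# Fields of the 713041 text, assumed from the single line shown in the post.
TEXT_RE = re.compile(
    r"Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+), "
    r"IKE Initiator: (?P<action>[A-Za-z]+) Phase (?P<phase>\d), "
    r"Intf (?P<intf>[^,]+), IKE Peer (?P<peer>\S+)"
)

# Constructed sample lines (documentation addresses, made-up usernames).
TAIL = "  local Proxy Address N/A, remote Proxy Address N/A,  Crypto map (N/A)"
SAMPLE_LOG = [
    "5   Jul 16 2012 11:06:57    713041    Username = alice, IP = 192.0.2.10, "
    "IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 192.0.2.10" + TAIL,
    "5   Jul 16 2012 11:20:03    713041    Username = bob, IP = 198.51.100.7, "
    "IKE Initiator: Rekeying Phase 2, Intf outside, IKE Peer 198.51.100.7" + TAIL,
    "this line is not an ASA log entry",
    "5   Jul 16 2012 19:06:57    713041    Username = alice, IP = 192.0.2.10, "
    "IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 192.0.2.10" + TAIL,
    "5   Jul 17 2012 02:41:12    713041    Username = bob, IP = 198.51.100.7, "
    "IKE Initiator: Rekeying Phase 1, Intf outside, IKE Peer 198.51.100.7" + TAIL,
]

def initiator_rekeys(lines, phase="1"):
    """Return the events where the ASA logged itself as initiator of a rekey."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["msgid"] != "713041":
            continue  # not a log line, or a different message ID
        t = TEXT_RE.search(m["text"])
        if t and t["action"] == "Rekeying" and t["phase"] == phase:
            events.append({"time": m["ts"], "user": t["user"].strip(),
                           "peer": t["peer"], "intf": t["intf"].strip()})
    return events

def count_by_peer(events):
    """Count initiator rekeys per (username, peer address)."""
    return Counter((e["user"], e["peer"]) for e in events)

if __name__ == "__main__":
    for (user, peer), n in count_by_peer(initiator_rekeys(SAMPLE_LOG)).items():
        print(f"{user} @ {peer}: ASA initiated Phase 1 rekey {n} time(s)")
```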
