I am having a lot of trouble with an IPSec site-to-site between an ASA and an ISA server. The tunnel is established and can work for hours but, I think, when the IKE/IPSec SAs re-negotiate there can be a dropout. I have tried deleting all IKE and IPSec SAs (clear crypto ipsec/isakmp ...) at both ends and the tunnel then re-negotiates without a problem. However, when I look at active SAs there is 1 active IKE SA but 2 active IPSec SAs... Is this normal? Could this be causing a problem when the SAs time out and try to renegotiate? I am very new to this so any help would be much appreciated.
The SAs used in phase 2, i.e. what you call the IPSec SAs, are unidirectional. So to establish two-way communication between two devices you need two SAs. So this is normal behaviour.
Sounds like what may be happening is that one end times out but the other end doesn't. The end that has timed out tries to renegotiate but the other end rejects it because as far as it is concerned the tunnel is still up. Perhaps your timers for tunnel establishment/teardown do not match on both devices.
IPSec can be very picky between different vendor devices. In addition to Cisco's site you may want to visit Microsoft's site and look for ISA to PIX/ASA configurations. If I get time later I'll have a look, but both Cisco's and Microsoft's sites have a lot of good resources.
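To make the two points in the reply above concrete (one inbound plus one outbound phase 2 SA per peer is the normal steady state, and a lifetime mismatch shows up as extra or missing SAs around rekey time), here is an added example that is not part of the original thread. It parses the `inbound esp sas:` / `outbound esp sas:` blocks of an ASA `show crypto ipsec sa` listing, pairs the SAs per peer and flags anything other than exactly one per direction. The two listings embedded in it are constructed samples, not output from the poster's device; the peer addresses, SPIs and lifetimes are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `show crypto ipsec sa` output on an ASA, trimmed to the
# fields this check needs. Steady state: one inbound and one outbound ESP SA.
SAMPLE_STEADY = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         sa timing: remaining key lifetime (kB/sec): (4373999/27012)
    outbound esp sas:
      spi: 0x5E6F7A8B (1584691851)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         sa timing: remaining key lifetime (kB/sec): (4374000/27012)
"""

# Constructed sample of the same peer with a second inbound SA, the picture you
# get mid-rekey or when the far end installed a new SA and the old one never went.
SAMPLE_STALE = SAMPLE_STEADY.replace(
    "    outbound esp sas:",
    "      spi: 0x9C9C9C9C (2627509404)\n"
    "         sa timing: remaining key lifetime (kB/sec): (4374000/3599)\n"
    "    outbound esp sas:",
)

PEER_RE = re.compile(r"current_peer:\s*([0-9A-Fa-f.:]+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")


def parse_ipsec_sas(text):
    """Return {peer: {"inbound": [sa, ...], "outbound": [sa, ...]}} where each
    sa is {"spi", "kb_left", "sec_left"}. Tracks the current peer and the
    current direction block as it walks the listing line by line."""
    sas = defaultdict(lambda: {"inbound": [], "outbound": []})
    peer = direction = current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer, direction, current = m.group(1), None, None
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = SPI_RE.match(line)
        if m and peer and direction:
            current = {"spi": m.group(1).lower(), "kb_left": None, "sec_left": None}
            sas[peer][direction].append(current)
            continue
        m = LIFE_RE.search(line)
        if m and current is not None:
            current["kb_left"], current["sec_left"] = int(m.group(1)), int(m.group(2))
    return dict(sas)


def check_sa_pairs(sas, tolerance_sec=60):
    """One inbound + one outbound SA per peer is normal. More than one in a
    direction means a rekey is in flight or an old SA was never torn down; zero
    means that direction is gone. Returns a list of (peer, status) strings."""
    findings = []
    for peer, dirs in sas.items():
        n_in, n_out = len(dirs["inbound"]), len(dirs["outbound"])
        if n_in != 1 or n_out != 1:
            findings.append((peer, "check: %d inbound / %d outbound SAs" % (n_in, n_out)))
            continue
        sec_in = dirs["inbound"][0]["sec_left"]
        sec_out = dirs["outbound"][0]["sec_left"]
        if sec_in is not None and sec_out is not None and abs(sec_in - sec_out) > tolerance_sec:
            findings.append((peer, "ok, but lifetimes differ by %ds" % abs(sec_in - sec_out)))
        else:
            findings.append((peer, "ok"))
    return findings


if __name__ == "__main__":
    for label, sample in (("steady", SAMPLE_STEADY), ("stale", SAMPLE_STALE)):
        print(label, check_sa_pairs(parse_ipsec_sas(sample)))
```

Run it against a real `show crypto ipsec sa` capture from the ASA side to confirm the "2 active IPSec SAs" really are one inbound and one outbound for the same peer; if you instead see two in one direction with very different remaining lifetimes, that is the point at which to compare the phase 2 lifetime (seconds and kB) configured on the ASA crypto map with the one set on the ISA server's IPsec policy.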
I have attached the oakley.log starting just before the tunnel went down and finishing just after the tunnel came back up, without intervention of any kind... I realise it is a lot to look through but if anybody can see what is happening while it is down it would be a great help. As I said, I am very new to all this.