Why does show isakmp sa show multiple ISAKMP key exchanges for the same peer?
I have a site-to-site VPN tunnel between a PIX 506e running 6.3(3) and an ASA 5510 running 9.0(3)6. I can control both sides of the config.
This tunnel worked fine until we did a firmware update on the ASA, which was originally running 8.4(2). I have 3 tunnels that terminate at our ASA with peer IPs on PIX 506e devices having issues and I can't figure out why. I will focus on one tunnel in particular in hopes that someone can help me fix it, and I can try to apply the fix to the other two that are acting up.
The symptoms are as follows:
The tunnel will come up with Phase 1 and Phase 2. Everything will work fine for a variable amount of time, then the tunnel will drop. I see this over and over again in the logs of the ASA:
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel
If I go into the ASA, remove the crypto map and then re-add it, the tunnel comes back up and remains active for a variable amount of time once again. And when I say variable, I mean it can stay up and working for as long as half a day or as little as 15 minutes.
During the outage, if I do a show isakmp sa on the PIX I get the following:
pix# show isakmp sa
Total     : 6
Embryonic : 0
        dst               src          state     pending     created
    66.1x3.93.212   207.207.x.146    QM_IDLE         0           115
    66.1x3.93.212   207.207.x.146    QM_IDLE         0           254
    66.1x3.93.212   207.207.x.146    QM_IDLE         0           123
    66.1x3.93.212   207.207.x.146    QM_IDLE         0           108
    66.1x3.93.212   207.207.x.146    QM_IDLE         0           224
    66.1x3.93.212   207.207.x.146    QM_IDLE         0           129
On the ASA, doing the same command gets me:
IKE Peer: 22.214.171.124
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
If I want to bring the tunnel back up right away, I can remove the crypto map from the ASA and then re-add it and everything will work again for a bit. What should I be checking?
Is there some kind of difference I should now be aware of between the isakmp config on the PIX and ikev1 on the ASA? It was all working before when the ASA was on 8.4(2), and this is ONLY happening to my tunnels that terminate on the PIX 506e devices running 6.3(3). That's a clue, I know; I just don't understand what I should be looking at to figure out how to fix it.
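A small parser and cross-check for the two outputs quoted in the question, added here as an example; it is not part of the original post and not a Cisco tool. It assumes the column layout shown above (PIX 6.3: dst, src, state, pending, created; ASA 9.x: IKE Peer / Type / Role / Rekey / State), treats QM_IDLE and MM_ACTIVE as the "Phase 1 complete" states on the PIX and ASA respectively, and uses constructed documentation addresses in place of the redacted peers.

```python
import re
from collections import defaultdict

# Constructed sample output. The layout follows the PIX 6.3 and ASA 9.x
# "show isakmp sa" output quoted in the question; the addresses are from
# documentation ranges (RFC 5737), not real peers. In the PIX table the ASA
# (the IKE initiator) appears as src and the PIX itself as dst.
PIX_OUTPUT = """\
Total     : 6
Embryonic : 0
        dst               src          state     pending     created
    203.0.113.10    198.51.100.5     QM_IDLE         0           115
    203.0.113.10    198.51.100.5     QM_IDLE         0           254
    203.0.113.10    198.51.100.5     QM_IDLE         0           123
    203.0.113.10    198.51.100.5     QM_IDLE         0           108
    203.0.113.10    198.51.100.5     QM_IDLE         0           224
    203.0.113.10    198.51.100.5     QM_IDLE         0           129
"""

ASA_OUTPUT = """\
IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# States in which IKEv1 Phase 1 is complete: QM_IDLE on PIX/IOS, MM_ACTIVE on ASA.
ESTABLISHED_STATES = {"QM_IDLE", "MM_ACTIVE"}

# One PIX table row: dst src state pending created (the header row has
# non-numeric trailing columns and therefore does not match).
_PIX_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

# One ASA peer block; \s+ spans the line breaks of the multi-line layout.
_ASA_PEER = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s+Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)"
    r"\s+Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)"
)


def parse_pix_isakmp_sa(text):
    """Return one dict per ISAKMP SA row in PIX 6.3 'show isakmp sa' output."""
    sas = []
    for line in text.splitlines():
        m = _PIX_ROW.match(line)
        if not m:
            continue
        dst, src, state, pending, created = m.groups()
        sas.append({"dst": dst, "src": src, "state": state,
                    "pending": int(pending), "created": int(created)})
    return sas


def parse_asa_isakmp_sa(text):
    """Return one dict per 'IKE Peer' block in ASA 9.x 'show isakmp sa' output."""
    return [m.groupdict() for m in _ASA_PEER.finditer(text)]


def duplicate_phase1_sas(sas):
    """Map (dst, src) -> count for every peer pair holding more than one Phase 1 SA.

    A healthy IKEv1 peering normally holds a single ISAKMP SA (two briefly
    during rekey), so several QM_IDLE entries for one pair is the symptom
    worth alerting on."""
    by_pair = defaultdict(int)
    for sa in sas:
        by_pair[(sa["dst"], sa["src"])] += 1
    return {pair: n for pair, n in by_pair.items() if n > 1}


def correlate(pix_sas, asa_peers):
    """Cross-check both sides: flag peers where the ASA has not completed Phase 1
    while the PIX still holds established SAs for the same address pair."""
    findings = []
    for entry in asa_peers:
        peer = entry["peer"]
        matching = [sa for sa in pix_sas if peer in (sa["dst"], sa["src"])]
        established_on_pix = [sa for sa in matching if sa["state"] in ESTABLISHED_STATES]
        findings.append({
            "peer": peer,
            "asa_state": entry["state"],
            "pix_sa_count": len(matching),
            "asymmetric": entry["state"] not in ESTABLISHED_STATES and bool(established_on_pix),
        })
    return findings


if __name__ == "__main__":
    pix = parse_pix_isakmp_sa(PIX_OUTPUT)
    asa = parse_asa_isakmp_sa(ASA_OUTPUT)
    print("duplicate Phase 1 SAs on PIX:", duplicate_phase1_sas(pix))
    for f in correlate(pix, asa):
        print(f)
```

Run against periodic captures of `show isakmp sa` from both boxes, the "asymmetric" finding (ASA initiator sitting in MM_WAIT_MSG2 while the PIX still holds several QM_IDLE SAs for the same pair) reproduces the state shown in the question, and the duplicate count shows whether stale SAs accumulate on the PIX before each drop rather than appearing only at the moment of failure.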