Cisco Support Community


Why does show isakmp sa show multiple ISAKMP key exchanges for the same peer?

I have a site-to-site VPN tunnel between a PIX 506e running 6.3(3) and an ASA 5510 running 9.0(3)6. I can control both sides of the config.

This tunnel worked fine until we did a firmware update on the ASA, which was originally running 8.4(2). I have 3 tunnels which terminate at our ASA with peer IPs that are on PIX 506e devices having issues, and I can't figure out why. I will focus on one tunnel in particular in hopes that someone can help me fix it, and I can try to apply the fix to the other two acting up.

The symptoms are as follows:

The tunnel will come up with Phase 1 and Phase 2. Everything will work fine for a variable amount of time, then the tunnel will drop. I see this over and over again in the logs of the ASA:

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel

If I go into the ASA and remove the crypto map and then re-add it, the tunnel comes back up and remains active for a variable amount of time once again. And when I say variable, I mean it can stay up and working for as long as half a day or as little as 15 min.

During the outage, if I do a show isakmp sa on the PIX I get the following:

pix# show isakmp sa
Total     : 6
Embryonic : 0
        dst               src        state     pending     created
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         115
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         254
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         123
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         108
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         224
   66.1x3.93.212   207.207.x.146    QM_IDLE         0         129


On the ASA, doing the same cmd will get me:

IKE Peer:
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

If I want to bring the tunnel back up right away, I can remove the crypto map from the ASA and then re-add it, and everything will work again for a bit. What should I be checking?

Is there some kind of difference I should now be aware of between the isakmp config on the PIX and ikev1 on the ASA? It was all working before when the ASA was on 8.4(2), and this is ONLY happening to my tunnels that are terminating on the PIX 506e devices running 6.3(3). That's a clue, I know, I just don't understand what I should be looking at to figure out how to fix it.
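Added example (not from the post, and not a Cisco tool): a small Python parser for the PIX 6.3 "show isakmp sa" layout shown above that groups SAs by (dst, src) peer pair and flags pairs holding more than one ISAKMP SA, which is what the six QM_IDLE rows for one peer indicate. The embedded sample output and the 192.0.2.x / 198.51.100.x addresses are constructed to mirror the post's format, not the poster's real peers.

```python
import re
from collections import Counter

# Constructed sample mirroring the PIX 6.3 "show isakmp sa" layout from the post,
# using documentation addresses instead of the poster's masked peers.
SAMPLE_PIX_OUTPUT = """\
pix# show isakmp sa
Total     : 6
Embryonic : 0
        dst               src        state     pending     created
   192.0.2.10      198.51.100.5    QM_IDLE         0         115
   192.0.2.10      198.51.100.5    QM_IDLE         0         254
   192.0.2.10      198.51.100.5    QM_IDLE         0         123
   192.0.2.10      198.51.100.5    QM_IDLE         0         108
   192.0.2.10      198.51.100.5    QM_IDLE         0         224
   192.0.2.10      198.51.100.5    QM_IDLE         0         129
"""

# One SA row: dst src state pending created (header/prompt/total lines do not match).
SA_LINE = re.compile(
    r"^\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<state>\S+)\s+(?P<pending>\d+)\s+(?P<created>\d+)\s*$"
)

def parse_isakmp_sa(output):
    """Return one dict per SA row; prompt, Total/Embryonic and header lines are skipped."""
    sas = []
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if m:
            row = m.groupdict()
            row["pending"] = int(row["pending"])
            row["created"] = int(row["created"])
            sas.append(row)
    return sas

def check_totals(output, sas):
    """Cross-check the parsed row count against the 'Total :' line (None if absent)."""
    m = re.search(r"^Total\s*:\s*(\d+)", output, re.MULTILINE)
    return None if m is None else int(m.group(1)) == len(sas)

def duplicate_peers(sas):
    """Map (dst, src) -> SA count for pairs with more than one ISAKMP SA.
    A healthy IKEv1 peer pair normally holds one SA (briefly two during a rekey),
    so higher counts point at SAs that were never torn down."""
    counts = Counter((sa["dst"], sa["src"]) for sa in sas)
    return {pair: n for pair, n in counts.items() if n > 1}

if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE_PIX_OUTPUT)
    for (dst, src), n in duplicate_peers(rows).items():
        print(f"{dst} <-> {src}: {n} ISAKMP SAs where 1 is expected")
```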
