just curious here if anyone knows if this is right or not. Today in the lab i was testing out tunnel mode ipsec on two 501 pix's. using ipsec crypto maps and isakmp negotiation. For some reason once we finally got it working the connections only stated as having 1 sa. I know the communication requires 2 in order to encrypt and decrypt properly, as the are unidirectional. Can anyone provide any help on this?