PIX 525 6.3 VPN "sh crypto isakmp sa" question

Unanswered Question
Jul 10th, 2007

If you issue the "sh crypto isakmp sa" command, what determines whether the tunnel shows up in the list?

For example:

When I issue this command, I see some as QM_IDLE and MM_NO_STATE,

But I have one tunnel that just gets dropped from the list.

Does this mean there is no peer connectivity?

Or if I have my end configured correctly and there is no peer connectivity or traffic and the lifetime of the tunnel expires with no traffic, does it get dropped from the list completely?

Jon Marshall Tue, 07/10/2007 - 04:34

Hi

QM_IDLE means phase 1 of the IPSEC tunnel setup has established successfully. Anything else, e.g. MM_ACTIVE, MM_NO_STATE, means that the tunnel has not established successfully.

When the tunnel disappears from your list, are you saying you still have an active IPSEC tunnel? Usually if it isn't there in the list it means it is not established.

It will get dropped if there is no peer connectivity or if the lifetime expires and there is no traffic it will terminate the tunnel.

HTH

Jon

wilson_1234_2 Tue, 07/10/2007 - 07:37

Thanks for the reply,

That is what I was looking for.

I figured that if everything was configured correctly and the peer was available and it was configured correctly, there was no traffic.

I was thinking the lifetime has expired and it was removed from the list.
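The check discussed in this thread can be scripted for monitoring. The following is an added example, not part of the original posts: it parses "sh crypto isakmp sa" output and reports, for each expected peer, whether it is listed as QM_IDLE, listed in another state, or missing from the list. The sample output, its column layout, the peer inventory and all function names are assumptions made for illustration.

```python
import re

# Constructed sample, assuming the column layout PIX 6.3 prints for
# "sh crypto isakmp sa"; addresses are documentation ranges, not real peers.
SAMPLE_OUTPUT = """\
Total     : 2
Embryonic : 1
        dst               src        state     pending     created
   192.0.2.10    198.51.100.1    QM_IDLE         0           1
   198.51.100.1    192.0.2.20    MM_NO_STATE     0           0
"""

# Hypothetical inventory of peers that should have a tunnel to this firewall.
EXPECTED_PEERS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+([A-Z_]+)\s+\d+\s+\d+\s*$")


def parse_sa_table(text):
    """Return {address: state} for every dst and src address in the table."""
    states = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and counter lines do not match and are skipped
            dst, src, state = m.groups()
            states[dst] = state
            states[src] = state
    return states


def tunnel_report(text, expected_peers):
    """Classify each expected peer the way the thread reads the output."""
    states = parse_sa_table(text)
    report = {}
    for peer in expected_peers:
        state = states.get(peer)
        if state is None:
            # Not listed: no ISAKMP SA exists (no peer connectivity, or the
            # lifetime expired and no traffic has brought the tunnel back).
            report[peer] = "no-sa"
        elif state == "QM_IDLE":
            report[peer] = "phase1-up"
        else:
            report[peer] = f"not-established ({state})"
    return report


if __name__ == "__main__":
    for peer, status in tunnel_report(SAMPLE_OUTPUT, EXPECTED_PEERS).items():
        print(f"{peer:15} {status}")
```

A peer reported as "no-sa" is the case asked about in the question: the entry is absent rather than stuck in a negotiation state.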
