PIX 525 6.3 VPN "sh crypto isakmp sa" question

Jul 10th, 2007
If you issue the "sh crypto isakmp sa" command, what determines whether the tunnel shows up in the list?

For example:

When I issue this command, I see some as QM_IDLE and


But I have one tunnel that just gets dropped from the list.

Does this mean there is no peer connectivity?

Or if I have my end configured correctly and there is no peer connectivity or traffic and the lifetime of the tunnel expires with no traffic, does it get dropped from the list completely?

Jon Marshall Tue, 07/10/2007 - 04:34
QM_IDLE means phase 1 of the IPSEC tunnel setup has established successfully. Anything else, e.g. MM_ACTIVE, MM_NO_STATE, means that the tunnel has not established successfully.

When the tunnel disappears from your list, are you saying you still have an active IPSEC tunnel? Usually if it isn't there in the list it means it is not established.

It will get dropped if there is no peer connectivity, or if the lifetime expires and there is no traffic, it will terminate the tunnel.



wilson_1234_2 Tue, 07/10/2007 - 07:37
Thanks for the reply,

That is what I was looking for.

I figured that if everything was configured correctly and the peer was available and it was configured correctly, there was no traffic.

I was thinking the lifetime has expired and it was removed from the list.

