PIX 525 6.3 VPN "sh crypto isakmp sa" question

wilson_1234_2
Level 3

If you issue the "sh crypto isakmp sa" command, what determines whether the tunnel shows up in the list?

For example:

When I issue this command, I see some as QM_IDLE and MM_NO_STATE, but I have one tunnel that just gets dropped from the list.

Does this mean there is no peer connectivity?

Or if I have my end configured correctly and there is no peer connectivity or traffic and the lifetime of the tunnel expires with no traffic, does it get dropped from the list completely?

2 Replies

Jon Marshall
Hall of Fame

Hi

QM_IDLE means phase 1 of the IPSEC tunnel setup has established successfully. Anything else, e.g. MM_ACTIVE, MM_NO_STATE, means that the tunnel has not established successfully.

When the tunnel disappears from your list, are you saying you still have an active IPSEC tunnel? Usually if it isn't there in the list it means it is not established.

It will get dropped if there is no peer connectivity, or if the lifetime expires and there is no traffic it will terminate the tunnel.

HTH

Jon

Thanks for the reply,

That is what I was looking for.

I figured that if everything was configured correctly and the peer was available and it was configured correctly, there was no traffic.

I was thinking the lifetime has expired and it was removed from the list.
