Crypto ISAKMP SA

Answered Question
Dec 23rd, 2008
Hi All,


I have configured a tunnel between 2 sites. I had originally configured Diffie-Hellman Group 1 on the ISAKMP policy on the remote and hub end.


I have changed the DH group to 2 now. I can see that the tunnels and EIGRP are still up, and traffic is flowing across as well (getting encrypted, etc.).


But, when I do a "show crypto isakmp sa", I do not get any output. Does that mean there is no SA running between these 2 devices? How can the tunnels be UP if there is no SA?


Appreciate your reply.



Cheers

Navneet


navneet_78 Tue, 12/23/2008 - 06:16
Appreciate if someone replies to the query above.


Thanks in advance


Regards

Navneet

Correct Answer
Richard Burts Tue, 12/23/2008 - 06:17
Navneet


There are perhaps 2 parts in the answer to your question.

1) there is an SA for ISAKMP and an SA for IPSec. Encryption of traffic uses the IPSec SA and not the ISAKMP SA. So it is possible that traffic is being encrypted because there is an IPSec SA while there may not be an ISAKMP SA.

2) an SA has a lifetime and then it expires. It is possible that there was an ISAKMP SA (which is required to negotiate the IPSec SA) and that the ISAKMP SA expired by the time you looked for it.


HTH


Rick

navneet_78 Tue, 12/23/2008 - 06:28
Hi Rick,


Thanks for your reply! I checked on the crypto ACLs and could see that the traffic count was increasing. Also, on the IPsec SA, I could see the packets getting encrypted. So I guess I am safe with the configs.


Thanks for your answer ;)


Cheers

Navneet

Richard Burts Tue, 12/23/2008 - 06:35
Navneet


Probably you are safe with the configs. But be aware that there is a possibility that the IPSec SAs were negotiated with the old setting in the config. You could wait a bit and see if the SA expires and a new SA gets negotiated. Or you could clear the crypto IPSec SAs, send some traffic, and verify that new SAs get negotiated.


HTH


Rick
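Added example, not part of the original thread: a small Python checker that applies the two points Rick makes (the ISAKMP SA and the IPsec SA are separate objects with separate lifetimes, and after a `clear crypto sa` you verify that a fresh IPsec SA is negotiated and passing traffic) to saved `show crypto isakmp sa` and `show crypto ipsec sa` output. All CLI text, addresses, SPIs and counters below are constructed for the example; the column layout follows typical IOS output, but the exact format is an assumption and the regular expressions may need adjusting for a given platform or software version.

```python
"""Added example (not from the original thread): check the two SA layers
that Rick's answer distinguishes, from saved 'show crypto isakmp sa' and
'show crypto ipsec sa' output. The CLI output below is constructed for
this example; its layout follows typical IOS output, but treat the exact
column format as an assumption and adjust the regexes for your platform."""
import re

# Constructed 'show crypto isakmp sa' output: one active Phase 1 (IKE) SA.
ISAKMP_WITH_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.2       192.0.2.1       QM_IDLE           1001 ACTIVE
"""

# Constructed output for Navneet's case: the ISAKMP SA has expired, so only
# the header is printed although the IPsec SA keeps carrying traffic.
ISAKMP_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
"""

# Constructed 'show crypto ipsec sa' excerpts taken a few seconds apart.
IPSEC_T0 = """\
   #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
   #pkts decaps: 1420, #pkts decrypt: 1420, #pkts verify: 1420
     inbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""
IPSEC_T1 = """\
   #pkts encaps: 1580, #pkts encrypt: 1580, #pkts digest: 1580
   #pkts decaps: 1497, #pkts decrypt: 1497, #pkts verify: 1497
     inbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""
# Constructed excerpt after 'clear crypto sa' plus a little traffic: new SPIs,
# counters restarted from zero.
IPSEC_AFTER_CLEAR = """\
   #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
   #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
     inbound esp sas:
      spi: 0x3B4C5D6E(994860398)
     outbound esp sas:
      spi: 0x9C0D1E2F(2618105391)
"""

ISAKMP_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def isakmp_sas(text):
    """Return one dict per ISAKMP SA row; the header never matches because
    its conn-id column is not numeric."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn_id), "status": status})
    return sas


def ipsec_counters(text):
    """Pull the encaps/decaps counters and the outbound ESP SPI."""
    encaps = re.search(r"#pkts encaps:\s*(\d+)", text)
    decaps = re.search(r"#pkts decaps:\s*(\d+)", text)
    spi = re.search(r"outbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)", text)
    return {
        "encaps": int(encaps.group(1)) if encaps else 0,
        "decaps": int(decaps.group(1)) if decaps else 0,
        "out_spi": spi.group(1) if spi else None,
    }


def assess(isakmp_text, ipsec_before, ipsec_after):
    """Combine both layers into the three facts the thread cares about:
    is there an IKE SA now, is the IPsec SA actually moving packets in both
    directions, and was the IPsec SA replaced (new SPI) between snapshots."""
    ike_active = any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"
                     for sa in isakmp_sas(isakmp_text))
    before, after = ipsec_counters(ipsec_before), ipsec_counters(ipsec_after)
    renegotiated = after["out_spi"] != before["out_spi"]
    if renegotiated:
        # Counters restart on a fresh SA, so only the new SA's own counts matter.
        forwarding = after["encaps"] > 0 and after["decaps"] > 0
    else:
        forwarding = (after["encaps"] > before["encaps"]
                      and after["decaps"] > before["decaps"])
    return {"ike_sa_active": ike_active,
            "ipsec_forwarding": forwarding,
            "ipsec_renegotiated": renegotiated}


if __name__ == "__main__":
    # Navneet's situation: no ISAKMP SA listed, yet IPsec counters still climb.
    print(assess(ISAKMP_EMPTY, IPSEC_T0, IPSEC_T1))
    # Rick's suggested check: after clearing, a new SA (new SPI) is passing traffic.
    print(assess(ISAKMP_WITH_SA, IPSEC_T1, IPSEC_AFTER_CLEAR))
```

The first call reproduces the situation in the question: an empty ISAKMP table together with rising encaps and decaps counters is consistent, because the IPsec SA outlives the ISAKMP SA that negotiated it. The second call is the check Rick recommends: a changed outbound SPI with non-zero counters on it shows that a new IPsec SA was negotiated after the clear, and because that negotiation needs a fresh ISAKMP SA, it also used the current ISAKMP policy. Where the platform supports it, `show crypto isakmp sa detail` lists the negotiated parameters of that new ISAKMP SA, which is the direct way to confirm the DH group now in use.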
