Crypto ISAKMP SA

Answered Question
Dec 23rd, 2008

Hi All,

I have configured a tunnel between 2 sites. I had originally configured Diffie Hellman Group 1 on the ISAKMP policy on remote and Hub end.

I have changed the DH group to 2 now. I can see that the Tunnels and Eigrp are up still, and traffic is flowing across as well (getting encrypted etc ).

But, when I do a "Show crypto isakmp sa", I do not get any output. Does that mean there is no SA running between these 2 devices?? How can the tunnels be UP if there is no SA?

Appreciate your reply.

Cheers

Navneet

I have this problem too.
0 votes
Correct Answer by Richard Burts about 8 years 3 weeks ago

Navneet

There are perhaps 2 parts in the answer to your question.

1) there is an SA for ISAKMP and an SA for IPSec. Encryption of traffic uses the IPSec SA and not the ISAKMP SA. So it is possible that traffic is being encrypted because there is an IPSec SA while there may not be an ISAKMP SA.

2) an SA has a lifetime and then it expires. It is possible that there was an ISAKMP SA (which is required to negotiate the IPSec SA) and that the ISAKMP SA expired by the time you looked for it.

HTH

Rick

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
navneet_78 Tue, 12/23/2008 - 06:16

Appreciate if someone replies to the query above.

Thanks in advance

Regards

Navneet

Correct Answer
Richard Burts Tue, 12/23/2008 - 06:17

Navneet

There are perhaps 2 parts in the answer to your question.

1) there is an SA for ISAKMP and an SA for IPSec. Encryption of traffic uses the IPSec SA and not the ISAKMP SA. So it is possible that traffic is being encrypted because there is an IPSec SA while there may not be an ISAKMP SA.

2) an SA has a lifetime and then it expires. It is possible that there was an ISAKMP SA (which is required to negotiate the IPSec SA) and that the ISAKMP SA expired by the time you looked for it.

HTH

Rick

navneet_78 Tue, 12/23/2008 - 06:28

Hi rick,

Thanks for your reply!! I checked on the crypto ACLs and could see that the traffic count was increasing. Also, on the IPSEC SA, i could see the packets getting encrypted. So I guess, iam safe with the configs.

Thanks for your answer ;)

Cheers

Navneet

Richard Burts Tue, 12/23/2008 - 06:35

Navneet

Probably you are safe with the configs. But be aware that there is a possibility that the IPSec SAs were negotiated with the old setting in the config. You could wait a bit and see if the SA expires and a new SA gets negotiated. Or you could clear the crypto IPSec SAs, send some traffic, and verify that new SAs get negotiated.

HTH

Rick

Actions

This Discussion