Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
688
Views
0
Helpful
4
Replies

Crypto ISAKMP SA

Go to solution
navneet_78
Level 1
Level 1

‎12-23-2008 05:11 AM - edited ‎03-04-2019 12:48 AM

Hi All,

I have configured a tunnel between 2 sites. I had originally configured Diffie Hellman Group 1 on the ISAKMP policy on remote and Hub end.

I have changed the DH group to 2 now. I can see that the Tunnels and Eigrp are up still, and traffic is flowing across as well (getting encrypted etc ).

But, when I do a "Show crypto isakmp sa", I do not get any output. Does that mean there is no SA running between these 2 devices?? How can the tunnels be UP if there is no SA?

Appreciate your reply.

Cheers

Navneet

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎12-23-2008 06:17 AM

Navneet

There are perhaps 2 parts in the answer to your question.

1) there is an SA for ISAKMP and an SA for IPSec. Encryption of traffic uses the IPSec SA and not the ISAKMP SA. So it is possible that traffic is being encrypted because there is an IPSec SA while there may not be an ISAKMP SA.

2) an SA has a lifetime and then it expires. It is possible that there was an ISAKMP SA (which is required to negotiate the IPSec SA) and that the ISAKMP SA expired by the time you looked for it.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful
4 Replies 4

Go to solution
navneet_78
Level 1
Level 1

‎12-23-2008 06:16 AM

Appreciate if someone replies to the query above.

Thanks in advance

Regards

Navneet

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎12-23-2008 06:17 AM

Navneet

There are perhaps 2 parts in the answer to your question.

1) there is an SA for ISAKMP and an SA for IPSec. Encryption of traffic uses the IPSec SA and not the ISAKMP SA. So it is possible that traffic is being encrypted because there is an IPSec SA while there may not be an ISAKMP SA.

2) an SA has a lifetime and then it expires. It is possible that there was an ISAKMP SA (which is required to negotiate the IPSec SA) and that the ISAKMP SA expired by the time you looked for it.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
navneet_78
Level 1
Level 1
In response to Richard Burts

‎12-23-2008 06:28 AM

Hi rick,

Thanks for your reply!! I checked on the crypto ACLs and could see that the traffic count was increasing. Also, on the IPSEC SA, i could see the packets getting encrypted. So I guess, iam safe with the configs.

Thanks for your answer ;)

Cheers

Navneet

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to navneet_78

‎12-23-2008 06:35 AM

Navneet

Probably you are safe with the configs. But be aware that there is a possibility that the IPSec SAs were negotiated with the old setting in the config. You could wait a bit and see if the SA expires and a new SA gets negotiated. Or you could clear the crypto IPSec SAs, send some traffic, and verify that new SAs get negotiated.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card