View Security Association Time

Unanswered Question
May 14th, 2009

In the PIX 6.x code, one could type the following: sho crypto map

and receive output like:

Current peer: 192.168.0.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ cisco, }

Question: How does one view the same information in the PIX 7.x code? I am looking to view the actual Security association lifetime value...

thx,

Jim

pstebner10 Thu, 05/14/2009 - 11:32

Hey Jim-

Try this: "sh isakmp sa detail"

You'll get info like this:

IKE Peer: www.xxx.yyy.zzz
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 28750

HTH,

Paul

cdcjim2877 Thu, 05/14/2009 - 23:21

Paul,

Is the Auth: preshared Lifetime: 86400 the same as the SA time?

The reason I ask is that in the 6.3 code, ISAKMP time is 86400, however the SA time is something different. I am having an issue with SA time discrepancy between my PIX (7.2.4 code) and my vpnsm (6500), and I want to make sure that the SA time values are the same. Currently on the 6500 vpnsm, the SA time is 460800 Kb/3600 sec...

thx,

Jim

pstebner10 Fri, 05/15/2009 - 10:06

Jim-

There are 2 SAs - There's an IKE (Phase 1) SA and there is an IPSec (phase 2) SA. The one shown above is the time for the phase 1 SA. I believe that you are looking for the phase 2 SA time.

It's not as pretty looking as the command above, but if you do a "sh ipsec sa map "

You'll get a ton of information, but included in it will be something like this:

inbound esp sas:
  spi: 0xBF7A83D6 (3212477398)
     transform: esp-3des esp-sha-hmac no compression
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 72687616, crypto-map: mymap
     sa timing: remaining key lifetime (kB/sec): (4373964/16578)
     IV size: 8 bytes
     replay detection support: Y

It doesn't give you the settings, but it does tell you the remaining kB/sec, from which you should be able to extrapolate the original values. The above was 460800/28800

HTH,

Paul
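
A small parser for the two outputs Paul quoted, added here as an example and not part of the thread: it pulls the Phase 1 and Phase 2 lifetimes out of constructed sample output and checks whether the remaining Phase 2 lifetime is even possible under the peer's configured values. The sample text and the peer's 460800 kB / 3600 sec figures are taken from the thread; the function names are my own.

```python
import re
# Constructed sample output, in the form of the `show isakmp sa detail` and
# `show ipsec sa` excerpts quoted above (peer address redacted as it is there).
ISAKMP_SA_DETAIL = """\
IKE Peer: www.xxx.yyy.zzz
    Type    : user            Role    : responder
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 28750
"""
IPSEC_SA = """\
    inbound esp sas:
      spi: 0xBF7A83D6 (3212477398)
         transform: esp-3des esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373964/16578)
"""

def parse_phase1(text):
    """Return (configured_sec, remaining_sec) of the IKE (Phase 1) SA."""
    conf = re.search(r"\bLifetime:\s*(\d+)", text)
    rem = re.search(r"Lifetime Remaining:\s*(\d+)", text)
    if not (conf and rem):
        raise ValueError("no IKE SA lifetime in output")
    return int(conf.group(1)), int(rem.group(1))

def parse_phase2(text):
    """Return [(spi, remaining_kb, remaining_sec), ...] per IPsec (Phase 2) SA."""
    sas, spi = [], None
    for line in text.splitlines():
        m = re.search(r"\bspi:\s*(0x[0-9A-Fa-f]+)", line)
        if m:
            spi = m.group(1)  # remember the SA the next timing line belongs to
        m = re.search(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)", line)
        if m and spi:
            sas.append((spi, int(m.group(1)), int(m.group(2))))
    return sas

def lifetime_mismatches(remaining_kb, remaining_sec, peer_kb, peer_sec):
    """A remaining lifetime larger than the peer's configured lifetime proves the
    two sides did not negotiate that value; return one message per such field."""
    problems = []
    if remaining_sec > peer_sec:
        problems.append(f"{remaining_sec}s remaining > peer lifetime {peer_sec}s")
    if remaining_kb > peer_kb:
        problems.append(f"{remaining_kb}kB remaining > peer lifetime {peer_kb}kB")
    return problems

if __name__ == "__main__":
    print("Phase 1 (configured, remaining):", parse_phase1(ISAKMP_SA_DETAIL))
    for spi, kb, sec in parse_phase2(IPSEC_SA):
        # Peer values as Jim quoted for the 6500 vpnsm: 460800 kB / 3600 sec
        print(spi, lifetime_mismatches(kb, sec, 460800, 3600))
```

With the thread's numbers both fields are flagged, since 16578 seconds cannot remain on an SA negotiated with a 3600 second lifetime.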

cdcjim2877 Fri, 05/15/2009 - 14:16

Thank you for the clarification Paul. It has been most helpful.

Jim
