05-14-2009 01:50 AM
In the PIX 6.x code, one could type the following: sho crypto map
and receive output like:
Current peer: 192.168.0.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ cisco, }
Question: How does one view the same information in the PIX 7.x code? I am looking to view the actual Security association lifetime value...
thx,
Jim
05-14-2009 11:32 AM
Hey Jim-
Try this: "sh isakmp sa detail"
You'll get info like this:
IKE Peer: www.xxx.yyy.zzz
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 28750
HTH,
Paul
05-14-2009 11:21 PM
Paul,
Is the Auth: preshared Lifetime: 86400 the same as the SA time?
The reason I ask is that in the 6.3 code, ISAKMP time is 86400, however the SA time is something different. I am having an issue with SA time discrepancy between my PIX (7.2.4 code) and my vpnsm (6500), and I want to make sure that the SA time values are the same. Currently on the 6500 vpnsm, the SA time is 460800 Kb/3600 sec...
thx,
Jim
05-15-2009 10:06 AM
Jim-
There are 2 SAs - There's an IKE (Phase 1) SA and there is an IPSec (phase 2) SA. The one shown above is the time for the phase 1 SA. I believe that you are looking for the phase 2 SA time.
It's not as pretty looking as the command above, but if you do a "sh ipsec sa map
You'll get a ton of information, but included in it will be something like this:
inbound esp sas:
spi: 0xBF7A83D6 (3212477398)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 72687616, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4373964/16578)
IV size: 8 bytes
replay detection support: Y
It doesn't give you the settings, but it does tell you the remaining kB/sec, from which you should be able to extrapolate the original values. The above was 460800/28800
HTH,
Paul
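An added example, not part of the thread: a small parser for the phase 2 SA output quoted in the post above, which checks the remaining lifetime against the values a peer is expected to use. The function names are hypothetical, and the sample text is constructed in the layout of the post (the outbound SA is made up). Because the remaining lifetime only counts down, any remaining value larger than the expected lifetime shows the SA was set up with a longer lifetime than expected.

```python
import re

# Constructed sample in the layout shown in the post above; the inbound values
# are copied from it, the outbound SA is invented for the example.
SAMPLE = """\
    inbound esp sas:
      spi: 0xBF7A83D6 (3212477398)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373964/16578)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x11223344 (287454020)
         transform: esp-3des esp-sha-hmac no compression
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373970/16578)
"""

DIRECTION = re.compile(r"^\s*(inbound|outbound) \w+ sas:")
SPI = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
CRYPTO_MAP = re.compile(r"crypto-map: (\S+)")
TIMING = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")

def parse_sas(text):
    """Return one dict per SA with direction, spi, crypto map and remaining lifetime."""
    sas, direction, current = [], None, None
    for line in text.splitlines():
        if m := DIRECTION.match(line):
            direction = m.group(1)
        elif m := SPI.match(line):
            current = {"direction": direction, "spi": m.group(1)}
            sas.append(current)
        elif current is not None:
            if m := CRYPTO_MAP.search(line):
                current["crypto_map"] = m.group(1)
            if m := TIMING.search(line):
                current["remaining_kb"] = int(m.group(1))
                current["remaining_sec"] = int(m.group(2))
    return sas

def exceeds_expected(sas, expected_kb, expected_sec):
    # Remaining lifetime is a lower bound on the lifetime the SA started with,
    # so a remaining value above the expected lifetime proves a mismatch.
    return [sa["spi"] for sa in sas
            if sa.get("remaining_kb", 0) > expected_kb
            or sa.get("remaining_sec", 0) > expected_sec]
```

Checked against the vpnsm values quoted in the thread (460800 KB / 3600 sec), both sample SAs are flagged; a result of no SAs flagged does not prove the lifetimes match, only that the counters have not yet contradicted it.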
05-15-2009 02:16 PM
Thank you for the clarification Paul. It has been most helpful.
Jim