05-14-2009 01:50 AM
In the PIX 6.x code, one could type the following: sho crypto map
and receive output like:
Current peer: 192.168.0.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ cisco, }
Question: How does one view the same information in the PIX 7.x code? I am looking to view the actual Security association lifetime value...
thx,
Jim
05-14-2009 11:32 AM
Hey Jim-
Try this: "sh isakmp sa detail"
You'll get info like this:
IKE Peer: www.xxx.yyy.zzz
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 28750
HTH,
Paul
05-14-2009 11:21 PM
Paul,
Is the Auth: preshared Lifetime: 86400 the same as the SA time?
The reason I ask is that in the 6.3 code, ISAKMP time is 86400, however the SA time is something different. I am having an issue with SA time discrepancy between my PIX (7.2.4 code) and my vpnsm (6500), and I want to make sure that the SA time values are the same. Currently on the 6500 vpnsm, the SA time is 460800 Kb/3600 sec...
thx,
Jim
05-15-2009 10:06 AM
Jim-
There are 2 SAs - There's an IKE (Phase 1) SA and there is an IPSec (phase 2) SA. The one shown above is the time for the phase 1 SA. I believe that you are looking for the phase 2 SA time.
It's not as pretty looking as the command above, but if you do a "sh ipsec sa map
You'll get a ton of information, but included in it will be something like this:
inbound esp sas:
spi: 0xBF7A83D6 (3212477398)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 72687616, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4373964/16578)
IV size: 8 bytes
replay detection support: Y
It doesn't give you the settings, but it does tell you the remaining kB/sec, from which you should be able to extrapolate the original values. The above was 460800/28800
HTH,
Paul
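The extrapolation described in the reply above, as an added example that is not part of the original posts: it parses the quoted "sa timing" output and rules out any candidate lifetime smaller than what is still remaining. The sample text is constructed from the excerpt in the thread, and the candidate lifetimes and all function names are assumptions made for illustration.

```python
import re

# Constructed input: the "inbound esp sas" excerpt quoted in the post above.
SAMPLE = """\
inbound esp sas:
spi: 0xBF7A83D6 (3212477398)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 72687616, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4373964/16578)
IV size: 8 bytes
replay detection support: Y
"""

# Candidate (kB, sec) lifetimes mentioned in the thread, used as assumptions.
CANDIDATES = {
    "4608000 kB / 28800 sec": (4608000, 28800),
    "460800 kB / 3600 sec": (460800, 3600),
}

DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:", re.I)
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
MAP_RE = re.compile(r"crypto-map:\s*(\S+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

def parse_sas(text):
    """Return one dict per SA found in 'sh ipsec sa' style output."""
    sas, direction = [], None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            direction = m.group(1).lower()
        elif m := SPI_RE.match(line):
            sas.append({"direction": direction, "spi": m.group(1),
                        "crypto_map": None, "remaining": None})
        elif sas:  # attribute lines belong to the most recent spi
            if m := MAP_RE.search(line):
                sas[-1]["crypto_map"] = m.group(1)
            if m := LIFE_RE.search(line):
                sas[-1]["remaining"] = (int(m.group(1)), int(m.group(2)))
    return sas

def possible_lifetimes(sa, candidates=CANDIDATES):
    """Remaining kB/sec can never exceed the negotiated lifetime, so any
    candidate smaller than what is still remaining is ruled out."""
    if sa["remaining"] is None:
        return []  # no timing line seen for this SA; nothing to conclude
    kb, sec = sa["remaining"]
    return [name for name, (c_kb, c_sec) in candidates.items()
            if kb <= c_kb and sec <= c_sec]

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["spi"], sa["crypto_map"], sa["remaining"], possible_lifetimes(sa))
```

Running the same check against output captured from both tunnel endpoints shows whether each side's remaining values fit the lifetime you expect to have been negotiated.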
05-15-2009 02:16 PM
Thank you for the clarification Paul. It has been most helpful.
Jim