View Security Association Time

cdcjim2877
Level 1

In the PIX 6.x code, one could type the following: sho crypto map

and receive output like:

Current peer: 192.168.0.1

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ cisco, }

Question: How does one view the same information in the PIX 7.x code? I am looking to view the actual Security association lifetime value...

thx,

Jim

4 Replies

pstebner10
Level 1

Hey Jim-

Try this: "sh isakmp sa detail"

You'll get info like this:

IKE Peer: www.xxx.yyy.zzz

Type : user Role : responder

Rekey : no State : AM_ACTIVE

Encrypt : 3des Hash : MD5

Auth : preshared Lifetime: 86400

Lifetime Remaining: 28750

HTH,

Paul

Paul,

Is the Auth: preshared Lifetime: 86400 the same as the SA time?

The reason I ask, is that in the 6.3 code, ISAKMP time is 86400, however the SA time is something different. I am having an issue with SA time discrepancy between my PIX (7.2.4 code) and my vpnsm (6500), and I want to make sure that the SA time values are the same. Currently on the 6500 vpnsm, the SA time is 460800 Kb/3600 sec...

thx,

Jim

Jim-

There are 2 SAs - There's an IKE (Phase 1) SA and there is an IPSec (phase 2) SA. The one shown above is the time for the phase 1 SA. I believe that you are looking for the phase 2 SA time.

It's not as pretty looking as the command above, but if you do a "sh ipsec sa map "

You'll get a ton of information, but included in it will be something like this:

inbound esp sas:

spi: 0xBF7A83D6 (3212477398)

transform: esp-3des esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 72687616, crypto-map: mymap

sa timing: remaining key lifetime (kB/sec): (4373964/16578)

IV size: 8 bytes

replay detection support: Y

It doesn't give you the settings, but it does tell you the remaining kB/sec, from which you should be able to extrapolate the original values. The above was 460800/28800

HTH,

Paul
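The two replies above make the distinction that matters here: "sh isakmp sa detail" reports the phase 1 (IKE) SA lifetime, while "sh ipsec sa" (the full form is "show crypto ipsec sa") reports only the remaining kB/sec of each phase 2 (IPsec) SA. As an added example, not part of this thread and not a Cisco tool, the Python below parses that phase 2 output. The sample text is constructed to match the format quoted in the reply (the peers, the second, third and fourth SPIs and their counters are made up; only the first SA is the one quoted), and 460800 kB / 3600 s is the VPNSM lifetime Jim quotes. It shows the two things the remaining counters actually support: the configured lifetime is at least the largest remaining value seen, and any SA whose remaining lifetime already exceeds the peer's configured lifetime proves the two sides are not running the same value.

```python
"""Parse PIX/ASA 7.x 'show crypto ipsec sa' output and compare the phase 2
(IPsec) SA lifetimes it reports against a peer's configured lifetime."""
import re

# Constructed sample, modelled on the output format quoted in the reply above.
# Peers, SPIs and counters are illustrative, not captured from a real device.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 192.0.2.1
      current_peer: 198.51.100.7

    inbound esp sas:
      spi: 0xBF7A83D6 (3212477398)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373964/16578)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x1D4C9A02 (491559426)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373964/16578)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: mymap, seq num: 20, local addr: 192.0.2.1
      current_peer: 203.0.113.9

    inbound esp sas:
      spi: 0x5E2A7B11 (1579842321)
         transform: esp-3des esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (459532/3140)
    outbound esp sas:
      spi: 0x0C8F31A4 (210710948)
         transform: esp-3des esp-sha-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (459532/3140)
"""


def parse_ipsec_sas(text):
    """Return one dict per ESP SA: peer, direction, spi, transform and the
    remaining kB/seconds taken from its 'sa timing:' line."""
    sas, peer, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("current_peer:"):
            peer = line.split(":", 1)[1].strip()
        elif line.endswith("esp sas:"):
            direction = line.split()[0]          # "inbound" or "outbound"
        elif line.startswith("spi:"):
            m = re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)
            sas.append({"peer": peer, "direction": direction,
                        "spi": int(m.group(1), 16), "transform": None,
                        "remaining_kb": None, "remaining_sec": None})
        elif line.startswith("transform:") and sas:
            sas[-1]["transform"] = line.split(":", 1)[1].strip()
        elif line.startswith("sa timing:") and sas:
            m = re.search(r"\((\d+)/(\d+)\)", line)
            sas[-1]["remaining_kb"] = int(m.group(1))
            sas[-1]["remaining_sec"] = int(m.group(2))
    return sas


def lifetime_lower_bound(sas):
    """The output prints only what is left, so the configured lifetime can
    only be bounded from below: it is at least the largest remaining value."""
    return (max(s["remaining_kb"] for s in sas),
            max(s["remaining_sec"] for s in sas))


def find_mismatches(sas, peer_kb, peer_sec):
    """SAs whose remaining lifetime already exceeds the peer's configured
    lifetime: such an SA cannot be running with the peer's value, so the two
    sides are not using the same lifetime."""
    return [s for s in sas
            if s["remaining_kb"] > peer_kb or s["remaining_sec"] > peer_sec]


if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE_OUTPUT)
    for sa in sas:
        print(f"{sa['peer']:>14} {sa['direction']:>8} spi 0x{sa['spi']:08X} "
              f"remaining {sa['remaining_kb']} kB / {sa['remaining_sec']} s")
    print("configured lifetime is at least (kB, sec):", lifetime_lower_bound(sas))
    # 460800 kB / 3600 s is the VPNSM lifetime quoted in the thread.
    for sa in find_mismatches(sas, 460800, 3600):
        print(f"lifetime mismatch: peer {sa['peer']} spi 0x{sa['spi']:08X}")
```

Two caveats when reading the counters this way. The remaining values only give a lower bound, so an SA that has just rekeyed will show close to the configured lifetime while an old one will not; look at the largest value across all SAs to the peer. And in IKEv1 the phase 2 lifetime is negotiated per SA, with the responder accepting the initiator's value when it is not larger than its own, so SAs to the same peer can carry different lifetimes depending on which side initiated. To settle a discrepancy, compare the configured value on both boxes (on PIX 7.x it is the global "crypto ipsec security-association lifetime" setting, visible in "show running-config crypto") rather than relying on the counters alone.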

Thank you for the clarification Paul. It has been most helpful.

Jim
