
New Member

PIX 525 6.3 VPN "sh crypto isakmp sa" question

If you issue the "sh crypto isakmp sa" command, what determines whether the tunnel shows up in the list?

For example:

When I issue this command, I see some as QM_IDLE and


But I have one tunnel that just gets dropped from the list.

Does this mean there is no peer connectivity?

Or if I have my end configured correctly and there is no peer connectivity or traffic and the lifetime of the tunnel expires with no traffic, does it get dropped from the list completely?

Hall of Fame Super Blue

Re: PIX 525 6.3 VPN "sh crypto isakmp sa" question


QM_IDLE means phase 1 of the IPSEC tunnel setup has established successfully. Anything else, e.g. MM_ACTIVE, MM_NO_STATE, means that the tunnel has not established successfully.

When the tunnel disappears from your list, are you saying you still have an active IPSEC tunnel? Usually if it isn't there in the list it means it is not established.

It will get dropped if there is no peer connectivity, or if the lifetime expires and there is no traffic, it will terminate the tunnel.



New Member

Re: PIX 525 6.3 VPN "sh crypto isakmp sa" question

Thanks for the reply,

That is what I was looking for.

I figured that if everything was configured correctly and the peer was available and it was configured correctly, there was no traffic.

I was thinking the lifetime has expired and it was removed from the list.