New Member

No SAs (connection IDs) found on using "sh crypto isakmp sa" command

I have configured a VPN (GRE tunnel) between my location and a remote location. I am able to ping the remote location.

Also, the "tracert" command shows me a favourable result. Can anyone tell me some other ways to test whether the VPN (tunnel) is working fine, i.e. some debug or show commands?

Input: I used the command "sh crypto isakmp sa" and it didn't show me any connection ID etc. Also, if I use the command "sh crypto engine connections active", it shows me no active connections. This created a doubt in my mind whether the VPN is configured properly or not.

3 REPLIES
New Member

Re: No SA's(connection id's) found on using "sh crypto isakmp sa

If you're doing just GRE there will be no SAs to look at, as it's only with IPsec that you will see SAs. When using GRE you can do a "show ip route" as your best bet. What you're looking for is a route statement for your remote network pointing out your tunnel interface.

Here's a sample with IPsec and OSPF: http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html

Kurtis Durrett

New Member

Re: No SA's(connection id's) found on using "sh crypto isakmp sa

Hi Kurtis,

I am not doing only GRE. It is IPsec. I am pasting the IPsec config that I have made on my router.

!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key OAK-NOI&234TEST address a.b.c.d
!
crypto ipsec transform-set EXL ah-md5-hmac esp-des esp-md5-hmac
 mode transport
!
crypto map exl_test_map 1 ipsec-isakmp
 set peer a.b.c.d
 set transform-set EXL
 match address 101
!
!
interface Tunnel1
 bandwidth 128
 ip address w.x.y.z 255.255.255.252
 tunnel source e.f.g.h
 tunnel destination a.b.c.d
 crypto map exl_test_map

Well, as far as I know this is IPsec. Also, Kurtis, I am not able to see any debug outputs using any of the debug crypto commands. Also, I don't see any output on using "sh crypto isakmp sa", but I do see favourable output on using "sh crypto ipsec sa". Is this some IOS issue or some config mistake? Kindly help, buddy. It's urgent.

thanks.

kapil

New Member

Re: No SA's(connection id's) found on using "sh crypto isakmp sa

Kapil,

I've seen some IOS versions that, when doing a "show crypto engine connections active", didn't show any active tunnels, but this was cosmetic. You can do a "show crypto ipsec sa", and what you're looking for is your tunnel that you've defined with encrypted/decrypted packets. This counter should increase when pinging.

Unfortunately, the information you provided isn't enough to determine if you have a configuration problem. From what you did provide, the only thing that I would remove is your third transform set "ah-md5-hmac". But since you're doing GRE/IPsec, there is a lot more information needed to find out if at least the configuration should be working. I need to see your routes, routing table, access-list, your NAT (if you're running any), pretty much the whole configuration as well as the peer's configuration. Otherwise there is just too little information to make any determination.

Kurtis Durrett
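
An added example, not part of the original thread or of any Cisco tool: the counter check from the reply above, done by comparing two captures of "show crypto ipsec sa" taken before and after a ping. The sample output, the addresses and the verdict names are constructed for illustration.

```python
import re

# Constructed template in the layout of "show crypto ipsec sa" output;
# addresses are documentation ranges, not values from the thread.
TEMPLATE = """interface: Tunnel1
    Crypto map tag: exl_test_map, local addr. 192.0.2.1
   current_peer: {peer}
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify {dec}
"""
BEFORE = (TEMPLATE.format(peer="198.51.100.1", enc=120, dec=118)
          + TEMPLATE.format(peer="203.0.113.9", enc=40, dec=0))
AFTER = (TEMPLATE.format(peer="198.51.100.1", enc=125, dec=123)
         + TEMPLATE.format(peer="203.0.113.9", enc=45, dec=0))

PEER_RE = re.compile(r"current_peer:?\s+(\S+)")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")

def parse_counters(text):
    """Map each peer to its summed encrypt/decrypt packet counters."""
    peers, current = {}, None
    for line in text.splitlines():
        match = PEER_RE.search(line)
        if match:
            current = peers.setdefault(match.group(1), {"encrypt": 0, "decrypt": 0})
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name] += int(value)
    return peers

def tunnel_status(before, after):
    """Compare two snapshots taken around a ping and classify each peer."""
    old, new = parse_counters(before), parse_counters(after)
    verdicts = {}
    for peer, now in new.items():
        prev = old.get(peer, {"encrypt": 0, "decrypt": 0})
        sent = now["encrypt"] - prev["encrypt"]
        received = now["decrypt"] - prev["decrypt"]
        if sent < 0 or received < 0:
            verdicts[peer] = "counters-reset"  # SA was cleared or rebuilt
        elif sent > 0 and received > 0:
            verdicts[peer] = "ok"              # traffic protected both ways
        elif sent > 0:
            verdicts[peer] = "tx-only"         # nothing decrypted from the peer
        elif received > 0:
            verdicts[peer] = "rx-only"         # nothing encrypted toward the peer
        else:
            verdicts[peer] = "idle"            # the ping never touched this SA
    return verdicts
```

A "tx-only" or "idle" verdict while the ping itself succeeds means the replies are not being carried by the IPsec SA for that peer.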
