Cisco Support Community

New Member

Show crypto isakmp sa - where has my sa gone?

Hi. We are setting up a group of VPNs between routers with cryptography-enabled IOS.

Routers get connected with FR over ChannelB.

After the router is connected to the ISDN, it works fine. And if I type show crypto ipsec sa I have the expected sa. However, if we telnet to the router some time later (a few hours or a day), the sa has disappeared; there's not even a (deleted) state or MM_STATE, it has simply gone. It is happening in some of these routers.

Perhaps if ISDN hangs, maybe isakmp is not being renegotiated? How can I know or test that?

Also, if I type show crypto ipsec sa, there is something weird in the output: for each interface I find two outputs!

For example:

Dialer1:[...] #encrypt packets 32200

but some lines after that in the same output (not in another Interface I swear) appears

[...] #encrypt packets 0

A buggy version? But debug isakmp or debug isakmp don't complain.

Please, if you know how I can continue this troubleshooting, it would be great.


New Member

Re: Show crypto isakmp sa - where has my sa gone?

Well, I think if your lifetimes expire and there is no interesting traffic, the tunnel may be torn down, depending on your configuration. Will the tunnel reestablish if you try to send traffic over it?

Also, as for the SAs, there should be two SAs per peer/interface, I believe inbound and outbound.
