Cisco Support Community

How to clear ISAKMP and IPSec SAs on PIX Firewalls and routers

What is ISAKMP?

ISAKMP is different from a key exchange protocol. There are many different key exchange protocols, with different security properties. However, a common framework is needed for agreeing on the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.

ISAKMP supports the negotiation of SAs for security protocols at all seven layers of the network stack. By centralizing the management of security associations, ISAKMP reduces the amount of duplicated functionality within each security protocol. ISAKMP can also reduce connection setup time by negotiating a whole stack of services at once.

What is IPSec?

IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer.

An IPsec-based VPN is made up of two parts:

  • Internet Key Exchange protocol (IKE)
  • IPsec protocols (AH/ESP/both)

Resolution

Both Internet Key Exchange (IKE) and IPSec use Security Associations (SAs), although the two kinds of SA are independent of one another. IPSec SAs are unidirectional, and they are unique to each security protocol. A set of SAs is needed for a protected data pipe, one per direction per protocol.

For example, if there is a pipe that supports Encapsulating Security Payload (ESP) between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (Authentication Header [AH] or ESP), and Security Parameter Index (SPI).

If one peer reboots or breaks association with the other peer, the SAs for one side are lost. In that case, the SAs on both ends must be cleared to ensure that there is a new pair of SAs generated in order for both peers to form a secure tunnel once again.

To display the settings used by the current IPSec SAs, issue the show crypto ipsec sa command.

To display all of the current IKE SAs at a peer, issue the show crypto isakmp sa command.

Issue these commands to clear the IPSec and ISAKMP security associations on the PIX Firewall:

  • clear crypto ipsec sa - This command deletes the active IPSec security associations.

  • clear crypto ipsec sa peer - This command deletes the active IPSec security associations for the specified peer.

  • clear crypto isakmp sa - This command deletes the active IKE security associations.

Issue these commands to clear the IPSec and Internet Security Association and Key Management Protocol (ISAKMP) security associations on the router:

  • clear crypto isakmp - This command deletes the active IKE security associations.

  • clear crypto sa - This command deletes the active IPSec security associations.
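Before clearing every SA on a busy VPN headend, an operator usually wants to know which peer is actually stuck. The following script is an added example, not code from Cisco or from this document: it parses the tabular output of show crypto isakmp sa and reports peers that have no established (QM_IDLE) IKE SA at all, which is the situation described above after a remote peer reboots and leaves orphaned entries behind. The sample output is constructed, and its column layout (dst, src, state, conn-id, status) is an assumption modelled on the IOS format; the set of local addresses passed to stale_peers is likewise assumed.

```python
"""Find IKE peers whose ISAKMP SAs are all stale (added example, not Cisco's code)."""
import re
from dataclasses import dataclass

# Phase 1 state that a fully established IKE SA sits in between rekeys.
ESTABLISHED_STATE = "QM_IDLE"

# Constructed sample, modelled on IOS 'show crypto isakmp sa' output (assumed layout).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
198.51.100.1    203.0.113.3     MM_NO_STATE       1002 ACTIVE (deleted)
203.0.113.3     198.51.100.1    MM_NO_STATE       1003 ACTIVE
203.0.113.4     198.51.100.1    QM_IDLE           1004 ACTIVE
203.0.113.4     198.51.100.1    MM_KEY_EXCH       1005 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Our own tunnel endpoint address(es); assumed for the sample above.
LOCAL_ADDRESSES = {"198.51.100.1"}


@dataclass(frozen=True)
class IkeSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str


# One data row: two IPv4 addresses, an upper-case state name, a numeric
# conn-id, then a free-form status such as 'ACTIVE' or 'ACTIVE (deleted)'.
_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)\s+"
    r"(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text: str) -> list[IkeSa]:
    """Extract IKE SA rows; header, section titles and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            sas.append(IkeSa(m["dst"], m["src"], m["state"],
                             int(m["conn_id"]), m["status"]))
    return sas


def remote_peer(sa: IkeSa, local: set[str]) -> str:
    """The SA table lists dst/src per direction; pick whichever side is not us."""
    return sa.dst if sa.src in local else sa.src


def stale_peers(sas: list[IkeSa], local: set[str]) -> dict[str, list[int]]:
    """Map peer address -> conn-ids of its IKE SAs, for peers with no
    established SA left.

    A peer that still has a QM_IDLE SA is healthy even if a second entry is
    mid-negotiation (a rekey in progress), so it is not reported. A peer whose
    entries are all in MM_* states or marked '(deleted)' never completed a new
    exchange: those are the orphaned SAs this document says must be cleared.
    """
    by_peer: dict[str, list[IkeSa]] = {}
    for sa in sas:
        by_peer.setdefault(remote_peer(sa, local), []).append(sa)

    stale = {}
    for peer, entries in by_peer.items():
        healthy = any(e.state == ESTABLISHED_STATE and "(deleted)" not in e.status
                      for e in entries)
        if not healthy:
            stale[peer] = sorted(e.conn_id for e in entries)
    return stale


if __name__ == "__main__":
    for peer, conn_ids in stale_peers(parse_isakmp_sa(SAMPLE_OUTPUT),
                                      LOCAL_ADDRESSES).items():
        print(f"peer {peer}: no established IKE SA, stale conn-ids {conn_ids}")
```

Run against the constructed sample, only 203.0.113.3 is reported: its two entries are in MM_NO_STATE, whereas 203.0.113.4 keeps a QM_IDLE SA alongside a rekey in progress. The operator can then clear just that peer's associations (clear crypto ipsec sa peer on the PIX) instead of tearing down every tunnel on the box.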

This is the command reference for isakmp and ipsec on the PIX.

This is the command reference for isakmp and ipsec on the router.
