Cisco Support Community

New Member

show crypto isakmp sa

When I do a show crypto isakmp sa, there's no data. But when I do a ping, then there's data. Does it mean there's no data when there's no activity?

In that case, how can I know whether my VPN tunnel is up?

Please advise.

4 REPLIES
New Member

Re: show crypto isakmp sa

Yes, there will be no entry in the "sho crypto isakmp sa" output if you are not generating interesting traffic to be encrypted by the router. To verify your tunnel is up, use "sh crypto isakmp sa" for the Phase1 SA and "sh crypto ipsec sa" for the Phase2 SA. To see whether the traffic is flowing through the tunnel, see if the "encrypt" and "decrypt" counters in "sh crypto ipsec sa" are changing.

Hope that helps.

Engel
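The counter check described in the reply above, as an added example that is not part of the original thread: it parses two captures of "sh crypto ipsec sa" taken a few seconds apart and reports, per peer, whether the encrypt and decrypt counters moved. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (documentation addresses).
SNAPSHOT_1 = """\
interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 192.0.2.1
   current_peer 198.51.100.2 port 500
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""
# Second constructed snapshot: pings were sent, but nothing came back decrypted.
SNAPSHOT_2 = SNAPSHOT_1.replace("encrypt: 5", "encrypt: 15")

PEER_RE = re.compile(r"current_peer:?\s+(\S+)")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def parse_counters(output):
    """Return {peer: {"encrypt": n, "decrypt": n}}, summed over that peer's SAs."""
    peers, current = {}, None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = peers.setdefault(m.group(1), {"encrypt": 0, "decrypt": 0})
        elif current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name] += int(value)
    return peers

def tunnel_status(before, after):
    """Classify each peer by how its counters moved between two snapshots."""
    old, new = parse_counters(before), parse_counters(after)
    status = {}
    for peer, now in new.items():
        prev = old.get(peer, {"encrypt": 0, "decrypt": 0})
        # Counters restart when an SA is rebuilt; a negative delta counts as no traffic.
        sent = now["encrypt"] - prev["encrypt"]
        rcvd = now["decrypt"] - prev["decrypt"]
        if sent > 0 and rcvd > 0:
            status[peer] = "passing traffic both ways"
        elif sent > 0:
            status[peer] = "encrypting only, nothing decrypted from peer"
        elif rcvd > 0:
            status[peer] = "decrypting only, nothing encrypted to peer"
        else:
            status[peer] = "no traffic in interval"
    return status

if __name__ == "__main__":
    print(tunnel_status(SNAPSHOT_1, SNAPSHOT_2))
```
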

New Member

Re: show crypto isakmp sa

I have a concentrator located in another country, but when I ping the concentrator's ethernet port / private IP, it fails. So what is the best way for me to check whether my router and the concentrator are properly configured?

New Member

Re: show crypto isakmp sa

Failing to create a tunnel means that some of the parameters are not configured the same between the Concentrator and the router. Coordination with the engineer at the Concentrator side is needed, so that parameters are configured correctly at both devices. Check these parameters:

ISAKMP Phase1: Encryption (DES or 3DES), Hash (MD5 or SHA1), Authentication (Pre-shared), D-H group (group1 or 2), Lifetime.

Phase2: Encryption (DES or 3DES), Hash (MD5 or SHA1), D-H group (group1 or 2), Lifetime, crypto access-list.

Debugging is also helpful to locate the problem. Try "debug crypto isakmp" and "debug crypto ipsec" and see whether you can locate the problem.

HTH,

Engel

New Member

Re: show crypto isakmp sa

1. What is meant by phase1 and phase2, and how can I check them?

2. After I key in "debug crypto isakmp" and "debug crypto ipsec", nothing appears. What command should I issue?

3. Should I use Easy VPN client to configure the router to talk to the concentrator, what are the requirements, and how can I obtain the Easy VPN client?

Please advise.
