How to determine last time IPSEC SA was established with peer?

I have a Cisco ASA with several IPsec peer configurations. I suspect that a portion of these are obsolete and am going through the cleanup process. The firewall has been up for over a year so I have a good timeframe of statistics covered, but I cannot figure out a way to show the last time the SA was active. Any suggestions?


You would need to set up syslogging of IPsec VPN connections to an external server to record a history of the connections.
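An added example, not part of the original reply or of any Cisco tooling: once the ASA's IPsec syslog messages are collected on an external server, a short script can report the last time each peer created an SA and flag configured peers with no recent activity. The sample lines are constructed and modeled on ASA message 602303; the collector's timestamp and hostname prefix, the peer list and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of collector output. Assumed layout: RFC 3339 timestamp,
# hostname, then the ASA message (602303 = IPsec SA created, 602304 = deleted).
SAMPLE_LOG = """\
2022-09-30T22:41:17+00:00 fw01 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0A0B0C0D) between 198.51.100.1 and 203.0.113.20 (user= 203.0.113.20) has been created.
2023-03-14T09:15:02+00:00 fw01 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been created.
2023-03-14T17:15:40+00:00 fw01 %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been deleted.
2023-06-01T04:00:10+00:00 fw01 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 198.51.100.1 and 203.0.113.7 (user= 203.0.113.7) has been created.
2023-06-02T11:30:00+00:00 fw01 %ASA-6-302013: Built outbound TCP connection 4211 for outside:192.0.2.50/443 (192.0.2.50/443) to inside:10.0.0.5/51514 (10.0.0.5/51514)
"""

# Hypothetical list of peers taken from the crypto map configuration.
CONFIGURED_PEERS = ["203.0.113.7", "203.0.113.20", "192.0.2.99"]

# Only "SA created" events count as proof that a tunnel was in use.
SA_CREATED = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+%ASA-6-602303: IPSEC: An (?:inbound|outbound) "
    r"LAN-to-LAN SA \(SPI=\s*0x[0-9A-Fa-f]+\) between (?P<local>\S+) and "
    r"(?P<remote>\S+) .*has been created"
)

def last_sa_created(lines):
    """Map each remote peer IP to the newest SA-created timestamp seen."""
    last = {}
    for line in lines:
        m = SA_CREATED.match(line)
        if not m:
            continue  # deletions, non-IPsec messages, malformed lines
        ts = datetime.fromisoformat(m["ts"])
        peer = m["remote"]
        if peer not in last or ts > last[peer]:
            last[peer] = ts
    return last

def stale_peers(configured, last_seen, now, max_age_days):
    """Return configured peers with no SA created inside the window.

    The value is the last creation time, or None if the logs show none.
    """
    cutoff = now - timedelta(days=max_age_days)
    return {p: last_seen.get(p) for p in configured
            if last_seen.get(p) is None or last_seen[p] < cutoff}

if __name__ == "__main__":
    seen = last_sa_created(SAMPLE_LOG.splitlines())
    now = datetime.fromisoformat("2023-06-30T00:00:00+00:00")
    for peer, ts in stale_peers(CONFIGURED_PEERS, seen, now, 90).items():
        print(peer, ts.isoformat() if ts else "never seen in logs")
```

A peer reported as never seen only means no SA was created during the period the logs cover, so the log retention window bounds what the result can prove.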

Besides what jjohnston suggested, you could always remark out their cryptomaps and see who complains. :)

It might be good to take his suggestion for a week or two and then communicate to your users that maintenance may affect their VPN connections and be ready to restore them in a moment if need be.

Going forward, it might be useful to give their access-list elements descriptive object-group names so that the connections' identities are more obvious. I've always disliked how site-site VPN tunnel-groups need to be named after the remote peer IP.

In a previous position, when I had occasion to do the same thing, I also looked up the peer IP addresses in the whois databases (and equivalents at RIPE and APNIC etc.). Sometimes that will point you to the remote partner identity.
