
New Member

View Security Association Time

In the PIX 6.x code, one could type the following: sho crypto map

and receive output like:

    Current peer: 192.168.0.1
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ cisco, }

Question: How does one view the same information in the PIX 7.x code? I am looking to view the actual Security association lifetime value...

thx,

Jim

4 REPLIES
New Member

Re: View Security Association Time

Hey Jim-

Try this: "sh isakmp sa detail"

You'll get info like this:

    IKE Peer: www.xxx.yyy.zzz
        Type    : user          Role    : responder
        Rekey   : no            State   : AM_ACTIVE
        Encrypt : 3des          Hash    : MD5
        Auth    : preshared     Lifetime: 86400
        Lifetime Remaining: 28750

HTH,

Paul

New Member

Re: View Security Association Time

Paul,

Is the Auth: preshared Lifetime: 86400 the same as the SA time?

The reason I ask is that in the 6.3 code, ISAKMP time is 86400; however, the SA time is something different. I am having an issue with an SA time discrepancy between my PIX (7.2.4 code) and my vpnsm (6500), and I want to make sure that the SA time values are the same. Currently on the 6500 vpnsm, the SA time is 460800 Kb/3600 sec...

thx,

Jim

New Member

Re: View Security Association Time

Jim-

There are 2 SAs: there's an IKE (Phase 1) SA and there is an IPsec (Phase 2) SA. The one shown above is the time for the Phase 1 SA. I believe that you are looking for the Phase 2 SA time.

It's not as pretty looking as the command above, but if you do a "sh ipsec sa map " you'll get a ton of information, but included in it will be something like this:

    inbound esp sas:
      spi: 0xBF7A83D6 (3212477398)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373964/16578)
         IV size: 8 bytes
         replay detection support: Y

It doesn't give you the settings, but it does tell you the remaining kB/sec, from which you should be able to extrapolate the original values. The above was 460800/28800.

HTH,

Paul
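The two replies above leave the reader with raw "sh isakmp sa detail" and "sh ipsec sa" output and the advice to work out the lifetimes by hand. The script below is an added example (not from the original thread or from Cisco) that parses both output formats as quoted in the thread and applies the check Jim actually needs: the remaining kB/sec of a Phase 2 SA can never exceed the lifetime that was negotiated, so a remaining value larger than the lifetime you believe the peer is configured with (460800 kB / 3600 sec in Jim's case) is direct evidence that the two sides did not negotiate the values you expect. The sample output is constructed from the snippets in the thread; the peer addresses, SPIs and the 203.0.113.10 placeholder are not real device captures.

```python
import re

# Constructed sample output modelled on the snippets quoted in this thread.
# Not a real capture: peer address and SPIs are placeholders.
ISAKMP_SA_DETAIL = """\
IKE Peer: 203.0.113.10
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 28750
"""

IPSEC_SA = """\
    inbound esp sas:
      spi: 0xBF7A83D6 (3212477398)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373964/16578)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 72687616, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373960/16578)
         IV size: 8 bytes
         replay detection support: Y
"""


def parse_isakmp_sa_detail(text):
    """Phase 1 (IKE) SAs from 'sh isakmp sa detail': peer, lifetime, remaining (seconds)."""
    sas = []
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*IKE Peer:\s*(\S+)", line)
        if m:
            current = {"peer": m.group(1)}
            sas.append(current)
            continue
        if current is None:
            continue
        # 'Lifetime: 86400' sits on the Auth line; 'Lifetime Remaining:' is a separate line.
        m = re.search(r"\bLifetime:\s*(\d+)", line)
        if m:
            current["lifetime"] = int(m.group(1))
        m = re.search(r"Lifetime Remaining:\s*(\d+)", line)
        if m:
            current["remaining"] = int(m.group(1))
    return sas


def parse_ipsec_sa(text):
    """Phase 2 (IPsec) SAs from 'sh ipsec sa': direction, spi, crypto map, remaining kB and seconds."""
    sas = []
    direction = None
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"\s*spi:\s*(0x[0-9A-Fa-f]+)", line)
        if m:
            current = {"direction": direction, "spi": m.group(1)}
            sas.append(current)
            continue
        if current is None:
            continue
        m = re.search(r"crypto-map:\s*(\S+)", line)
        if m:
            current["crypto_map"] = m.group(1)
        m = re.search(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)", line)
        if m:
            current["remaining_kb"] = int(m.group(1))
            current["remaining_sec"] = int(m.group(2))
    return sas


def check_phase2_lifetimes(sas, expected_kb, expected_sec):
    """Return (direction, spi, problems) for every SA whose remaining lifetime
    exceeds the lifetime the peer is expected to be configured with. Remaining
    can never exceed the negotiated value, so any hit means the SA was not
    negotiated with the values you expect and the two configs should be compared."""
    findings = []
    for sa in sas:
        problems = []
        if sa.get("remaining_kb", 0) > expected_kb:
            problems.append(f"remaining {sa['remaining_kb']} kB > expected {expected_kb} kB")
        if sa.get("remaining_sec", 0) > expected_sec:
            problems.append(f"remaining {sa['remaining_sec']} sec > expected {expected_sec} sec")
        if problems:
            findings.append((sa["direction"], sa["spi"], problems))
    return findings


if __name__ == "__main__":
    for sa in parse_isakmp_sa_detail(ISAKMP_SA_DETAIL):
        print("Phase 1", sa)
    phase2 = parse_ipsec_sa(IPSEC_SA)
    # Expected values taken from the 6500 vpnsm figure quoted in the thread.
    for direction, spi, problems in check_phase2_lifetimes(phase2, 460800, 3600):
        print(f"Phase 2 {direction} {spi}: " + "; ".join(problems))
```

Run it against real output by pasting the two show commands' text into the two constants (or reading them from files). Against the sample, both ESP SAs are flagged because 4373964 kB and 16578 sec remaining cannot fit inside a 460800 kB / 3600 sec lifetime; re-running with 4608000 kB / 28800 sec produces no findings, which is the kind of sanity check to do before assuming the peer's configuration matches.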

New Member

Re: View Security Association Time

Thank you for the clarification Paul. It has been most helpful.

Jim
