Checking IPSec Protocol Status
Problem
You want to check the status of a VPN.
Solution
There are several useful commands for displaying IPSec parameters.
The command show crypto isakmp sa shows all of the ISAKMP security associations.
Router1#show crypto isakmp sa
And you can look at the IPSec security associations with this command:
Router1#show crypto ipsec sa
Even if you aren’t using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command:
Router1#show crypto engine connections active
And this closely related command will tell you about packet drops within the encryption engine:
Router1#show crypto engine connections dropped-packet
The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, whether or not they are in use:
Router1#show crypto map
And you can specify a particular crypto map with the tag keyword:
Router1#show crypto map tag TUNNELMAP
For information about dynamic crypto maps, you can use the following command:
Router1#show crypto dynamic-map
Discussion
The show crypto isakmp sa command lets you see information about the current state of any ISAKMP key exchanges that the router is involved in:
Router1#show crypto isakmp sa
dst             src             state          conn-id   slot
172.22.1.4      172.22.1.3      QM_IDLE              1      0
Router1#
Table 12-3 shows all of the possible ISAKMP SA states.
Table 12-3. ISAKMP SA states
| Mode | State name | Description |
|---|---|---|
| Main Mode | MM_NO_STATE | There is an ISAKMP SA, but none ... |
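
For monitoring, the show crypto isakmp sa output shown above can be parsed so that any peer whose ISAKMP SA has not reached QM_IDLE is flagged. The following is an added example, not part of the original recipe: the function names are hypothetical, the second SA row in the sample is constructed, and the parser assumes the five-column layout shown above (other IOS releases may print different columns).

```python
import ipaddress
from typing import NamedTuple

# Constructed sample: the first SA row is the one shown above, the second is invented.
SAMPLE = """\
Router1#show crypto isakmp sa
dst             src             state          conn-id   slot
172.22.1.4      172.22.1.3      QM_IDLE              1      0
172.22.1.5      172.22.1.3      MM_NO_STATE          2      0
Router1#
"""

class IsakmpSa(NamedTuple):
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int

def _is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_isakmp_sa(text):
    """Return one IsakmpSa per data row; skip prompts, the header and blank lines."""
    sas = []
    for line in text.splitlines():
        f = line.split()
        # A data row has exactly five fields and starts with two IP addresses.
        if len(f) != 5 or not (_is_ip(f[0]) and _is_ip(f[1])):
            continue
        # conn-id and slot must be numeric, otherwise the layout is not the assumed one.
        if not (f[3].isdigit() and f[4].isdigit()):
            continue
        sas.append(IsakmpSa(f[0], f[1], f[2], int(f[3]), int(f[4])))
    return sas

def not_established(sas):
    """SAs whose ISAKMP negotiation has not reached QM_IDLE."""
    return [sa for sa in sas if sa.state != "QM_IDLE"]

if __name__ == "__main__":
    for sa in not_established(parse_isakmp_sa(SAMPLE)):
        print(f"{sa.src} -> {sa.dst}: ISAKMP SA in {sa.state} (conn-id {sa.conn_id})")
```

An SA that stays in a state other than QM_IDLE across repeated polls is the case worth alerting on, since a single snapshot can catch a negotiation that is simply still in progress.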