03-21-2016 07:17 PM - edited 03-05-2019 03:37 AM
Hi
Does QM_IDLE mean that phase 1 & phase 2 have been established?
Or does it just mean phase 1 has been established?
cisco-pre-mmh#show cry
IPv4 Crypto ISAKMP SA
10.2.0.1 200.84.0.30 QM_IDLE 1047 ACTIVE
Does the following command show that phase 2 is established? Or is this the right command to use?
If I am unable to connect to the remote encryption domain, I would like to be able to tell if the problem was in phase 2 or was the remote host.
cisco-pre-mmh#show cry session
Crypto session current status
Interface: GigabitEthernet1
Session status: DOWN
Peer: 200.84.0.30 port 500
IPSEC FLOW: permit
Active SAs: 0, origin: crypto map
03-21-2016 07:46 PM
"show cry isa sa" only shows phase 1, so it only indicates that phase 1 is established.
"show crypto ipsec sa" will show you the phase 2 results. You want to see that it has negotiated a compatible set of crypto settings.
03-22-2016 03:09 AM
03-22-2016 12:02 PM
Correct, if you see a negotiated set of settings in "show crypto ipsec sa" phase 2 is up.
What if the encryption domain is wrong? A slightly more complex question. The devices can negotiate a more restrictive encryption domain if the two domains have some overlap but are different, but otherwise if there is no overlap it will fail to negotiate phase 2 and nothing will show up as negotiated in "show crypto ipsec sa".
03-21-2016 07:47 PM
Actually the "Active SAs: 0" indicates phase 2. And in this case, there is no active phase 2.
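The two answers above amount to a two-step check: phase 1 is up when "show crypto isakmp sa" lists the peer in QM_IDLE/ACTIVE, and phase 2 is up only when the peer's IPsec flow reports a non-zero "Active SAs" count in "show crypto session" (or a negotiated SA in "show crypto ipsec sa"). The script below, an added example that is not from this thread or from Cisco, parses both outputs and reports which phase is failing. The sample CLI text is constructed to resemble the listings quoted in the thread; the ISAKMP header row, the column spacing, the full IPSEC FLOW ACL, and the UP-ACTIVE counterpart are assumptions for the example, not captured output.

```python
"""Classify an IOS IPsec tunnel as phase 1 / phase 2 up or down from CLI text."""
import re
from dataclasses import dataclass, field

# Constructed sample output modelled on the thread's listings. The header row,
# column spacing and the flow ACL are assumed for the example, not copied from a device.
ISAKMP_SA_TEXT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.0.1        200.84.0.30     QM_IDLE           1047 ACTIVE
"""

SESSION_PHASE2_DOWN = """\
Crypto session current status

Interface: GigabitEthernet1
Session status: DOWN
Peer: 200.84.0.30 port 500
  IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 192.168.10.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

# Constructed "healthy" counterpart: two IPsec SAs (one per direction) on the flow.
SESSION_UP = (SESSION_PHASE2_DOWN
              .replace("Session status: DOWN", "Session status: UP-ACTIVE")
              .replace("Active SAs: 0", "Active SAs: 2"))


@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str


@dataclass
class CryptoSession:
    interface: str = ""
    status: str = ""
    peer: str = ""
    port: int = 0
    flows: list = field(default_factory=list)  # (flow ACL text, active SA count)


# Five columns: dst, src, state, numeric conn-id, status. Title/header rows fail the \d+ group.
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_isakmp_sa(text):
    """Return one IsakmpSa per data row of 'show crypto isakmp sa'."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            sas.append(IsakmpSa(dst, src, state, int(conn_id), status))
    return sas


def parse_crypto_session(text):
    """Return one CryptoSession per 'Interface:' block of 'show crypto session'."""
    sessions, cur, pending_flow = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = CryptoSession(interface=line.split(":", 1)[1].strip())
            sessions.append(cur)
        elif cur is None:
            continue  # banner lines before the first interface block
        elif line.startswith("Session status:"):
            cur.status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            m = re.match(r"Peer:\s+(\S+)\s+port\s+(\d+)", line)
            cur.peer, cur.port = m.group(1), int(m.group(2))
        elif line.startswith("IPSEC FLOW:"):
            pending_flow = line[len("IPSEC FLOW:"):].strip()
        elif line.startswith("Active SAs:") and pending_flow is not None:
            m = re.match(r"Active SAs:\s+(\d+)", line)
            cur.flows.append((pending_flow, int(m.group(1))))
            pending_flow = None
    return sessions


def phase1_up(sas, peer):
    """Phase 1 is complete only when the peer's ISAKMP SA sits in QM_IDLE and is ACTIVE."""
    return any(sa.state == "QM_IDLE" and sa.status == "ACTIVE" and peer in (sa.src, sa.dst)
               for sa in sas)


def phase2_up(sessions, peer):
    """Phase 2 is up when at least one flow towards the peer has a non-zero Active SAs count."""
    return any(n > 0 for s in sessions if s.peer == peer for _, n in s.flows)


def diagnose(isakmp_text, session_text, peer):
    """Map the two outputs to 'phase1_down', 'phase2_down' or 'tunnel_up' for one peer."""
    if not phase1_up(parse_isakmp_sa(isakmp_text), peer):
        return "phase1_down"
    if not phase2_up(parse_crypto_session(session_text), peer):
        return "phase2_down"
    return "tunnel_up"


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA_TEXT, SESSION_PHASE2_DOWN, "200.84.0.30"))  # phase2_down
    print(diagnose(ISAKMP_SA_TEXT, SESSION_UP, "200.84.0.30"))           # tunnel_up
```

On the thread's own output the script reports phase2_down, which matches the last answer: QM_IDLE proves only that the ISAKMP SA exists, and "Active SAs: 0" is what says no IPsec SA was negotiated. If the result is phase2_down, the next thing to compare is the encryption domain (the crypto ACL) and the transform set on both ends, since a mismatch there leaves phase 1 up and phase 2 never negotiated.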