cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1427
Views
50
Helpful
13
Replies

Command show crypto isakmp sa in router XE 03.16.05

Leftz
Enthusiast
Enthusiast

Hi In router XE, the command " XE Software, Version 03.16.05." output is like below. but show crypto ikev2 sa shows nothing and show crypto ikev1 sa cannot be entered. Is this due to different version? or what is relation among the three? Thank you

 

A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE
5.1.1.8 3.2.2.2 MM_NO_STATE 0 ACTIVE (deleted)

2 Accepted Solutions

Accepted Solutions

Both are main mode but other peer initiate new phase1 and this peer still have some time before start new phase1, 

if you do show again after a while it will show you only one. 
if these two line appear always then you must check the ISKAMP lifetime in both peer.

View solution in original post

@Leftz on an IOS router if the IKE SA has already been established it will not show you whether MM or AM was used. You'd only be able to confirm that in the debugs when the IKE SA is being established. The output of "show crypto isakmp sa" would only provide a clue if MM was used if there was a problem and was tuck in one of the states as per the table provided above.

 

Normally the output of "show crypto isakmp sa" would display QM_IDLE, this confirms you've establish IKE SA (Phase 1) and IPSec SA (Phase 2) - the VPN should now be established.

 

Agressive Mode (AM) is generally only used in a an IKEv1 Remote Access VPN and can be disabled.

View solution in original post

13 Replies 13

@Leftz IKEv1 and ISAKMP are basically the same, with older versions of software you need to use "show crypto isakmp sa", but on newer release you must use "show crypto ikev1 sa".

 

IKEv2 is completely different, if you are not using IKEv2 proposals you will not get any output, therefore you are using IKEv1/ISAKMP policies.

I see MM_NO_State and two line for same peer I think your phase2 is failed, 
check 
1- ACL in both peer they must be mirror 
2- password

Leftz
Enthusiast
Enthusiast

@MHM Cisco World Why do you say phase2 is failed? How about the below? 

 

RT-B#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
50.1.1.1 52.2.2.2 QM_IDLE 14526 ACTIVE

gggg.png

 

State of ISAKMP must be end with QM_IDLE  if it success.

from above you success, 
but still you must check both IPSec SA selector "policy ACL" for local and remote.

then finally do ping, check the VPN encrypt and decrypt traffic count is increase or not.

Leftz
Enthusiast
Enthusiast

Thank you for your explanation. 

Why the below has two modes, Main mode and Quick mode? can we say the main mode is active and Quick mode is inactive? 

 

CO1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
50.1.1.1 60.1.1.2 QM_IDLE 25861 ACTIVE
50.1.1.1 60.1.1.2 MM_NO_STATE 25860 ACTIVE (deleted)

 

 

 

Both are main mode but other peer initiate new phase1 and this peer still have some time before start new phase1, 

if you do show again after a while it will show you only one. 
if these two line appear always then you must check the ISKAMP lifetime in both peer.

Leftz
Enthusiast
Enthusiast

@MHM Cisco World these two line appear always, then I check the ISKAMP lifetime is 28800 sec, I cannot check other side config since I cannot reach it. but the both side should be same.

 

I cannot find what looks like with entering command "show crypto isakmp sa" if we use Aggressive mode? Anyone can show it here? Thank you very much!!

@Leftz on an IOS router if the IKE SA has already been established it will not show you whether MM or AM was used. You'd only be able to confirm that in the debugs when the IKE SA is being established. The output of "show crypto isakmp sa" would only provide a clue if MM was used if there was a problem and was tuck in one of the states as per the table provided above.

 

Normally the output of "show crypto isakmp sa" would display QM_IDLE, this confirms you've establish IKE SA (Phase 1) and IPSec SA (Phase 2) - the VPN should now be established.

 

Agressive Mode (AM) is generally only used in a an IKEv1 Remote Access VPN and can be disabled.

Leftz
Enthusiast
Enthusiast

Thanks Rob for your very good explanation! Another way to identify the mode is to show run and see its configuration where crypto isakmp key is MM and crypto isakmp peer is AM

Leftz
Enthusiast
Enthusiast

@Rob Ingram There is another way to identify whether it is  MM or AM. Check its configuration. If there is key word "aggressive-mode" in its configuration, we can say the vpn is aggression mode, otherwise its MM, Am i right? Thank you!

@Leftz yes, something like this

 

crypto isakmp peer address 10.4.4.1
set aggressive-mode client-endpoint user-fqdn user@cisco.com
set aggressive-mode password cisco123

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/sec-ike-for-ipsec-vpns-xe-3s-book/sec-aggr-mde-ike.pdf

 

So do you have agressive mode configured? Your initial post indicated you are using Main Mode.

Leftz
Enthusiast
Enthusiast

Thanks Rob. It does not have aggressive mode. This matches what we expected.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: