Command show crypto isakmp sa in router XE 03.16.05

Leftz (Level 4)

Hi. On an IOS XE router (XE Software, Version 03.16.05), the output of the command "show crypto isakmp sa" is like below, but "show crypto ikev2 sa" shows nothing and "show crypto ikev1 sa" cannot be entered. Is this due to a different version, or what is the relation among the three? Thank you

 

A01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE (deleted)

13 Replies

@Leftz IKEv1 and ISAKMP are basically the same; with older versions of software you need to use "show crypto isakmp sa", but on newer releases you must use "show crypto ikev1 sa".

 

IKEv2 is completely different; if you are not using IKEv2 proposals you will not get any output, therefore you are using IKEv1/ISAKMP policies.

I see MM_NO_STATE and two lines for the same peer; I think your phase 2 has failed.
Check:
1- ACLs on both peers; they must be mirror images
2- password

Leftz (Level 4)

@MHM Cisco World Why do you say phase2 is failed? How about the below? 

 

RT-B#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
50.1.1.1        52.2.2.2        QM_IDLE          14526 ACTIVE


 

The ISAKMP state must end with QM_IDLE if it succeeds.

From the above, you succeeded,
but you must still check the IPsec SA selector ("policy ACL") for both local and remote.

Then finally do a ping, and check whether the VPN encrypt and decrypt traffic counts are increasing or not.

Leftz (Level 4)

Thank you for your explanation. 

Why does the below have two modes, Main mode and Quick mode? Can we say the main mode is active and Quick mode is inactive?

 

CO1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
50.1.1.1        60.1.1.2        QM_IDLE          25861 ACTIVE
50.1.1.1        60.1.1.2        MM_NO_STATE      25860 ACTIVE (deleted)

Both are main mode, but the other peer initiated a new phase 1 and this peer still has some time before it starts a new phase 1.

If you do the show again after a while it will show you only one.
If these two lines always appear then you must check the ISAKMP lifetime on both peers.
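As an added example (not code from this thread or from Cisco), here is a small Python parser that classifies the rows of "show crypto isakmp sa" the way the two replies above do: a peer pair with a live QM_IDLE row is reported as established; a pair whose only rows are MM_* leftovers is flagged as never having completed Phase 1; and a QM_IDLE row sitting next to a "(deleted)" leftover is reported separately, so you know to re-run the command later and, if the pair keeps showing two lines, compare the ISAKMP lifetime on both peers. The sample output is constructed to mirror the shapes posted in this thread (addresses and conn-ids are made up), and treating a conn-id of 0 as "no connection was allocated for that attempt" is my assumption. It only reads the ISAKMP table; the IPsec SA selectors and encrypt/decrypt counters MHM mentions come from "show crypto ipsec sa", which this script does not parse.

```python
"""Classify ISAKMP (IKEv1) SA rows from "show crypto isakmp sa" on IOS / IOS XE.

Added example; not code from the forum thread or from Cisco.  SAMPLE_OUTPUT
is constructed to mirror the three shapes seen in the thread and is not a
capture from any real router.
"""
import re
import sys
from collections import defaultdict

SAMPLE_OUTPUT = """\
RT-B#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
50.1.1.1        52.2.2.2        QM_IDLE          14526 ACTIVE
50.1.1.1        60.1.1.2        QM_IDLE          25861 ACTIVE
50.1.1.1        60.1.1.2        MM_NO_STATE      25860 ACTIVE (deleted)
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE
5.1.1.8         3.2.2.2         MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One SA row: dst src state conn-id status, optionally followed by "(deleted)".
ROW_RE = re.compile(
    r"^(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z0-9_]+)\s+(?P<conn>\d+)\s+(?P<status>\S+)"
    r"(?P<deleted>\s+\(deleted\))?\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; prompt, banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "dst": m["dst"], "src": m["src"], "state": m["state"],
                "conn_id": int(m["conn"]), "status": m["status"],
                "deleted": m["deleted"] is not None,
            })
    return rows


def classify_peers(rows):
    """Map (dst, src) -> verdict string.

    established              a live QM_IDLE row: Phase 1 completed, quick mode idle
    established-stale-entry  live QM_IDLE plus a (deleted) / conn-id 0 leftover;
                             re-check later, and if it never clears compare the
                             ISAKMP lifetime on both peers
    stuck:<STATE>            live rows exist but none reached QM_IDLE (e.g. MM_KEY_EXCH)
    no-live-sa:<STATE>       only leftovers; MM_NO_STATE here means Phase 1 never
                             completed: check policy, pre-shared key and reachability
    Assumption: a conn-id of 0 means no connection was allocated for that attempt,
    so such rows are treated as leftovers rather than live SAs.
    """
    by_peer = defaultdict(list)
    for r in rows:
        by_peer[(r["dst"], r["src"])].append(r)
    verdicts = {}
    for peer, entries in by_peer.items():
        live = [e for e in entries if not e["deleted"] and e["conn_id"] != 0]
        stale = [e for e in entries if e["deleted"] or e["conn_id"] == 0]
        if any(e["state"] == "QM_IDLE" for e in live):
            verdicts[peer] = "established" if not stale else "established-stale-entry"
        elif live:
            verdicts[peer] = "stuck:" + live[0]["state"]
        else:
            verdicts[peer] = "no-live-sa:" + entries[0]["state"]
    return verdicts


def main():
    # Pass a file containing real "show crypto isakmp sa" output, or run with no
    # argument to classify the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for (dst, src), verdict in sorted(classify_peers(parse_isakmp_sa(text)).items()):
        print(f"{dst:<16}{src:<16}{verdict}")


if __name__ == "__main__":
    main()
```

Run it once, wait a minute or two, and run it again on a fresh capture: an "established-stale-entry" that turns into "established" was just the rekey overlap the reply describes, while one that never changes is the case where the lifetimes on the two peers should be compared.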

Leftz (Level 4)

@MHM Cisco World these two lines always appear, so I checked the ISAKMP lifetime; it is 28800 sec. I cannot check the other side's config since I cannot reach it, but both sides should be the same.

 

I cannot find what the output of the command "show crypto isakmp sa" looks like if we use Aggressive mode. Can anyone show it here? Thank you very much!!

@Leftz on an IOS router, if the IKE SA has already been established it will not show you whether MM or AM was used. You'd only be able to confirm that in the debugs while the IKE SA is being established. The output of "show crypto isakmp sa" would only provide a clue that MM was used if there was a problem and it was stuck in one of the states as per the table provided above.

 

Normally the output of "show crypto isakmp sa" would display QM_IDLE; this confirms you've established the IKE SA (Phase 1) and IPsec SA (Phase 2), and the VPN should now be established.

 

Aggressive Mode (AM) is generally only used in an IKEv1 Remote Access VPN and can be disabled.

Leftz (Level 4)

Thanks Rob for your very good explanation! Another way to identify the mode is to do a show run and look at the configuration: "crypto isakmp key" is MM and "crypto isakmp peer" is AM.

Leftz (Level 4)

@Rob Ingram There is another way to identify whether it is MM or AM: check its configuration. If the keyword "aggressive-mode" is in its configuration, we can say the VPN is aggressive mode; otherwise it's MM. Am I right? Thank you!

@Leftz yes, something like this

 

crypto isakmp peer address 10.4.4.1
set aggressive-mode client-endpoint user-fqdn user@cisco.com
set aggressive-mode password cisco123

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-3s/sec-ike-for-ipsec-vpns-xe-3s-book/sec-aggr-mde-ike.pdf

 

So do you have aggressive mode configured? Your initial post indicated you are using Main Mode.
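Added example (not the thread's or Cisco's code): a Python audit of a running-config that applies the heuristic the last few replies settle on, treating a peer that only has a "crypto isakmp key ... address" entry as main mode and a "crypto isakmp peer address" block containing "set aggressive-mode" lines as aggressive mode. It also pulls the lifetime out of each "crypto isakmp policy" so that two sides' configs can be compared for the lifetime mismatch MHM asked about, and it looks for "crypto isakmp aggressive-mode disable", which is the IOS command I am assuming Rob's "can be disabled" refers to. Both config excerpts are constructed (addresses and keys are made up); the 86400-second value used when a policy has no explicit lifetime is the IOS default.

```python
"""Audit IKEv1 config: main vs aggressive mode per peer, ISAKMP policy lifetimes,
and whether aggressive mode is globally disabled.

Added example; not code from the forum thread or from Cisco.  The two config
excerpts are constructed to mirror the snippets posted in the thread.
"""
import re

# Constructed "local" config: one main-mode peer (key only) and one peer with an
# aggressive-mode block like the one quoted in the thread.
SAMPLE_LOCAL = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key Secr3tKey address 60.1.1.2
crypto isakmp key Oth3rKey address 10.4.4.1
crypto isakmp peer address 10.4.4.1
 set aggressive-mode client-endpoint user-fqdn user@cisco.com
 set aggressive-mode password cisco123
"""

# Constructed "remote" config with no explicit lifetime (falls back to the default).
SAMPLE_REMOTE = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Secr3tKey address 50.1.1.1
"""

DEFAULT_LIFETIME = 86400  # IOS default ISAKMP policy lifetime (seconds) when unset


def _blocks(config):
    """Yield (top-level line, [indented sub-lines]) for each config block."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.strip(), []
    if header is not None:
        yield header, body


def isakmp_lifetimes(config):
    """Return {policy_number: lifetime_seconds}."""
    out = {}
    for header, body in _blocks(config):
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if not m:
            continue
        lifetime = DEFAULT_LIFETIME
        for sub in body:
            lm = re.match(r"lifetime (\d+)$", sub)
            if lm:
                lifetime = int(lm.group(1))
        out[int(m.group(1))] = lifetime
    return out


def peer_modes(config):
    """Return {peer_address: "MM" | "AM"} using the thread's rule of thumb:
    a pre-shared key entry alone means main mode; a "crypto isakmp peer address"
    block with "set aggressive-mode" lines makes that peer aggressive mode."""
    modes = {}
    for header, body in _blocks(config):
        km = re.match(r"crypto isakmp key \S+ address (\S+)", header)
        if km:
            modes.setdefault(km.group(1), "MM")  # do not override an AM verdict
            continue
        pm = re.match(r"crypto isakmp peer address (\S+)$", header)
        if pm and any(sub.startswith("set aggressive-mode") for sub in body):
            modes[pm.group(1)] = "AM"
    return modes


def aggressive_mode_disabled(config):
    """True if the global "crypto isakmp aggressive-mode disable" line is present."""
    return any(h == "crypto isakmp aggressive-mode disable" for h, _ in _blocks(config))


def lifetime_mismatches(local, remote):
    """Policies (matched by number) whose lifetimes differ between the two sides."""
    l, r = isakmp_lifetimes(local), isakmp_lifetimes(remote)
    return {n: (l[n], r[n]) for n in l if n in r and l[n] != r[n]}


if __name__ == "__main__":
    print("peer modes:", peer_modes(SAMPLE_LOCAL))
    print("AM disabled:", aggressive_mode_disabled(SAMPLE_LOCAL))
    print("lifetime mismatches:", lifetime_mismatches(SAMPLE_LOCAL, SAMPLE_REMOTE))
```

Feed it the output of "show running-config | section crypto isakmp" from each router; a non-empty result from lifetime_mismatches is the condition the earlier reply tells you to look for when a peer keeps showing two ISAKMP SA lines.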

Leftz (Level 4)

Thanks Rob. It does not have aggressive mode. This matches what we expected.
