How can I detect how long the IPSEC tunnel has been up on the router? Is there any similar command such as "show vpn-sessiondb l2l" on the router?
You can do a "show crypto ipsec sa detail" and a "show crypto isakmp sa detail"; both of them will give you the remaining time of the configured lifetime. By default the router has 3600 seconds as lifetime for ipsec and 86400 seconds for IKE.
When the lifetime finishes, is the tunnel re-established, causing a cut on it?
If the tunnel is passing traffic, does the tunnel stay active and working?
You can use the commands:
sh cry isa sa detail
sh cry sess remote <ip> detail
I suppose that when I type the command sh cry sess remote <ip> detail, "uptime" means that the tunnel has been established for that period of time and there were no downs.
On the other hand, when the lifetime of the SA is over, does the tunnel go down?
This is the only command to check the uptime.
In case you need to check the SA timers for Phase 1 and Phase 2:
sh cry ipsec sa peer <>
Ok, thanks!!
When the lifetime of the SA is over, does the tunnel go down or not?
It depends if traffic is passing through the tunnel or not.
With a ping passing through the tunnel and the timer expired, the SAs are renegotiated but the tunnel stays UP and the ping does not lose any packets.
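Added example, not part of the thread: a small Python parser that reads the session uptime and the remaining SA lifetimes from one capture and estimates how many IPsec rekeys the session has survived without going down. The sample output is constructed and its layout is an assumption modelled on "show crypto session detail"; parse_session and hms are hypothetical names, and the estimate assumes the IPsec SAs existed for the whole uptime.

```python
import re

# Constructed sample (not from a real device): layout assumed to follow
# `show crypto session detail`; addresses are documentation ranges.
SAMPLE = """\
Interface: GigabitEthernet0/0
Uptime: 05:12:40
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 203.0.113.10
      Desc: (none)
  IKE SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
          Capabilities:(none) connid:1004 lifetime:18:47:19
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 18734 drop 0 life (KB/Sec) 4411862/2690
        Outbound: #pkts enc'ed 18760 drop 0 life (KB/Sec) 4411860/2690
"""

def hms(text):
    """Convert HH:MM:SS to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s

def parse_session(output, ipsec_lifetime=3600):
    """Extract uptime and SA timers. ipsec_lifetime is the configured value
    (3600 s is the router default quoted in the thread)."""
    uptime = hms(re.search(r"^Uptime:\s*(\d+:\d{2}:\d{2})", output, re.M).group(1))
    status = re.search(r"^Session status:\s*(\S+)", output, re.M).group(1)
    peer = re.search(r"^Peer:\s*(\S+)", output, re.M).group(1)
    ike_left = hms(re.search(r"lifetime:(\d+:\d{2}:\d{2})", output).group(1))
    # Take the SA that expires first (inbound and outbound are listed separately).
    ipsec_left = min(int(x) for x in re.findall(r"life \(KB/Sec\) \d+/(\d+)", output))
    return {
        "peer": peer, "status": status, "uptime_s": uptime,
        "ike_remaining_s": ike_left, "ipsec_remaining_s": ipsec_left,
        # No SA outlives its lifetime, so an uptime longer than one lifetime
        # means at least this many rekeys happened while the session stayed up.
        "min_ipsec_rekeys": max(uptime - 1, 0) // ipsec_lifetime,
    }

if __name__ == "__main__":
    for key, value in parse_session(SAMPLE).items():
        print(f"{key}: {value}")
```

The rekey count is a lower bound: rekeys that start before the hard lifetime, or that are triggered by the traffic-volume lifetime, only add to it.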