How can I detect how long the IPSEC tunnel has been up on the router?

yuhuiyao
Level 1

How can I detect how long the IPSEC tunnel has been up on the router? Is there any similar command such as "show vpn-sessiondb l2l" on the router?

Thanks,


Ivan Martinon
Level 7

You can do a "show crypto ipsec sa detail" and a "show crypto isakmp sa detail" both of them will give you the remaining time of the configured lifetime. By default the router has 3600 seconds as lifetime for ipsec and 86400 seconds for IKE.

When the lifetime finishes, is the tunnel re-established, causing a cut on it?

If the tunnel is passing traffic, does the tunnel stay active and working?

Hi,

You can use the command :

sh cry isa sa detailed

sh cry sess remote <ip> detailed

Regards,

Aditya

Please rate helpful and mark correct answers

Thanks Aditya. 

I suppose that when I type the command sh cry sess remote <ip> detailed, "uptime" means that the tunnel has been established for that period of time and there were no downs.

On the other hand, when the lifetime of the SA is over, does the tunnel go down?

Hi,

This is the only command to check the uptime.

In case you need to check the SA timers for Phase 1 and Phase 2

sh cry isa sa detailed

sh cry ipsec sa peer <>

Regards,

Aditya

Please rate helpful and mark correct answers

Ok, thanks!!

When the lifetime of the SA is over, does the tunnel go down or not?

Hi,

It depends if traffic is passing through the tunnel or not.

Regards,

Aditya

Please rate helpful and mark correct answers

With a ping passing through the tunnel and the timer expired, the SAs are renegotiated but the tunnel stays UP and the ping does not lose any packets.
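
An added example, not part of any post in this thread: a Python parser that pulls the session uptime and the remaining IKE/IPsec SA lifetimes out of `show crypto session remote <ip> detail` output, so the two values discussed above can be monitored separately. The sample output is constructed, its layout is an assumption about what the router prints, and the function names are hypothetical.

```python
import re

# Constructed sample; layout assumed to match "show crypto session remote <ip> detail".
SAMPLE = """\
Interface: GigabitEthernet0/0
Uptime: 1d02h
Session status: UP-ACTIVE
Peer: 192.0.2.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.0.2.2
      Desc: (none)
  IKE SA: local 192.0.2.1/500 remote 192.0.2.2/500 Active
          Capabilities:(none) connid:1001 lifetime:21:58:03
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 9120 drop 0 life (KB/Sec) 4605665/1450
        Outbound: #pkts enc'ed 9133 drop 0 life (KB/Sec) 4605665/1450
"""

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def to_seconds(text):
    """Convert 'hh:mm:ss' or compact forms such as '1d02h' / '2w3d' to seconds."""
    if ":" in text:
        h, m, s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))

def parse_session(output):
    """Return peer, status, session uptime and remaining SA lifetimes (seconds)."""
    def grab(pattern):
        m = re.search(pattern, output, re.M)
        return m.group(1) if m else None
    ipsec_left = [int(s) for s in re.findall(r"life \(KB/Sec\) \d+/(\d+)", output)]
    return {
        "peer": grab(r"^Peer:\s+(\S+)"),
        "status": grab(r"^Session status:\s+(\S+)"),
        "uptime_s": to_seconds(grab(r"^Uptime:\s+(\S+)") or "0:0:0"),
        "ike_left_s": to_seconds(grab(r"lifetime:(\S+)") or "0:0:0"),
        "ipsec_left_s": min(ipsec_left) if ipsec_left else None,
    }

def min_rekeys(info, ipsec_lifetime_s=3600):
    """Fewest IPsec rekeys that fit in the uptime, assuming SAs stayed up throughout (3600 s default from the thread)."""
    return max(0, (info["uptime_s"] - 1) // ipsec_lifetime_s)

if __name__ == "__main__":
    info = parse_session(SAMPLE)
    print(info, "IPsec rekeys without a session drop >=", min_rekeys(info))
```

An uptime far larger than the remaining SA lifetime, as in the sample, is what a session that has rekeyed without dropping looks like.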