Solved: How long is a Lan2Lan VPN UP?

Oscar Cardiel · ‎04-01-2014

I guys,

I need to kwon how long we have already working UP a site-to-site VPN tunnel between two ASRs or how long it is UP without any disconnection. Do you know how could I check it?

Thank you very much in advance for your suggest

Oscar Cardiel

Marvin Rhoads · ‎04-01-2014

I don't have a router with active VPN to check on and confirm at the moment but I believe if you add the "detail" keyword at the end of "show crypto isakmp sa" or "show crypto ipsec sa" it will show you the lifetime to date of the tunnel.

The command reference (link) indicates it should return the "lifetime" field.

View solution in original post

Marvin Rhoads · ‎04-01-2014

A couple of show commands will indicate the status of Phase 1 and Phase 2 security associations (SAs):

show crypto isakmp sa

show crypto ipsec sa

In order to see the time you'd need to either dedug during establishment or check the log for establishment time. I believe the default is 86400 seconds for phase 1 and 3600 seconds for phase 2. As long as there is interesting traffic and no clearing of the connection (and connectivity of cousrse), those will automatically be renewed.

See the following for more info:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#isakmp_sa

Oscar Cardiel · ‎04-01-2014

Hi,

That’s a good point about timing of remaining key but I wanted to say I am if exist any command to check straight away if the ipsec tunnel is working perfectly for 2 hours or 5 hours or 4 days without any loss of service. Do you know if is it possible to check?

Thanks a lot, Marvin.

Marvin Rhoads · ‎04-01-2014

I don't have a router with active VPN to check on and confirm at the moment but I believe if you add the "detail" keyword at the end of "show crypto isakmp sa" or "show crypto ipsec sa" it will show you the lifetime to date of the tunnel.

The command reference (link) indicates it should return the "lifetime" field.