Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7666
Views
5
Helpful
8
Replies

How to find out which isakmp policy is in use?

Go to solution
arfett111
Level 1
Level 1

‎11-17-2010 01:09 PM

If you have a fully established (phase 1 and 2) VPN, is there a show command that lets you see which isakmp policy is being selected for that tunnel?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cashqoo
Level 1
Level 1
In response to arfett111

‎11-17-2010 07:15 PM

maybe you would like to try using "debug crypto isakmp" to see the phase 1 negotiation, if you have the chance to disconnect and re-establish the tunnel.

hope this helps

http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_c3gt.html#wp1114438

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Yudong Wu
Level 7
Level 7

‎11-17-2010 01:17 PM

try "show crypto isa sa detail".

Go to solution
arfett111
Level 1
Level 1
In response to Yudong Wu

‎11-17-2010 01:34 PM

I've already tried this one and it shows you the values for encryption, hash, etc., but does not provide you with the number of the isakmp policy in use.

0 Helpful

Go to solution
Yudong Wu
Level 7
Level 7
In response to arfett111

‎11-17-2010 01:37 PM

based "encrypted, hash ...", you can know which isakmp policy is matched. It just does not tell you exactly the number.

0 Helpful

Go to solution
arfett111
Level 1
Level 1
In response to Yudong Wu

‎11-17-2010 01:42 PM

Thank you.  I am aware of this.  If the command I am looking for does not exist it is not the end of the world, but I am trying to reproduce an issue where a router may not be using the proper isakmp policy and simply matching the values does not help.

0 Helpful

Go to solution
apothula
Level 1
Level 1
In response to arfett111

‎11-17-2010 06:36 PM

Generally, in a VPN negotiation all the ISAKMP policies and IPSec transform sets configured on the device are used.

So, there is no way a pariicular ISAKMP policy would be skipped unless it is some kind of bug.

Please start a discussion on the community about the issue are trying to recreate. May be we can wrap our heads around it and see what's going on.


Cheers,

Nash.

0 Helpful

Go to solution
cashqoo
Level 1
Level 1
In response to arfett111

‎11-17-2010 07:15 PM

maybe you would like to try using "debug crypto isakmp" to see the phase 1 negotiation, if you have the chance to disconnect and re-establish the tunnel.

hope this helps

http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_c3gt.html#wp1114438

0 Helpful

Go to solution
arfett111
Level 1
Level 1
In response to cashqoo

‎11-17-2010 07:37 PM

I actually realized the "debug crypto isakmp" process showed the router going through each individual policy until finding a matching one right after making my last post.  The problem I was looking into was seemingly bogus to me, I just needed a way to show it.  Thanks for the effort.

0 Helpful

Go to solution
LCSTech
Level 1
Level 1
In response to Yudong Wu

‎03-14-2018 07:40 AM

This command shows each IKE connection and what policy is being used without going into debug and reconnecting the tunnel.
0 Helpful
Customers Also Viewed These Support Documents