Are the PIX VPN tunnel peers up?

Posted on 2005-04-29
Last Modified: 2012-06-27
I did a show crypto isakmp sa and see -
# sh cry is sa
Total     : 6
Embryonic : 0
        dst               src        state     pending     created
    68.164.17.54    68.167.103.90    QM_IDLE         0           0
   68.167.103.90     64.253.52.54    QM_IDLE         0           0
   66.208.223.56    68.167.103.90    QM_IDLE         0           0
   66.208.223.56    68.167.103.90    QM_IDLE         0           0
   68.167.103.90    64.253.63.126    QM_IDLE         0           0
   64.253.63.122    68.167.103.90    QM_IDLE         0           0

Yet show crypto ipsec sa shows current peers listed. Are these tunnels up or not? What do these two commands really show as far as the tunnel being active? What is the best way to tell if the tunnel is really up and, if not, when it came down? Doesn't "created" in the first command being all 0's mean there are no active peers?

interface: outside
    Crypto map tag: VPNmap, local addr. 68.167.103.90

   local  ident (addr/mask/prot/port): (192.166.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.2.0/255.255.255.0/0/0)
   current_peer: 68.164.17.54:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 383172, #pkts encrypt: 383172, #pkts digest 383172
    #pkts decaps: 394111, #pkts decrypt: 394111, #pkts verify 394111
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1863, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 68.164.17.54
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 5d01a410

     inbound esp sas:
      spi: 0xd47b3826(3564845094)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 9, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607995/7878)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x5d01a410(1560388624)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 10, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607996/7878)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.166.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.5.0/255.255.255.0/0/0)
   current_peer: 64.253.52.54:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 97, #pkts encrypt: 97, #pkts digest 97
    #pkts decaps: 90, #pkts decrypt: 90, #pkts verify 90
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 8, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.52.54
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.166.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.4.0/255.255.255.0/0/0)
   current_peer: 66.208.223.56:4500
     PERMIT, flags={origin_is_acl,transport_parent,}
    #pkts encaps: 588, #pkts encrypt: 588, #pkts digest 588
    #pkts decaps: 468, #pkts decrypt: 468, #pkts verify 468
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 12, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 66.208.223.56
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.166.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.7.0/255.255.255.0/0/0)
   current_peer: 64.253.63.126:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.63.126
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (192.166.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.6.0/255.255.255.0/0/0)
   current_peer: 64.253.63.122:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.63.122
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.5.0/255.255.255.0/0/0)
   current_peer: 64.253.52.54:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.52.54
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.2.0/255.255.255.0/0/0)
   current_peer: 68.164.17.54:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41524634, #pkts encrypt: 41524634, #pkts digest 41524634
    #pkts decaps: 49097056, #pkts decrypt: 49097056, #pkts verify 49097057
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 10403, #recv errors 2

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 68.164.17.54
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 52f4e693

     inbound esp sas:
      spi: 0x49d4806b(1238663275)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4605330/7840)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x52f4e693(1391781523)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4604927/7837)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.4.0/255.255.255.0/0/0)
   current_peer: 66.208.223.56:4500
     PERMIT, flags={origin_is_acl,transport_parent,}
    #pkts encaps: 3634027, #pkts encrypt: 3634027, #pkts digest 3634027
    #pkts decaps: 4669681, #pkts decrypt: 4669681, #pkts verify 4669681
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 320, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 66.208.223.56
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 56bbc25b

     inbound esp sas:
      spi: 0x5184f812(1367668754)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 15, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607995/8082)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x56bbc25b(1455145563)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 16, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607996/8082)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.5.0/255.255.255.0/0/0)
   current_peer: 64.253.52.54:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 310034, #pkts encrypt: 310034, #pkts digest 310034
    #pkts decaps: 331335, #pkts decrypt: 331335, #pkts verify 331335
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 477, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.52.54
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 5a303e6a

     inbound esp sas:
      spi: 0x9fab7787(2678814599)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 20, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607995/8155)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x5a303e6a(1513111146)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 19, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607996/8164)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.6.0/255.255.255.0/0/0)
   current_peer: 64.253.63.122:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6391370, #pkts encrypt: 6391370, #pkts digest 6391370
    #pkts decaps: 8235518, #pkts decrypt: 8235518, #pkts verify 8235518
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 240, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.63.122
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 1e9e4931

     inbound esp sas:
      spi: 0x32c1fb43(851573571)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 13, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607998/21928)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x1e9e4931(513689905)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 14, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4607998/21928)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:



   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.7.0/255.255.255.0/0/0)
   current_peer: 64.253.63.126:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6867871, #pkts encrypt: 6867871, #pkts digest 6867871
    #pkts decaps: 8626079, #pkts decrypt: 8626079, #pkts verify 8626079
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 428, #recv errors 0

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 64.253.63.126
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 1fe7f6bc

     inbound esp sas:
      spi: 0x1f01fd07(520224007)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 11, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4605174/8386)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x1fe7f6bc(535295676)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 12, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4605796/8386)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

Question by:murphymail

Accepted Solution by: magicomminc (earned 375 total points), ID: 13900185
In "sh cry isa sa", state QM_IDLE indicates the tunnel is up, but even if the tunnel went down for a while, it may still show QM_IDLE, so don't count on this. If you want to change any crypto parameters, first "no crypto map <map name> <interface>", and after modifying:
clear crypto sa
clear crypto ipsec sa
clear crypto isakmp sa
That will clean up the leftover dead tunnels, and when VPN traffic starts to flow, it will trigger the tunnel creation.

"sh cry ips sa" shows details about your peers. In your case, for each peer, look at the "inbound esp sas:" and "outbound esp sas:" sections; those that have values are the active tunnels. For example, the output below indicates an active tunnel between 10.0.0.0/8 (ext: 68.167.103.90) and 192.166.2.0/24 (ext: 68.164.17.54), transform set: esp-des esp-md5-hmac, crypto map name: VPNmap, etc.:

   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.2.0/255.255.255.0/0/0)
   current_peer: 68.164.17.54:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41524634, #pkts encrypt: 41524634, #pkts digest 41524634
    #pkts decaps: 49097056, #pkts decrypt: 49097056, #pkts verify 49097057
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 10403, #recv errors 2

     local crypto endpt.: 68.167.103.90, remote crypto endpt.: 68.164.17.54
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 52f4e693

     inbound esp sas:
      spi: 0x49d4806b(1238663275)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4605330/7840)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x52f4e693(1391781523)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: VPNmap
        sa timing: remaining key lifetime (k/sec): (4604927/7837)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:

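As an added example (not from the question or the accepted answer), a small Python checker that applies the answer's rule mechanically: it parses `show crypto ipsec sa` into per-flow records, marks a flow active only when both ESP SAs carry an SPI, then flags peers whose ISAKMP entry says QM_IDLE but that have no live IPsec SA at all. The sample text is a constructed, trimmed excerpt in the shape of the output above, and the function names are mine.

```python
import re

# Constructed, trimmed PIX "show crypto ipsec sa": one flow with live ESP SAs, one empty.
IPSEC_SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.2.0/255.255.255.0/0/0)
   current_peer: 68.164.17.54:500
     inbound esp sas:
      spi: 0x49d4806b(1238663275)
     outbound esp sas:
      spi: 0x52f4e693(1391781523)

   local  ident (addr/mask/prot/port): (192.166.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.166.5.0/255.255.255.0/0/0)
   current_peer: 64.253.52.54:500
     inbound esp sas:
     inbound ah sas:
     outbound esp sas:
"""
# Constructed "show crypto isakmp sa" rows: dst, src, state, pending, created.
ISAKMP_SAMPLE = """    68.164.17.54    68.167.103.90    QM_IDLE   0   0
   68.167.103.90     64.253.52.54    QM_IDLE   0   0
"""

def _grab(pattern, chunk):
    m = re.search(pattern, chunk)
    return m.group(1) if m else None

def parse_ipsec_sa(text):
    """One record per flow; 'active' only when both an inbound and an outbound
    ESP SA carry an SPI, the test the accepted answer applies by eye."""
    flows = []
    for chunk in re.split(r"(?=^[ \t]*local\s+ident)", text, flags=re.M)[1:]:
        rec = {
            "local": _grab(r"local\s+ident[^:]*:\s*\(([^)]*)\)", chunk),
            "remote": _grab(r"remote ident[^:]*:\s*\(([^)]*)\)", chunk),
            "peer": _grab(r"current_peer:\s*([\d.]+)", chunk),
            "in_spi": _grab(r"inbound esp sas:\s+spi:\s*(0x[0-9a-f]+)", chunk),
            "out_spi": _grab(r"outbound esp sas:\s+spi:\s*(0x[0-9a-f]+)", chunk),
        }
        rec["active"] = bool(rec["in_spi"] and rec["out_spi"])
        flows.append(rec)
    return flows

def stale_isakmp_peers(isakmp_text, flows, local_addr):
    """QM_IDLE peers with no live IPsec SA on any flow: the case the answer
    warns about, where QM_IDLE alone overstates tunnel health."""
    live = {f["peer"] for f in flows if f["active"]}
    stale = set()
    for cols in (ln.split() for ln in isakmp_text.splitlines()):
        if len(cols) >= 3 and cols[2] == "QM_IDLE":
            peer = cols[1] if cols[0] == local_addr else cols[0]
            if peer not in live:
                stale.add(peer)
    return sorted(stale)
```

Run against the real output, a peer that appears in the stale list is a candidate for the clear-and-retrigger sequence the answer gives; pass the firewall's own outside address as `local_addr` so the peer column is picked correctly regardless of which side initiated.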
