Check VPN tunnel status and/or uptime on PIX 506e

Posted on 2008-06-23
Last Modified: 2008-06-23
Hopefully a nice and simple one; what is the recommended way to check the current status and/or uptime of a given tunnel through the CLI?

Question by:jimbobmcgee
  • 3
  • 2

Accepted Solution

AugustTen earned 250 total points
ID: 21845150
'sh crypto ipsec sa' will give you all the info you need, including remaining key lifetime. Uptime can be calculated from the remaining lifetime, but you will only get uptime for the current security association.

LVL 16

Author Comment

ID: 21846441
That command certainly spools a lot.  Is there any way to summarise it?  Is there a grep that will tell me categorically whether the tunnel is up or down?  Or should I assume that, if it's not in the spool, it's not up?

Or, are there any articles on how to decipher that output anywhere?  

Expert Comment

ID: 21846522
You can check how many are up with 'sh crypto ipsec sa summ'.

Remember you have two SA's for each tunnel (unidirectional).

And if it does not show up with 'sh crypto ipsec sa'  means the tunnel is down.
LVL 16

Author Comment

ID: 21847747

I think v6.3 is missing the 'summ' subcommand; it didn't seem to like it.  
I've gone with 'sh cry ips sa | grep current\_peer'; this seems to give me the list that I'm looking for.

Unless you can think of any reason why it wouldn't?


Expert Comment

ID: 21847794
You are probably  right, I am looking at v 7.2 ASA's.

But your solution is also good, that will give you the peers that are up.

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now