Solved

Check VPN tunnel status and/or uptime on PIX 506e

Posted on 2008-06-23
5
7,153 Views
Last Modified: 2008-06-23
Hopefully a nice and simple one; what is the recommended way to check the current status and/or uptime of a given tunnel through the CLI?

J.
0
Comment
Question by:jimbobmcgee
  • 3
  • 2
5 Comments
 
LVL 3

Accepted Solution

by:
AugustTen earned 250 total points
ID: 21845150
'sh crypto ipsec sa' will give you all the info you need, including remaining key lifetime. Uptime can be calculated from the remaining lifetime, but you will only get uptime for the current security association.


0
 
LVL 16

Author Comment

by:jimbobmcgee
ID: 21846441
That command certainly spools a lot.  Is there any way to summarise it?  Is there a grep that will tell me categorically whether the tunnel is up or down?  Or should I assume that, if it's not in the spool, it's not up?

Or, are there any articles on how to decipher that output anywhere?  
0
 
LVL 3

Expert Comment

by:AugustTen
ID: 21846522
You can check how many are up with 'sh crypto ipsec sa summ'.

Remember you have two SA's for each tunnel (unidirectional).

And if it does not show up with 'sh crypto ipsec sa'  means the tunnel is down.
0
 
LVL 16

Author Comment

by:jimbobmcgee
ID: 21847747
Thanks.

I think v6.3 is missing the 'summ' subcommand; it didn't seem to like it.  
I've gone with 'sh cry ips sa | grep current\_peer'; this seems to give me the list that I'm looking for.

Unless you can think of any reason why it wouldn't?

J.
0
 
LVL 3

Expert Comment

by:AugustTen
ID: 21847794
You are probably  right, I am looking at v 7.2 ASA's.

But your solution is also good, that will give you the peers that are up.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question