IPSec is a very wide topic to cover, but the following few commands and their outputs are really helpful in initial troubleshooting.
Troubleshooting Commands : IPSec site to site VPN
(A) “show crypto isakmp sa”
This command shows the present status of the IPSec peering. The state should be “QM_IDLE”; any other state suggests a problem (e.g. an issue in the crypto map, expired digital certificates, etc.).
Router#show crypto isakmp sa
dst src state conn-id slot status
172.16.x.x 172.16.x.x QM_IDLE 11 0 ACTIVE
172.16.x.x 172.16.x.x QM_IDLE 12 0 ACTIVE
(B) “show crypto isakmp sa detail”
This command shows, under the Lifetime column, how long the crypto session has been established or stable. The clock runs in the opposite direction: it counts down from the configured lifetime rather than up. For example, in the output below the lifetime reads 23:00:29, which means the crypto session has been established for 59 minutes 31 seconds (the configured 24 hours minus the time remaining). In some deployments the lifetime is configured as a span of 8 hours, in others as 24 hours.
Router#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
11 172.16.x.x 172.16.x.x ACTIVE 3des md5 rsig 2 23:00:29 D
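As an added example (not part of the original post), the Python script below parses constructed output shaped like the two commands above, flags any SA whose state is not QM_IDLE, and turns the remaining lifetime into the time the session has been established. The addresses and conn-ids are placeholders, and a configured lifetime of 24 hours is an assumption.

```python
import re
from datetime import timedelta

# Constructed sample output shaped like the two commands above; addresses
# and connection ids are placeholders, not taken from a real device.
SA_OUTPUT = """\
dst             src             state          conn-id slot status
172.16.1.1      172.16.2.1      QM_IDLE             11    0 ACTIVE
172.16.1.1      172.16.3.1      MM_NO_STATE         12    0 ACTIVE
"""
# Only conn-id 11 has a detail row, so conn-id 12 has no lifetime to read.
SA_DETAIL_OUTPUT = """\
C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
11    172.16.1.1      172.16.2.1             ACTIVE 3des md5  rsig 2  23:00:29 D
"""
# dst src state conn-id slot status (IPv4 peers assumed)
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)$")
# conn-id at the start of the row; the first HH:MM:SS token is the lifetime
DETAIL_LINE = re.compile(r"^(\d+)\s.*?\b(\d{1,2}:\d{2}:\d{2})\b")

def parse_sa(output):
    """Map conn-id -> IKE state from 'show crypto isakmp sa'."""
    sessions = {}
    for line in output.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sessions[int(m.group(4))] = m.group(3)
    return sessions

def parse_lifetimes(output):
    """Map conn-id -> remaining lifetime from 'show crypto isakmp sa detail'."""
    remaining = {}
    for line in output.splitlines():
        m = DETAIL_LINE.match(line.strip())
        if m:
            h, mi, s = (int(x) for x in m.group(2).split(":"))
            remaining[int(m.group(1))] = timedelta(hours=h, minutes=mi, seconds=s)
    return remaining

def triage(sa_output, detail_output, configured_lifetime=timedelta(hours=24)):
    """Flag any SA not in QM_IDLE and work out how long each has been up."""
    # The lifetime counts down, so uptime = configured lifetime - remaining.
    # A 24 h configured lifetime is an assumption (the page cites 8 h and 24 h).
    lifetimes = parse_lifetimes(detail_output)
    findings = []
    for conn_id, state in parse_sa(sa_output).items():
        left = lifetimes.get(conn_id)
        findings.append({"conn_id": conn_id, "state": state, "healthy": state == "QM_IDLE",
                         "established_for": configured_lifetime - left if left is not None else None})
    return findings
```

With the sample above, conn-id 11 is reported healthy and established for 0:59:31, while conn-id 12 is flagged because its state is MM_NO_STATE and it has no lifetime row.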
I am here to share my knowledge and experience in the field of networking with the goal being - "The more you share, the more you learn."
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed an interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer in the fact that "learning is a constant process of discovering yourself."
- Rashmi Bhardwaj (Author/Editor)