Re: "show crypto isakmp sa" command on PIX

From: Sam Munzani (sam@munzani.com)
Date: Mon Oct 13 2003 - 12:08:33 GMT-3

• Next message: boby2kusa@hotmail.com: "Re: rescore policy"
• Previous message: Thomas Larus: "Re: rescore policy"
• Maybe in reply to: Sam Munzani: ""show crypto isakmp sa" command on PIX"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Chris,

This is site to site VPN between 2 /24 subnets. The number keeps
incrementing for some peers. I don't have PFS on either. Any ideas?

Sam

> Basically that will tell you how many SA's have been "established".
> When you build your SA, you probably have an access list that permits
> several different subnets to be "protected" as you go across the VPN.
>
> Say you are a vpngroup user. You VPN in. You hit a machine on the
> 192.168.10.0/24 net and you will see you get 1 created. Ping something
> on the 192.168.20.0/24 net and it will increment to 2 created and so on.
>
> ==================================================================
>
> Chris Johnston / Senior Systems Engineer <chris@routerguy.com>
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Sam Munzani
> Sent: Friday, October 10, 2003 1:42 PM
> To: ccielab@groupstudy.com
> Cc: cciesecurity@yahoogroup.com
> Subject: "show crypto isakmp sa" command on PIX
>
>
> Hi,
>
> What does last column represent in "show crypto isakmp sa" command of
> PIX. Below is an output from my PIX with IP address changed. PIX# sh
> crypto isakmp sa
> Total : 5
> Embryonic : 0
> dst src state pending created
> 12.67.55.23 12.207.183.209 QM_IDLE 0 1
> 12.67.55.23 12.160.196.102 QM_IDLE 0 3
> 12.67.55.23 65.23.110.6 QM_IDLE 0 2
> 12.67.55.23 12.134.222.126 QM_IDLE 0 1
>
> All 5 sites works great. However one of my friend with similar
> configuration has last field incrementing. His site is PIX to NetScreen
> and works too.
>
> I could not find any reference in PIX documentations.
>
> Thanks
> Sam
>
> ***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

***Get your CCIE and a FREE vacation: Shop.GroupStudy.com***

• Next message: boby2kusa@hotmail.com: "Re: rescore policy"
• Previous message: Thomas Larus: "Re: rescore policy"
• Maybe in reply to: Sam Munzani: ""show crypto isakmp sa" command on PIX"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:53:01 GMT-3