Monitoring and Managing Management Connections
In the next two sections I'll discuss some show, clear, and debug commands you can use to view and manage your ISAKMP/IKE Phase 1 management connections. This chapter introduces these commands; Chapter 19, "Troubleshooting Router Connections," covers them in depth as they relate to troubleshooting IPsec sessions.
Viewing ISAKMP/IKE Phase 1 Connections
When a management connection is being built, it will go through various states. The current state of this connection can be seen with this command:
Router# show crypto isakmp sa [detail]
Example 16-26 illustrates the use of this command. In this example, only one management connection exists. The state column indicates what state the connection is in. Table 16-1 explains the various states a connection can be in.
Example 16-26. Viewing Management Connections
```
r3640# show crypto isakmp sa
dst             src             state          conn-id slot status
192.1.1.40      192.1.1.20      QM_IDLE              1    0 ACTIVE
```
| State | Explanation |
|---|---|
| MM_NO_STATE | When using main mode, the ISAKMP SA is in an infancy state and has not completed; you'll typically see this appear when a management connection fails to establish. |
| MM_SA_SETUP | When using main mode, the policy parameters have been negotiated between the peers successfully. |
| MM_KEY_EXCH | When using main mode, the peers have performed DH and created a shared secret key, but device authentication hasn't occurred yet. |
| MM_KEY_AUTH | When using main mode, the peers have passed authentication and will transition to a QM_IDLE state. |
| AG_NO_STATE | When using aggressive mode, the ISAKMP SA is in an infancy state and has not completed; you'll typically see this appear when a management connection fails to establish. |
| AG_INIT_EXCH | The first exchange in aggressive mode has completed, but device authentication hasn't been performed yet. |
| AG_AUTH | When using aggressive mode, the peers have passed authentication and will transition to a QM_IDLE state. |
| QM_IDLE | The management connection has been built and can be used during ISAKMP/IKE Phase 2 to build data connections. This is commonly referred to as quiescent mode. |
You can view more details about the management connections by adding the detail parameter to the show crypto isakmp sa command, as illustrated in Example 16-27. Here you can see information like the type of encryption algorithm used ("aes"), the HMAC function used ("md5"), the authentication method ("psk," which stands for pre-shared keys), the DH key group ("2"), and the remaining lifetime of the connection (a little over 11 hours). Also, at the bottom, you can see if encryption is being performed in software or hardware: in this example, it's being done in software.
Example 16-27. Viewing Details of Management Connections
```
r3640# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap
1     192.1.1.40      192.1.1.20             ACTIVE aes  md5  psk  2  23:02:47

Connection-id:Engine-id = 1:1(software)
```
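Operators rarely read these outputs one router at a time; they pull them from many devices and want to know which Phase 1 connections are stuck in one of the Table 16-1 failure states and which were negotiated with parameters worth tightening. The following Python script is an added example (not code from the book or from Cisco IOS) that parses both the summary output of Example 16-26 and the detail output of Example 16-27 and reports on them. The two router outputs embedded in it are constructed to mirror the layout of those examples (a second, failing peer at 192.1.1.30 is my addition), and the "weak parameter" thresholds are my own choices, not the book's. The detail parser locates fields relative to the hh:mm:ss lifetime token because the I-VRF column is blank for non-VRF peers, which shifts the whitespace-split columns.

```python
import re
from dataclasses import dataclass

# Constructed sample output, laid out like Example 16-26 (not captured from a real router).
SAMPLE_SA = """\
dst             src             state          conn-id slot status
192.1.1.40      192.1.1.20      QM_IDLE              1    0 ACTIVE
192.1.1.40      192.1.1.30      MM_NO_STATE          2    0 ACTIVE
"""

# Constructed sample output, laid out like Example 16-27.
SAMPLE_SA_DETAIL = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap
1     192.1.1.40      192.1.1.20             ACTIVE aes  md5  psk  2  23:02:47
2     192.1.1.40      192.1.1.30             ACTIVE 3des sha  psk  5  00:10:05 D
"""

# Table 16-1 states grouped by what they tell an operator.
ESTABLISHED = {"QM_IDLE"}
STUCK_OR_FAILED = {"MM_NO_STATE", "AG_NO_STATE"}
IN_PROGRESS = {"MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "AG_INIT_EXCH", "AG_AUTH"}

# Parameters to flag for review; these thresholds are assumptions of this example.
WEAK_HASH = {"md5"}
WEAK_ENCR = {"des", "3des"}
WEAK_DH = {"1", "2"}   # 768-bit and 1024-bit MODP groups

LIFETIME_RE = re.compile(r"^\d+:\d{2}:\d{2}$")


@dataclass
class IsakmpSa:
    conn_id: int
    local: str
    remote: str
    state: str = ""
    status: str = ""
    encr: str = ""
    hash: str = ""
    auth: str = ""
    dh: str = ""
    lifetime_s: int = -1
    cap: str = ""


def parse_isakmp_sa(text):
    """Parse the summary 'show crypto isakmp sa' output into SAs keyed by conn-id."""
    sas = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[3].isdigit():
            continue  # header, blank line, or the prompt
        dst, src, state, conn_id, _slot, status = parts[:6]
        sas[int(conn_id)] = IsakmpSa(int(conn_id), dst, src, state=state, status=status)
    return sas


def parse_isakmp_sa_detail(text, sas=None):
    """Parse 'show crypto isakmp sa detail', merging into SAs from the summary if given."""
    sas = dict(sas) if sas else {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue
        idx = next((i for i, p in enumerate(parts) if LIFETIME_RE.match(p)), None)
        if idx is None:
            continue
        hours, minutes, seconds = (int(x) for x in parts[idx].split(":"))
        conn_id = int(parts[0])
        sa = sas.get(conn_id) or IsakmpSa(conn_id, parts[1], parts[2])
        sa.local, sa.remote = parts[1], parts[2]
        # Status Encr Hash Auth DH always immediately precede the lifetime column.
        sa.status, sa.encr, sa.hash, sa.auth, sa.dh = parts[idx - 5:idx]
        sa.lifetime_s = hours * 3600 + minutes * 60 + seconds
        sa.cap = " ".join(parts[idx + 1:])  # capability flags (D, K, N, X, ...) if any
        sas[conn_id] = sa
    return sas


def audit(sas):
    """Return one finding per problem; an empty list means every SA looks healthy."""
    findings = []
    for sa in sorted(sas.values(), key=lambda s: s.conn_id):
        peer = f"conn-id {sa.conn_id} ({sa.local} <-> {sa.remote})"
        if sa.state in STUCK_OR_FAILED:
            findings.append(f"{peer}: Phase 1 stuck in {sa.state}; negotiation is failing")
        elif sa.state in IN_PROGRESS:
            findings.append(f"{peer}: Phase 1 still negotiating ({sa.state})")
        if sa.hash in WEAK_HASH:
            findings.append(f"{peer}: weak hash {sa.hash}")
        if sa.encr in WEAK_ENCR:
            findings.append(f"{peer}: weak encryption {sa.encr}")
        if sa.dh in WEAK_DH:
            findings.append(f"{peer}: weak DH group {sa.dh}")
    return findings


if __name__ == "__main__":
    merged = parse_isakmp_sa_detail(SAMPLE_SA_DETAIL, parse_isakmp_sa(SAMPLE_SA))
    for finding in audit(merged):
        print(finding)
```

On the constructed sample this reports four findings: the md5 hash and DH group 2 on conn-id 1, and the MM_NO_STATE state plus 3des encryption on conn-id 2. The lifetime is converted to seconds so the same report can also warn when an SA is about to expire or rekey.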
Managing ISAKMP/IKE Phase 1 Connections
To tear down a management connection, use the following clear command:
Router# clear crypto isakmp [conn_ID]
If you don't enter a specific connection ID, all management connections are torn down. Connection IDs can be found in the output of the show crypto isakmp sa command.
If you are having problems establishing a management connection, you can use the debug crypto isakmp command. I'll discuss this command in much more depth in Chapter 19, "Troubleshooting Router Connections."