Monitoring and Managing Management Connections

In the next two sections I'll discuss some show, clear, and debug commands you can use to view and manage your ISAKMP/IKE Phase 1 management connections. This chapter introduces these commands, and Chapter 19, "Troubleshooting Router Connections," will provide in-depth coverage of these commands as they relate to troubleshooting IPsec sessions.

Viewing ISAKMP/IKE Phase 1 Connections

When a management connection is being built, it goes through various states. The current state of this connection can be seen with this command:

Router# show crypto isakmp sa [detail]
Example 16-26 illustrates the use of this command. In this example, only one management connection exists. The state column indicates what state the connection is in. Table 16-1 explains the various states a connection can be in.

Example 16-26. Viewing Management Connections

r3640# show crypto isakmp sa
dst             src             state          conn-id slot status
192.1.1.40      192.1.1.20      QM_IDLE              1    0 ACTIVE
You can view more details about the management connections by adding the detail parameter to the show crypto isakmp sa command, as illustrated in Example 16-27. Here you can see information such as the type of encryption algorithm used ("aes"), the HMAC function used ("md5"), the authentication method ("psk," which stands for pre-shared keys), the DH key group ("2"), and the remaining lifetime of the connection (a little over 11 hours). Also, at the bottom, you can see whether encryption is being performed in software or hardware: in this example, it's being done in software.

Example 16-27. Viewing Details of Management Connections

r3640# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap
1     192.1.1.40      192.1.1.20             ACTIVE aes  md5  psk  2  23:02:47
      Connection-id:Engine-id = 1:1(software)

Managing ISAKMP/IKE Phase 1 Connections

To tear down a management connection, use the following clear command:

Router# clear crypto isakmp [conn_ID]

If you don't enter a specific connection ID, all management connections are torn down. Connection IDs can be found in the output of the show crypto isakmp sa command. If you are having problems establishing a management connection, you can use the debug crypto isakmp command. I'll discuss this command in much more depth in Chapter 19, "Troubleshooting Router Connections."
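The two show outputs above are what an operator usually collects from many routers during a VPN audit, so it helps to see how to turn them into structured records and run the checks a reviewer would apply. The following script is an added example, not code from the book or from Cisco: it parses the brief and detail forms of show crypto isakmp sa in the layouts of Examples 16-26 and 16-27, reports whether each Phase 1 SA is fully established (QM_IDLE/ACTIVE), and flags MD5 hashing and low DH groups, which current guidance treats as too weak. The sample output embedded in the script is constructed to match the book's examples, and the detail parser reads the row right to left from the Lifetime column so that an empty I-VRF column does not shift the fields.

```python
"""Parse IOS 'show crypto isakmp sa' / 'show crypto isakmp sa detail' output
(formats as in Examples 16-26 and 16-27) and run defender-side checks."""
import re

# Constructed sample output, laid out like Example 16-26.
BRIEF_OUTPUT = """\
r3640# show crypto isakmp sa
dst             src             state          conn-id slot status
192.1.1.40      192.1.1.20      QM_IDLE              1    0 ACTIVE
"""

# Constructed sample output, laid out like Example 16-27.
DETAIL_OUTPUT = """\
r3640# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap
1     192.1.1.40      192.1.1.20             ACTIVE aes  md5  psk  2  23:02:47
      Connection-id:Engine-id = 1:1(software)
"""

LIFETIME_RE = re.compile(r"^\d+:\d{2}:\d{2}$")
ENGINE_RE = re.compile(r"Connection-id:Engine-id = (\d+):(\d+)\((\w+)\)")


def lifetime_to_seconds(text):
    """'23:02:47' -> remaining lifetime in seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_brief(output):
    """Rows of 'show crypto isakmp sa': one dict per management connection."""
    sas, in_table = [], False
    for line in output.splitlines():
        fields = line.split()
        if fields[:3] == ["dst", "src", "state"]:
            in_table = True          # header row found; data rows follow
            continue
        if in_table and len(fields) == 6:
            dst, src, state, conn_id, slot, status = fields
            sas.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn_id), "slot": int(slot),
                        "status": status})
    return sas


def parse_detail(output):
    """Rows of 'show crypto isakmp sa detail'. Fields are located relative to
    the Lifetime column so an empty I-VRF column does not shift them."""
    sas = []
    for line in output.splitlines():
        m = ENGINE_RE.search(line)
        if m and sas:                # trailing line belongs to the previous row
            sas[-1]["engine"] = m.group(3)      # 'software' or 'hardware'
            continue
        fields = line.split()
        if len(fields) < 9 or not fields[0].isdigit():
            continue                 # prompt, codes legend, header, blank line
        idx = next((i for i, f in enumerate(fields) if LIFETIME_RE.match(f)), None)
        if idx is None or idx < 8:
            continue
        sas.append({
            "conn_id": int(fields[0]), "local": fields[1], "remote": fields[2],
            "vrf": fields[3] if idx - 5 == 4 else "",   # I-VRF present only if it fills a column
            "status": fields[idx - 5], "encr": fields[idx - 4],
            "hash": fields[idx - 3], "auth": fields[idx - 2],
            "dh": int(fields[idx - 1]),
            "lifetime_s": lifetime_to_seconds(fields[idx]),
            "cap": "".join(fields[idx + 1:]),           # C/D/K/N/X flags, if any
            "engine": None,
        })
    return sas


def is_established(sa):
    """A Phase 1 SA is usable once it reaches QM_IDLE with status ACTIVE;
    an MM_*/AG_* state means negotiation is still in progress or stuck."""
    return sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"


def audit(sa):
    """Findings from a 'detail' row: MD5 as the HMAC function and DH groups
    1/2/5 are below current-practice strength (reviewer's thresholds, not IOS)."""
    findings = []
    if sa["hash"] == "md5":
        findings.append("hash: md5 (prefer sha256 or stronger)")
    if sa["dh"] in (1, 2, 5):
        findings.append(f"dh: group {sa['dh']} (prefer group 14 or higher)")
    if sa["auth"] == "psk":
        findings.append("auth: pre-shared key (ensure it is long and random)")
    return findings


if __name__ == "__main__":
    for sa in parse_brief(BRIEF_OUTPUT):
        print(f"conn {sa['conn_id']}: {sa['src']} -> {sa['dst']} "
              f"established={is_established(sa)}")
    for sa in parse_detail(DETAIL_OUTPUT):
        print(f"conn {sa['conn_id']}: {sa['encr']}/{sa['hash']}/{sa['auth']}/dh{sa['dh']} "
              f"lifetime={sa['lifetime_s']}s engine={sa['engine']}")
        for f in audit(sa):
            print("  finding:", f)
```

The right-to-left parse matters in practice: when a peer sits in a VRF, the I-VRF column is populated and every field after it moves one position, so splitting on whitespace and indexing from the left would silently mislabel the hash as the encryption algorithm. The brief parser keys on the dst/src/state header rather than line position, so it also tolerates the banner lines some IOS releases print before the table.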