[c-nsp] ASA EZVPN config

Christian Zeng christian at zengl.net
Tue May 1 04:41:13 EDT 2007


Hi,

* Ahmad Cheikh Moussa <acm at netuse.de> wrote:
>ok, but why active and not idle?
>Why does the ASA show AM_Active and the IOS gateway QM_IDLE?
>On both I used the command "show crypto isakmp sa".

I think it's cosmetic. There is no *_IDLE, at least not in PIX OS 7.2; a
strings on the unzipped image does not reveal such a name.

For routers, you will find some information about IKE SA states here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017cf1d.html#wp1074075

Also, RFC 2409 is a good resource.

Note that once an IKE SA is established, either via Main Mode or
Aggressive Mode, Quick Mode (QM) is used to negotiate the IPSec SAs
(Phase 2), so this is the reason you'll see the IOS router showing
QM_IDLE nearly all the time. A deb cry isa should show the state
transitions in great detail.

Depending on the interpretation of the developer, you will find the
initial IKE SA in its current state (QM_*) or reflecting the initial
exchange type that was used (MM_*, AM_*) in the show output.

But this is only guessing; I don't have the equipment to play with it
right now :)

Regards,


Christian
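As an added illustration of the naming difference discussed in the thread (not part of the original post or of any Cisco tool), the following script parses the "show crypto isakmp sa" output of an IOS router and of an ASA, tags each IKE SA with the exchange its state name reflects, and flags peers whose Phase 1 never completed. The sample outputs are constructed and only approximate the real device layout; the state names themselves (QM_IDLE, MM_ACTIVE, AM_ACTIVE, MM_NO_STATE, AM_WAIT_MSG3) are the ones the platforms use.

```python
import re

# Constructed sample output approximating "show crypto isakmp sa" on an IOS
# router and on an ASA (layout is an assumption, not a real capture).
IOS_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.7    QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.9    MM_NO_STATE       1002 ACTIVE (deleted)
"""

ASA_OUTPUT = """\
   Active SA: 2
Total IKE SA: 2
1   IKE Peer: 198.51.100.7
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.11
    Rekey   : no              State   : AM_WAIT_MSG3
"""

# IOS shows an established IKE SA as QM_IDLE (already in Quick Mode, idle
# between Phase-2 negotiations); the ASA keeps the initial exchange type in
# the name and shows MM_ACTIVE / AM_ACTIVE. Anything else is still in progress.
ESTABLISHED = {"QM_IDLE", "MM_ACTIVE", "AM_ACTIVE"}
EXCHANGE = {"MM": "main", "AM": "aggressive", "AG": "aggressive", "QM": "quick"}

IOS_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]{2}_[A-Z0-9_]+)\s+(\d+)", re.M)
ASA_RE = re.compile(r"IKE Peer: (\S+).*?State\s*:\s*([A-Z]{2}_[A-Z0-9_]+)", re.S)


def describe(peer, state):
    """Normalise one SA: which exchange the state name reflects, and whether
    Phase 1 is complete on this platform's naming scheme."""
    prefix = state.split("_", 1)[0]
    return {"peer": peer, "state": state, "established": state in ESTABLISHED,
            "exchange": EXCHANGE.get(prefix, "unknown")}


def parse_ios(text):
    """One entry per SA line of IOS output; the src column is taken as the peer."""
    return [describe(src, st) for _dst, src, st, _cid in IOS_RE.findall(text)]


def parse_asa(text):
    """One entry per 'IKE Peer' block of ASA output."""
    return [describe(peer, st) for peer, st in ASA_RE.findall(text)]


def not_established(entries):
    """Peers whose Phase 1 has not completed: worth a 'debug crypto isakmp' look."""
    return [e["peer"] for e in entries if not e["established"]]
```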

