show crypto isakmp sa
Displays the current Internet Key Exchange (IKE) Phase 1 security associations (SAs) on the Cisco ASA Firewall, showing the status of ISAKMP negotiations.
Overview
The 'show crypto isakmp sa' command is a fundamental troubleshooting tool for VPN operations on Cisco ASA Firewalls. It displays the status of Internet Key Exchange (IKE) Phase 1 security associations, the initial negotiation that establishes a secure channel between two VPN peers. IKE Phase 1, also known as ISAKMP (Internet Security Association and Key Management Protocol), authenticates the peers and negotiates the encryption algorithm, hash algorithm, Diffie-Hellman group, and other parameters. This command is essential for verifying that Phase 1 has completed successfully before moving on to Phase 2 (the IPsec SA).

On the ASA, the command shows active SAs, including the peer IP, connection type (LAN-to-LAN or remote access), role (initiator or responder), and the current state of negotiation. The state field is the most critical: 'MM_ACTIVE' indicates a fully established Phase 1 SA, while other states such as 'MM_WAIT_MSG_2' or 'MM_NO_STATE' indicate ongoing negotiation or failure. The detailed version adds the negotiated parameters: encryption algorithm (e.g., AES, 3DES), hash algorithm (SHA, MD5), Diffie-Hellman group, and lifetime.

In a troubleshooting workflow, this command isolates whether a VPN issue lies in Phase 1 or Phase 2. For example, if 'show crypto isakmp sa' shows no SA for a peer, the problem is likely in Phase 1 (e.g., a mismatched pre-shared key, ACL issues, or connectivity). If Phase 1 is active but the tunnel is down, the issue is in Phase 2. The ASA platform behaves similarly to Cisco IOS but uses slightly different state names and output formatting. Understanding this command is crucial for CCNP Security candidates and network engineers managing ASA VPNs.
Syntax
show crypto isakmp sa [detail] [active | standby]
When to Use This Command
- Verify that IKE Phase 1 negotiation completed successfully for a remote VPN peer.
- Troubleshoot VPN connectivity issues when a tunnel fails to establish.
- Monitor the number of active IKE SAs during peak VPN usage.
- Check the encryption and hash algorithms negotiated with a specific peer.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| detail | detail | Displays additional information for each IKE SA, including encryption algorithm, hash algorithm, Diffie-Hellman group, and lifetime. Useful for verifying policy matches. |
| active | active | Shows only active IKE SAs on the active unit in a failover pair. Used in high-availability environments. |
| standby | standby | Shows IKE SAs on the standby unit in a failover pair. Requires failover configuration. |
Command Examples
Basic IKE SA Status
show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Shows one active IKE SA with peer 203.0.113.1. The state MM_ACTIVE indicates Phase 1 is complete. Role shows this ASA initiated the connection.
Detailed IKE SA Information
show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0
Total IKE SA: 1

1   IKE Peer: 203.0.113.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : sha
    DH Group: 2               Lifetime: 86400
    Session-id: 1
Adds encryption (AES), hash (SHA), Diffie-Hellman group (2), and lifetime details. Useful for verifying policy match.
Understanding the Output
The output of 'show crypto isakmp sa' lists all active IKE Phase 1 security associations. The first lines show the count of active SAs and rekey SAs. Each entry includes the peer IP address, connection type (L2L for LAN-to-LAN or RAVPN for remote access), role (initiator or responder), rekey status, and the current state. The state is critical: MM_ACTIVE means Phase 1 is complete and the SA is established. Other states like MM_WAIT_MSG_* or MM_NO_STATE indicate negotiation is in progress or has failed. In the detailed output, additional fields show the negotiated encryption algorithm (e.g., aes, 3des), hash algorithm (sha, md5), Diffie-Hellman group, and lifetime in seconds.

A healthy output shows at least one SA in MM_ACTIVE state for each expected peer. Problematic values include states stuck in MM_WAIT_MSG_2 or MM_NO_STATE, which suggest configuration mismatches or connectivity issues. Multiple SAs for the same peer may indicate a rekey in progress (one Active, one Rekey).
Configuration Scenarios
Site-to-Site VPN with Pre-Shared Key
Two ASAs connected via site-to-site VPN using pre-shared key authentication.
Topology
[ASA-A]---Internet---[ASA-B]
10.1.1.0/24          10.2.2.0/24
Steps
1. Configure the ISAKMP (IKEv1) policy on both ASAs with matching parameters.
2. Configure the tunnel group with the pre-shared key.
3. Apply the crypto map to the outside interface.
4. Verify with 'show crypto isakmp sa'.
! ASA-A
! Phase 1 (ISAKMP) policy; the same values must exist on ASA-B
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! IKEv1 must be enabled on the interface that terminates the tunnel (not in the original snippet)
crypto ikev1 enable outside
! Tunnel group for the peer, with the pre-shared key (case-sensitive)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key Cisco123
! Interesting traffic (the two LANs from the topology) and the Phase 2 transform set that the
! crypto map references; both were missing from the original snippet and are added here
access-list VPN_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
! Crypto map: match interesting traffic, set the peer and transform set, apply to outside
crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 203.0.113.2
crypto map MYMAP 10 set ikev1 transform-set AES-SHA
crypto map MYMAP interface outside
Verify: Run 'show crypto isakmp sa' on both ASAs. Expect to see an SA with state MM_ACTIVE for the peer IP.
Watch out: Ensure the pre-shared key matches exactly on both peers; it is case-sensitive. Also verify that the crypto map is applied to the correct interface.
Troubleshooting with This Command
When a VPN tunnel fails to establish, 'show crypto isakmp sa' is the first command to check. If no SA appears for the peer, the issue is likely in Phase 1. Common causes include: mismatched pre-shared keys, incorrect ISAKMP policy parameters (encryption, hash, DH group), ACLs blocking UDP port 500 (ISAKMP) or UDP 4500 (NAT-T), or the peer being unreachable. If the SA state is stuck in 'MM_WAIT_MSG_2' or 'MM_NO_STATE', the ASA is waiting for a response from the peer, indicating a connectivity or policy mismatch. Use 'debug crypto isakmp' to see detailed negotiation messages.

If the SA shows 'MM_ACTIVE' but the tunnel is down, the problem is in Phase 2; check 'show crypto ipsec sa'. Also, during rekey, you may see two SAs for the same peer (one Active, one Rekey). If the Rekey SA count is high or SAs are stuck, it may indicate a rekey failure. On the ASA, you can clear all IKE SAs with 'clear crypto isakmp sa' to force renegotiation. For remote access VPNs, the peer IP will be the client's public IP. Always check the 'detail' output to verify that the negotiated parameters match the configured policy.
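As an added example (not part of the original page and not a Cisco tool), the Python script below applies the reading rules from Understanding the Output and the triage rules from this section to saved command output: it parses each IKE SA entry, classifies the peer's Phase 1 state, flags a rekey in progress, reports expected peers that have no SA at all, and compares the 'detail' parameters with the configured policy (aes, sha, group 2, 86400 seconds from the scenario above). The sample output is constructed in the format shown on this page; the peer addresses 203.0.113.2, 198.51.100.7 and 192.0.2.9 and all function names are assumptions. The state spelling MM_WAIT_MSG_2 follows this page, and the classifier matches any MM_WAIT_MSG prefix so the device's own spelling is handled as well.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the ASA output format shown on this page (not captured from a device).
# 203.0.113.1 is established; 203.0.113.2 is mid-rekey (one Active + one Rekey SA) and negotiated
# a weaker policy than configured; 198.51.100.7 is stuck waiting for the peer's second message.
SAMPLE_OUTPUT = """\
   Active SA: 3
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4
1   IKE Peer: 203.0.113.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : sha
    DH Group : 2              Lifetime: 86400
2   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : md5
    DH Group : 2              Lifetime: 86400
3   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE
4   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG_2
"""
HEADER_RE = re.compile(r"^\s*(Active SA|Rekey SA|Total IKE SA):\s*(\d+)", re.MULTILINE)
ENTRY_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")      # "N   IKE Peer: a.b.c.d" opens an entry
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S+)")  # "Key : value   Key : value" lines
EXPECTED_POLICY = {"encrypt": "aes", "hash": "sha", "dh_group": "2", "lifetime": "86400"}  # policy 10 above
ORDER = ["established", "waiting_on_peer", "failed", "unknown"]  # best to worst, for peers with several SAs
HINTS = {
    "established": "Phase 1 is up; if traffic still fails, check Phase 2 with 'show crypto ipsec sa'.",
    "waiting_on_peer": "No reply from the peer: check reachability, UDP/500 and UDP/4500 filtering, and policy match.",
    "failed": "Negotiation failed or never started: check the pre-shared key and policy; 'debug crypto isakmp' shows why.",
    "missing": "No IKE SA for this peer: Phase 1 never started; check tunnel-group, crypto map and reachability.",
    "unknown": "Unrecognised state: inspect 'show crypto isakmp sa detail' and 'debug crypto isakmp'.",
}
_norm = lambda key: key.strip().lower().replace(" ", "_")  # "DH Group" -> "dh_group"

@dataclass
class IkeSa:
    index: int
    peer: str
    fields: dict = field(default_factory=dict)  # lower-cased keys: type, role, rekey, state, encrypt, ...

def parse_isakmp_sa(text: str):
    """Return (header counts, list of IkeSa) from 'show crypto isakmp sa [detail]' output."""
    counts = {_norm(k): int(v) for k, v in HEADER_RE.findall(text)}
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = IkeSa(int(m.group(1)), m.group(2))
            entries.append(current)
        elif current is not None:              # header lines before the first entry are skipped
            for key, value in PAIR_RE.findall(line):
                current.fields[_norm(key)] = value
    return counts, entries

def classify(state: str) -> str:
    """Coarse Phase 1 health from the State field (ASA names; QM_IDLE is the IOS equivalent of MM_ACTIVE)."""
    s = state.upper()
    if s in ("MM_ACTIVE", "QM_IDLE"):
        return "established"
    if s.startswith("MM_WAIT_MSG"):            # MM_WAIT_MSG_2 as written on this page, MM_WAIT_MSG2, etc.
        return "waiting_on_peer"
    return "failed" if s == "MM_NO_STATE" else "unknown"

def check_policy(sa: IkeSa, expected=EXPECTED_POLICY):
    """List negotiated 'detail' parameters that differ from the configured policy (empty list = match)."""
    mismatches = []
    for key, want in expected.items():
        got = sa.fields.get(key)
        if got is None:
            mismatches.append(f"{key}: not negotiated")
        elif got.lower() != want.lower():
            mismatches.append(f"{key}: negotiated {got}, expected {want}")
    return mismatches

def triage(text: str, expected_peers=()):
    """Per-peer health summary; peers in expected_peers with no SA at all are reported as 'missing'."""
    counts, entries = parse_isakmp_sa(text)
    peers = {}
    for sa in entries:
        p = peers.setdefault(sa.peer, {"states": [], "rekey_in_progress": False})
        p["states"].append(sa.fields.get("state", ""))
        p["rekey_in_progress"] |= sa.fields.get("rekey", "").lower() == "yes"
    for p in peers.values():
        classes = {classify(s) for s in p["states"]}
        p["health"] = next(c for c in ORDER if c in classes)  # a mid-rekey peer has two SAs; one established is enough
        p["hint"] = HINTS[p["health"]]
    for peer in expected_peers:
        peers.setdefault(peer, {"states": [], "rekey_in_progress": False, "health": "missing", "hint": HINTS["missing"]})
    # Total IKE SA in the header should equal the number of entries; if not, the output was truncated.
    return {"counts": counts, "peers": peers, "count_consistent": counts.get("total_ike_sa") == len(entries)}

if __name__ == "__main__":
    for peer, info in triage(SAMPLE_OUTPUT, expected_peers=["203.0.113.1", "192.0.2.9"])["peers"].items():
        print(f"{peer:15} {info['health']:16} rekey={info['rekey_in_progress']}  {info['hint']}")
```

Run it against the constructed sample and 203.0.113.2 comes back healthy with a rekey in progress (two SAs, both MM_ACTIVE), 198.51.100.7 is reported as waiting on the peer, and 192.0.2.9 as missing; calling check_policy on the second entry shows why the 'detail' keyword matters, since that peer negotiated 3des and md5 while the policy on this page calls for aes and sha.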
CCNA Exam Tips
- Remember that MM_ACTIVE is the desired state for a completed IKE Phase 1.
- Know that 'show crypto isakmp sa detail' reveals negotiated parameters like encryption and hash, which are key for troubleshooting policy mismatches.
- On the CCNP Security exam, be able to interpret the state field to identify where in the negotiation process a failure occurs.
Common Mistakes
- Confusing IKE Phase 1 (ISAKMP) with Phase 2 (IPsec); use 'show crypto ipsec sa' for Phase 2.
- Assuming a single SA means the tunnel is up; both Phase 1 and Phase 2 must be established.
- Overlooking the 'Rekey' SA count; during rekey, two SAs exist for the same peer.
Platform Notes
On Cisco ASA, the 'show crypto isakmp sa' command is similar to Cisco IOS but uses different state names. For example, IOS uses 'QM_IDLE' for Phase 1 complete, while ASA uses 'MM_ACTIVE'. The ASA also supports IKEv2, which uses 'show crypto ikev2 sa' instead. In ASA version 9.x and later, IKEv1 is still supported but IKEv2 is preferred. The command output may vary slightly between ASA versions; for instance, older versions may not show the 'Rekey' line. On other platforms like Palo Alto or Juniper, equivalent commands are 'show ike sa' or 'show security ike security-associations'. For ASA in multi-context mode, the command is available within each context but shows only that context's SAs. In failover, the 'active' and 'standby' keywords allow checking the peer unit's SAs.