show crypto isakmp sa
Displays the current state of Internet Key Exchange (IKE) Security Associations (SAs) used for IPsec VPN tunnels, allowing verification of Phase 1 tunnel establishment.
When to Use This Command
- Verify that an IPsec VPN peer has successfully established Phase 1 (IKE) after configuring a site-to-site VPN.
- Troubleshoot a VPN that is not coming up by checking if IKE SAs are in MM_ACTIVE state.
- Monitor active VPN tunnels to ensure they are still established and not idle or deleted.
- Check the encryption and authentication algorithms negotiated with a remote peer.
Command Examples
Basic show crypto isakmp sa output
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     10.0.0.1        MM_ACTIVE      1001    0    ACTIVE
10.0.0.1        192.168.1.1     MM_ACTIVE      1002    0    ACTIVE
Line 1: Header for IPv4 IKE SAs.
Line 2: dst=remote peer IP, src=local IP, state=MM_ACTIVE (Phase 1 complete), conn-id=unique SA ID, slot=hardware slot (0 for software), status=ACTIVE (SA is usable).
Line 3: Reverse direction SA (bidirectional).
Troubleshooting a failed IKE SA
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     10.0.0.1        MM_NO_STATE    1001    0    DELETED
state=MM_NO_STATE indicates Phase 1 negotiation failed or never started. status=DELETED means the SA was removed. This output suggests a configuration mismatch (e.g., pre-shared key, encryption algorithm) or connectivity issue.
Understanding the Output
The command output lists all IKE SAs (Phase 1) that the router has negotiated. Each row represents a unidirectional SA; typically two rows appear for a bidirectional tunnel. The 'dst' column shows the remote peer IP, 'src' the local IP. The 'state' column is critical: 'MM_ACTIVE' means Phase 1 is complete and the SA is ready for Phase 2 (IPsec). Other states like 'MM_NO_STATE', 'MM_KEY_EXCH', or 'MM_WAIT_MSG' indicate negotiation is in progress or failed. 'conn-id' is a local identifier for the SA. 'slot' is usually 0 for software-based crypto. 'status' shows 'ACTIVE' if the SA is usable, or 'DELETED' if it has been removed. In a healthy VPN, you should see at least one pair of SAs in MM_ACTIVE and ACTIVE status. If you see DELETED or non-ACTIVE states, check IKE configuration (pre-shared keys, algorithms, peer reachability).
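The interpretation rules above (a usable SA needs both state MM_ACTIVE and status ACTIVE; MM_NO_STATE or DELETED points to a failed negotiation; other MM_ states mean negotiation is still in progress) are easy to encode for automated monitoring. The following parser is an added example written for this page, not Cisco code or output captured from a real device: it reads text in the column layout shown in the examples above, classifies each peer, and serves both the "failed IKE SA" and "monitoring" cases. The sample output is constructed, the peer addresses are documentation addresses, and the set of states treated as "Phase 1 complete" is an assumption held in one constant (MM_ACTIVE from this page, plus QM_IDLE, which IOS routers display once Phase 1 has finished).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the same layout as the page's examples (not a real capture):
# one healthy bidirectional pair, one failed negotiation, one still in progress.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.1.1     10.0.0.1        MM_ACTIVE      1001    0    ACTIVE
10.0.0.1        192.168.1.1     MM_ACTIVE      1002    0    ACTIVE
203.0.113.7     10.0.0.1        MM_NO_STATE    1003    0    DELETED
198.51.100.9    10.0.0.1        MM_KEY_EXCH    1004    0    ACTIVE
"""

# States that mean Phase 1 finished. MM_ACTIVE is the value this page documents;
# QM_IDLE is what IOS routers show for an established IKE SA. Assumption: extend
# this set if your platform reports a different name.
PHASE1_COMPLETE_STATES = {"MM_ACTIVE", "QM_IDLE"}
# States that mean the negotiation failed or never started.
PHASE1_FAILED_STATES = {"MM_NO_STATE"}


@dataclass
class IkeSa:
    dst: str       # remote peer address (per the page's column description)
    src: str       # local address
    state: str     # MM_ACTIVE, MM_NO_STATE, MM_KEY_EXCH, ...
    conn_id: int
    slot: int
    status: str    # ACTIVE or DELETED

    def is_usable(self) -> bool:
        # Both columns matter: an ACTIVE-looking state with status DELETED is not usable.
        return self.state in PHASE1_COMPLETE_STATES and self.status == "ACTIVE"


# One data row: two IPv4 addresses, a state token, conn-id, slot, status.
ROW_RE = re.compile(
    r"^(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)\s+"
    r"(?P<slot>\d+)\s+"
    r"(?P<status>[A-Z]+)\s*$"
)


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """Extract SA rows from 'show crypto isakmp sa' text; header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            sas.append(IkeSa(m["dst"], m["src"], m["state"],
                             int(m["conn_id"]), int(m["slot"]), m["status"]))
    return sas


def check_peer(sas: List[IkeSa], peer_ip: str) -> str:
    """Classify the tunnel to one peer: 'up', 'failed', 'negotiating' or 'absent'.

    A peer may appear in either column because the page shows one row per
    direction, so both dst and src are matched.
    """
    rows = [s for s in sas if peer_ip in (s.dst, s.src)]
    if not rows:
        return "absent"
    if any(s.is_usable() for s in rows):
        return "up"
    if any(s.status == "DELETED" or s.state in PHASE1_FAILED_STATES for s in rows):
        return "failed"
    return "negotiating"


def summarize(text: str, local_ip: str) -> Dict[str, str]:
    """Map every remote peer seen in the output to its classification.

    local_ip is the router's own address, used to tell which side of each row
    is the peer; it is an input here, not something the output states.
    """
    sas = parse_isakmp_sa(text)
    peers = {s.src if s.dst == local_ip else s.dst for s in sas}
    return {peer: check_peer(sas, peer) for peer in sorted(peers)}


if __name__ == "__main__":
    for peer, verdict in summarize(SAMPLE_OUTPUT, local_ip="10.0.0.1").items():
        print(f"{peer:<16} {verdict}")
```

The verdicts are intentionally coarse: "failed" tells the operator to go check the IKE policy, pre-shared key and peer reachability as the page recommends, while "negotiating" is worth re-checking a few seconds later before raising an alarm.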
CCNA Exam Tips
CCNA exam tip: The state 'MM_ACTIVE' confirms Phase 1 is complete; if you see 'MM_NO_STATE', the IKE negotiation hasn't started or failed.
CCNA exam tip: Two SAs (one for each direction) are normal for a single VPN tunnel; don't be alarmed by duplicate entries.
CCNA exam tip: If the status is 'DELETED', the SA was removed due to timeout or manual clear; check crypto isakmp policy and pre-shared keys.
CCNA exam tip: The command does not show Phase 2 (IPsec) SAs; use 'show crypto ipsec sa' for that.
Common Mistakes
Mistake 1: Assuming a single SA is enough; forgetting that IKE creates two unidirectional SAs (one for each direction).
Mistake 2: Misinterpreting 'MM_NO_STATE' as a temporary state; it often indicates a configuration error that prevents negotiation.
Mistake 3: Not checking the 'status' column; an SA in 'ACTIVE' state but with 'DELETED' status is not usable.