VPN... which policy is used?
mikearama
Techies.
Just got asked a question and I can't find an answer.
We are about to migrate our last Pix pairs to ASA's, and the question of whether we need new certs came up.
On the Pixen, I have several policies available, using both pre-shared keys and a cert. I cannot find a command that shows which policy got selected and is in use for LIVE VPN tunnels.
When I do a "sh crypto ipsec sa" or a "sh crypto isakmp sa", I see beaucoup information, but not which policy is in use, and whether the key or the cert was selected.
Anyone help me out?
Comments
aaron0011
I'm not sure if this command works on PIX or not, but on ASA the command "show vpn-sessiondb" will give you stats on each connected VPN tunnel, and the applied Group Policy is one of the listed parameters.
mikearama
None of the above commands show the policy in use. LOTS of info from the "sh isakmp policy" options... but all static config.
And no, in these pixes, sh vpn-sessiondb is not viable.
I posted the same in the cisco forums, and the response I got was that with the pix firewalls, you need to run a debug to see the negotiation. So I guess I gotta schedule a tunnel to break, and watch the rebuild. Ugh.
Thanks for the input guys.
Mike