Providing site-to-site redundancy, Viewing an ipsec configuration, Clearing security associations – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI, Chapter 64 Configuring IPsec and ISAKMP (page 64-34)

Providing Site-to-Site Redundancy

You can define multiple IKEv1 peers by using crypto maps to provide redundancy. This configuration is
useful for site-to-site VPNs. This feature is not supported with IKEv2.

If one peer fails, the ASA establishes a tunnel to the next peer associated with the crypto map. It sends
data to the peer that it has successfully negotiated with, and that peer becomes the active peer. The active
peer is the peer that the ASA keeps trying first for follow-on negotiations until a negotiation fails. At
that point the ASA goes on to the next peer. The ASA cycles back to the first peer when all peers
associated with the crypto map have failed.

Viewing an IPsec Configuration

Table 64-6 lists commands that you can enter to view information about your IPsec configuration.

Clearing Security Associations

Certain configuration changes take effect only during the negotiation of subsequent SAs. If you want the
new settings to take effect immediately, clear the existing SAs to reestablish them with the changed
configuration. If the ASA is actively processing IPsec traffic, clear only the portion of the SA database
that the configuration changes affect. Reserve clearing the full SA database for large-scale changes, or
when the ASA is processing a small amount of IPsec traffic.
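The following configuration is an added example, not text from the Cisco guide, showing a crypto map entry with two IKEv1 peers for the redundancy described above, followed by a selective clear of one peer's SAs as recommended for an ASA that is still passing IPsec traffic. The addresses (RFC 5737 documentation ranges), object names, ACL and keys are assumed values.

```cisco
! Assumed sample values: local network 10.1.0.0/16, remote network 10.2.0.0/16,
! remote site reachable via primary peer 203.0.113.10 and backup peer 203.0.113.11.
access-list L2L-SITE1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! IKEv1 phase 1 policy and IPsec transform set. Multiple peers per crypto map
! entry is an IKEv1-only feature; it is not supported with IKEv2.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Each peer needs its own tunnel-group, named by the peer address, carrying
! that peer's pre-shared key (placeholders shown).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key KEY-FOR-PEER-1-PLACEHOLDER
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 ikev1 pre-shared-key KEY-FOR-PEER-2-PLACEHOLDER

! One crypto map entry lists both peers in order. The ASA tries 203.0.113.10
! first; if that negotiation fails it moves on to 203.0.113.11, and the peer it
! negotiates with becomes the active peer for follow-on negotiations until it fails.
crypto map OUTSIDE_MAP 10 match address L2L-SITE1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10 203.0.113.11
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

! Verification: confirm the map, then inspect which peer holds the active SAs.
show running-config crypto map
show crypto ipsec sa peer 203.0.113.10

! After a change to this entry, clear only the affected peer's SAs so that
! unrelated tunnels on a busy ASA keep running; they renegotiate with the new settings.
clear crypto ipsec sa peer 203.0.113.10
```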

Table 64-7 lists commands you can enter to clear and reinitialize IPsec SAs.

Table 64-6  Commands to View IPsec Configuration Information

Command                              Purpose
show running-configuration crypto    Displays the entire crypto configuration, including IPsec,
                                     crypto maps, dynamic crypto maps, and ISAKMP.
show running-config crypto ipsec     Displays the complete IPsec configuration.
show running-config crypto isakmp    Displays the complete ISAKMP configuration.
show running-config crypto map       Displays the complete crypto map configuration.
show running-config crypto dynamic-map  Displays the dynamic crypto map configuration.
show all crypto map                  Displays all of the configuration parameters, including
                                     those with default values.

Table 64-7  Commands to Clear and Reinitialize IPsec SAs

Command                              Purpose
clear configure crypto               Removes an entire crypto configuration, including IPsec,
                                     crypto maps, dynamic crypto maps, and ISAKMP.
clear configure crypto ca trustpoint Removes all trustpoints.
clear configure crypto dynamic-map   Removes all dynamic crypto maps. Includes keywords that
                                     let you remove specific dynamic crypto maps.
