Last updated on: June 15 2024.

ISAKMP Security Association

This page explains what an ISAKMP Security Association (SA) is and how to read the output of the relevant show commands.

An ISAKMP-SA is sometimes referred to as a “phase 1” SA; in IKEv2 terminology it is simply the IKE SA.

To view ISAKMP SAs see View ISAKMP Security Associations.

For information about ISAKMP configuration see ISAKMP Configuration Explained.

TL;DR

  • Does the ISAKMP SA ever establish? If not, there is likely a config problem.

  • Is the established SA constantly being replaced? If so, it might be an IPsec-SA config issue.

ISAKMP SA Purpose

An ISAKMP SA is a definition of the parameters for sending encrypted ISAKMP packets between two endpoints. The SA records the encryption and hash (integrity) algorithms, the Diffie-Hellman group, the authentication method, the lifetime, the peer addresses and UDP ports (500, or 4500 when NAT-T is in use) and more.

An ISAKMP SA is not a tunnel. It describes the parameters for a (normally) encrypted conversation between two IKE peers, that is, the channel over which future SAs can be securely brought into existence.

In order for an ISAKMP SA to exist, two peers must negotiate a set of mandatory parameters. If any of them do not match (for example a different Diffie-Hellman group or authentication method), the SA negotiation fails and will most likely be retried soon after.

Counterintuitively, a placeholder IPsec-SA is created before the ISAKMP-SA negotiation starts. If an ISAKMP SA establishes and is then constantly replaced, the problem is most likely in the IPsec-SA (phase 2) negotiation, not in the ISAKMP-SA negotiation. Once the IPsec-SA negotiation fails or gives up, the underlying ISAKMP-SA may be deleted; whether it is depends on the vendors and IKE version involved.

IKEv1 - racoonctl Output

Source           Destination         Cookies                           ST S  V E Created             Phase2
127.0.0.1.500    10.2.2.2.500        9f7a366492b4f22e:b90b9aa17880beb8  9 R 10 M 2024-11-09 08:58:30      1
10.1.1.1.500     10.3.3.3.500        ef282855139dba4e:b606fea3430c5928  9 I 10 M 2024-11-09 08:50:30      1

There are two ISAKMP-SAs here because there are two different IPsec tunnels on this BIG-IP. One peer is 10.2.2.2 and the other is 10.3.3.3, while the BIG-IP's local IP is 10.1.1.1. A source of 127.0.0.1 is normal when the BIG-IP is the ISAKMP responder (column S is “R”).

The “Phase2” column shows “1” for each ISAKMP-SA: one phase 2 tunnel has been negotiated with each peer. A “tunnel” in this sense is a pair of IPsec-SAs (one inbound, one outbound), not a single SA, so each row here corresponds to two IPsec-SAs being up with that peer.

The output above strongly indicates ISAKMP-SA creation is not a problem, especially since IPsec-SAs were created over these ISAKMP-SAs.

Check every few minutes to see if the “Created” date has changed. If it changes every few minutes, the tunnel is being renegotiated, which indicates a negotiation problem; it points at the ISAKMP-SA negotiation specifically only if the ISAKMP-SA setup never completes (state 9 is never reached).

A complete SA, as above, shows a Created date and is in “ST” state 9.

Here is a full description of what the columns mean.

Column              Displayed  Description
ST (Tunnel Status)  1          Start Phase 1 negotiation
                    2          msg 1 received
                    3          msg 1 sent
                    4          msg 2 received
                    5          msg 2 sent
                    6          msg 3 received
                    7          msg 3 sent
                    8          msg 4 received
                    9          isakmp tunnel established
                    10         isakmp tunnel expired
S                   I          Initiator
                    R          Responder
V (Version Number)  10         ISAKMP version 1.0
E (Exchange Mode)   M          Main (Identity Protection)
                    A          Aggressive
Phase2              (number)   Number of Phase 2 tunnels negotiated with this IKE peer

Note that Aggressive mode (E is “A”) sends the peer identity in the clear and, with pre-shared-key authentication, exposes a hash that can be attacked offline; Main mode is preferred unless the peer cannot support it.
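The following Python script is an added example (not code from this page, from F5 or from racoon) that applies the checks above to racoonctl listings: it parses the rows, maps the ST column using the table, and compares two snapshots taken a few minutes apart to tell a phase 1 failure from an established SA that keeps being replaced. The snapshots are constructed in the layout shown above; the third peer 10.4.4.4, its aggressive-mode setting and every cookie value other than the two on this page are made up.

```python
import re
from datetime import datetime

# Meaning of the ST column, taken from the table on this page.
ST_MEANING = {
    1: "start phase 1 negotiation", 2: "msg 1 received", 3: "msg 1 sent",
    4: "msg 2 received", 5: "msg 2 sent", 6: "msg 3 received",
    7: "msg 3 sent", 8: "msg 4 received", 9: "isakmp tunnel established",
    10: "isakmp tunnel expired",
}
ST_ESTABLISHED = 9

# One data row: Source Destination Cookies ST S V E Created Phase2
ROW_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<cookies>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<st>\d+)\s+(?P<s>[IR])\s+(?P<v>\d+)\s+(?P<e>[MA])\s+"
    r"(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<phase2>\d+)$"
)

# Constructed snapshots a few minutes apart, in the racoonctl layout shown
# above. 10.2.2.2 and 10.3.3.3 are the peers from the page; 10.4.4.4 is a
# made-up peer, in aggressive mode, that never gets past ST 3. In the second
# snapshot 10.3.3.3 has been replaced (new cookies, new Created time).
SNAPSHOT_1 = """\
Source           Destination         Cookies                           ST S  V E Created             Phase2
127.0.0.1.500    10.2.2.2.500        9f7a366492b4f22e:b90b9aa17880beb8  9 R 10 M 2024-11-09 08:58:30      1
10.1.1.1.500     10.3.3.3.500        ef282855139dba4e:b606fea3430c5928  9 I 10 M 2024-11-09 08:50:30      1
10.1.1.1.500     10.4.4.4.500        0a1b2c3d4e5f6071:8293a4b5c6d7e8f9  3 I 10 A 2024-11-09 09:01:12      0
"""
SNAPSHOT_2 = """\
Source           Destination         Cookies                           ST S  V E Created             Phase2
127.0.0.1.500    10.2.2.2.500        9f7a366492b4f22e:b90b9aa17880beb8  9 R 10 M 2024-11-09 08:58:30      1
10.1.1.1.500     10.3.3.3.500        5d0c91af3e7b2246:c1e8f0a2b3d45567  9 I 10 M 2024-11-09 09:03:45      1
10.1.1.1.500     10.4.4.4.500        7f6e5d4c3b2a1908:1726354453627181  3 I 10 A 2024-11-09 09:04:02      0
"""


def parse_racoonctl(text):
    """Return one dict per ISAKMP-SA row; header and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        sas.append({
            "peer": d["dst"].rsplit(".", 1)[0],   # "addr.port" -> addr (IPv4 layout)
            "cookies": d["cookies"],
            "st": int(d["st"]),
            "role": d["s"],
            "mode": d["e"],
            "created": datetime.strptime(d["created"], "%Y-%m-%d %H:%M:%S"),
            "phase2": int(d["phase2"]),
        })
    return sas


def diagnose(earlier, later):
    """Apply the page's checks to two snapshots, returning {peer: verdict}.

    Never reaching ST 9 points at ISAKMP-SA (phase 1) negotiation; reaching
    ST 9 but being replaced between snapshots points at the IPsec-SA side.
    """
    before = {sa["peer"]: sa for sa in earlier}
    verdicts = {}
    for sa in later:
        peer, prev = sa["peer"], before.get(sa["peer"])
        if sa["st"] != ST_ESTABLISHED:
            verdict = f"phase1-problem: ST {sa['st']} ({ST_MEANING.get(sa['st'], 'unknown')})"
        elif prev is not None and (prev["cookies"] != sa["cookies"] or prev["created"] != sa["created"]):
            verdict = "flapping: established but replaced since last snapshot; check IPsec-SA config"
        elif sa["phase2"] == 0:
            verdict = "established but no phase 2 tunnel; check IPsec-SA config"
        else:
            verdict = f"ok: established since {sa['created']:%Y-%m-%d %H:%M:%S}, {sa['phase2']} phase 2 tunnel(s)"
        if sa["mode"] == "A":
            verdict += "; aggressive mode in use"
        verdicts[peer] = verdict
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(parse_racoonctl(SNAPSHOT_1), parse_racoonctl(SNAPSHOT_2)).items():
        print(peer, verdict)
```

Run against two listings captured a few minutes apart, 10.2.2.2 comes back as ok, 10.3.3.3 as flapping (established, but with new cookies and a new Created time) and 10.4.4.4 as a phase 1 problem stuck at ST 3. Keying on the destination address only works for the IPv4 “addr.port” layout shown on this page.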

IKEv2 - TMSH Output

-------------------------
IKE::SecurityAssociations
-------------------------
(tmm: 3)
  10.2.2.2/500 -> 10.1.1.1/500
  Version: v2                                         State: ESTABLISHED
  IKE Peer: /Common/ike-10202
  Spi(local): 0xdf5601249fd324ec         Spi(Remote): 0x74c405a807c5226b
  Encryption: aes256                      Authentication: pre-shared-key
  Hash Algorithm: sha256                                 Initiator: TRUE
  Life/Active Time: 28800/14691 seconds                      NAT-T: none
  Traffic Selectors 2                                      Reqid(in/out)
     /Common/selector-10202                                  17131/17132
     /Common/second-selector                                 17129/17130
  Child SA Count: 1

Total records returned: 1

The output does not include a creation date. Instead, the age of the SA is reported as “Life/Active Time”:

  • Life Time - The lifetime in seconds that the SA is allowed to exist.

  • Active Time - The number of seconds the SA has been established.

If the “State” is not ESTABLISHED then the SA is in the process of negotiating and not usable yet.

If the Active Time keeps resetting and the “Spi” values keep changing, the SA is flapping. Check every few minutes to see whether this is happening. Flapping indicates tunnel negotiation problems, but it points at the ISAKMP-SA negotiation specifically only if the SA never reaches the ESTABLISHED state. A new SPI pair appearing when the Active Time was approaching the Life Time is normal rekeying, not flapping.

The command also shows the algorithms in use, whether NAT-T was detected and whether this BIG-IP was the Initiator. Check the algorithm fields while you are there: legacy choices such as 3DES, MD5 or SHA-1 will still establish, but should be replaced.
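As an added example (not F5 code), the following Python script parses IKE::SecurityAssociations records, applies the checks described in this section, flags legacy algorithms and separates a normal rekey from flapping. The snapshot text is constructed in the layout shown above: the first record is adapted from the page, while the second peer /Common/ike-10303, its SPI values, the legacy algorithm spellings and the 90 % rekey threshold are assumptions.

```python
import re

# Field patterns for one IKE::SecurityAssociations record; the labels are
# the ones shown on this page.
FIELDS = {
    "ike_peer":   re.compile(r"IKE Peer:\s*(\S+)"),
    "state":      re.compile(r"State:\s*(\S+)"),
    "spi_local":  re.compile(r"Spi\(local\):\s*(0x[0-9a-fA-F]+)"),
    "spi_remote": re.compile(r"Spi\(Remote\):\s*(0x[0-9a-fA-F]+)"),
    "encryption": re.compile(r"Encryption:\s*(\S+)"),
    "hash":       re.compile(r"Hash Algorithm:\s*(\S+)"),
    "auth":       re.compile(r"Authentication:\s*(\S+)"),
    "initiator":  re.compile(r"Initiator:\s*(TRUE|FALSE)"),
    "natt":       re.compile(r"NAT-T:\s*(\S+)"),
}
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+) seconds")
CHILD_RE = re.compile(r"Child SA Count:\s*(\d+)")
RECORD_RE = re.compile(r"^\(tmm: \d+\)\s*$", re.M)   # each record starts here

# Algorithm names (assumed spelling) that should be retired if they appear.
LEGACY = {"des", "3des", "md5", "sha1", "null"}

# Constructed output in the layout shown above. The first record is adapted
# from the page; /Common/ike-10303 is a made-up second peer on legacy ciphers.
SNAPSHOT_1 = """\
IKE::SecurityAssociations
(tmm: 3)
  10.2.2.2/500 -> 10.1.1.1/500
  Version: v2                                         State: ESTABLISHED
  IKE Peer: /Common/ike-10202
  Spi(local): 0xdf5601249fd324ec         Spi(Remote): 0x74c405a807c5226b
  Encryption: aes256                      Authentication: pre-shared-key
  Hash Algorithm: sha256                                 Initiator: TRUE
  Life/Active Time: 28800/14691 seconds                      NAT-T: none
  Traffic Selectors 1                                      Reqid(in/out)
     /Common/selector-10202                                  17131/17132
  Child SA Count: 1
(tmm: 1)
  10.3.3.3/500 -> 10.1.1.1/500
  Version: v2                                         State: ESTABLISHED
  IKE Peer: /Common/ike-10303
  Spi(local): 0x1a2b3c4d5e6f7081         Spi(Remote): 0x92a3b4c5d6e7f809
  Encryption: 3des                        Authentication: pre-shared-key
  Hash Algorithm: sha1                                   Initiator: TRUE
  Life/Active Time: 28800/40 seconds                         NAT-T: none
  Child SA Count: 0

Total records returned: 2
"""
# Three minutes later: ike-10202 has simply aged; ike-10303 has a new SPI pair.
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("28800/14691", "28800/14871")
              .replace("0x1a2b3c4d5e6f7081", "0x0badcafe00000001")
              .replace("0x92a3b4c5d6e7f809", "0x0badcafe00000002")
              .replace("28800/40 ", "28800/95 "))


def parse_ike_sas(text):
    """Return one dict per '(tmm: N)' record; text before the first is the banner."""
    sas = []
    for chunk in RECORD_RE.split(text)[1:]:
        sa = {}
        for key, rx in FIELDS.items():
            m = rx.search(chunk)
            sa[key] = m.group(1) if m else None
        m = LIFE_RE.search(chunk)
        sa["life"], sa["active"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        m = CHILD_RE.search(chunk)
        sa["children"] = int(m.group(1)) if m else 0
        sas.append(sa)
    return sas


def legacy_algorithms(sa):
    """Encryption/hash settings on this SA that should be retired."""
    return sorted(a for a in (sa["encryption"], sa["hash"]) if a and a.lower() in LEGACY)


def replaced(prev, sa):
    """True when the SA got a new SPI pair or its Active Time went backwards."""
    return prev is not None and (
        (prev["spi_local"], prev["spi_remote"]) != (sa["spi_local"], sa["spi_remote"])
        or (sa["active"] or 0) < (prev["active"] or 0))


def diagnose(earlier, later, rekey_fraction=0.9):
    """Compare two snapshots a few minutes apart, keyed on the IKE Peer name.

    A new SPI pair after the old SA had used at least rekey_fraction of its
    Life Time (an assumed threshold) is a normal rekey; earlier than that it
    is flapping.
    """
    before = {sa["ike_peer"]: sa for sa in earlier}
    verdicts = {}
    for sa in later:
        name, prev = sa["ike_peer"], before.get(sa["ike_peer"])
        if sa["state"] != "ESTABLISHED":
            verdict = f"negotiating: state {sa['state']}, not usable yet"
        elif replaced(prev, sa) and prev["active"] >= rekey_fraction * prev["life"]:
            verdict = f"rekeyed: new SPIs after {prev['active']}/{prev['life']} s"
        elif replaced(prev, sa):
            verdict = f"flapping: new SPIs after only {prev['active']}/{prev['life']} s; check IPsec-SA config"
        elif sa["children"] == 0:
            verdict = "established but no Child SA; check IPsec-SA config"
        else:
            verdict = f"ok: established {sa['active']} s, {sa['children']} child SA(s)"
        if legacy_algorithms(sa):
            verdict += "; legacy algorithms: " + ", ".join(legacy_algorithms(sa))
        verdicts[name] = verdict
    return verdicts


if __name__ == "__main__":
    for name, verdict in diagnose(parse_ike_sas(SNAPSHOT_1), parse_ike_sas(SNAPSHOT_2)).items():
        print(name, verdict)
```

Records are keyed on the IKE Peer name rather than on the address line, since the page does not say which side of the arrow is local. With the two constructed snapshots, /Common/ike-10202 is reported ok and /Common/ike-10303 as flapping (new SPIs after only 40 of 28800 seconds) with 3des and sha1 flagged; the same SPI change after, say, 28700 seconds would be reported as a rekey.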
