This is an old revision of the document!
Resources for scripting in cisco:
IPSEC uses “Security Associations” (SA) - An SA is a relationship between two or more potential VPN endpoints, which determines what encryption algorithms to use, and the two endpoints exchange session keys. (more info)
You can see the SAs with the command: show crypto isakmp sa
Sometimes an endpoint will reconnect to the Internet and reconnect with a different session key, and the other endpoint will think that nothing even happened, so both endpoints have different session keys and can't talk. You can clear the SA with this command: clear crypto ipsec sa
Or in Cisco's words: An IPSec “black hole” occurs when one IPSec peer “dies” (for example, a peer can “die” if a reboot occurs or if an IPSec peer somehow gets reset). Because one of the peers (the receiving peer) is completely reset, it loses its IKE SA with the other peer. Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE “INVALID SPI NOTIFY” message to the data originator. This notification is sent using the IKE SA. If there is no IKE SA available, the receiving peer drops the packet. Source: Invalid SPI Recovery - this may be a feature we can turn on so we never see this problem…
When typing any command, you can press ? to show help information. This can show available commands, and also syntax for specific commands. You can also use TAB to complete commands.
Reload the Router
Show the Running Config
Insert ACLs using Line Numbers