IT Knowledge Base

User Tools

Site Tools


This is an old revision of the document!



Config / Firmware / etc

Networking / Routing / etc

Logging etc

Network Services




IPSEC uses “Security Associations” (SA) - An SA is a relationship between two or more potential VPN endpoints, which determines what encryption algorithms to use, and the two endpoints exchange session keys. (more info)

You can see the SAs with the command: show crypto isakmp sa

Sometimes an endpoint will reconnect to the Internet and reconnect with a different session key, and the other endpoint will think that nothing even happened, so both endpoints have different session keys and can't talk. You can clear the SA with this command: clear crypto ipsec sa

Or in Cisco's words: An IPSec “black hole” occurs when one IPSec peer “dies” (for example, a peer can “die” if a reboot occurs or if an IPSec peer somehow gets reset). Because one of the peers (the receiving peer) is completely reset, it loses its IKE SA with the other peer. Generally, when an IPSec peer receives a packet for which it cannot find an SA, it tries to send an IKE “INVALID SPI NOTIFY” message to the data originator. This notification is sent using the IKE SA. If there is no IKE SA available, the receiving peer drops the packet. Source: Invalid SPI Recovery - this may be a feature we can turn on so we never see this problem…

Config Templates

Basic Commands

When typing any command, you can press ? to show help information. This can show available commands, and also syntax for specific commands. You can also use TAB to complete commands.

  • Clear the NAT translation tables: clear ip nat translation *
  • Go to beginning of line: CTRL+A, to end of line: CTRL+E
  • Delete the startup config (will show setup mode after reload): erase startup-config
  • Show host table: show hosts (temp = cached lookup, perm = host added with “ip host”)
  • Disable console logging: no logging console
  • Turn off all debugging: “undebug all” or “un all”

Reload the Router

Show the Running Config

  • Turn off the annoying MORE behaviour:terminal length 0(term len 0)
  • Show the configuration:show running-config(show run)
  • Show the startup config:show startup-config(show start)
  • Revert changes from startup config:copy startup-config running-config(copy start run) - or just reboot the router
  • Commit changes to startup config:copy running-config startup-config(copy run start)
  • Another method (does the same thing):wr
  • Start displaying config at specific line containing word: show run | begin word
  • Display all lines with given word: show run | include word
  • show run | section word


  • Show routes: show ip route


  • List interfaces: show ip int brief
  • Show particular interface: show run interface Dialer0
  • Show trunk ports: show interface trunk

Insert ACLs using Line Numbers

  • To show ACL rules with line numbers: show ip access-list
  • To remove a line (eg. 50): no 50
  • To add a rule at a line number (eg. 50): 50 permit udp any any eq domain
kb/cisco.1475127248.txt.gz · Last modified: 2016/09/29 15:04 by Dan Mundy