Open In App

How to Check the Status of the Tunnel’s Phase 1 and 2?

Answer: Use the command `show crypto isakmp sa` for Phase 1 and `show crypto ipsec sa` for Phase 2 to check the status of the tunnel’s phases on a Cisco device.

Checking the status of an IPSec VPN tunnel involves two phases, Phase 1 (IKE or ISAKMP) and Phase 2 (IPSec).

Check Phase 1 Status

Use the command `show crypto isakmp sa` on a Cisco device. This command displays the current IKE Security Associations (SAs) built between your device and the peer. A state of “QM_IDLE” indicates a successful Phase 1.

Check Phase 2 Status

Execute `show crypto ipsec sa` on a Cisco device to inspect the IPSec Security Associations. This command shows details about the Phase 2 tunnel, including the encryption and authentication methods, key lifetimes, and packets encrypted/decrypted.


By executing specific commands on your network device, you can efficiently check the operational status and health of both Phase 1 and Phase 2 of an IPSec VPN tunnel. These checks are crucial for troubleshooting and ensuring the secure and efficient transmission of data across the network.

Article Tags :