F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100

Usage guidelines
If you do not specify any parameters or keywords, the command displays brief information about the
current IKE SAs.
Examples
# Display brief information about the current IKE SAs.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id  peer            flag        phase   doi
----------------------------------------------------------
1              202.38.0.2      RD|ST       1       IPSEC
2              202.38.0.2      RD|ST       2       IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Display brief information about IKE SAs in an IPsec stateful failover scenario.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id  peer            flag        phase   doi     status
--------------------------------------------------------------------
1              202.38.0.2      RD|ST       1       IPSEC   ACTIVE
2              202.38.0.2      RD|ST       2       IPSEC   ACTIVE
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
Table 9 Command output
Field                Description
total phase-1 SAs    Total number of SAs for phase 1.
connection-id        Identifier of the ISAKMP SA.
peer                 Remote IP address of the SA.
flag                 Status of the SA:
                     RD (READY)—The SA has been established.
                     ST (STAYALIVE)—This end is the initiator of the tunnel negotiation.
                     RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later.
                     FD (FADING)—The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over.
                     TO (TIMEOUT)—The SA has received no keepalive packets after the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
phase                The phase the SA belongs to:
                     Phase 1—The phase for establishing the ISAKMP SA.
                     Phase 2—The phase for negotiating the security service. IPsec SAs are established in this phase.
doi                  Interpretation domain the SA belongs to.
status               Stateful failover status of the SA, active or standby. This field appears only in an IPsec stateful failover scenario.
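
The following is an added example, not part of the HP manual: a Python parser for the display ike sa output shown above (both the plain and the stateful failover layouts) that decodes the flags from Table 9 and reports SAs worth an operator's attention. The function names, the health rules, and sample row 3 are assumptions made for illustration.

```python
import re

# Flag abbreviations and their meanings, as listed in Table 9.
FLAGS = {"RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
         "FD": "FADING", "TO": "TIMEOUT"}
# One SA row: connection-id, peer, flags, phase, doi, optional failover status.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([A-Z|]+)\s+([12])\s+(\S+)(?:\s+(\S+))?\s*$")
TOTAL = re.compile(r"^\s*total phase-1 SAs:\s*(\d+)")

def parse_ike_sa(text):
    """Return (declared phase-1 total, list of SA dicts) from 'display ike sa' output."""
    total, sas = None, []
    for line in text.splitlines():
        if (m := TOTAL.match(line)):
            total = int(m.group(1))
        elif (m := ROW.match(line)):
            cid, peer, flags, phase, doi, status = m.groups()
            sas.append({"id": int(cid), "peer": peer, "flags": flags.split("|"),
                        "phase": int(phase), "doi": doi, "status": status})
    return total, sas

def findings(total, sas):
    """Hypothetical health rules derived from the flag meanings in Table 9."""
    out = []
    phase1 = sum(1 for sa in sas if sa["phase"] == 1)
    if total is not None and total != phase1:
        out.append(f"header reports {total} phase-1 SAs, parsed {phase1}")
    for sa in sas:
        unknown = [f for f in sa["flags"] if f not in FLAGS]
        if unknown:
            out.append(f"SA {sa['id']} ({sa['peer']}): unknown flag(s) {unknown}")
        if "RD" not in sa["flags"]:
            out.append(f"SA {sa['id']} ({sa['peer']}): not READY")
        for f in ("TO", "FD", "RL"):  # keepalive loss, past soft lifetime, superseded
            if f in sa["flags"]:
                out.append(f"SA {sa['id']} ({sa['peer']}): {FLAGS[f]}")
    return out

# Constructed sample in the failover layout; row 3 is invented for illustration.
SAMPLE = """total phase-1 SAs: 1
connection-id  peer        flag    phase  doi    status
1              202.38.0.2  RD|ST   1      IPSEC  ACTIVE
2              202.38.0.2  RD|ST   2      IPSEC  ACTIVE
3              192.0.2.10  RD|TO   2      IPSEC  STANDBY
"""

if __name__ == "__main__":
    print("\n".join(findings(*parse_ike_sa(SAMPLE))))
```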