CSR Router Show Commands
Describes the available CSR Router show commands and their example outputs.
- View all Existing ISAKMP SAs
- View all Existing IPsec SAs
- View Crypto (Encryption) Session Details
- View IKEv2 SAs
- View IKEv2 SA Details
View all Existing ISAKMP SAs
Use the show crypto isakmp sa command to view the ISAKMP SAs for all existing or current IPsec connections.
Example
switch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.0.0.1 1.0.0.2 QM_IDLE 1331 ACTIVE
vrouter-ikev1-isakmp-profile
IPv6 Crypto ISAKMP SA
View all Existing IPsec SAs
Use the show crypto ipsec sa command to view the IPsec SAs for all existing or current IPsec connections.
Example
switch#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (1.0.0.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.0.0.1/255.255.255.255/47/0)
current_peer 1.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest:1f
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify:1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed:0
#pkts not decompressed: 0, #pkts decompress failed:0
#send errors 0, #recv errors 0
local crypto endpt.: 1.0.0.2, remote crypto endpt.: 1.0.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xCB8FB740(3415193408)
PFS (Y/N): N, DH group: none
Dummy packet: Initializing
inbound esp sas:
spi: 0x36383677(909653623)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5287, flow_id: CSR:3287, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCB8FB740(3415193408)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5288, flow_id: CSR:3288, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support : Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
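The fields in this output that matter most for a health or configuration review are the PFS setting, the error counters, and the per-SA replay detection and status lines. The following Python sketch is an added example, not part of the original documentation or any vendor tool: it parses a saved copy of the output and lists findings. The function names and the policy of reporting disabled PFS as a finding are assumptions, and the sample text is abridged from the example above.

```python
import re

# Abridged from the `show crypto ipsec sa` example output on this page.
SAMPLE = """\
current_peer 1.0.0.1 port 500
#send errors 0, #recv errors 0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x36383677(909653623)
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound esp sas:
spi: 0xCB8FB740(3415193408)
replay detection support : Y
Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(text):
    """Parse one peer's block into a dict holding a list of per-direction SAs."""
    peer, direction, sa = {"sas": []}, None, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"current_peer (\S+)", line):
            peer["peer"] = m[1]
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            peer["errors"] = int(m[1]) + int(m[2])
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            peer["pfs"] = m[1] == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = f"{m[1]} {m[2]}"
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa = {"dir": direction, "spi": m[1]}  # a new SA starts at each spi line
            peer["sas"].append(sa)
        elif sa and (m := re.match(r"replay detection support\s*: ([YN])", line)):
            sa["replay"] = m[1] == "Y"
        elif sa and (m := re.match(r"Status: (\w+)", line)):
            sa["status"] = m[1]
    return peer

def audit(peer):
    """Return review findings for one parsed peer (assumed policy, adjust locally)."""
    out = [] if peer.get("pfs") else ["PFS disabled"]
    if peer.get("errors"):
        out.append(f"{peer['errors']} send/recv errors")
    for sa in peer["sas"]:
        if sa.get("status") != "ACTIVE":
            out.append(f"{sa['dir']} {sa['spi']}: status {sa.get('status')}")
        if not sa.get("replay"):
            out.append(f"{sa['dir']} {sa['spi']}: replay detection off")
    return out
```

Calling audit(parse_ipsec_sa(SAMPLE)) on the sample reports only the disabled PFS setting, which matches the "PFS (Y/N): N" line in the example output.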
View Crypto (Encryption) Session Details
Use the show crypto session detail command to view details about the crypto session for all current IPsec connections.
Example
switch#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Tunnel0
Profile: vrouter-ikev1-isakmp-profile
Uptime: 00:20:23
Session status: UP-ACTIVE
Peer: 1.0.0.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.0.0.1
Desc: (none)
Session ID: 0
IKEv1 SA: local 1.0.0.2/500 remote 1.0.0.1/500 Active
Capabilities:(none) connid:1332 lifetime:07:39:35
IPSEC FLOW: permit 47 host 1.0.0.2 host 1.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 42 drop 0 life (KB/Sec) 4607997/2375
Outbound: #pkts enc'ed 44 drop 0 life (KB/Sec) 4607995/2375
View IKEv2 SAs
Use the show crypto ikev2 sa command to view summary information about all IKE version 2 SAs in use by existing IPsec connections.
Example
switch#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 3.3.3.3/500 3.3.3.1/500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96,
DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5349 sec
IPv6 Crypto IKEv2 SA
View IKEv2 SA Details
Use the show crypto ikev2 sa detailed command to view details about all IKE version 2 SAs in use by existing IPsec connections.
Example
switch#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 3.3.3.3/500 3.3.3.1/500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96,
DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5358 sec
CE id: 1351, Session-id: 6
Status Description: Negotiation done
Local spi: 9FA0B7B1F7746E69 Remote spi: 4B1652D32691E8AF
Local id: 3.3.3.3
Remote id: 3.3.3.1
Local req msg id: 4 Remote req msg id: 8
Local next msg id: 4 Remote next msg id: 8
Local req queued: 4 Remote req queued: 8
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA