CSR Router Show Commands

Describes the available CSR Router show commands and their example outputs.

Use the different show commands for CSR router instances to do the following:
  • View all Existing ISAKMP SAs
  • View all Existing IPsec SAs
  • View Crypto (Encryption) Session Details
  • View IKEv2 SAs
  • View IKEv2 SA Details

View all Existing ISAKMP SAs

Use the show crypto isakmp sa command to view the ISAKMP SAs for all existing or current IPsec connections.

Example


switch#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.0.0.1         1.0.0.2         QM_IDLE           1331 ACTIVE
vrouter-ikev1-isakmp-profile

IPv6 Crypto ISAKMP SA

View all Existing IPsec SAs

Use the show crypto ipsec sa command to view the IPsec SAs for all existing or current IPsec connections.

Example


switch#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.0.0.2

 protected vrf: (none)


 local ident (addr/mask/prot/port): (1.0.0.2/255.255.255.255/47/0)
 remote ident (addr/mask/prot/port): (1.0.0.1/255.255.255.255/47/0)
 current_peer 1.0.0.1 port 500 
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.0.0.2, remote crypto endpt.: 1.0.0.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0xCB8FB740(3415193408) 
PFS (Y/N): N, DH group: none
Dummy packet: Initializing

inbound esp sas:
spi: 0x36383677(909653623)
transform: esp-aes esp-sha-hmac , 
in use settings ={Tunnel, }
conn id: 5287, flow_id: CSR:3287, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support: Y 
Status: ACTIVE(ACTIVE)

inbound ah sas: 

inbound pcp sas: 

outbound esp sas:
spi: 0xCB8FB740(3415193408)
transform: esp-aes esp-sha-hmac , 
in use settings ={Tunnel, }
conn id: 5288, flow_id: CSR:3288, sibling_flags FFFFFFFF80004048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):(4607999/3598)
IV size: 16 bytes
replay detection support: Y 
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
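
The following added example, which is not part of the original documentation, parses show crypto ipsec sa output like the sample above and reports SAs with PFS disabled, replay detection off, or a transform on an assumed weak list. The function names, the WEAK set and the trimmed SAMPLE text are constructed for illustration.

```python
import re

# Constructed input: trimmed from the `show crypto ipsec sa` example above.
SAMPLE = """\
 current_peer 1.0.0.1 port 500
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x36383677(909653623)
transform: esp-aes esp-sha-hmac ,
replay detection support: Y
outbound esp sas:
spi: 0xCB8FB740(3415193408)
transform: esp-aes esp-sha-hmac ,
replay detection support : Y
"""

WEAK = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}  # assumed local policy

def parse_ipsec_sas(text):
    """Return (peer, pfs_enabled, list of per-SA dicts)."""
    peer, pfs, sas, section = None, None, [], None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"current_peer (\S+)", line):
            peer = m.group(1)
        elif m := re.match(r"PFS \(Y/N\): ([YN])", line):
            pfs = m.group(1) == "Y"
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = f"{m.group(1)} {m.group(2)}"
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sas.append({"dir": section, "spi": m.group(1)})  # start a new SA record
        elif sas and (m := re.match(r"transform: (.+?)\s*,?$", line)):
            sas[-1]["transform"] = m.group(1).split()
        elif sas and (m := re.match(r"replay detection support\s*: ([YN])", line)):
            sas[-1]["replay"] = m.group(1) == "Y"
    return peer, pfs, sas

def audit(text):
    """Return findings for PFS, replay detection and weak transforms."""
    peer, pfs, sas = parse_ipsec_sas(text)
    findings = [f"{peer}: PFS disabled"] if pfs is False else []
    for sa in sas:
        tag = f"{peer} {sa['dir']} {sa['spi']}"
        if not sa.get("replay"):
            findings.append(f"{tag}: replay detection off")
        for t in sorted(WEAK.intersection(sa.get("transform", []))):
            findings.append(f"{tag}: weak transform {t}")
    return findings

if __name__ == "__main__": print("\n".join(audit(SAMPLE)))
```

Run against the sample, the only finding is the disabled PFS on the tunnel to 1.0.0.1; both ESP SAs pass the replay and transform checks.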

View Crypto (Encryption) Session Details

Use the show crypto session detail command to view details about the crypto session for all current IPsec connections.

Example


switch#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel0
Profile: vrouter-ikev1-isakmp-profile
Uptime: 00:20:23
Session status: UP-ACTIVE
Peer: 1.0.0.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 1.0.0.1
Desc: (none)
 Session ID: 0
 IKEv1 SA: local 1.0.0.2/500 remote 1.0.0.1/500 Active
Capabilities:(none) connid:1332 lifetime:07:39:35
 IPSEC FLOW: permit 47 host 1.0.0.2 host 1.0.0.1
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 42 drop 0 life (KB/Sec) 4607997/2375
Outbound: #pkts enc'ed 44 drop 0 life (KB/Sec) 4607995/2375

View IKEv2 SAs

Use the show crypto ikev2 sa command to view summary information about all IKE version 2 SAs in use by existing IPsec connections.

Example


switch#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         3.3.3.3/500           3.3.3.1/500           none/none            READY

Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
 Life/Active Time: 86400/5349 sec

IPv6 Crypto IKEv2 SA

View IKEv2 SA Details

Use the show crypto ikev2 sa detailed command to view details about all IKE version 2 SAs in use by existing IPsec connections.

Example


switch#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         3.3.3.3/500           3.3.3.1/500           none/none            READY

Encr: AES-CBC, keysize: 128, PRF: sha256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5358 sec
CE id: 1351, Session-id: 6
Status Description: Negotiation done
Local spi: 9FA0B7B1F7746E69 Remote spi: 4B1652D32691E8AF
Local id: 3.3.3.3
Remote id: 3.3.3.1
Local req msg id: 4               Remote req msg id: 8
Local next msg id: 4              Remote next msg id: 8
Local req queued: 4               Remote req queued: 8
Local window: 5                   Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA