show crypto ipsec sa

Last Updated: Oct 26, 2015

Displays the IPSec SA database and related runtime, statistical, and configuration information. If no crypto-list, crypto-list rule, or peer IP address is specified, all SAs are displayed, sorted first by interface and then by crypto-list rule index.

The IPSec SA statistics counters are reset when any of the following events occur:

  • The clear crypto sa counters command is used.

  • avipsMonitorRstCntrs is set in the MIB (equivalent to the above).

  • The clear crypto sa all command is used.

  • The crypto-list is activated on an interface for the first time.

  • A failover to a different peer occurs.

  • A new local-address is learned (through DHCP, PPPoE, or user configuration).

Note:

The IP Payload Compression (IPPCP) numbers refer to data as it is presented to the compression/decompression engine, which is before outbound protection and after inbound de-protection. Hence, the numbers do not take into account encapsulation and encryption overheads.

Syntax

show crypto ipsec sa [list crypto-list-id [rule rule-id] | address] [detail]

Parameters

Parameter       Description
--------------  -------------------------------------------------------------------------
crypto-list-id  The crypto-list whose SA configuration should be displayed
rule-id         The ip-rule in the crypto-list whose SA configuration should be displayed
address         Keyword specifying to display SA configuration by peer IP address
detail          Keyword specifying to display detailed output

User level

read-only

Context

general

Example

To display the IPSec SA database and related information:

(In this example, active SAs exist for the rule.)

Gxxx-001(super)# show crypto ipsec sa
Interface: FastEthernet 
 Crypto list id: 901, Local address: 149.49.77.202
  Rule: 10, Crypto map: 1
  Local address:   149.49.77.202, Remote address: 135.64.102.109
  Local identity:  149.49.77.0/255.255.255.0
  Remote identity: 135.64.102.0/255.255.255.0
  path mtu 1500, media mtu 1500
  Current outbound spi: 0xfdc7d80c
  Inbound packets                Outbound packets
  -------------------------      ----------------------------------
  Total             6412359      Total                       3643507
    Total OK        6412359        Total OK                  3643507
      Decrypt       6412359          Encrypt                 3643507
      Verify        6412359          Digest                  3643507
      Decaps        6412359          Encaps                  3643507
    Total discards        0        Total discards                  0
     SA Type      SPI        Transform     PFS Secs left KB left Mode
   ------------ ---------- ------------  --- --------- ------- ----
   Inbound ESP  0x1698      esp-des       No  3501     4607999 Tunnel
                            esp-md5-hmac
   Outbound ESP 0xfdc7d80c  esp-des       No  3501     4607999 Tunnel
                            esp-md5-hmac
  --------------------------------------------------------------------
  Rule: 20, Crypto map: 1
  ...

To display the IPSec SA database and related information in detail:

(In this example, IP Payload Compression (IPPCP) is used.)

Gxxx-001(super)# show crypto ipsec sa detail
Inbound pkts errors (global):
     Invalid spi                 1
     Invalid interface           0
Interface: FastEthernet 
 Crypto list id: 901, Local address: FastEthernet 
  Rule: 10, Crypto map: 1
  Local address:   134.1.157.2
  Remote address: 134.1.155.1
  Local identity:  8.0.0.0/255.0.0.0
  Remote identity: 149.49.43.0/255.255.255.0
  path mtu 1500, media mtu 1500
  Current outbound spi: 0x0
  Inbound packets                Outbound packets
  -------------------------      ----------------------------------
  Total                   0      Total                          1075
    Total OK              0        Total OK                     1044
      Decrypt             0          Encrypt                    1044
      Verify              0          Digest                     1044
      Decaps              0          Encaps                     1044
      Decompressed        0          Compressed                    0
      Incompressible      0          Incompressible                0
                                       Comp bypass                 0
                                       Comp abort                  0
    Total discards        0        Total discards                 31
       Invalid len        0          No sa                        31
       Replay failed      0          Seq rollover                  0
       Sa expired         0          Sa expired                    0
       Auth failed        0
       Bad padding        0
       Invalid identity   0
       Unprotected        0
       Other discards     0          Other discards                0
  Overall decompression ratio 1.00  Overall compression ratio   1.00
  Decompression ratio         1.00  Compression ratio           1.00
    Uncomp bytes                 0    Uncomp bytes                 0
    Comp bytes                   0    Comp bytes                   0
    Incomp bytes                 0    Incomp bytes                 0
======================================================================

Output fields

Inbound pkts errors (global)

The global inbound packets’ error statistics, as follows:

  • Invalid spi — The number of packets received with an invalid SPI (one that does not resolve to any known SA)

  • Invalid interface — The number of packets received with an SPI which is valid on a different interface than the one on which it was received

Interface

The interface for which the following SA information is being displayed.

If the crypto-list activated on the interface is also activated on other interfaces, these interfaces are also listed here.

Interfaces in the 'down' state are designated as such.

Crypto list id

The ID of the crypto-list that contains the SAs being displayed

Local address

The local address configured for the crypto list, used for the local tunnel endpoint of all traffic protected by SAs pertaining to the crypto-list. The local address is either an interface name or an IP address, depending on configuration.

Rule

The ID of the crypto-list rule that contains the SAs being displayed

Crypto Map

The ID of the crypto-map that the rule points to, including its user-defined description

Local address

The IP address of the local tunnel endpoint of traffic protected by this SA.

If NAT Traversal is used, the UDP encapsulation port number is appended.

Remote address

The IP address and, optionally, hostname of the remote peer. A hostname is displayed if the peer was configured by its FQDN.

If NAT Traversal is used, the UDP encapsulation port number is appended.

Local identity

The local subnet protected by this SA, as it was configured in the crypto-list rule. The subnet is expressed as <address>/<wildcard>.

Remote identity

The remote subnet protected by this SA, as it was configured in the crypto-list rule. The subnet is expressed as <address>/<wildcard>.

Path mtu

The path MTU kept for this SA, as received from the network by path MTU discovery error messages. This does not include the IPSec encapsulation overhead.

Media mtu

The media MTU kept for this SA, as learned from the underlying interface. This does not include the IPSec encapsulation overhead.

Current outbound spi

The value of the currently active outbound SPI, expressed in hexadecimal encoding. If none exists, 0x0 is displayed.

Inbound packets

The inbound packets statistics for the crypto-list rule:

  • Total — the total number of inbound packets received

  • Total OK — the total number of inbound packets received and not discarded

  • Decrypt — the total number of packets successfully decrypted

  • Verify — the total number of packets successfully verified by HMAC

  • Decaps — the total number of packets successfully decapsulated from the IPSec tunnel header

  • Decompressed — the total number of packets successfully decompressed by the IP Payload Compression (IPPCP) process

  • Incompressible — the total number of uncompressed packets successfully received, when IPPCP is enabled

  • Total Discards — the total number of packets discarded due to some error. This number is an aggregate of the more specific numbers below.

  • Invalid len — the number of packets discarded after being received through this tunnel, because the length is not aligned to the cipher block

  • Replay failed — the number of packets discarded after being received through this tunnel, because of anti-replay verification failure

  • Sa expired — the number of packets discarded after being received through this tunnel, because the SA's remaining KB lifetime is smaller than the total length of the external IP packet

  • Auth failed — the number of packets discarded after being received through this tunnel, because of HMAC verification failure

  • Bad padding — the number of packets discarded after being received through this tunnel, because the received ESP trailer (padding) was malformed

  • Invalid identity — the number of packets discarded after being received through this tunnel, because of invalid identity. That is, the inner (original) IP header address does not match the IP subnet configured in the containing crypto-list rule.

  • Unprotected — the number of packets discarded after being received in the clear (unprotected), although they were expected to arrive protected by this tunnel (that is, unprotected packets with source and destination IP matching the IP subnet configured in the containing crypto-list rule)

  • Other discards — the number of packets dropped due to other reasons which were not covered by the above counters

  • Overall decompression ratio — a measure of the total compression efficiency at the remote peer. This is the ratio between the number of octets resulting after decompression and the number of octets received before decompression, for all packets, including incompressible packets.

  • Decompression ratio — a measure of the efficiency of the compression engine at the remote peer. This is the ratio between the number of octets resulting after decompression and the number of octets received before decompression, for compressible packets only.

  • Uncomp bytes — the total number of bytes after decompression, including incompressible packets.

  • Comp bytes — the total number of bytes received compressed

  • Incomp bytes — the total number of incompressible bytes received, that is, bytes that were received uncompressed

Outbound packets

The outbound packets statistics for the crypto-list rule:

  • Total — the total number of outbound packets sent

  • Total OK — the total number of outbound packets sent and not discarded

  • Encrypt — the total number of packets successfully encrypted.

  • Digest — the total number of packets successfully attached with an HMAC

  • Encaps — the total number of packets successfully encapsulated with an IPSec tunnel header

  • Compressed — the total number of packets successfully compressed

  • Incompressible — the total number of incompressible packets when IPPCP is enabled

  • Comp bypass — the number of incompressible packets due to the packet being too short to compress

  • Comp abort — the number of incompressible packets due to the compression result being longer than the original packet

  • Total Discards — the total number of packets discarded due to some error

  • No sa — the number of packets dropped before being transmitted through this tunnel because no IPSec SA existed when the packet arrived

  • Seq rollover — the number of packets dropped before being transmitted through this tunnel, due to sequence number rollover: the sequence number of the IPSec SA reached its capacity

  • Sa expired — the number of packets dropped before being transmitted through this tunnel because the SA expired: the SA's remaining KB lifetime is smaller than the total length of the external IP packet

  • Other discards — the number of packets dropped due to other reasons not covered by any of the above counters

  • Overall compression ratio — a measure of the total compression efficiency. This is the ratio between the number of octets before compression and the number of octets resulting after compression — for all packets, including incompressible packets.

  • Compression ratio — a measure of the compression engine’s efficiency. This is the ratio between the number of octets before compression and the number of octets resulting after compression, for compressible packets only.

  • Uncomp bytes — the number of bytes that were presented to the compression engine, including incompressible packets

  • Comp bytes — the number of compressed bytes that resulted from the compression engine (compressible packets only)

  • Incomp bytes — the number of bytes from incompressible packets

SA Type

The type of the SA: ESP Inbound or ESP Outbound

SPI

The SPI of the SA in hexadecimal encoding

Transform

Lists all the transforms being used by the SA. Each transform is listed in a separate row.

PFS

Displays information about Perfect Forward Secrecy (PFS) usage, when the SA is negotiated by IKE Phase-2. Possible values are:

  • No – PFS is not used

  • #<N> – PFS is used with Diffie-Hellman group N

Secs left

The number of seconds left for this SA’s expiration

KB left

The number of kilobytes left for this SA’s expiration

Mode

The encapsulation mode: tunnel or transport

Notes:

  1. This parameter appears when the detail keyword is specified.

  2. This parameter appears when IP Payload Compression (IPPCP) is used.

  3. The SA table is displayed only when active SAs exist for the rule.
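As an added example (not part of this Avaya documentation), the Python below reads the two-column counter block of the detail output for one rule, checks that Total equals Total OK plus Total discards in each direction, and lists the inbound discards that indicate tampering, replay or policy bypass rather than load. The sample text is constructed in the layout of the example above with altered values, and the split column (33) is an assumption read from that layout.

```python
import re

# Constructed sample in the layout of the page's 'show crypto ipsec sa detail'
# output for one rule; counter values were changed to exercise the checks.
SAMPLE = """\
Inbound pkts errors (global):
     Invalid spi                 1
  Inbound packets                Outbound packets
  Total                  12      Total                          1075
    Total OK              7        Total OK                     1044
    Total discards        5        Total discards                 31
       Invalid len        0          No sa                        31
       Replay failed      2          Seq rollover                  0
       Auth failed        3
"""

# A counter is a label, two or more spaces, then an integer (ratios like 1.00 are skipped).
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\s{2,}(\d+)(?=\s|$)")
OUTBOUND_COL = 33  # assumed: column where 'Outbound packets' starts in this layout
# Discards that point at tampering, replay or policy bypass rather than load.
ALERT_ON = ("Invalid spi", "Invalid interface", "Replay failed", "Auth failed",
            "Bad padding", "Invalid identity", "Unprotected")

def parse_counters(text):
    """Map counter labels to values; the global inbound errors land in 'inbound' too."""
    counters = {"inbound": {}, "outbound": {}}
    for line in text.splitlines():
        if line.lstrip().startswith(("SA Type", "=")):
            break  # the SA table and footer carry no packet counters
        for m in COUNTER.finditer(line):
            side = "outbound" if m.start() >= OUTBOUND_COL else "inbound"
            counters[side][m.group(1)] = int(m.group(2))
    return counters

def audit(counters):
    """Check Total == Total OK + Total discards, then list security-relevant discards."""
    findings = []
    for side in ("inbound", "outbound"):
        c = counters[side]
        if c.get("Total", 0) != c.get("Total OK", 0) + c.get("Total discards", 0):
            findings.append(f"{side}: Total != Total OK + Total discards")
    for name in ALERT_ON:
        n = counters["inbound"].get(name, 0)
        if n:
            findings.append(f"{name}: {n}")
    return findings
```

Feeding the captured output of the command into parse_counters and audit gives a list of findings; an empty list means the counters are consistent and none of the alert-worthy discards have incremented since the last reset.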