https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html#wp5743341910 

 

show crypto isakmp sa [to view the security association] 

 

Show crypto isakmp sa | i [destination IP] 

 

show crypto isakmp sa detail 

 

show crypto isakmp stats 

 

show crypto ipsec sa [to view the IPSec SA between VPN peers] 

 

show crypto session | include [destination IP] 

 

show crypto session interface  [interface] detail | sec [IP] 

 

show crypto session brief [summarized view of active crypto sessions] 

 

clear crypto sa 

 

clear crypto session [to clear tunnel] 

 

show crypto ca cert [to check vert start date/end date] 

 

show crypto pki cert 

 

show crypto ikev1 stats 

 

show crypto ikev2 stats 

 

show crypto ipsec sa peer [destination IP] detail 

 

show crypto isakmp policy 

 

show crypto ipsec profile >>> IPSec timers 

 

show vpn-sessiondb 

 

show crypto session remote [destination peer IP address] >> if this is up/up to check for policy mis-match. Policies must match on both devices. Transform sets must always match.  

 

crypto debug pki transactions 

 

crypto debug pki scep 

 

 

 

Checking IPSec Protocol Status: 

 

Problem 

You want to check the status of a VPN 

 

Solution 

There are several useful commands for displaying IPSec parameters.  

The command show crypto isakmp sa shows all of the ISAKMP security associations.  

 

Router1# show crypto isakmp sa 

 

And you can look at the IPSec security associations with this command:  

 

Router1# show crypto ipsec sa 

 

Even if you aren't using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command: 

 

Router1# show crypto engine connections active 

 

And this closely related command will tell you about the packet drops within the encryption engine: 

 

Router1# show crypto engine connections dropped-packet 

 

The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, whether or not they are in use: 

 

Router1# show crypto map 

 

And you can specify a particular crypto map with the tag keyword: 

 

Router1# show crypto map tag TUNNELMAP 

 

For information about dynamic crypto maps, you can use the following command: 

 

Router1# show crypto dynamic-map  

 

Discussion 

 

The show crypto isakmp command lets you see information about the current state of any ISAKMP key exchange that the router is involved in: 

 

Router1# show crypto isakmp sa  

dst 
	

 
	

src 
	

 
	

state 
	

 
	

conn-id 
	

 
	

slot 

172.22.1.4 
	

 
	

172.22.1.3 
	

 
	

QM_IDLE 
	

 
	

1 
	

 
	

0 

 

 

Table shows all of the possible ISAKMP SA states: 

Main Mode 
	

MM_NO_STATE 
	

There is an ISAKMP SA, but none of the parameters have been negotiated yet. 

 
	

MM_SA_SETUP 
	

The devices have negotiated a set of parameters for the SA, but have not yet exchanged any key information. 

 
	

MM_KEY_EXCH 
	

The devices have used the Diffie-Helman algorithm to create a common key, but they have not yet authenticated the session.  

 
	

MM_KEY_AUTH 
	

The devices have authenticated the SA. The can now proceed to Quick Mode. 

 
	

 
	

 

Aggressive Mode 
	

AG_NO_STATE 
	

There is an ISAKMP SA, but none of the parameters have been negotiated yet.  

 
	

AG_INIT_EXCH 
	

The devices have initiated an Aggressive Mode exchange. 

 
	

AG_AUTH 
	

The devices have completed an Aggressive Mode exchange and authenticated the SA. They can now proceed to Quick Mode. 

 
	

 
	

 

Quick Mode 
	

QM_IDLE 
	

The SA is authenticated and ready for use. 

 

 

Aggressive Mode allows faster SA setup by combining SA parameter negotiation, key exchange, and authentication information into the same packet. This has the disadvantage of not hiding the identity information on the peer devices, however. In Main Mode exchanges, this identity information is exchanged separately in encrypted form. Main Mode is the default. Because the extra overhead is minimal, you generally don't need to resort to Aggressive Mode for ISAKMP.  

 

Quick Mode is only possible after the initial ISAKMP exchange has happened at least once. The routers then use this mode when periodically renegotiating the SA information of an SA that has been active for a while. Quick Mode can take advantage of the existing SA to encrypt its exchange.  

 

Use the following rather verbose command to look at IPSec Security Associations: 

 

Router1# show crypto ipsec sa 

 

intface: FastEthernet0/1 

Crypto map tag: TUNNELMAP, local addr. 172.22.1.3 

local ident (addr/mask/prot/port): (172.22.1.3/255.255.225.255/0/0) 

remote ident (addr/mask/prot/port): (172.22.1.4/255.255.225.255/0/0) 

current_peer: 172.22.1.4 

PERMIT, flags={transport_parent, } 

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 

#pkts compressed: 0, #pkts decompressed: 0 

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 

#send errors 0, #recv errors 0 

 

local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4 

path mtu 1500, media mtu 1500 

current outbound spi: 0 

 

inbound esp sas: 

inbound ah sas: 

inbound pcp sas: 

outbound esp sas: 

outbound ah sas: 

outbound pcp sas: 

 

 

local ident (addr/mask/prot/port): (172.22.1.3/255.255.225.255/47/0) 

remote ident (addr/mask/prot/port): (172.22.1.4/255.255.225.255/47/0) 

current_peer: 172.22.1.4 

PERMIT, flags={origin_is_acl, transport_parent, parent_is_transport,} 

#pkts encaps: 466, #pkts encrypt: 466, #pkts digest 466 

#pkts decaps: 1156, #pkts decrypt: 1156, #pkts verify 1156 

#pkts compressed: 0, #pkts decompressed: 0 

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 

#send errors 1, #recv errors 0 

 

local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4 

path mtu 1500, media mtu 1500 

current outbound spi: EB99FB6C 

 

inbound esp sas: 

  spi: 0x5A48ACC4(1514712260) 

transform: esp-3des esp-sha-hmac , 

in use settings ={Transport, } 

slot: 0, conn id: 2000, flow_id: 1, crypto map: TUNNELMAP 

sa timing: remaining key lifetime (k/sec): (4606612/3392) 

IV size: 8 bytes 

replay detection support: Y 

 

inbound ah sas: 

inbound pcp sas: 

 

outbound esp sas: 

   spi: 0xEB99FB6C(3952737132) 

transform: esp-3des esp-sha-hmac , 

in use settings ={Transport, } 

slot: 0, conn id: 2001, flow_id: 2, crypto map: TUNNELMAP 

sa timing: remaining key lifetime (k/sec): (4607955/3392) 

IV size: 8 bytes 

replay detection support: Y 

 

outbound ah sas: 

outbound pcp sas: 

 

There is clearly a lot of information in this output. It breaks out the inbound and outbound information, and shows what crpyto maps have been applied to which interfaces. Is also includes information about the number of packets that the router has been both sent and received, as well as how much time remains before the SA must be renogtiated.  

 

The show crypto engine command allows you to see some of this same information in a more compact form. With the connections active keywords, this command tells you what interfaces are involved in IPSec SA's, the peer IP addresses, the algorithm used, and the number of packets sent and received through the encryption engine. 

 

Router1# show crypto engine connections active 

 

ID 
	

Interface 
	

IP-Address 
	

State 
	

Algorithm  
	

Encrypt 
	

Decrypt 

1 
	

<none> 
	

<none> 
	

set 
	

HMAC_SHA+3DES_56_C 
	

0 
	

0 

2088 
	

FastEhternet0/1 
	

172.22.1.3 
	

set 
	

HMAC_SHA+3DES_56_C 
	

0 
	

5 

2099 
	

FastEhternet0/1 
	

172.22.1.3 
	

set 
	

HMAC_SHA+3DES_56_C 
	

202 
	

0 

 

With the connections dropped-packet keywords, you get some simple statistics on dropped packets. In the following example, the encryption engine was forced to drop five packets because the router tried to send them before it had a valid connection: 

 

Router1# show crypto engine connections dropped-packet 

 

Packets dropped because of connection not established: 

Interface 
	

IP-Address 
	

Drop Count 

FastEhternet0/1 
	

172.22.1.3 
	

5 

 

The command show crypto map displays information about all of the configured crypto maps on the router, including which interfaces are currently using them. Note that just because a particular interface is using a particular crypto map, this does not imply that there any active IPSec SAs. It only means that you have applied this map to this interface by using the crypto map interface configuration command:  

 

Router1# show crypto map 

Interfaces using crypto map VPN_MAP: 

 

Crypto Map "CRYPTOMAP" 10 ipsec-isakmp 

Dynamic map template tag: VPN-USER-MAP 

Interfaces using crypto map CRYPTOMAP: 

 

Crypto Map "TUNNELMAP" 10 ipsec-isakmp 

Peer = 172.22.1.4 

Extended IP access list 116 

access-list 116 permit gre host 172.22.1.3 host 172.22.1.4 

Current peer: 172.22.1.4 

Security association lifetime: 4608000 kilobytes/3600 seconds 

PFS (Y/N): N 

Transform sets={ TUNNEL-TRANSFORM, } 

Interfaces using crypto map TUNNELMAP: 

FastEthernet0/1 

 

If you have several crypto maps configured on your router, you can look at a particular one with the tag keyword:  

 

Router1# show crypto map tag TUNNELMAP 

Crypto Map "TUNNELMAP" 10 ipsec-isakmp 

Peer = 172.22.1.4 

Extended IP access list 116 

access-list 116 permit gre host 172.22.1.3 host 172.22.1.4 

Current peer: 172.22.1.4 

Security association lifetime: 4608000 kilobytes/3600 seconds 

PFS (Y/N): N 

Transform sets={ TUNNEL-TRANSFORM, } 

Interfaces using crypto map TUNNELMAP: 

FastEthernet0/1 

 

And if there are any dynamic maps, you can see more information about them with the following command: 

 

Router1# show crypto dynamic-map 

Crytpo Map Template "VPN-USER-MAP" 50 

Extended IP access list 115 

access-list 115 permit tcp any port = 80 any 

access-list 115 permit tcp any port = 80 

access-list 115 deny ip any 224.0.0.0 31.255.255.255 

Current peer: 0.0.0.0 

Security association lifetime: 4608000 kilobytes/3600 seconds 

PFS (Y/N): N 

Transform sets={ VPN-TRANSFORMS, }