Cisco ASA Series Command Reference
show crashinfo -- show curpriv
Downloads: This chapterpdf (PDF - 680.0KB) The complete bookPDF (PDF - 31.85MB) | The complete bookePub (ePub - 2.33MB) | The complete bookMobi (Mobi - 9.5MB) | Feedback

Table of Contents

show crashinfo through show curpriv Commands

s how crashinfo

s how crashinfo console

s how crypto accelerator statistics

s how crypto ca certificates

s how crypto ca crl

show crypto ca server

show crypto ca server cert-db

show crypto ca server certificate

show crypto ca server crl

show crypto ca server user-db

show crypto ca trustpool

show crypto ca trustpool policy

show crypto debug-condition

s how crypto ikev1 sa

s how crypto ikev2 sa

s how crypto ipsec df-bit

s how crypto ipsec fragmentation

show crypto ipsec policy

show crypto ipsec sa

show crypto ipsec stats

s how crypto isakmp sa

s how crypto isakmp stats

s how crypto key mypubkey

s how crypto protocol statistics

show crypto sockets

s how csc node-count

show ctiqbe

show ctl-file

show cts environment-data

show cts environment-data sg-table

show cts pac

show cts sgt-map

show cts sxp connections

show cts sxp sgt-map

s how curpriv

show crashinfo through show curpriv Commands

show crashinfo

To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in privileged EXEC mode.

show crashinfo [ save ]

 
Syntax Description

save

(Optional) Displays if the ASA is configured to save crash information to Flash memory or not.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.1(5)

The output displays the thread ID (TID) in the show process command.

 
Usage Guidelines

If the crash file is from a test crash (generated from the crashinfo test command), the first string of the crash file is “ : Saved_Test_Crash ” and the last string is “ : End_Test_Crash ”. If the crash file is from a real crash, the first string of the crash file is “ : Saved_Crash ” and the last string is “ : End_Crash ”. (This includes crashes from use of the crashinfo force page-fault or crashinfo force watchdog commands).

If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo command, the show crashinfo command displays an error message.

Examples

The following example shows how to display the current crash information configuration:

ciscoasa# show crashinfo save
crashinfo save enable
 

The following example shows the output for a crash file test. (However, this test does not actually crash the ASA. It provides a simulated example file.)

ciscoasa(config)# crashinfo test
ciscoasa(config)# exit
ciscoasa# show crashinfo
: Saved_Test_Crash
 
Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)
 
Traceback:
0: 00323143
1: 0032321b
2: 0010885c
3: 0010763c
4: 001078db
5: 00103585
6: 00000000
vector 0x000000ff (user defined)
edi 0x004f20c4
esi 0x00000000
ebp 0x00e88c20
esp 0x00e88bd8
ebx 0x00000001
edx 0x00000074
ecx 0x00322f8b
eax 0x00322f8b
error code n/a
eip 0x0010318c
cs 0x00000008
eflags 0x00000000
CR2 0x00000000
F-flags : 0x2
F-flags2 : 0x0
F-flags3 : 0x10000
F-flags4 : 0x0
F-bytes : 0
Stack dump: base:0x00e8511c size:16384, active:1476
0x00e89118: 0x004f1bb4
0x00e89114: 0x001078b4
0x00e89110-0x00e8910c: 0x00000000
0x00e89108-0x00e890ec: 0x12345678
0x00e890e8: 0x004f1bb4
0x00e890e4: 0x00103585
0x00e890e0: 0x00e8910c
0x00e890dc-0x00e890cc: 0x12345678
0x00e890c8: 0x00000000
0x00e890c4-0x00e890bc: 0x12345678
0x00e890b8: 0x004f1bb4
0x00e890b4: 0x001078db
0x00e890b0: 0x00e890e0
0x00e890ac-0x00e890a8: 0x12345678
0x00e890a4: 0x001179b3
0x00e890a0: 0x00e890b0
0x00e8909c-0x00e89064: 0x12345678
0x00e89060: 0x12345600
0x00e8905c: 0x20232970
0x00e89058: 0x616d2d65
0x00e89054: 0x74002023
0x00e89050: 0x29676966
0x00e8904c: 0x6e6f6328
0x00e89048: 0x31636573
0x00e89044: 0x7069636f
0x00e89040: 0x64786970
0x00e8903c-0x00e88e50: 0x00000000
0x00e88e4c: 0x000a7473
0x00e88e48: 0x6574206f
0x00e88e44: 0x666e6968
0x00e88e40: 0x73617263
0x00e88e3c-0x00e88e38: 0x00000000
0x00e88e34: 0x12345600
0x00e88e30-0x00e88dfc: 0x00000000
0x00e88df8: 0x00316761
0x00e88df4: 0x74706100
0x00e88df0: 0x12345600
0x00e88dec-0x00e88ddc: 0x00000000
0x00e88dd8: 0x00000070
0x00e88dd4: 0x616d2d65
0x00e88dd0: 0x74756f00
0x00e88dcc: 0x00000000
0x00e88dc8: 0x00e88e40
0x00e88dc4: 0x004f20c4
0x00e88dc0: 0x12345600
0x00e88dbc: 0x00000000
0x00e88db8: 0x00000035
0x00e88db4: 0x315f656c
0x00e88db0: 0x62616e65
0x00e88dac: 0x0030fcf0
0x00e88da8: 0x3011111f
0x00e88da4: 0x004df43c
0x00e88da0: 0x0053fef0
0x00e88d9c: 0x004f1bb4
0x00e88d98: 0x12345600
0x00e88d94: 0x00000000
0x00e88d90: 0x00000035
0x00e88d8c: 0x315f656c
0x00e88d88: 0x62616e65
0x00e88d84: 0x00000000
0x00e88d80: 0x004f20c4
0x00e88d7c: 0x00000001
0x00e88d78: 0x01345678
0x00e88d74: 0x00f53854
0x00e88d70: 0x00f7f754
0x00e88d6c: 0x00e88db0
0x00e88d68: 0x00e88d7b
0x00e88d64: 0x00f53874
0x00e88d60: 0x00e89040
0x00e88d5c-0x00e88d54: 0x12345678
0x00e88d50-0x00e88d4c: 0x00000000
0x00e88d48: 0x004f1bb4
0x00e88d44: 0x00e88d7c
0x00e88d40: 0x00e88e40
0x00e88d3c: 0x00f53874
0x00e88d38: 0x004f1bb4
0x00e88d34: 0x0010763c
0x00e88d30: 0x00e890b0
0x00e88d2c: 0x00e88db0
0x00e88d28: 0x00e88d88
0x00e88d24: 0x0010761a
0x00e88d20: 0x00e890b0
0x00e88d1c: 0x00e88e40
0x00e88d18: 0x00f53874
0x00e88d14: 0x0010166d
0x00e88d10: 0x0000000e
0x00e88d0c: 0x00f53874
0x00e88d08: 0x00f53854
0x00e88d04: 0x0048b301
0x00e88d00: 0x00e88d30
0x00e88cfc: 0x0000000e
0x00e88cf8: 0x00f53854
0x00e88cf4: 0x0048a401
0x00e88cf0: 0x00f53854
0x00e88cec: 0x00f53874
0x00e88ce8: 0x0000000e
0x00e88ce4: 0x0048a64b
0x00e88ce0: 0x0000000e
0x00e88cdc: 0x00f53874
0x00e88cd8: 0x00f7f96c
0x00e88cd4: 0x0048b4f8
0x00e88cd0: 0x00e88d00
0x00e88ccc: 0x0000000f
0x00e88cc8: 0x00f7f96c
0x00e88cc4-0x00e88cc0: 0x0000000e
0x00e88cbc: 0x00e89040
0x00e88cb8: 0x00000000
0x00e88cb4: 0x00f5387e
0x00e88cb0: 0x00f53874
0x00e88cac: 0x00000002
0x00e88ca8: 0x00000001
0x00e88ca4: 0x00000009
0x00e88ca0-0x00e88c9c: 0x00000001
0x00e88c98: 0x00e88cb0
0x00e88c94: 0x004f20c4
0x00e88c90: 0x0000003a
0x00e88c8c: 0x00000000
0x00e88c88: 0x0000000a
0x00e88c84: 0x00489f3a
0x00e88c80: 0x00e88d88
0x00e88c7c: 0x00e88e40
0x00e88c78: 0x00e88d7c
0x00e88c74: 0x001087ed
0x00e88c70: 0x00000001
0x00e88c6c: 0x00e88cb0
0x00e88c68: 0x00000002
0x00e88c64: 0x0010885c
0x00e88c60: 0x00e88d30
0x00e88c5c: 0x00727334
0x00e88c58: 0xa0ffffff
0x00e88c54: 0x00e88cb0
0x00e88c50: 0x00000001
0x00e88c4c: 0x00e88cb0
0x00e88c48: 0x00000002
0x00e88c44: 0x0032321b
0x00e88c40: 0x00e88c60
0x00e88c3c: 0x00e88c7f
0x00e88c38: 0x00e88c5c
0x00e88c34: 0x004b1ad5
0x00e88c30: 0x00e88c60
0x00e88c2c: 0x00e88e40
0x00e88c28: 0xa0ffffff
0x00e88c24: 0x00323143
0x00e88c20: 0x00e88c40
0x00e88c1c: 0x00000000
0x00e88c18: 0x00000008
0x00e88c14: 0x0010318c
0x00e88c10-0x00e88c0c: 0x00322f8b
0x00e88c08: 0x00000074
0x00e88c04: 0x00000001
0x00e88c00: 0x00e88bd8
0x00e88bfc: 0x00e88c20
0x00e88bf8: 0x00000000
0x00e88bf4: 0x004f20c4
0x00e88bf0: 0x000000ff
0x00e88bec: 0x00322f87
0x00e88be8: 0x00f5387e
0x00e88be4: 0x00323021
0x00e88be0: 0x00e88c10
0x00e88bdc: 0x004f20c4
0x00e88bd8: 0x00000000 *
0x00e88bd4: 0x004eabb0
0x00e88bd0: 0x00000001
0x00e88bcc: 0x00f5387e
0x00e88bc8-0x00e88bc4: 0x00000000
0x00e88bc0: 0x00000008
0x00e88bbc: 0x0010318c
0x00e88bb8-0x00e88bb4: 0x00322f8b
0x00e88bb0: 0x00000074
0x00e88bac: 0x00000001
0x00e88ba8: 0x00e88bd8
0x00e88ba4: 0x00e88c20
0x00e88ba0: 0x00000000
0x00e88b9c: 0x004f20c4
0x00e88b98: 0x000000ff
0x00e88b94: 0x001031f2
0x00e88b90: 0x00e88c20
0x00e88b8c: 0xffffffff
0x00e88b88: 0x00e88cb0
0x00e88b84: 0x00320032
0x00e88b80: 0x37303133
0x00e88b7c: 0x312f6574
0x00e88b78: 0x6972772f
0x00e88b74: 0x342f7665
0x00e88b70: 0x64736666
0x00e88b6c: 0x00020000
0x00e88b68: 0x00000010
0x00e88b64: 0x00000001
0x00e88b60: 0x123456cd
0x00e88b5c: 0x00000000
0x00e88b58: 0x00000008
 
Cisco XXX Firewall Version X.X
Cisco XXX Device Manager Version X.X
 
Compiled on Fri 15-Nov-04 14:35 by root
 
hostname up 10 days 0 hours
 
Hardware: XXX-XXX, 64 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
 
0: ethernet0: address is 0003.e300.73fd, irq 10
1: ethernet1: address is 0003.e300.73fe, irq 7
2: ethernet2: address is 00d0.b7c8.139e, irq 9
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Interfaces: 3
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
 
This XXX has a Restricted (R) license.
 
Serial Number: 480430455 (0x1ca2c977)
Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734
Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2004
 
------------------ show clock ------------------
 
15:34:28.129 UTC Sun Nov 24 2004
 
------------------ show memory ------------------
 
Free memory: 50444824 bytes
Used memory: 16664040 bytes
------------- ----------------
Total memory: 67108864 bytes
 
------------------ show conn count ------------------
 
0 in use, 0 most used
 
------------------ show xlate count ------------------
 
0 in use, 0 most used
 
------------------ show vpn-sessiondb summary ------------------
 
Active Session Summary
 
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 2 : 2 : 2
Clientless only : 0 : 0 : 0
With client : 2 : 2 : 2 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 1 : 1 : 1
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 3 : 3
 
License Information:
Shared VPN License Information:
SSL VPN : 1500
Allocated to this device : 50
Allocated in network : 50
Device limit : 750
 
IPsec : 750 Configured : 750 Active : 1 Load : 0%
SSL VPN : 52 Configured : 52 Active : 2 Load : 4%
Active : Cumulative : Peak Concurrent
IPsec : 1 : 1 : 1
SSL VPN : 2 : 10 : 2
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 3 : 11
 
Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 1 : 1 : 1
IPsec : 1 : 1 : 1
Clientless : 2 : 2 : 2
SSL-Tunnel : 2 : 2 : 2
DTLS-Tunnel : 2 : 2 : 2
Totals : 8 : 8
------------------ show blocks ------------------
 
SIZE MAX LOW CNT
4 1600 1600 1600
80 400 400 400
256 500 499 500
1550 1188 795 927
 
------------------ show interface ------------------
 
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.e300.73fd
IP address 172.23.59.232, subnet mask 255.255.0.0
MTU 1500 bytes, BW 10000 Kbit half duplex
6139 packets input, 830375 bytes, 0 no buffer
Received 5990 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
90 packets output, 6160 bytes, 0 underruns
0 output errors, 13 collisions, 0 interface resets
0 babbles, 0 late collisions, 47 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (5/128) software (0/2)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet1 "inside" is up, line protocol is down
Hardware is i82559 ethernet, address is 0003.e300.73fe
IP address 10.1.1.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1 packets output, 60 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
1 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/1)
interface ethernet2 "intf2" is administratively down, line protocol is down
Hardware is i82559 ethernet, address is 00d0.b7c8.139e
IP address 127.0.0.1, subnet mask 255.255.255.255
MTU 1500 bytes, BW 10000 Kbit half duplex
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
 
------------------ show cpu usage ------------------
 
CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%
 
------------------ show process ------------------
 
PC SP STATE Runtime SBASE Stack Process TID
Hsi 001e3329 00763e7c 0053e5c8 0 00762ef4 3784/4096 arp_timer 0x000000000000000a
Lsi 001e80e9 00807074 0053e5c8 0 008060fc 3792/4096 FragDBGC 0x000000000000006b
Lwe 00117e3a 009dc2e4 00541d18 0 009db46c 3704/4096 dbgtrace
Lwe 003cee95 009de464 00537718 0 009dc51c 8008/8192 Logger
Hwe 003d2d18 009e155c 005379c8 0 009df5e4 8008/8192 tcp_fast
Hwe 003d2c91 009e360c 005379c8 0 009e1694 8008/8192 tcp_slow
Lsi 002ec97d 00b1a464 0053e5c8 0 00b194dc 3928/4096 xlate clean
Lsi 002ec88b 00b1b504 0053e5c8 0 00b1a58c 3888/4096 uxlate clean
Mrd 002e3a17 00c8f8d4 0053e600 0 00c8d93c 7908/8192 tcp_intercept_times
Lsi 00423dd5 00d3a22c 0053e5c8 0 00d392a4 3900/4096 route_process
Hsi 002d59fc 00d3b2bc 0053e5c8 0 00d3a354 3780/4096 PIX Garbage Collecr
Hwe 0020e301 00d5957c 0053e5c8 0 00d55614 16048/16384 isakmp_time_keepr
Lsi 002d377c 00d7292c 0053e5c8 0 00d719a4 3928/4096 perfmon
Hwe 0020bd07 00d9c12c 0050bb90 0 00d9b1c4 3944/4096 IPsec
Mwe 00205e25 00d9e1ec 0053e5c8 0 00d9c274 7860/8192 IPsec timer handler
Hwe 003864e3 00db26bc 00557920 0 00db0764 6904/8192 qos_metric_daemon
Mwe 00255a65 00dc9244 0053e5c8 0 00dc8adc 1436/2048 IP Background
Lwe 002e450e 00e7bb94 00552c30 0 00e7ad1c 3704/4096 pix/trace
Lwe 002e471e 00e7cc44 00553368 0 00e7bdcc 3704/4096 pix/tconsole
Hwe 001e5368 00e7ed44 00730674 0 00e7ce9c 7228/8192 pix/intf0
Hwe 001e5368 00e80e14 007305d4 0 00e7ef6c 7228/8192 pix/intf1
Hwe 001e5368 00e82ee4 00730534 2470 00e8103c 4892/8192 pix/intf2
H* 001a6ff5 0009ff2c 0053e5b0 4820 00e8511c 12860/16384 ci/console
Csi 002dd8ab 00e8a124 0053e5c8 0 00e891cc 3396/4096 update_cpu_usage
Hwe 002cb4d1 00f2bfbc 0051e360 0 00f2a134 7692/8192 uauth_in
Hwe 003d17d1 00f2e0bc 00828cf0 0 00f2c1e4 7896/8192 uauth_thread
Hwe 003e71d4 00f2f20c 00537d20 0 00f2e294 3960/4096 udp_timer
Hsi 001db3ca 00f30fc4 0053e5c8 0 00f3004c 3784/4096 557mcfix
Crd 001db37f 00f32084 0053ea40 508286220 00f310fc 3688/4096 557poll
Lsi 001db435 00f33124 0053e5c8 0 00f321ac 3700/4096 557timer
Hwe 001e5398 00f441dc 008121e0 0 00f43294 3912/4096 fover_ip0
Cwe 001dcdad 00f4523c 00872b48 120 00f44344 3528/4096 ip/0:0
Hwe 001e5398 00f4633c 008121bc 10 00f453f4 3532/4096 icmp0
Hwe 001e5398 00f47404 00812198 0 00f464cc 3896/4096 udp_thread/0
Hwe 001e5398 00f4849c 00812174 0 00f475a4 3456/4096 tcp_thread/0
Hwe 001e5398 00f495bc 00812150 0 00f48674 3912/4096 fover_ip1
Cwe 001dcdad 00f4a61c 008ea850 0 00f49724 3832/4096 ip/1:1
Hwe 001e5398 00f4b71c 0081212c 0 00f4a7d4 3912/4096 icmp1
Hwe 001e5398 00f4c7e4 00812108 0 00f4b8ac 3896/4096 udp_thread/1
Hwe 001e5398 00f4d87c 008120e4 0 00f4c984 3832/4096 tcp_thread/1
Hwe 001e5398 00f4e99c 008120c0 0 00f4da54 3912/4096 fover_ip2
Cwe 001e542d 00f4fa6c 00730534 0 00f4eb04 3944/4096 ip/2:2
Hwe 001e5398 00f50afc 0081209c 0 00f4fbb4 3912/4096 icmp2
Hwe 001e5398 00f51bc4 00812078 0 00f50c8c 3896/4096 udp_thread/2
Hwe 001e5398 00f52c5c 00812054 0 00f51d64 3832/4096 tcp_thread/2
Hwe 003d1a65 00f78284 008140f8 0 00f77fdc 300/1024 listen/http1
Mwe 0035cafa 00f7a63c 0053e5c8 0 00f786c4 7640/8192 Crypto CA
 
------------------ show failover ------------------
 
No license for Failover
 
------------------ show traffic ------------------
 
outside:
received (in 865565.090 secs):
6139 packets 830375 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 865565.090 secs):
90 packets 6160 bytes
0 pkts/sec 0 bytes/sec
inside:
received (in 865565.090 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 865565.090 secs):
1 packets 60 bytes
0 pkts/sec 0 bytes/sec
intf2:
received (in 865565.090 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
transmitted (in 865565.090 secs):
0 packets 0 bytes
0 pkts/sec 0 bytes/sec
 
------------------ show perfmon ------------------
 
 
PERFMON STATS: Current Average
Xlates 0/s 0/s
Connections 0/s 0/s
TCP Conns 0/s 0/s
UDP Conns 0/s 0/s
URL Access 0/s 0/s
URL Server Req 0/s 0/s
TCP Fixup 0/s 0/s
TCPIntercept 0/s 0/s
HTTP Fixup 0/s 0/s
FTP Fixup 0/s 0/s
AAA Authen 0/s 0/s
AAA Author 0/s 0/s
AAA Account 0/s 0/s
: End_Test_Crash

 
Related Commands

Command
Description

clear crashinfo

Deletes the contents of the crash file.

crashinfo force

Forces a crash of the ASA.

crashinfo save disable

Disables crash information from writing to flash memory.

crashinfo test

Tests the ability of the ASA to save crash information to a file in flash memory.

show crashinfo console

To display the configuration setting of the crashinfo console command, enter the show crashinfo console command.

show crashinfo console

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

This command has no default settings.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  

 
Command History

Release
Modification

7.0(4)

This command was introduced.

 
Usage Guidelines

Compliance with FIPS 140-2 prohibits the distribution of Critical Secu rity Parameters (keys, passwords, etc.) outside of the crypto boundary (chassis). When the device crashes, due to an assert or checkheaps failure, it is possible that the stack or memory regions dumped to the console contain sensitive data. This output must be suppressed in FIPS-mode.

Examples

sw8-5520(config)# show crashinfo console
crashinfo console enable
 

 
Related Commands

Command
Description

clear configure fips

Clears the system or module FIPS configuration information stored in NVRAM.

crashinfo console disable

Disables the reading, writing and configuration of crash write info to flash.

fips enable

Enables or disablea policy-checking to enforce FIPS compliance on the system or module.

show running-config fips

Displays the FIPS configuration that is running on the ASA.

show crypto accelerator statistics

To display the global and accelerator-specific statistics from the hardware crypto accelerator MIB, use the show crypto accelerator statistics command in global configuration or privileged EXEC mode.

show crypto accelerator statistics

 
Syntax Description

This command has no keywords or variables.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

 
Usage Guidelines

The output statistics are defined as follows:

Accelerator 0 shows statistics for the software-based crypto engine.

Accelerator 1 shows statistics for the hardware-based crypto engine.

RSA statistics show RSA operations for 2048-bit keys, which are executed in software by default. This means that when you have a 2048-bit key, IKE/SSL VPN performs RSA operations in software during the IPsec/SSL negotiation phase. Actual IPsec/SSL traffic is still processed using hardware. This may cause high CPU if there are many simultaneous sessions starting at the same time, which may result in multiple RSA key operations and high CPU. If you run into a high CPU condition because of this, then you should use a 1024-bit key to process RSA key operations in hardware. To do so, you must reenroll the identity certificate. In releases 8.3(2) or later, you can also use the crypto engine large-mod-accel command on the 5510-5550 platforms to perform these operations in hardware.

If you are using a 2048-bit RSA key and the RSA processing is performed in software, you can use CPU profiling to determine which functions are causing high CPU usage. Generally, the bn_* and BN_* functions are math operations on the large data sets used for RSA, and are the most useful when examining CPU usage during an RSA operation in software. For example:

@@@@@@@@@@@@@@@@@@................................ 36.50% : _bn_mul_add_words
@@@@@@@@@......................................... 19.75% : _bn_sqr_comba8

Diffie-Hellman statistics show that any crypto operation with a modulus size greater than 1024 is performed in software (for example, DH5 (Diffie-Hellman group 5 uses 1536)). If so, a 2048-bit key certificate will be processed in software, which can result in high CPU usage when a lot of sessions are running.


Note The ASA 5505 (with a Cavium CN505 processor) only supports Diffie-Hellman Groups 1 and 2 for hardware-accelerated, 768-bit and 1024-bit key generation. Diffie-Hellman Group 5 (1536-bit key generation) is performed in software.


A single crypto engine in the adaptive security appliance performs the IPsec and SSL operations. To display the versions of crypto (Cavium) microcode that are loaded into the hardware crypto accelerator at boot time, enter the show version command. For example:

ciscoasa(config) show version
 
Cisco Adaptive Security Appliance Software Version 8.0(4)8
Device Manager Version 6.1(5)
Compiled on Wed 15-Oct-09 17:27 by builders
System image file is “disk0:/interim/asa804-8-k8.bin”
Config file at boot was "startup-config"
asa up 5 days 17 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 512MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPsec microcode : CNlite-MC-IPSECm-MAIN-2.05
 

DSA statistics show key generation in two phases. The first phase is a choice of algorithm parameters, which may be shared between different users of the system. The second phase computes private and public keys for a single user.

SSL statistics show records for the processor-intensive public key encryption algorithms involved in SSL transactions to the hardware crypto accelerator.

RNG statistics show records for a sender and receiver, which can generate the same set of random numbers automatically to use as keys.

Examples

The following example, entered in global configuration mode, shows global crypto accelerator statistics:

ciscoasa # show crypto accelerator statistics
 
Crypto Accelerator Status
-------------------------
[Capacity]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 100 Mbps
Max crypto connections: 750
[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 700
Input bytes: 753488
Output packets: 700
Output error packets: 0
Output bytes: 767496
[Accelerator 0]
Status: Active
Software crypto engine
Slot: 0
Active time: 167 seconds
Total crypto transforms: 7
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 0
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 0
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 0
[Diffie-Hellman statistics]
Keys generated: 0
Secret keys derived: 0
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 98
Random number request failures: 0
[Accelerator 1]
Status: Active
Encryption hardware device : Cisco ASA-55x0 on-board accelerator
(revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPsec microcode : CNlite-MC-IPSECm-MAIN-2.03
Slot: 1
Active time: 170 seconds
Total crypto transforms: 1534
Total dropped packets: 0
[Input statistics]
Input packets: 700
Input bytes: 753544
Input hashed packets: 700
Input hashed bytes: 736400
Decrypted packets: 700
Decrypted bytes: 719944
[Output statistics]
Output packets: 700
Output bad packets: 0
Output bytes: 767552
Output hashed packets: 700
Output hashed bytes: 744800
Encrypted packets: 700
Encrypted bytes: 728352
[Diffie-Hellman statistics]
Keys generated: 97
Secret keys derived: 1
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 1
Random number request failures: 0
 
 

The following table describes what the output entries indicates.

 

Output
Decription

Capacity

This section pertains to the crypto acceleration that the ASA can support.

Supports hardware crypto

(True/False) The ASA can support hardware crypto acceleration.

Supports modular hardware crypto

(True/False) Any supported hardware crypto accelerator can be inserted as a separate plug-in card or module.

Max accelerators

The maximum number of hardware crypto accelerators that the ASA supports.

Mac crypto throughput

The maximum rated VPN throughput for the ASA.

Max crypto connections

The maximum number of supported VPN tunnels for the ASA.

Global Statistics

This section pertains to the combined hardware crypto accelerators in the ASA.

Number of active accelerators

The number of active hardware accelerators. An active hardware accelerator has been initialized and is avaialble to process crypto commands.

Number of non-operational accelerators

The number of inactive hardware accelerators. An inactive hardware accelerator has been detected, but either has not completed initialization or has failed and is no longer usable.

Input packets

The number of inbound packets processed by all hardware crypto accelerators.

Input bytes

The number of bytes of data in the processed inbound packets.

Output packets

The number of outbound packets processed by all hardware crypto accelerators.

Output error packets

The number of outbound packets processed processed by all hardware crypto accelerators in which an error has been detected.

Output bytes

The number of bytes of data in the processed outbound packets.

Accelerator 0

Each of these sections pertains to a crypto accelerator. The first one (Accelerator 0) is always the software crypto engine. Although not a hardware accelerator, the ASA uses it to perform specific crypto tasks, and its statistics appear here. Accelerators 1 and higher are always hardware crypto accelerators.

Status

The status of the accelerator, which indicates whether the accelerator is being initialized, is active, or has failed.

Software crypto engine

The type of accelerator and firmware version (if applicable).

Slot

The slot number of the accelerator (if applicable).

Active time

The length of time that the accelerator has been in the active state.

Total crypto transforms

The total number of crypto commands that were performed by the accelerator.

Total dropped packets

The total number of packets that were dropped by the accelerator because of errors.

Input statistics

This section pertains to input traffic that was processed by the accelerator. Input traffic is considered to be ciphertext that must be decrypted and/or authenticated.

Input packets

The number of input packets that have been processed by the accelerator.

Input bytes

The number of input bytes that have been processed by the accelerator

Input hashed packets

The number of packets for which the accelerator has performed hash operations.

Input hashed bytes

The number of bytes over which the accelerator has performed hash operations.

Decrypted packets

The number of packets for which the accelerator has performed symmetric decryption operations.

Decrypted bytes

The number of bytes over which the accelerator has performed symmetric decryption operations.

Output statistics

This section pertains to output traffic that has been processed by the accelerator. Input traffic is considered clear text that must be encrypted and/or hashed.

Output packets

The number of output packets that have been processed by the accelerator.

Output bad packets

The number of output packets that have been processed by the accelerator in which an error has been detected.

Output bytes

The number of output bytes that have been processed by the accelerator.

Output hashed packets

The number of packets for which the accelerator has performed outbound hash operations.

Output hashed bytes

The number of bytes over which the accelerator has performed outbound hash operations.

Encyrpted packets

The number of packets for which the accelerator has performed symmetric encryption operations.

Encyrpted bytes

The number of bytes over which the accelerator has performed symmetric encryption operations.

Diffie-Hellman statistics

This section pertains to Diffie-Hellman key exchange operations.

Keys generated

The number of Diffie-Hellman key sets that have been generated by the accelerator.

Secret keys derived

The number of Diffie-Hellman shared secrets that have been derived by the accelerator.

RSA statistics

This section pertains to RSA crypto operations.

Keys generated

The number of RSA key sets that have been generated by the accelerator.

Signatures

The number of RSA signature operations that have been performed by the accelerator.

Verifications

The number of RSA signature verifications that have been performed by the accelerator.

Encrypted packets

The number of packets for which the accelerator has performed RSA encryption operations.

Decrypted packets

The number of packets for which the accelerator has performed RSA decryption operations.

Decrypted bytes

The number of bytes of data over which the accelerator has performed RSA decryption operations.

DSA statistics

This section pertains to DSA operations. Note that DSA is not supported as of Version 8.2, so these statistics are no longer displayed.

Keys generated

The number of DSA key sets that have been generated by the accelerator.

Signatures

The number of DSA signature operations that have been performed by the accelerator.

Verifications

The number of DSA signature verifications that have been performed by the accelerator.

SSL statistics

This section pertains to SSL record processing operations.

Outbound records

The number of SSL records that have been encrypted and authenticated by the accelerator.

Inbound records

The number of SSL records that have been decrypted and authenticated by the accelerator.

RNG statistics

This section pertains to random number generation.

Random number requests

The number of requests to the accelerator for a random number.

Random number request failures

The number of randum number requests to the accelerator that did not succeed.

 
Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto protocol statistics

Displays the protocol-specific statistics from the crypto accelerator MIB.

show crypto ca certificates

To display the certificates associated with a specific trustpoint or to display all the certificates installed on the system, use the show crypto ca certificates command in global configuration or privileged EXEC mode.

show crypto ca certificates [ trustpointname ]

 
Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command displays all certificates installed on the ASA.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following is sample output from the show crypto ca certificates command:

ciscoasa(config)# show crypto ca certificates tp1
CA Certificate
Status: Available
Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45
Certificate Usage: Signature
Issuer:
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST - massachusetts
C = US
EA = a@b.con
Subject:
CN = ms-root-sha-06-2004
OU = rootou
O = cisco
L = franklin
ST = massachusetts
C = US
EA = example.com
CRL Distribution Point
ldap://w2kadvancedsrv/CertEnroll/ms-root-sha-06-2004.crl
Validity Date:
start date: 14:11:40 UTC Jun 26 2004
end date: 14:01:30 UTC Jun 4 2022
Associated Trustpoints: tp2 tp1
ciscoasa(config)#

 
Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint configuration mode for a specified trustpoint.

show crypto ca crl

To display all cached CRLs or to display all CRLs cached for a specified trustpoint, use the show crypto ca crl command in global configuration or privileged EXEC mode.

show crypto ca crl [trustpool | trustpoint < trustpointname> ]

 
Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command displays all CRLs cached on the ASA.

trustpool

tbd?

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following is sample output from the show crypto ca crl command:

ciscoasa(config)# show crypto ca crl tp1
CRL Issuer Name:
cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco
Systems,l=Franklin,st=MA,c=US,ea=user@example.com
LastUpdate: 19:45:53 UTC Dec 24 2004
NextUpdate: 08:05:53 UTC Jan 1 2005
Retrieved from CRL Distribution Point:
http://win2k-ad2.frk-ms-pki.cisco.com/CertEnroll/ms-sub1-ca-5-2004.crl
Associated Trustpoints: tp1
ciscoasa(config)#

 
Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint configuration mode for a specified trustpoint.

show crypto ca server

To display the status of the local CA configuration on the ASA, use the show crypto ca server command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.0(2)

This command was introduced.

Examples

The following is sample output from the show crypto ca server command:

ciscoasa# show crypto ca server
#Certificate Server LOCAL-CA-SERVER:
Status: disabled
State: disabled
Server's configuration is unlocked (enter "no shutdown" to lock it)
Issuer name: CN=asa1.cisco.com
CA cert fingerprint: -Not found-
Last certificate issued serial number: 0x0
CA certificate expiration timer: 00:00:00 UTC Jan 1 2009
CRL not present.
Current primary storage dir: nvram:
ciscoasa#

 
Related Commands

Command
Description

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.

debug crypto ca server

Shows debugging messages when you configure the local CA server.

show crypto ca server certificate

Displays the certificate of the local CA in base64 format.

show crypto ca server crl

Displays the lifetime of the local CA CRL.

show crypto ca server cert-db

To display all or a subset of local CA server certificates, including those issued to a specific user, use the show crypto ca server cert-db command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server cert-db [ username username | allowed | enrolled | expired | on-hold ]
[ serial certificate-serial-number]

 
Syntax Description

allowed

Specifies that users who are allowed to enroll appear, regardless of the status of their certificate.

enrolled

Specifies that users with valid certificates appear.

expired

Specifies that users holding expired certificates appear.

on-hold

Specifies that users who have not yet enrolled appear.

serial certificate-serial-number

Specifies the serial number of a specific certificate that displays. The serial number must be in hexadecimal format.

username username

Specifies the certificate owner. The username may be a username or an e-mail address. For e-mail addresses, it is the e-mail address used to contact and deliver the one-time password (OTP) to the end user. An e-mail address is required to enable e-mail notifications for the end user.

 
Defaults

By default, if no username or certificate serial number is specified, the entire database of issued certificates appears.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

The show crypto ca server cert-db command displays a list of the user certificates that are issued by the local CA server. You can display a subset of the certificate database by specifying a specific username with one or more of the optional certificate-type keywords, and/or with an optional certificate serial number.

If you specify a username without a keyword or a serial number, all of the certificates issued for that user appear. For each user, the output shows the username, e-mail address, domain name, the time period for which enrollment is allowed, and the number of times that the user has been notified with an enrollment invitation.

In addition, the following information appears in the output:

  • The NOTIFIED field is required to support multiple reminders. It tracks when a user needs to be notified of the OTP for enrollment and the reminder notification attempts. This field is set to 0 initially. It is incremented to 1 when the user entry is marked as being allowed to enroll. At this time, the initial OTP notification is generated.
  • The NOTIFY field is incremented each time a reminder is sent. Three notifications are sent before the OTP is due to expire. A notification is sent when the user is allowed to enroll, at the mid-point of the expiration, and when ¾ of the expiration time has passed. This field is used only for administrator-initiated enrollments. For automatic certificate renewals, the NOTIFYfield in the certificate database is used.

Note While the notification counter in this command is used to track the number of times a user is notified to renew a certificate before expiration, the notification counter in show crypto ca server user-db is used to track the number of times a user is notified to enroll for the certificate. Renewal notifications are tracked under cert-db and not included in user-db.


Each certificate displays the certificate serial number, the issued and expired dates, and the certificate status (Revoked/Not Revoked).

Examples

The following example requests the display of all of the certificates issued for asa by the CA server:

hostname# show crypto ca server cert-db username asa
Username: asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
 

The following example requests the display of all the certificates issued by the local CA server with a serial number of 0x2:

hostname# show crypto ca server cert-db serial 2

Username:asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
 

The following example requests the display of all of the certificates issued by the local CA server:

hostname# show crypto ca server cert-db
Username: asa
Renewal allowed until: Not Allowed
Number of times user notified: 0
PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013
Certificates Issued:
serial: 0x2
issued: 10:28:04 UTC Tue Sep 24 2013
expired: 10:28:04 UTC Thu Sep 26 2013
status: Not Revoked
 

 
Related Commands

Command
Description

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.

crypto ca server revoke

Marks a certificate issued by the local CA server as revoked in both the certificate database and CRL.

lifetime crl

Specifies the lifetime of the CRL.

show crypto ca server certificate

To display the certificate for the local CA server in base64 format, use the show crypto ca server certificate command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server certificate

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.0(2)

This command was introduced.

 
Usage Guidelines

The show crypto ca server certificate command displays the local CA server certificate in base64 format. This display allows you to cut and paste a certificate while exporting it to other devices that need to trust the local CA server.

Examples

The following is sample output from the show crypto ca server certificate command:

ciscoasa# show crypto ca server certificate
 
The base64 encoded local CA certificate follows:
 
MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc+MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAMIIXHAYJKoZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIjph4SxJoyTgCAQGAghbw3v4bFy+GGG2dJnB4OLphsUM+IG3SDOiDwZG9n1SvtMieoxd7Hxknxbum06JDrujWKtHBIqkrm+td34qlNE1iGeP2YC94/NQ2z+4kS+uZzwcRhl1KEZTS1E4L0fSaC3uMTxJq2NUHYWmoc8pi4CIeLj3h7VVMy6qbx2AC8I+q57+QG5vG5l5Hi5imwtYfaWwPEdPQxaWZPrzoG1J8BFqdPa1jBGhAzzuSmElm3j/2dQ3Atro1G9nIsRHgV39fcBgwz4fEabHG7/Vanb+fj81d5nlOiJjDYYbP86tvbZ2yOVZR6aKFVI0b2AfCr6PbwfC9U8Z/aF3BCyM2sN2xPJrXva94CaYrqyotZdAkSYA5KWScyEcgdqmuBeGDKOncTknfgy0XM+fG5rb3qAXy1GkjyFI5Bm9Do6RUROoG1DSrQrKeq/hj….
 

ciscoasa #

 
Related Commands

Command
Description

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage a local CA.

issuer-name

Specifies the subject-name DN of the certificate authority certificate.

keysize

Specifies the size of the public and private keys generated at user certificate enrollment.

lifetime

Specifies the lifetime of the CA certificate and issued certificates.

show crypto ca server

Displays the local CA configuration in ASCII text format.

show crypto ca server crl

To display the current CRL of the local CA, use the show crypto ca server crl command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server crl

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.0(2)

This command was introduced.

Examples

The following is sample output from the show crypto ca server crl command:

ciscoasa# show crypto ca server crl
asa5540(config)# sh cry ca ser crl
Certificate Revocation List:
Issuer: cn=asa5540.frqa.cisco.com
This Update: 07:32:27 UTC Oct 16 2006
Next Update: 13:32:27 UTC Oct 16 2006
Number of CRL entries: 0
CRL size: 232 bytes
asa5540(config)#
ciscoasa#

 
Related Commands

Command
Description

cdp-url

Specifies the CRL distribution point (CDP) to be included in the certificates issued by the CA.

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.

crypto ca server revoke

Marks a certificate issued by the local CA server as revoked in the certificate database and CRL.

lifetime crl

Specifies the lifetime of the CRL.

show crypto ca server

Displays the status of the CA configuration.

show crypto ca server user-db

To display users included in the local CA server user database, use the show crypto ca server user-db command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server user-db [ expired | allowed | on-hold | enrolled ]

 
Syntax Description

allowed

(Optional) Specifies that users who are allowed to enroll display, regardless of the status of their certificate.

enrolled

(Optional) Specifies that users with valid certificates display.

expired

(Optional) Specifies that users holding expired certificates display.

on-hold

(Optional) Specifies that users who have not enrolled yet display.

 
Defaults

By default, all users in the database display if no keywords are entered.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.0(2)

This command was introduced.

Examples

The following example displays currently enrolled users:

ciscoasa# show crypto ca server user-db enrolled
Username DN Certificate issued Certificate expiration
exampleuser cn=Example User,o=... 5/31/2009 5/31/2010
 
ciscoasa#

 
Usage Guidelines

While the notification counter in this command is used to track the number of times a user is notified to enroll for the certificate, the notification counter in show crypto ca server cert-db is used to track the number of times a user is notified to renew a certificate before expiration. Renewal notifications are tracked under cert-db and not included in user-db.

 
Related Commands

Command
Description

crypto ca server user-db add

Adds a user to the CA server user database.

crypto ca server user-db allow

Allows a specific user or a subset of users in the CA server database to enroll with the local CA.

crypto ca server user-db remove

Removes a user from the CA server user database.

crypto ca server user-db write

Writes user information configured in the local CA database to storage.

show crypto ca server cert-db

Displays all certificates issued by the local CA.

show crypto ca trustpool

To display the certificates that constitute the trustpool, use the show crypto ca trustpool command in privileged EXEC mode.

show crypto ca trustpool [detail]

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

This command shows an abbreviated display of all the trustpool certificates. When the “detail” option is specified, more information is included.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

The output of the show crypto ca trustpool command includes the fingerprint value of each certificate. These values are required for removal operation.

Examples

ciscoasa# show crypto ca trustpool
 
CA Certificate
Status: Available
Certificate Serial Number: 6c386c409f4ff4944154635da520ed4c
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name: cn=bxb2008-root
dc=bdb2008
dc=mycompany
dc=com
Subject Name:
cn=bxb2008-root
dc=bxb2008
dc=cisco
dc=com
Validity Date:
start date:17:21:06 EST Jan 14 2009
end date:17:31:06 EST Jan 14 2024
 
CA Certificate
Status: Available
Certificate Serial Number: 58d1c756000000000059
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=bxb2008-root
dc=bxb2008
dc=mycompany
dc=com
Subject Name:
cn=BXB2008SUB1-CA
dc=bxb2008
dc=cisco
dc=com
OCSP AIA:
URL: http://bxb2008-1.bxb2008.mycompany.com/ocsp
CRL Distribution Points:
(1) http://bxb2008-1.bxb2008.mycompany.com/CertEnroll/bxb2008-root.crl
Validity Date:
start date:11:54:34 EST May 18 2009
end date:12:04:34 EST May 18 2011

 
Related Commands

Command
Description

clear crypto ca trustpool

Removes all certificates from the trustpool.

crypto ca trustpool import

Imports certificates that constitute the PKI trustpool.

crypto ca trustpool remove

Removes a single specified certificate from the trustpool.

show crypto ca trustpool policy

To display the configured trustpool policy and process any applied certificate maps to show how those impact the policy, use the show crypto ca trustpool policy command in privileged EXEC mode.

show crypto ca trustpool policy

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

 
Command History

Release
Modification

9.0(1)

This command was introduced.

Examples

ciscoasa(config)# sh run cry ca cert map
crypto ca certificate map map1 1
issuer-name eq cn = mycompany manufacturing ca
issuer-name eq cn = mycompany ca
crypto ca certificate map map 2 1
issuer-name eq cn = mycompany manufacturing ca
issuer-name eq cn = mycompany ca2
ciscoasa(config)#
 
ciscoasa(config)# sh run crypto ca trustpool policy
crypto ca trustpool policy
revocation-check none
match certificate map2 allow expired-certificate
match certificate map1 skip revocation-check
crl cache-time 123
ciscoasa(config)#
 
ciscoasa# show crypto ca trustpool policy
800 trustpool certificates installed
Trustpool Policy
Trustpool revocation checking is disabled
CRL cache time: 123 seconds
CRL next update field: required and forced
Policy overrides:
map: map1
match:issuer-name eq cn=Mycompany Manufacturing CA
match:issuer-name eq cn=Mycompany CA
action:skip revocation-check
 
map: map2
match: issuer-name eq cn=mycompany Manufacturing CA
match: issuer-name eq cn=mycompany CA2
action: allowed expired certificates
 
ciscoasa(config)#

 
Related Commands

Command
Description

crypto ca trustpool policy

Enters a submode that provides the commands that define the trustpool policy.

show crypto debug-condition

To display the currently configured filters, the unmatched states, and the error states for IPsec and ISAKMP debugging messages, use the show crypto debug-condition command in global configuration mode.

show crypto debug-condition

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 
Command History

Release
Modification

8.0(2)

This command was introduced.

9.0(1)

Support for multiple context mode was added.

Examples

The following example shows the filtering conditions:

ciscoasa(config)# show crypto debug-condition
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPsec debug context unmatched flag: ON
 
IKE peer IP address filters:
1.1.1.0/24 2.2.2.2
 
IKE user name filters:
my_user
 

 
Related Commands

Command
Description

debug crypto condition

Sets filtering conditions for IPsec and ISAKMP debugging messages.

debug crypto condition error

Shows debugging messages whether or not filtering conditions have been specified.

debug crypto condition unmatched

Shows debugging messages for IPsec and ISAKMP that do not include sufficient context information for filtering.

show crypto ikev1 sa

To display the IKEv1 runtime SA database, use the show crypto ikev1 sa command in global configuration mode or privileged EXEC mode.

show crypto ikev1 sa [ detail ]

 
Syntax Description

detail

Displays detailed output about the SA database.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.4(1)

This command command was introduced.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

The output from this command includes the following fields:

Detail not specified.

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active

Detail specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

ciscoasa(config)# show crypto ikev1 sa detail
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
1 209.165.200.225 User Resp No AM_Active 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
2 209.165.200.226 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
3 209.165.200.227 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
4 209.165.200.228 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
ciscoasa(config)#
 

 
Related Commands

Command
Description

show crypto ikev2 sa

Displays the IKEv2 runtime SA database.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.

show crypto ikev2 sa

To display the IKEv2 runtime SA database, use the show crypto ikev2 sa command in global configuration mode or privileged EXEC mode.

show crypto ikev2 sa [ detail ]

 
Syntax Description

detail

Displays detailed output about the SA database.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

8.4(1)

This command command was introduced.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

The output from this command includes the following fields:

Detail not specified.

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active

Detail specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

asa(config)# show crypto ikev2 sa detail
 
IKEv2 SAs:
 
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
 
Tunnel-id Local Remote Status Role
671069399 10.0.0.0/500 10.255.255.255/500 READY INITIATOR
Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/188 sec
Session-id: 1
Status Description: Negotiation done
Local spi: 80173A0373C2D403 Remote spi: AE8AEFA1B97DBB22
Local id: asa
Remote id: asa1
Local req mess id: 8 Remote req mess id: 7
Local next mess id: 8 Remote next mess id: 7
Local req queued: 8 Remote req queued: 7
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 0.0.0.0/0 - 255.255.255.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x242a3da5/0xe6262034
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-GCM, keysize: 128, esp_hmac: N/A
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
 

 
Related Commands

Command
Description

show crypto ikev1 sa

Displays the IKEv1 runtime SA database.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.

show crypto ipsec df-bit

To display the IPsec DF-bit policy for IPsec packets for a specified interface, use the show crypto ipsec df-bit command in global configuration mode and privileged EXEC mode.

show crypto ipsec df-bit interface

 
Syntax Description

interface

Specifies an interface name.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following example displays the IPsec DF-bit policy for interface named inside:

ciscoasa(config)# show crypto ipsec df-bit inside
df-bit inside copy
ciscoasa(config)#

 
Related Commands

Command
Description

crypto ipsec df-bit

Configures the IPsec DF-bit policy for IPsec packets.

crypto ipsec fragmentation

Configures the fragmentation policy for IPsec packets.

show crypto ipsec fragmentation

Displays the fragmentation policy for IPsec packets.

show crypto ipsec fragmentation

To display the fragmentation policy for IPsec packets, use the show crypto ipsec fragmentation command in global configuration or privileged EXEC mode.

show crypto ipsec fragmentation interface

 
Syntax Description

interface

Specifies an interface name.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following example, entered in global configuration mode, displays the IPsec fragmentation policy for an interface named inside:

ciscoasa(config)# show crypto ipsec fragmentation inside
fragmentation inside before-encryption
ciscoasa(config)#
 

 
Related Commands

Command
Description

crypto ipsec fragmentation

Configures the fragmentation policy for IPsec packets.

crypto ipsec df-bit

Configures the DF-bit policy for IPsec packets.

show crypto ipsec df-bit

Displays the DF-bit policy for a specified interface.

show crypto ipsec policy

To display IPsec secure socket API (SS API) security policy information provided by OSPFv3, use the show crypto ipsec policy command in global configuration or privileged EXEC mode. You can also use the alternate form of this command: show ipsec policy .

show crypto ipsec policy [name]

 
Syntax Description

name

Specifies a policy name.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following example, entered in global configuration mode, displays the crypto secure socket API installed policy information for a policy named CSSU-UTF:

ciscoasa(config)# show crypto ipsec policy
Crypto IPsec client security policy data
 
Policy name: CSSU-UTF
Policy refcount: 0
Inbound ESP SPI: 1031 (0x407)
Outbound ESP SPI: 1031 (0x407)
Inbound ESP Auth Key: 0123456789abcdef
Outbound ESP Auth Key: 0123456789abcdef
Inbound ESP Cipher Key:
Outbound ESP Cipher Key:
Transform set: esp-sha-hmac
 

 
Related Commands

Command
Description

show crypto ipsec fragmentation

Displays the fragmentation policy for IPsec packets.

show crypto ipsec sa

Displays a list of IPsec SA.

show crypto ipsec df-bit

Displays the DF-bit policy for a specified interface.

show crypto sockets

Displays crypto secure sockets and the socket state.

show crypto ipsec sa

To display a list of IPsec SAs, use the show crypto ipsec sa command in global configuration mode or privileged EXEC mode. You can also use the alternate form of this command: show ipsec sa .

show crypto ipsec sa [ entry | identity | map map-name | peer peer-addr ] [ detail ]

 
Syntax Description

detail

(Optional) Displays detailed error information on what is displayed.

entry

(Optional) Displays IPsec SAs sorted by peer address

identity

(Optional) Displays IPsec SAs for sorted by identity, not including ESPs. This is a condensed form.

map map-name

(Optional) Displays IPsec SAs for the specified crypto map.

peer peer-addr

(Optional) Displays IPsec SAs for specified peer IP addresses.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Added support for OSPFv3, multipe context mode, Suite B algorithm in the transform and IV size portion, and ESPV3 IPsec output.

Examples

The following example, entered in global configuration mode, displays IPsec SAs that include a tunnel identified as OSPFv3.

ciscoasa(config)# show crypto ipsec sa
interface: outside2
Crypto map tag: def, local addr: 10.132.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)
current_peer: 172.20.0.21
dynamic allocated peer ip: 10.135.1.5
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10
#PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
 
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Transport, Manual key, (OSPFv3), }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 548
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Transport, Manual key, (OSPFv3), }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 548
IV size: 8 bytes
replay detection support: Y
 
Crypto map tag: def, local addr: 10.132.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
ciscoasa(config)#

Note Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that fragmentation occurs after IPsec processing.


The following example, entered in global configuration mode, displays IPsec SAs for a crypto map named def.

ciscoasa(config)# show crypto ipsec sa map def
cryptomap: def
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
 
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 480
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 480
IV size: 8 bytes
replay detection support: Y
 
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
 
#pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672
#pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
 
inbound esp sas:
spi: 0xB32CF0BD (3006066877)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 263
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B6F6A35 (997157429)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 263
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
 

The following example, entered in global configuration mode, shows IPsec SAs for the keyword entry .

ciscoasa(config)# show crypto ipsec sa entry
peer address: 10.132.0.21
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
 
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 429
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 429
IV size: 8 bytes
replay detection support: Y
 
peer address: 10.135.1.8
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
 
#pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723
#pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
 
inbound esp sas:
spi: 0xB32CF0BD (3006066877)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 212
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B6F6A35 (997157429)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 212
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
 

The following example, entered in global configuration mode, shows IPsec SAs with the keywords entry detail .

ciscoasa(config)# show crypto ipsec sa entry detail
peer address: 10.132.0.21
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
 
inbound esp sas:
spi: 0x1E8246FC (511854332)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 322
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDC15BF68 (3692412776)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 3, crypto-map: def
sa timing: remaining key lifetime (sec): 322
IV size: 8 bytes
replay detection support: Y
 
peer address: 10.135.1.8
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
 
#pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831
#pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
 
inbound esp sas:
spi: 0xB32CF0BD (3006066877)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 104
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B6F6A35 (997157429)
transform: esp-3des esp-md5-hmac
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4, crypto-map: def
sa timing: remaining key lifetime (sec): 104
IV size: 8 bytes
replay detection support: Y
ciscoasa(config)#
 

The following example shows IPsec SAs with the keyword identity .

ciscoasa(config)# show crypto ipsec sa identity
interface: outside2
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
 
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
 
#pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756
#pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
 

The following example shows IPsec SAs with the keywords identity and detail .

ciscoasa(config)# show crypto ipsec sa identity detail
interface: outside2
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)
current_peer: 10.132.0.21
dynamic allocated peer ip: 90.135.1.5
 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: DC15BF68
 
Crypto map tag: def, local addr: 172.20.0.17
 
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)
current_peer: 10.135.1.8
dynamic allocated peer ip: 0.0.0.0
 
#pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771
#pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
 
local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8
 
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: 3B6F6A35
 

 
Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config isakmp

Displays all the active ISAKMP configuration.

show crypto ipsec stats

To display a list of IPsec statistics, use the show crypto ipsec stats command in global configuration mode or privileged EXEC mode.

show crypto ipsec stats

 
Syntax Description

This command has no keywords or variables.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following example, entered in global configuration mode, displays IPsec statistics:

ciscoasa(config)# show crypto ipsec stats
 
IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 9
Inbound
Bytes: 4933013
Decompressed bytes: 4933013
Packets: 80348
Dropped packets: 0
Replay failures: 0
Authentications: 80348
Authentication failures: 0
Decryptions: 80348
Decryption failures: 0
Decapsulated fragments needing reassembly: 0
Outbound
Bytes: 4441740
Uncompressed bytes: 4441740
Packets: 74029
Dropped packets: 0
Authentications: 74029
Authentication failures: 0
Encryptions: 74029
Encryption failures: 0
Fragmentation successes: 3
Pre-fragmentation successes:2
Post-fragmentation successes: 1
Fragmentation failures: 2
Pre-fragmentation failures:1
Post-fragmentation failures: 1
Fragments created: 10
PMTUs sent: 1
PMTUs recvd: 2
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
ciscoasa(config)#

 
Related Commands

Command
Description

clear ipsec sa

Clears IPsec SAs or counters based on specified parameters.

crypto ipsec transform-set

Defines a transform set.

show ipsec sa

Displays IPsec SAs based on specified parameters.

show ipsec sa summary

Displays a summary of IPsec SAs.

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

ciscoasa(config)# show crypto isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.

show crypto isakmp sa

To display the IKE runtime SA database, use the show crypto isakmp sa command in global configuration mode or privileged EXEC mode.

show crypto isakmp sa [ detail ]

 
Syntax Description

detail

Displays detailed output about the SA database.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0(1)

The show isakmp sa command was introduced.

7.2(1)

This command was deprecated. The show crypto isakmp sa command replaces it.

9.0(1)

Support for multiple context mode was added.

 
Usage Guidelines

The output from this command includes the following fields:

Detail not specified.

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active

Detail specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database:

ciscoasa(config)# show crypto isakmp sa detail
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
1 209.165.200.225 User Resp No AM_Active 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
2 209.165.200.226 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
3 209.165.200.227 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
IKE Peer Type Dir Rky State Encrypt Hash Auth Lifetime
4 209.165.200.228 User Resp No AM_ACTIVE 3des SHA preshrd 86400
 
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.

show crypto isakmp stats

To display runtime statistics, use the show crypto isakmp stats command in global configuration mode or privileged EXEC mode.

show crypto isakmp stats

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

The show isakmp stats command was introduced.

7.2(1)

The show isakmp stats command was deprecated. The show crypto isakmp stats command replaces it.

 
Usage Guidelines

The output from this command includes the following fields:

  • Global IKE Statistics
  • Active Tunnels
  • In Octets
  • In Packets
  • In Drop Packets
  • In Notifys
  • In P2 Exchanges
  • In P2 Exchange Invalids
  • In P2 Exchange Rejects
  • In P2 Sa Delete Requests
  • Out Octets
  • Out Packets
  • Out Drop Packets
  • Out Notifys
  • Out P2 Exchanges
  • Out P2 Exchange Invalids
  • Out P2 Exchange Rejects
  • Out P2 Sa Delete Requests
  • Initiator Tunnels
  • Initiator Fails
  • Responder Fails
  • System Capacity Fails
  • Auth Fails
  • Decrypt Fails
  • Hash Valid Fails
  • No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics:

ciscoasa(config)# show crypto isakmp stats
Global IKE Statistics
Active Tunnels: 132
Previous Tunnels: 132
In Octets: 195471
In Packets: 1854
In Drop Packets: 925
In Notifys: 0
In P2 Exchanges: 132
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 119029
Out Packets: 796
Out Drop Packets: 0
Out Notifys: 264
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
ciscoasa(config)#
 

 
Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.

show crypto key mypubkey

To display the key name, usage, and elliptic curve size for ECDSA keys, use the show crypto key mypubkey command in global configuration mode or privileged EXEC mode.

show crypto key mypubkey dsa | rsa

 
Syntax Description

dsa

Specifies the key name.

rsa

Specifies the key name.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

The show crypto key mypubkey command was introduced.

show crypto protocol statistics

To display the protocol-specific statistics in the crypto accelerator MIB, use the show crypto protocol statistics command in global configuration or privileged EXEC mode.

show crypto protocol statistics protocol

 
Syntax Description

protocol

Specifies the name of the protocol for which to display statistics. Protocol choices are as follows:

ikev1 —Internet Key Exchange version 1.

ipsec —IP Security Phase-2 protocols.

ssl —Secure Sockets Layer.

other —Reserved for new protocols.

all —All protocols currently supported.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following examples entered in global configuration mode, display crypto accelerator statistics for specified protocols:

ciscoasa # show crypto protocol statistics ikev1
[IKEv1 statistics]
Encrypt packet requests: 39
Encapsulate packet requests: 39
Decrypt packet requests: 35
Decapsulate packet requests: 35
HMAC calculation requests: 84
SA creation requests: 1
SA rekey requests: 3
SA deletion requests: 2
Next phase key allocation requests: 2
Random number generation requests: 0
Failed requests: 0
 
ciscoasa # show crypto protocol statistics ipsec
[IPsec statistics]
Encrypt packet requests: 700
Encapsulate packet requests: 700
Decrypt packet requests: 700
Decapsulate packet requests: 700
HMAC calculation requests: 1400
SA creation requests: 2
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
 
ciscoasa # show crypto protocol statistics ssl
[SSL statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
 
ciscoasa # show crypto protocol statistics other
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 99
Failed requests: 0
 
ciscoasa # show crypto protocol statistics all
[IKEv1 statistics]
Encrypt packet requests: 46
Encapsulate packet requests: 46
Decrypt packet requests: 40
Decapsulate packet requests: 40
HMAC calculation requests: 91
SA creation requests: 1
SA rekey requests: 3
SA deletion requests: 3
Next phase key allocation requests: 2
Random number generation requests: 0
Failed requests: 0
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IPsec statistics]
Encrypt packet requests: 700
Encapsulate packet requests: 700
Decrypt packet requests: 700
Decapsulate packet requests: 700
HMAC calculation requests: 1400
SA creation requests: 2
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSL statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics are not supported]
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 99
Failed requests: 0
ciscoasa #

 
Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto accelerator statistics

Displays the global and accelerator-specific statistics from the crypto accelerator MIB.

show crypto sockets

To display crypto secure socket information, use the show crypto sockets command in global configuration mode or privileged EXEC mode.

show crypto sockets

 
Syntax Description

This command has no keywords or variables.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

 
Command History

Release
Modification

7.0

This command was introduced.

Examples

The following example, entered in global configuration mode, displays crypto secure socket information:

ciscoasa(config)# show crypto sockets
 
Number of Crypto Socket connections 1
 
Gi0/1 Peers: (local): 2001:1::1
(remote): ::
Local Ident (addr/plen/port/prot): (2001:1::1/64/0/89)
Remote Ident (addr/plen/port/prot): (::/0/0/89)
IPsec Profile: "CSSU-UTF"
Socket State: Open
Client: "CSSU_App(UTF)" (Client State: Active)
 
Crypto Sockets in Listen state:
 

The following table describes the fields in the show crypto sockets command output.

 

Field
Description

Number of Crypto Socket connections

Number of crypto sockets in the system.

Socket State

This state can be Open, which means that active IPsec security associations (SAs) exist, or it can be Closed, which means that no active IPsec SAs exist.

Client

Application name and its state.

Flags

If this field says “shared,” the socket is shared with more than one tunnel interface.

Crypto Sockets in Listen state

Name of the crypto IPsec profile.

 
Related Commands

Command
Description

show crypto ipsec policy

Displays the crypto secure socket API installed policy information.

show csc node-count

To display the number of nodes for which the CSC SSM scanned traffic, use the show csc node-count command in privileged EXEC mode:

show csc node-count [ yesterday ]

 
Syntax Description

yesterday

(Optional) Shows the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight.

 
Defaults

By default, the node count displayed is the number of nodes scanned since midnight.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

A node is any distinct source IP address or the address of a device that is on a network protected by the ASA. The ASA keeps track of a daily node count and communicates this to the CSC SSM for user license enforcement.

Examples

The following is sample output of the show csc node-count command, which displays the number of nodes for which the CSC SSM has scanned traffic since midnight:

ciscoasa# show csc node-count
Current node count is 1
 

The following is sample output of the show csc node-count command, which displays the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight:

ciscoasa(config)# show csc node-count yesterday
Yesterday’s node count is 2
 

 
Related Commands

csc

Sends network traffic to the CSC SSM for scanning of FTP, HTTP, POP3, and SMTP, as configured on the CSC SSM.

show running-config class-map

Shows current class map configuration.

show running-config policy-map

Shows the current policy map configuration.

show running-config service-policy

Shows the current service policy configuration.

show ctiqbe

To display information about CTIQBE sessions established across the ASA, use the show ctiqbe command in privileged EXEC mode.

show ctiqbe

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

7.0(1)

This command was introduced.

 
Usage Guidelines

The show ctiqbe command displays information of CTIQBE sessions established across the ASA. Along with debug ctiqbe and show local-host , this command is used for troubleshooting CTIQBE inspection engine issues.


Note We recommend that you have the pager command configured before using the show ctiqbe command. If there are a lot of CTIQBE sessions and the pager command is not configured, it can take a while for the show ctiqbe command output to reach the end.


Examples

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session setup across the ASA. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco Call Manager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.

ciscoasa# | show ctiqbe
 
Total: 1
| LOCAL | FOREIGN | STATE | HEARTBEAT
---------------------------------------------------------------
1 | 10.0.0.99/1117 172.29.1.77/2748 | 1 | 120
| RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 | 1029)
| MEDIA: Device ID 27 | Call ID 0
| Foreign 172.29.1.99 | (1028 | 1029)
| Local | 172.29.1.88 | (26822 | 26823)
| ----------------------------------------------
 

The CTI device has already registered with the CallManager. The device internal address and RTP listening port is PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are NATed to the same external interface that is used by the CallManager.

The output indicates a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone locates on the same interface as the CallManager because the ASA does not maintain a CTIQBE session record associated with the second phone and CallManager. The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.

The following is the xlate information for these CTIBQE connections:

ciscoasa# show xlate debug
3 in use, 3 most used
Flags: D | DNS, d | dump, I | identity, i | inside, n | no random,
| o | outside, r | portmap, s | static
TCP PAT from inside:10.0.0.99/1117 to outside:172.29.1.99/1025 flags ri idle 0:00:22 timeout 0:00:30
UDP PAT from inside:10.0.0.99/16908 to outside:172.29.1.99/1028 flags ri idle 0:00:00 timeout 0:04:10
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 timeout 0:04:10
ciscoasa#
 

 
Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect ctiqbe

Enables CTIQBE application inspection.

service-policy

Applies a policy map to one or more interfaces.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.

show ctl-file

To show the contents of the CTL file used by the phone proxy, use the show ctl-file command in global configuration mode.

show ctl-file filename [ parsed ]

 
Syntax Description

filename

Displays the phones capable of secure mode stored in the database.

parsed

(Optional) Displays detailed information from the CTL file specified.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  •  

 
Command History

Release
Modification

8.2(1)

The command was introduced.

 
Usage Guidelines

When specifying the filename of the CTL file stored in Flash memory, specify the disk number, filename, and extension; for example: disk0:/testctl.tlv . Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.

Examples

The following example shows the use of the show ctl-file command to show general information about the CTL file:

hostname# show ctl-file disk0:/ctlfile.tlv
Total Number of Records: 1
CTL Record Number 1
Subject Name:
serialNumber=JMX1215L2TX+hostname=ciscoasa
Issuer Name:
serialNumber=JMX1215L2TX+hostname=ciscoasa
Function:
cucm
IP Address:
192.168.52.102
Associated Trustpoint:
cucm_primary
 
The following example shows the use of the show ctl-file command to show detailed information about the CTL file:
hostname# show ctl-file disk0:/ctlfile.tlv parsed
TAG 0x01: Version: Maj 1, Min 2
TAG 0x02: Header Len: Len 288
TAG 0x03: Signer ID: Len 103
TAG 0x04: Signer Name: Len 45 Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>
TAG 0x05: Cert SN: Len 4 SN: c43c9048
TAG 0x06: CA Name: Len 45 Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>
TAG 0x07: Signature: Len 15
TAG 0x08: Digest Alg: Len 1 Name: SHA-1
TAG 0x09: Sig Alg Info: Len 8
TAG 0x0A: Sig Alg: Len 1 Name: RSA
TAG 0x0B: Modulus: Len 1 Name: 1024
TAG 0x0C: Sig Block: Len 128 Signature:
521debcf b7a77ea8 94eba5f7 f3c8b0d8 3337a9fa 267ce1a7 202b2c8b 2ac980d3
9608f64d e7cd82df e205e5bf 74a1d9c4 fae20f90 f3d2746a e90f439e ef93fca7
d4925551 72daa414 2c55f249 ef7e6dc2 bcb9f9b5 39be8238 5011eecb ce37e4d1
866e6550 6779c3fd 25c8bab0 6e9be32c 7f79fe34 5575e3af ea039145 45ce3158
TAG 0x0E: File Name: Len 12 Name: <CTLFile.tlv>
TAG 0x0F: Timestamp: Len 4 Timestamp: 48903cc6
 
### CTL RECORD No. 1 ###
TAG 0x01: Rcd Len: Len 731
TAG 0x03: Sub Name: Len 43 Sub Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>
TAG 0x04: Function: Len 2 Func: CCM
TAG 0x05: Cert Issuer: Len 43 Issuer Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>
TAG 0x06: Cert SN: Len 4 Cert SN: 15379048
TAG 0x07: Pub Key: Len 140 Pub Key:
30818902 818100ad a752b4e6 89769a49 13115e52 1209b3ef 96a179af 728c29d7
af7fed4e c759d0ea cebd7587 dd4f7c4c 322da86b 3a677c08 ce39ce60 2525f6d2
50fe87cf 2aea60a5 690ec985 10706e5a 30ad26db e6fdb243 159758ed bb487525
f901ef4a 658445de 29981546 3867d2d1 ce519ee4 62c7be32 51037c3c 751c0ad6
040bedbb 3e984502 03010001
TAG 0x09: Cert: Len 469 X.509v3 Cert:
308201d1 3082013a a0030201 02020415 37904830 0d06092a 864886f7 0d010104
0500302d 312b3012 06035504 05130b4a 4d583132 31354c32 54583015 06092a86
4886f70d 01090216 08636973 636f6173 61301e17 0d303830 37333030 39343033
375a170d 31383037 32383039 34303337 5a302d31 2b301206 03550405 130b4a4d
58313231 354c3254 58301506 092a8648 86f70d01 09021608 63697363 6f617361
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ada752
b4e68976 9a491311 5e521209 b3ef96a1 79af728c 29d7af7f ed4ec759 d0eacebd
7587dd4f 7c4c322d a86b3a67 7c08ce39 ce602525 f6d250fe 87cf2aea 60a5690e
c9851070 6e5a30ad 26dbe6fd b2431597 58edbb48 7525f901 ef4a6584 45de2998
15463867 d2d1ce51 9ee462c7 be325103 7c3c751c 0ad6040b edbb3e98 45020301
0001300d 06092a86 4886f70d 01010405 00038181 005d82b7 ac45dbf8 bd911d4d
a330454a a2784a4b 5ef898b1 482e0bbf 4a86ed86 9019820b 00e80361 fd7b2518
9efa746c b98b1e23 fcc0793c de48de6d 6b1a4998 cd6f4e66 ba661d3a d200739a
ae679c7c 94f550fb a6381b94 1eae389e a9ec4b11 30ba31f3 33cd184e 25647174
ce00231d 102d5db3 c9c111a6 df37eb43 66f3d2d5 46
TAG 0x0A: IP Addr: Len 4 IP Addr: 192.168.52.102

 
Related Commands

Command
Description

ctl-file (global)

Specifies the CTL instance to create for the phone proxy or parses the CTL file stored in Flash memory.

ctl-file (phone-proxy)

Specifies the CTL instance to use when configuring the phone proxy.

phone proxy

Configures the Phone Proxy instance.

show cts environment-data

To show the health and status of the environment data refresh operation on the ASA for Cisco TrustSec, use the show cts environment-data command in privileged EXEC mode.

show cts environment-data

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.
 

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
 

Examples

The following is sample output from the show cts environment-data command

ciscoasa# show cts environment-data
 
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 1200 secs
Last update time: 18:12:07 EST Feb 27 2012
Env-data expires in: 0:00:12:24 (dd:hr:mm:sec)
Env-data refreshes in: 0:00:02:24 (dd:hr:mm:sec)

 
Related Commands

Commands
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts pac

Shows the components on the PAC.

show cts environment-data sg-table

To show the resident security group table on the ASA for Cisco TrustSec, use the show cts environment-data sg-table command in privileged EXEC mode.

show cts environment-data sg-table

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.
 

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
 

Examples

The following is sample output from the show cts environment-data sg-table command

ciscoasa# show cts environment-data sg-table
 
Security Group Table:
Valid until: 18:32:07 EST Feb 27 2012
Showing 9 of 9 entries
 
SG Name SG Tag Type
------- ------ -------------
ANY 65535 unicast
ExampleSG1 2 unicast
ExampleSG13 14 unicast
ExampleSG14 15 unicast
ExampleSG15 16 unicast
ExampleSG16 17 unicast
ExampleSG17 18 unicast
ExampleSG18 19 unicast
Unknown 0 unicast
 

 
Related Commands

Commands
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts pac

Shows the components on the PAC.

show cts pac

To show the components of the Protected Access Credential (PAC) on the ASA for Cisco TrustSec, use the show cts pac command in privileged EXEC mode.

show cts pac

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  
  •  

 
Command History

Release
Modification

9.0(1)

This command was introduced.

 
Usage Guidelines

The show cts pac command displays PAC information, including the expiration time. The expiration time is important because the ASA cannot retrieve security group table updates after the PAC lifetime lapses. The administrator must request and install a new PAC before the old one expires to maintain synchronization with the security group table on the Identity Services Engine.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.
 

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
 

Examples

The following is sample output from the show cts pac command

ciscoasa# show cts pac
PAC-Info:
Valid until: Jul 28 2012 08:03:23
AID: 6499578bc0240a3d8bd6591127ab270c
I-ID: BrianASA36
A-ID-Info: Identity Services Engine
PAC-type: Cisco Trustsec
PAC-Opaque:
000200b000030001000400106499578bc0240a3d8bd6591127ab270c00060094000301
00d75a3f2293ff3b1310803b9967540ff7000000134e2d2deb00093a803d227383e2b9
7db59ed2eeac4e469fcb1eeb0ac2dd84e76e13342a4c2f1081c06d493e192616d43611
8ff93d2af9b9135bb95127e8b9989db36cf1667b4fe6c284e220c11e1f7dbab91721d1
00e9f47231078288dab83a342ce176ed2410f1249780882a147cc087942f52238fc9b4
09100e1758
 

 
Related Commands

Commands
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.

show cts sgt-map

To show the IP address-security group table manager entries in the control path, use the show cts sgt-map command in privileged EXEC mode.

show cts sgt-map [ sgt sgt ] [ address ipv4 | address ipv6 [/ prefix ] | ipv4 | ipv6 ] [ name ] [ brief | detail ]

 
Syntax Description

address i pv4 / ipv6 /prefix

Shows only IP address-security group table mapping for the specific IPv4 or IPv6 address or subnet.

brief

Shows the IP address-security group table mapping summary.

detail

Shows the IP address-security group table mapping.

ipv4

Shows the IPv4 address-security group table mapping. By default, only the IPv4 address-security group table mapping is displayed.

ipv6

Shows the IPv6 address-security group table mapping.

name

Shows IP address-security group table mapping with the matched security group name.

sgt sgt

Shows only IP address-security group table mapping with the matched security group table.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  

 
Command History

Release
Modification

9.01)

The command was introduced.

 
Usage Guidelines

This command displays the IP address-security group table manager entries in the control path.

Examples

The following is sample output from the show cts sgt-map ipv6 command:

ciscoasa# show cts sgt-map ipv6
Active IP-SGT Bindings Information
 
IP Address SGT Source
============================================================
3330::1 17 SXP
FE80::A8BB:CCFF:FE00:110 17 SXP
 
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 2
Total number of active bindings = 2
 

The following is sample output from the show cts sgt-map ipv6 detail command:

ciscoasa# show cts sgt-map ipv6 detail
Active IP-SGT Bindings Information
 
IP Address Security Group Source
=========================================================================
3330::1 2345 SXP
1280::A8BB:CCFF:FE00:110 Security Tech Business Unit(12345) SXP
 
IP-SGT Active Bindings Summary
===================================
Total number of SXP bindings = 2
Total number of active bindings = 2
 

The following is sample output from the show cts sgt-map ipv6 brief command:

ciscoasa# show cts sgt-map ipv6 brief
Active IP-SGT Bindings Information
 
IP-SGT Active Bindings Summary
====================================
Total number of SXP bindings = 2
Total number of active bindings = 2
 

The following is sample output from the show cts sgt-map address command:

ciscoasa# show cts sgt-map address 10.10.10.5 mask 255.255.255.255
 
Active IP-SGT Bindings Information
 
IP Address SGT Source
============================================================
10.10.10.5 1234 SXP
 
IP-SGT Active Bindings Summary
============================================
Total number of SXP bindings = 1
Total number of active bindings = 1

 
Related Commands

Command
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.

show cts sxp connections

To show the Security eXchange Protocol (SXP) connections on the ASA, use the show cts sxp connections command in privileged EXEC mode.

show cts sxp connections [ peer peer addr ] [ local local addr ] [ ipv4 | ipv6 ] [ status { on | off | delete-hold-down | pending-on }] [ mode { speaker | listener }] [ brief ]

 
Syntax Description

brief

(Optional) Shows the SXP connection summary.

delete-hold-down

(Optional) The TCP connection was terminated (TCP is down) when it was in the ON state. Only an ASA configured in listener mode can be in this state.

ipv4

(Optional) Shows SXP connections with IPv4 addresses.

ipv6

(Optional) Shows SXP connections with IPv6 addresses.

listener

(Optional) Shows the ASA configured in listener mode.

local local addr

(Optional) Shows SXP connections with the matched local IP addresses.

mode

(Optional) Shows SXP connections with the matched mode.

off

(Optional) The TCP connection has not been initiated. The ASA retries the TCP connection only in this state.

on

(Optional) An SXP OPEN or SXP OPEN RESP message has been received. The SXP connection has been successfully established. The ASA only exchanges SXP messages in this state.

peer peer addr

(Optional) Shows SXP connections with the matched peer IP addresses.

pending-on

(Optional) An SXP OPEN message has been sent to the peer; the response from the peer is being awaited.

speaker

(Optional) Shows the ASA configured in speaker mode.

status

(Optional) Shows SXP connections with the matched status.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Provileged EXEC

  •  

 
Command History

Release
Modification

9.0(1)

The command was introduced.

 
Usage Guidelines

The SXP states change under the following conditions:

  • If the SXP listener drops its SXP connection because its peer unconfigures SXP or disables SXP, then the SXP listener moves to the OFF state.
  • If the SXP listener drops its SXP connection because its peer crashes or has the interface shut down, then the SXP listener moves to the DELETE_HOLD_DOWN state.
  • The SXP speaker moves to the OFF state when either of the first two conditions occurs.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.
 

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
 

Examples

The following is sample output from the show cts sxp connections command:

ciscoasa# show cts sxp connections
SXP : Enabled
Highest version : 2
Default password : Set
Default local IP : Not Set
Reconcile period : 120 secs
Retry open period : 10 secs
Retry open timer : Not Running
Total number of SXP connections : 3
Total number of SXP connection shown : 3
----------------------------------------------
Peer IP : 2.2.2.1
Local IP : 2.2.2.2
Conn status : On
Local mode : Listener
Ins number : 1
TCP conn password : Default
Delete hold down timer : Not Running
Reconciliation timer : Not Running
Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)
----------------------------------------------
Peer IP : 3.3.3.1
Local IP : 3.3.3.2
Conn status : On
Local mode : Listener
Ins number : 2
TCP conn password : None
Delete hold down timer : Not Running
Reconciliation timer : Not Running
Duration since last state change: 0:01:02:20 (dd:hr:mm:sec)
----------------------------------------------
Peer IP : 4.4.4.1
Local IP : 4.4.4.2
Conn status : On
Local mode : Speaker
Ins number : 1
TCP conn password : Set
Delete hold down timer : Not Running
Reconciliation timer : Not Running
Duration since last state change: 0:03:01:20 (dd:hr:mm:sec)
 

 
Related Commands

Command
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.

show cts sxp sgt-map

To show the current IP address-security group table mapping database entries in the Security eXchange Protocol (SXP) module on the ASA for Cisco TrustSec, use the show cts sxp sgt-map command in privileged EXEC mode.

show cts sxp sgt-map [ peer peer_addr ] [ sgt sgt ] [ address ipv4 | address ipv6 [/ prefix ] | ipv4 | ipv6 ] [ name ] [ brief | detail ] [ status ]

 
Syntax Description

address i pv4 / ipv6 /prefix

Shows only IP address-security group table mapping for the specific IPv4 or IPv6 address or subnet.

brief

Shows the IP address-security group table mapping summary.

detail

Shows the security group table information. If a security group name is not available, only the security group table value is displayed without the bracket.

ipv4

Shows the IP address-security group table mapping with IPv4 addresses. By default, only the IP address-security group table mapping with IPv4 addresses is displayed.

ipv6

Shows the IP address-security group table mapping with IPv6 addresses.

name

Shows IP address-security group table mapping with the matched security group name.

peer peer addr

Shows only IP address-security group table mapping with the matched peer IP address.

sgt sgt

Shows only IP address-security group table mapping with the matched security group table.

status

Shows active or inactive mapped entries.

 
Defaults

No default behavior or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC

  •  

 
Command History

Release
Modification

9.01)

The command was introduced.

 
Usage Guidelines

This command displays the active IP address-security group table mapped entries consolidated from SXP.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears:

ERROR: This command is only permitted on the active device.
 

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears:

This command is only permitted on the master device.
 

Examples

The following is sample output from the show cts sxp sgt-map command:

ciscoasa# show cts sxp sgt-map
Total number of IP-SGT mappings : 3
 
SGT : 7
IPv4 : 2.2.2.1
Peer IP : 2.2.2.1
Ins Num : 1
 
SGT : 7
IPv4 : 2.2.2.0
Peer IP : 3.3.3.1
Ins Num : 1
 
SGT : 7
IPv6 : FE80::A8BB:CCFF:FE00:110
Peer IP : 2.2.2.1
Ins Num : 1
 

The following is sample output from the show cts sxp sgt-map detail command:

ciscoasa# show cts sxp sgt-map detail
Total number of IP-SGT mappings : 3
 
SGT : STBU(7)
IPv4 : 2.2.2.1
Peer IP : 2.2.2.1
Ins Num : 1
Status : Active
 
SGT : STBU(7)
IPv4 : 2.2.2.0
Peer IP : 3.3.3.1
Ins Num : 1
Status : Inactive
 
SGT : 6
IPv6 : 1234::A8BB:CCFF:FE00:110
Peer IP : 2.2.2.1
Ins Num : 1
Status : Active
 

The following is sample output from the show cts sxp sgt-map brief command:

ciscoasa# show cts sxp sgt-map brief
Total number of IP-SGT mappings : 3
SGT, IPv4: 7, 2.2.2.1
SGT, IPv4: 7, 3.3.3.0
SGT, IPv6: 7, FE80::A8BB:CCFF:FE00:110
 

 
Related Commands

Command
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.

show curpriv

To display the current user privileges, use the show curpriv command:

show curpriv

 
Syntax Description

This command has no arguments or keywords.

 
Defaults

No default behaviors or values.

 
Command Modes

The following table shows the modes in which you can enter the command:

 

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

  •  
  •  

  •  

Privileged EXEC

  •  
  •  

  •  

User EXEC

  •  
  •  

  •  

 
Command History

Release
Modification

7.0(1)

Modified to conform to CLI guidelines.

 
Usage Guidelines

The show curpriv command displays the current privilege level. Lower privilege level numbers indicate lower privilege levels.

Examples

These examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. The username indicates the name that the user entered when the user logged in. P_PRIV indicates that the user has entered the enable command. P_CONF indicates that the user has entered the config terminal command.

ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
ciscoasa(config)# exit
 
ciscoasa(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
ciscoasa(config)# exit
 
ciscoasa(config)# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
ciscoasa(config)#
 

The following example shows a known behavior. When you are in enable mode, then enter disable mode, the initial logged-in username is replaced with enable_1:

hostname(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
hostname(config)# exit
hostname# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
hostname# exit
 
Logoff
 
Type help or '?' for a list of available commands.
hostname# show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR
hostname#

 
Related Commands

Command
Description

clear configure privilege

Remove privilege command statements from the configuration.

show running-config privilege

Display privilege levels for commands.