-
Cisco IOS Security Command Reference, Release 12.3 T
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through clear ip ips statistics
-
Security Commands: clear ip sdee through crypto isakmp nat keepalive
-
Security Commands: crypto key decrypt rsa through ctype
-
Security Commands: D through evaluate
-
Security Commands: fingerprint through ip ips signature disable
-
Security Commands: ip port-map through issuer name
-
Security Commands: keepalive (isakmp profile) through outgoing
-
Security Commands: parameter through quit
-
Security Commands: radius-server attribute 11 direction default through rsa-pubkey
-
Security Commands: save-password through show crypto ipsec transform-set
-
Security Commands: show crypto isakmp key through subject-name
-
Security Commands: tacacs-server administration through xauth userid mode
-
Table Of Contents
security authentication failure rate
set aggressive-mode client-endpoint
set security-association idle-time
set security-association level per-host
set security-association lifetime
set security-association replay disable
set security-association replay window-size
show call admission statistics
show crypto call admission statistics
show crypto engine accelerator logs
show crypto engine accelerator ring
show crypto engine accelerator sa-database
show crypto engine accelerator statistic
show crypto ipsec client ezvpn
show crypto ipsec security-association lifetime
show crypto ipsec transform-set
save-password
To save your extended authentication (Xauth) password locally on your PC, use the save-password command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Save-Password attribute, use the no form of this command.
save-password
no save-password
Syntax Description
This command has no arguments or keywords.
Defaults
Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.
The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.
The Save-Password attribute is configured on a Cisco IOS router or in the RADIUS profile.
To configure save password control, use the save-password command.
An example of an attribute-value (AV) pair for the Save-Password attribute is as follows:
ipsec:save-password=1You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.
Note
•
•
•
•
Examples
The following example shows that the Save-Password attribute has been configured:
crypto isakmp client configuration group ciscosave-passwordRelated Commands
acl
Configures split tunneling.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
secondary-color
To specify the color of the secondary title bars on the login and portal pages of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the secondary-color command in Web VPN configuration mode. To remove the color, use the no form of this command.
secondary-color color
no secondary-color color
Syntax Description
Defaults
Purple
Command Modes
Web VPN configuration
Command History
Usage Guidelines
If a new color is configured, it will override the color that was already configured.
Examples
The following examples show three ways that a secondary color may be configured:
secondary-color darkseagreensecondary-color #8FBC8Fsecondary-color 143,188,143Related Commands
secondary-text-color
To specify the color of the text on the secondary bars of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the secondary-text-color command in Web VPN configuration mode. To revert to the default color, use the no form of this command.
secondary-text-color [black | white]
no secondary-text-color [black | white]
Syntax Description
black
(Optional) Color of the text is black. This is the default value.
white
(Optional) Color of the text is white.
Defaults
Color of the text is black.
Command Modes
Web VPN configuration
Command History
Usage Guidelines
The color of the text on the secondary bars must be aligned with the color of the text on the title bar.
Examples
The following example shows that the secondary text color has been set to white:
secondary-text-color whiteRelated Commands
secret
To associate a command-line interface (CLI) view or a superview with a password, use the secret command in view configuration mode.
secret {unencrypted-password | 0 unencrypted-password | 5 encrypted-password}
Syntax Description
Defaults
User cannot access a CLI view or superview.
Command Modes
View configuration
Command History
Usage Guidelines
A user cannot access any commands within the CLI view or superview until the secret command has been issued.
Note
Examples
The following examples show how to configure two CLI views, "first" and "second," and associate each view with a password:
CLI View "first"
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# parser view firstRouter(config-view)#*Dec 9 05:20:03.039: %PARSER-6-VIEW_CREATED: view 'first' successfully created.Router(config-view)# secret firstpasswordRouter(config-view)# secret secondpassword% Overwriting existing secret for the current viewRouter(config-view)# secret 0 thirdpassword% Overwriting existing secret for the current viewRouter(config-view)# secret 5 $1$jj1e$vmYyRbmj5UoU96tT1x7eP1% Overwriting existing secret for the current viewRouter(config-view)# secret 5 invalidpasswordERROR: The secret you entered is not a valid encrypted secret.To enter an UNENCRYPTED secret, do not specify type 5 encryption.When you properly enter an UNENCRYPTED secret, it will be encrypted.Router(config-view)# command exec include show versionRouter(config-view)# command exec include configure terminalRouter(config-view)# command configure include all ipRouter(config-view)# exitCLI View "second"
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# parser view secondRouter(config-view)#*Dec 30 06:11:52.915: %PARSER-6-VIEW_CREATED: view 'second' successfully created.Router(config-view)# secret mypasswdRouter(config-view)# commands exec include pingRouter(config-view)# endRouter# show running-configparser view secondsecret 5 $1$PWs8$lz3lSx6OqAnFrUx2hkI0w0commands exec include ping!The following is an example of show running-config output for a situation in which the secret command has been configured using a level 5 encrypted password:Router: show running-configparser view firstsecret 5 $1$jj1e$vmYyRbmj5UoU96tT1x7eP1commands configure include all ipcommands exec include configure terminalcommands exec include configurecommands exec include show versioncommands exec include show!Related Commands
secure boot-config
To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command.
secure boot-config [restore filename]
no secure boot-config
Syntax Description
restore filename
(Optional) Reproduces a copy of the secure configuration archive as the supplied filename.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt . It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg-20020616-081702.ar was created July 16 2002 at 8:17:02.
The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited.
The no form of this command removes the secure configuration archive and disables configuration resilience. An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled.
The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued.
The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows:
•
•
Examples
The following example shows the command used to securely archive a snapshot of the router running configuration:
secure boot-configThe following example shows the command used to restore an archived image to the file slot0:rescue-cfg:
Router(config)# secure boot-config restore slot0:rescue-cfgios resilience:configuration successfully restored as slot0:rescue-cfgRelated Commands
secure boot-image
Enables Cisco IOS image resilience.
show secure bootset
Displays the status of image and configuration resilience.
secure boot-image
To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command.
secure boot-image
no secure boot-image
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command.
•
•
ios resilience :Archived image and configuration version 12.2 differs from running version 12.3.Run secure boot-config and image commands to upgrade archives to running version.To upgrade the image archive to the new running image, reenter this command from the console. A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output.
Caution
Note
Examples
The following example shows the activation of image resilience.
Router(config)# secure boot-imageRelated Commands
security authentication failure rate
To configure the number of allowable unsuccessful login attempts, use the security authentication failure rate command in global configuration mode. To disable this functionality, use the no form of this command.
security authentication failure rate threshold-rate log
no security authentication failure rate threshold-rate log
Syntax Description
Defaults
The default number of failed login attempts before a 15-second delay is 10.
Command Modes
Global configuration
Command History
Usage Guidelines
The security authentication failure rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command ensures that there are not any continuous failures to access the router.
Note
Examples
The following example shows how to configure your router to generate a syslog message after eight failed login attempts:
security authentication failure rate 8 logRelated Commands
security passwords min-length
Ensures that all configured passwords are at least a specified length.
security ipsec
To apply a previously configured IP Security (IPSec) profile to the redundancy group communications, use the security ipsec command in inter-device configuration mode. To remove the IPSec profile from the configuration, use the no form of this command.
security ipsec profile-name
no security [ipsec [profile-name]]
Syntax Description
Defaults
The redundancy group is not secured.
Command Modes
Inter-device configuration
Command History
Usage Guidelines
The security ipsec command allows you to secure a redundancy group via a previously configured IPSec profile. If you are certain that the Stateful Switchover (SSO) traffic between the redundancy group runs on a physically secure interface, you do not have to configure this command.
Note
Examples
The following example shows how to configure SSO traffic protection:
crypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!redundancy inter-devicescheme standby HA-insecurity ipsec sso-secureRelated Commands
security passwords min-length
To ensure that all configured passwords are at least a specified length, use the security passwords min-length command in global configuration mode. To disable this functionality, use the no form of this command.
security passwords min-length length
no security passwords min-length length
Syntax Description
Defaults
Six characters
Command Modes
Global configuration
Command History
Usage Guidelines
The security passwords min-length command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects user passwords, enable passwords and secrets, and line passwords. After this command is enabled, any password that is less than the specified length will fail.
Examples
The following example shows both how to specify a minimum password length of six characters and what happens when the password does not adhere to the minimum length:
security password min-length 6enable password lab% Password too short - must be at least 6 characters. Password not configured.Related Commands
self-identity
To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.
self-identity {address | fqdn | user-fqdn user-fqdn}
no self-identity {address | fqdn | user-fqdn user-fqdn}
Syntax Description
address
The IP address of the local endpoint.
fqdn
The fully qualified domain name (FQDN) of the host.
user-fqdn user-fqdn
The user FQDN that is sent to the remote endpoint.
Defaults
If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.
Command Modes
ISAKMP profile configuration
Command History
Examples
The following example shows that the IKE identity is the user FQDN "user@vpn.com":
crypto isakmp profile vpnprofileself-identity user-fqdn user@vpn.comserial-number (ca-trustpoint)
To specify whether the router serial number should be included in the certificate request, use the serial-number command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
serial-number [none]
no serial-number
Syntax Description
Defaults
Not configured. You will be prompted for the serial number during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue the serial-number command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
Use this command to specify the router serial number in the certificate request, or use the none keyword to specify that a serial number should not be included in the certificate request.
Examples
The following example shows how to omit a serial number from the "root" certificate request:
crypto ca trustpoint rootenrollment url http://10.3.0.7:80ip-address nonefqdn noneserial-number nonesubject-name CN=jack, OU=PKI, O=Cisco Systems, C=UScrypto ca trustpoint rootenrollment url http://10.3.0.7:80serial-numberRelated Commands
serial-number (pubkey)
To define the serial number for the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.
serial-number serial-number
no serial-number serial-number
Syntax Description
Defaults
No default behavior or values
Command Modes
Pubkey configuration
Command History
Examples
The following example shows that the public key of an IP Security (IPSec) peer has been specified:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey-key)# serial-number 1000000Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
address
Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.
key-string (IKE)
Specifies the RSA public key of a remote peer.
server (RADIUS)
To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server ip-address [auth-port port-number] [acct-port port-number]
no server ip-address [auth-port port-number] [acct-port port-number]
Syntax Description
Defaults
If no port attributes are defined, the defaults are as follows:
•
•
Command Modes
Server-group configuration
Command History
12.0(5)T
This command was introduced.
12.0(7)T
The following new keywords/arguments were added:
•
•
Usage Guidelines
Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.
When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)
Examples
Configuring Multiple Entries for the Same Server IP Address
The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order in which they are configured.)
! This command enables AAA.aaa new-model! The next command configures default RADIUS parameters.aaa authentication ppp default radius! The next set of commands configures multiple host entries for the same IP address.radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.20.0.1 auth-port 2000 acct-port 2000Configuring Multiple Entries Using AAA Group Servers
In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as failover backup to the first one.
! This command enables AAA.aaa new-model! The next command configures default RADIUS parameters.aaa authentication ppp default group group1! The following commands define the group1 RADIUS group server and associates servers ! with it. aaa group server radius group1server 172.20.0.1 auth-port 1000 acct-port 1001! The following commands define the group2 RADIUS group server and associates servers ! with it. aaa group server radius group2server 172.20.0.1 auth-port 2000 acct-port 2001! The following set of commands configures the RADIUS attributes for each host entry ! associated with one of the defined group servers.radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.20.0.1 auth-port 1000 acct-port 1001radius-server host 172.10.0.1 auth-port 1645 acct-port 1646Related Commands
server (TACACS+)
To configure the IP address of the TACACS+ server for the group server, use the server command in TACACS+ group server configuration mode. To remove the IP address of the RADIUS server, use the no form of this command.
server ip-address
no server ip-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
TACACS+ group server configuration
Command History
Usage Guidelines
You must configure the aaa group server tacacs command before configuring this command.
Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.
Examples
The following example shows server host entries configured for the RADIUS server:
aaa new-modelaaa authentication ppp default group g1aaa group server tacacs+ g1server 1.0.0.1server 2.0.0.1tacacs-server host 1.0.0.1tacacs-server host 2.0.0.1Related Commands
server-private (RADIUS)
To configure the IP address of the private RADIUS server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]
Syntax Description
Defaults
If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between Virtual Route Forwardings (VRFs), private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "radius" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.
Examples
The following example shows how to define the sg_water RADIUS group server and associate private servers with it:
aaa group server radius sg_waterserver-private 10.1.1.1 timeout 5 retransmit 3 key cokeserver-private 10.2.2.2 timeout 5 retransmit 3 key cokeRelated Commands
server-private (TACACS+)
To configure the IP address of the private TACACS+ server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.
server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
no server-private
Syntax Description
Defaults
If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between virtual route forwardings (VRFs), private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "TACACS+" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.
Examples
The following example shows how to define the tacacs1 TACACS+ group server and associate private servers with it:
aaa group server tacacs+ tacacs1server-private 10.1.1.1 port 19 key ciscoip vrf ciscord 100:1interface Loopback0ip address 10.0.0.2 255.0.0.0ip vrf forwarding ciscoRelated Commands
service password-encryption
To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.
service password-encryption
no service password-encryption
Syntax Description
This command has no arguments or keywords.
Defaults
No encryption
Command Modes
Global configuration
Command History
Usage Guidelines
The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.
When password encryption is enabled, the encrypted form of the passwords is displayed when a more system:running-config command is entered.
Caution
Note
Examples
The following example causes password encryption to take place:
service password-encryptionRelated Commands
set aggressive-mode client-endpoint
To specify the Tunnel-Client-Endpoint attribute within an Internet Security Association Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode client-endpoint command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.
set aggressive-mode client-endpoint client-endpoint
no set aggressive-mode client-endpoint client-endpoint
Syntax Description
Defaults
The Tunnel-Client-Endpoint attribute is not defined.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Before you can use this command, you must enable the crypto isakmp peer command.
To initiate an IKE aggressive mode negotiation and specify the RADIUS Tunnel-Client-Endpoint attribute, the set aggressive-mode client-endpoint command, along with the set aggressive-mode password command, must be configured in the ISAKMP peer policy. The Tunnel-Client-Endpoint attribute will be communicated to the server by encoding it in the appropriate IKE identity payload.
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
crypto isakmp peer address 10.4.4.1set aggressive-mode client-endpoint user-fqdn user@cisco.comset aggressive-mode password cisco123Related Commands
set aggressive-mode password
To specify the Tunnel-Password attribute within an Internet Security Association Key Management Protocol (ISAKMP) peer configuration, use the set aggressive-mode password command in ISAKMP policy configuration mode. To remove this attribute from your configuration, use the no form of this command.
set aggressive-mode password password
no set aggressive-mode password password
Syntax Description
password
Password that is used to authenticate the peer to a remote server. The tunnel password is used as the Internet Key Exchange (IKE) preshared key.
Defaults
The Tunnel-Password attribute is not defined.
Command Modes
ISAKMP policy configuration
Command History
12.2(8)T
This command was introduced.
12.3(2)T
This command was modified so that output shows that the preshared key is either encrypted or unencrypted.
Usage Guidelines
Before you can use this command, you must enable the crypto isakmp peer command.
To initiate an IKE aggressive mode negotiation, the set aggressive-mode password command, along with the set aggressive-mode client-endpoint command, must be configured in the ISAKMP peer policy. The Tunnel-Password attribute will be used as the IKE preshared key for the aggressive mode negotiation.
Output for the set aggressive-mode password command will show that the preshared key is either unencrypted or encrypted. An output example for an unencrypted preshared key would be as follows:
set aggressive-mode password test123An output example for a type 6 encrypted preshared key would be as follows:
set aggressive-mode password 6 DV'P[aTVWWbcgKU]T\T\QhZAAB
Examples
The following example shows how to initiate aggressive mode using RADIUS tunnel attributes:
Router (config)# crypto isakmp peer address 10.4.4.1Router (config-isakmp-peer)# set aggressive-mode client-endpoint user-fqdn user@cisco.comRouter (config-isakmp-peer)# set aggressive-mode password cisco123
Related Commands
set ip access-group
To check a preencrypted or postdecrypted packet against an access control list (ACL) without having to use the outside physical interface ACL, use the set ip access-group command in crypto map configuration mode. To disable the check, use the no form of this command.
set ip access-group {access-list-number | access-list-name} {in | out}
no set ip access-group {access-list-number | access-list-name} {in | out}
Syntax Description
Defaults
No crypto map access ACLs are defined to filter clear-text packets going through the IPSec tunnel.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
The set ip access-group command is used after the crypto map has been configured.
Examples
The following example shows that a crypto map access ACL has been configured:
Router (config)# crypto map map vpn1 10Router (config-crypto-map)# set ip access-group 151 inRelated Commands
crypto map
Assigns a previously defined crypto map set to an interface so that the interface can provide IPSec services.
set isakmp-profile
To set the Internet Security Association and Key Management Protocol (ISAKMP) profile name, use the set isakmp-profile command in crypto map configuration mode. To remove the ISAKMP profile name, use the no form of this command.
set isakmp-profile profile-name
no set isakmp-profile profile-name
Syntax Description
Defaults
If the ISAKMP profile is not specified in the crypto map entry, the default is to the ISAKMP profile that is on the head. If there is no ISAKMP profile on the head, the default is "none."
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use when you start the Internet Key Exchange (IKE) exchange.
Before configuring an ISAKMP profile on a crypto map, you should set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile has been configured on a crypto map:
crypto map vpnmap 10 ipsec-isakmpset isakmp-profile vpnprofileRelated Commands
set peer (IPSec)
To specify an IP Security (IPSec) peer in a crypto map entry, use the set peer command in crypto map configuration mode. To remove an IPSec peer from a crypto map entry, use the no form of this command.
set peer {host-name [dynamic] [default] | ip-address [default] }
no set peer {host-name [dynamic] [default] | ip-address [default] }
Syntax Description
Defaults
No peer is defined.
Command Modes
Crypto map configuration
Command History
11.2
This command was introduced.
12.3(4)T
The dynamic keyword was added.
12.3(14)T
The default keyword was added.
Usage Guidelines
Use this command to specify an IPSec peer for a crypto map.
This command is required for all static crypto maps. If you are defining a dynamic crypto map (with the crypto dynamic-map command), this command is not required, and in most cases is not used (because, in general, the peer is unknown).
For crypto map entries created with the crypto map map-name seq-num ipsec-isakmp command, you can specify multiple peers by repeating this command. The peer that packets are actually sent to is determined by the last peer that the router heard from (received either traffic or a negotiation request from) for a given data flow. If the attempt fails with the first peer, Internet Key Exchange (IKE) tries the next peer on the crypto map list.
For crypto map entries created with the crypto map map-name seq-num ipsec-manual command, you can specify only one IPSec peer per crypto map. If you want to change the peer, you must first delete the old peer and then specify the new peer.
You can specify the remote IPSec peer by its host name only if the host name is mapped to the peer's IP address in a DNS or if you manually map the host name to the IP address with the ip host command.
The dynamic Keyword
When specifying the host name of a remote IPSec peer via the set peer command, you can also issue the dynamic keyword, which defers DNS resolution of the host name until right before the IPSec tunnel has been established. Deferring resolution enables the Cisco IOS software to detect whether the IP address of the remote IPSec peer has changed. Thus, the software can contact the peer at the new IP address.
If the dynamic keyword is not issued, the host name is resolved immediately after it is specified. So, the Cisco IOS software cannot detect an IP address change and, therefore, attempts to connect to the IP address that it previously resolved.
The default Keyword
If there are multiple peers and you specify the default keyword, the first peer is designated as the default peer.
If dead peer detection (DPD) detects a failure, the default peer is retried before there is an attempt to connect to the next peer in the peer list.
If the default peer is unresponsive, the next peer in the peer list becomes the new current peer. Future connections through the crypto map will try that peer.
Examples
The following example shows a crypto map configuration when IKE will be used to establish the security associations (SAs). In this example, an SA could be set up to either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2The following example shows how to configure a router to perform real-time Domain Name System (DNS) resolution with a remote IPSec peer; that is, the host name of peer is resolved via a DNS lookup right before the router establishes a connection (an IPSec tunnel) with the peer.
crypto map secure_b 10 ipsec-isakmpmatch address 140set peer b.cisco.com dynamicset transform-set xsetinterface serial1ip address 30.0.0.1crypto map secure_baccess-list 140 permit ...The following example shows that the first peer, at IP address 1.1.1.1, is the default peer.
crypto map tohub 1 ipsec-isakmpset peer 1.1.1.1 defaultset peer 2.2.2.2The following example shows that the peer with the host name fred is the default peer.
crypto map tohub 2 ipsec-isakmpset peer fred dynamic defaultset peer barney dynamicRelated Commands
set pfs
To specify that IP Security (IPSec) should ask for perfect forward secrecy (PFS) when requesting new security associations for this crypto map entry, or that IPSec requires PFS when receiving requests for new security associations, use the set pfs command in crypto map configuration mode. To specify that IPSec should not request PFS, use the no form of this command.
set pfs [group1 | group2]
no set pfs
Syntax Description
Defaults
By default, PFS is not requested. If no group is specified with this command, group1 is used as the default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and dynamic crypto map entries.
During negotiation, this command causes IPSec to request PFS when requesting new security associations for the crypto map entry. The default (group1) is sent if the set pfs statement does not specify a group. If the peer initiates the negotiation and the local configuration specifies PFS, the remote peer must perform a PFS exchange or the negotiation will fail. If the local configuration does not specify a group, a default of group1 will be assumed, and an offer of either group1 or group2 will be accepted. If the local configuration specifies group2, that group must be part of the peer's offer or the negotiation will fail. If the local configuration does not specify PFS it will accept any offer of PFS from the peer.
PFS adds another level of security because if one key is ever cracked by an attacker then only the data sent with that key will be compromised. Without PFS, data sent with other keys could be also compromised.
With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs. (This exchange requires additional processing time.)
The 1024-bit Diffie-Hellman prime modulus group, group2, provides more security than group1, but requires more processing time than group1.
Examples
The following example specifies that PFS should be used whenever a new security association is negotiated for the crypto map "mymap 10":
crypto map mymap 10 ipsec-isakmpset pfs group2Related Commands
set security-association idle-time
To specify the maximum amount of time for which the current peer can be idle before the default peer is used, use the set security-association idle-time command in crypto map configuration mode. To disable this feature, use the no form of this command.
set security-association idle-time seconds [default]
no set security-association idle-time seconds [default]
Syntax Description
Defaults
If the default keyword is not specified and there is a connection timeout, the current peer remains unchanged.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is optional. Use this command if you want the default peer to be used if the current peer times out. If there is a timeout to the current peer, the connection to that peer is closed. The next time a connection is initiated, it is directed to the default peer specified in the set peer command.
Examples
In the following example, if the current peer is idle for 120 seconds, the default peer 10.1.1.1 (which was specified in the set peer command) is used for the next attempted connection:
crypto map tohub 1 ipsec-isakmpset peer 10.1.1.1 defaultset peer 10.2.2.2set security-association idle-time 120 defaultRelated Commands
set security-association level per-host
To specify that separate IP Security security associations should be requested for each source/destination host pair, use the set security-association level per-host command in crypto map configuration mode. To specify that one security association should be requested for each crypto map access list permit entry, use the no form of this command.
set security-association level per-host
no set security-association level per-host
Syntax Description
This command has no arguments or keywords.
Defaults
For a given crypto map, all traffic between two IPSec peers matching a single crypto map access list permit entry will share the same security association.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is only available for ipsec-isakmp crypto map entries and is not supported for dynamic crypto map entries.
When you use this command, you need to specify that a separate security association should be used for each source/destination host pair.
Normally, within a given crypto map, IPSec will attempt to request security associations at the granularity specified by the access list entry. For example, if the access list entry permits IP protocol traffic between subnet A and subnet B, IPSec will attempt to request security associations between subnet A and subnet B (for any IP protocol), and unless finer-grained security associations are established (by a peer request), all IPSec-protected traffic between these two subnets would use the same security association.
This command causes IPSec to request separate security associations for each source/destination host pair. In this case, each host pairing (where one host was in subnet A and the other host was in subnet B) would cause IPSec to request a separate security association.
With this command, one security association would be requested to protect traffic between host A and host B, and a different security association would be requested to protect traffic between host A and host C.
The access list entry can specify local and remote subnets, or it can specify a host-and-subnet combination. If the access list entry specifies protocols and ports, these values are applied when establishing the unique security associations.
Use this command with care, as multiple streams between given subnets can rapidly consume system resources.
Examples
The following example shows what happens with an access list entry of permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255 and a per-host level:
•
•
•
Without the per-host level, any of the above packets will initiate a single security association request originated via permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255.
Related Commands
set security-association lifetime
To override (for a particular crypto map entry) the global lifetime value, which is used when negotiating IP Security security associations, use the set security-association lifetime command in crypto map configuration mode. To reset a crypto map entry's lifetime value to the global value, use the no form of this command.
set security-association lifetime {seconds seconds | kilobytes kilobytes}
no set security-association lifetime {seconds | kilobytes}
Syntax Description
Defaults
The crypto map's security associations are negotiated according to the global lifetimes.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is available only for ipsec-isakmp crypto map entries and dynamic crypto map entries.
IPSec security associations use shared secret keys. These keys and their security associations time out together.
Assuming that the particular crypto map entry has lifetime values configured, when the router requests new security associations during security association negotiation, it will specify its crypto map lifetime value in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. The session keys/security association expires after the first of these lifetimes is reached.
If you change a lifetime, the change will not be applied to existing security associations, but will be used in subsequent negotiations to establish security associations for data flows supported by this crypto map entry. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command. Refer to the clear crypto sa command for more detail.
To change the timed lifetime, use the set security-association lifetime seconds form of the command. The timed lifetime causes the keys and security association to time out after the specified number of seconds have passed.
To change the traffic-volume lifetime, use the set security-association lifetime kilobytes form of the command. The traffic-volume lifetime causes the key and security association to time out after the specified amount of traffic (in kilobytes) has been protected by the security association's key.
Shorter lifetimes can make it harder to mount a successful key recovery attack, because the attacker has less data encrypted under the same key to work with. However, shorter lifetimes need more CPU processing time.
The lifetime values are ignored for manually established security associations (security associations installed via an ipsec-manual crypto map entry).
How These Lifetimes Work
Assuming that the particular crypto map entry does not have lifetime values configured, when the router requests new security associations it will specify its global lifetime values in the request to the peer; it will use this value as the lifetime of the new security associations. When the router receives a negotiation request from the peer, it will use the smaller of either the lifetime value proposed by the peer or the locally configured lifetime value as the lifetime of the new security associations.
The security association (and corresponding keys) will expire according to whichever occurs sooner, either after the seconds time out or after the kilobytes amount of traffic is passed.
A new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires. The new security association is negotiated either 30 seconds before the seconds lifetime expires or when the volume of traffic through the tunnel reaches 256 kilobytes less than the kilobytes lifetime (whichever occurs first).
If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPSec sees another packet that should be protected.
Examples
The following example shortens the timed lifetime for a particular crypto map entry, because there is a higher risk that the keys could be compromised for security associations belonging to the crypto map entry. The traffic-volume lifetime is not changed because there is not a high volume of traffic anticipated for these security associations. The timed lifetime is shortened to 2700 seconds (45 minutes).
crypto map mymap 10 ipsec-isakmpset security-association lifetime seconds 2700Related Commands
set security-association replay disable
To disable anti-replay checking for a particular crypto map, dynamic crypto map, or crypto profile, use the set security-association replay disable command in crypto map configuration or crypto profile configuration mode. To enable anti-replay checking, use the no form of this command.
set security-association replay disable
no set security-association replay disable
Syntax Description
This command has no arguments or keywords.
Defaults
Anti-replay checking is enabled.
Command Modes
Crypto map configuration
Crypto profile configurationCommand History
Examples
The following example shows that anti-replay checking has been disabled for the crypto map named "mymap."
crypto map mymap 30set security-association replay disableRelated Commands
set security-association replay window-size
Controls the SAs that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile.
set security-association replay window-size
To control the security associations (SAs) that are created using the policy specified by a particular crypto map, dynamic crypto map, or crypto profile, use the set security-association replay window-size command in crypto map configuration or crypto profile configuration mode. To reset the crypto map to follow the global configuration that was specified by the crypto ipsec security-association replay window-size command, use the no form of this command.
set security-association replay window-size [N]
no set security-association replay window-size
Syntax Description
N
(Optional) Size of the window. The value can be 64, 128, 256, 512, or 1024. This value sets the window size for a particular crypto map, dynamic crypto map, or crypto profile.
Defaults
Window size is not set.
Command Modes
Crypto map configuration
Crypto profile configurationCommand History
Examples
The following example shows that the SA window size has been set to 256 for the crypto map named "mymap":
crypto map mymap 10set security-association replay window-size 256Related Commands
set security-association replay disable
Disables anti-replay checking for a particular crypto map, dynamic crypto map, or crypto profile.
set session-key
To manually specify the IP Security session keys within a crypto map entry, use the set session-key command in crypto map configuration mode. This command is available only for ipsec-manual crypto map entries. To remove IPSec session keys from a crypto map entry, use the no form of this command.
Authentication Header (AH) Protocol Syntax
set session-key {inbound | outbound} ah spi hex-key-string
no set session-key {inbound | outbound} ah
Encapsulation Security Protocol (ESP) Syntax
set session-key {inbound | outbound} esp spi cipher hex-key-string [authenticator hex-key-string]
no set session-key {inbound | outbound} esp
Syntax Description
Defaults
No session keys are defined by default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
Use this command to define IPSec keys for security associations via ipsec-manual crypto map entries. (In the case of ipsec-isakmp crypto map entries, the security associations with their corresponding keys are automatically established via the IKE negotiation.)
If the crypto map's transform set includes an AH protocol, you must define IPSec keys for AH for both inbound and outbound traffic. If the crypto map's transform set includes an ESP encryption protocol, you must define IPSec keys for ESP encryption for both inbound and outbound traffic. If your transform set includes an ESP authentication protocol, you must define IPSec keys for ESP authentication for inbound and outbound traffic.
When you define multiple IPSec session keys within a single crypto map, you can assign the same security parameter index (SPI) number to all the keys. The SPI is used to identify the security association used with the crypto map. However, not all peers have the same flexibility in SPI assignment. You should coordinate SPI assignment with your peer's operator, making certain that the same SPI is not used more than once for the same destination address/protocol combination.
Security associations established via this command do not expire (unlike security associations established via IKE).
Session keys at one peer must match the session keys at the remote peer.
If you change a session key, the security association using the key will be deleted and reinitialized.
Examples
The following example shows a crypto map entry for manually established security associations. The transform set "t_set" includes only an AH protocol.
crypto ipsec transform-set t_set ah-sha-hmaccrypto map mymap 20 ipsec-manualmatch address 102set transform-set t_setset peer 10.0.0.21set session-key inbound ah 300 1111111111111111111111111111111111111111set session-key outbound ah 300 2222222222222222222222222222222222222222The following example shows a crypto map entry for manually established security associations. The transform set "someset" includes both an AH and an ESP protocol, so session keys are configured for both AH and ESP for both inbound and outbound traffic. The transform set includes both encryption and authentication ESP transforms, so session keys are created for both using the cipher and authenticator keywords.
crypto ipsec transform-set someset ah-sha-hmac esp-des esp-sha-hmaccrypto map mymap 10 ipsec-manualmatch address 101set transform-set somesetset peer 10.0.0.1set session-key inbound ah 300 9876543210987654321098765432109876543210set session-key outbound ah 300 fedcbafedcbafedcbafedcbafedcbafedcbafedcset session-key inbound esp 300 cipher 0123456789012345authenticator 0000111122223333444455556666777788889999set session-key outbound esp 300 cipher abcdefabcdefabcdauthenticator 9999888877776666555544443333222211110000Related Commands
set transform-set
To specify which transform sets can be used with the crypto map entry, use the set transform-set command in crypto map configuration mode. To remove all transform sets from a crypto map entry, use the no form of this command.
set transform-set transform-set-name [transform-set-name2...transform-set-name6]
no set transform-set
Syntax Description
Defaults
No transform sets are included by default.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
This command is required for all static and dynamic crypto map entries.
Use this command to specify which transform sets to include in a crypto map entry.
For an ipsec-isakmp crypto map entry, you can list multiple transform sets with this command. List the higher priority transform sets first.
If the local router initiates the negotiation, the transform sets are presented to the peer in the order specified in the crypto map entry. If the peer initiates the negotiation, the local router accepts the first transform set that matches one of the transform sets specified in the crypto map entry.
The first matching transform set that is found at both peers is used for the security association. If no match is found, IPSec will not establish a security association. The traffic will be dropped because there is no security association to protect the traffic.
For an ipsec-manual crypto map entry, you can specify only one transform set. If the transform set does not match the transform set at the remote peer's crypto map, the two peers will fail to correctly communicate because the peers are using different rules to process the traffic.
If you want to change the list of transform sets, re-specify the new list of transform sets to replace the old list. This change is only applied to crypto map entries that reference this transform set. The change will not be applied to existing security associations, but will be used in subsequent negotiations to establish new security associations. If you want the new settings to take effect sooner, you can clear all or part of the security association database by using the clear crypto sa command.
Any transform sets included in a crypto map must previously have been defined using the crypto ipsec transform-set command.
Examples
The following example defines two transform sets and specifies that they can both be used within a crypto map entry. (This example applies only when IKE is used to establish security associations. With crypto maps used for manually established security associations, only one transform set can be included in a given crypto map entry.)
crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmaccrypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmaccrypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1 my_t_set2set peer 10.0.0.1set peer 10.0.0.2In this example, when traffic matches access list 101, the security association can use either transform set "my_t_set1" (first priority) or "my_t_set2" (second priority) depending on which transform set matches the remote peer's transform sets.
sgbp aaa authentication
To enable a Stack Group Bidding Protocol (SGBP) authentication list, use the sgbp aaa authentication command in global configuration mode. To disable the SGBP authentication list, use the no form of this command.
sgbp aaa authentication list list-name
no sgbp aaa authentication list list-name
Syntax Description
Defaults
A SGBP authentication list is not enabled. You must use the same authentication, authorization and accounting (AAA) method list as PPP usersl.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the sgbp aaa authentication command to create a list different from the AAA list that is used by PPP users.
Examples
The following example shows how to create the AAA list "SGBP" that is to be used by SGBP users:
Router(config)# sgbp aaa authentication list SGBPRelated Commands
show aaa attributes
To display the mapping between an authentication, authorization, and accounting (AAA) attribute number and the corresponding AAA attribute name, use the show aaa attributes command in EXEC configuration mode.
show aaa attributes [protocol radius]
Syntax Description
protocol radius
(Optional) Displays the mapping between a RADIUS attribute and a AAA attribute name and number.
Command Modes
EXEC
Command History
Examples
The following example is sample output for the show aaa attributes command. In this example, all RADIUS attributes that have been enabled are displayed.
Router# show aaa attributes protocol radiusAAA ATTRIBUTE LIST:Type=1 Name=disc-cause-ext Format=EnumProtocol:RADIUSNon-Standard Type=195 Name=Ascend-Disconnect-Cau Format=EnumCisco VSA Type=1 Name=Cisco AVpair Format=StringType=2 Name=Acct-Status-Type Format=EnumProtocol:RADIUSIETF Type=40 Name=Acct-Status-Type Format=EnumType=3 Name=acl Format=UlongProtocol:RADIUSIETF Type=11 Name=Filter-Id Format=BinaryType=4 Name=addr Format=IPv4 AddressProtocol:RADIUSIETF Type=8 Name=Framed-IP-Address Format=IPv4 AddreType=5 Name=addr-pool Format=StringProtocol:RADIUSNon-Standard Type=218 Name=Ascend-IP-Pool Format=UlongType=6 Name=asyncmap Format=UlongProtocol:RADIUSNon-Standard Type=212 Name=Ascend-Asyncmap Format=UlongType=7 Name=Authentic Format=EnumProtocol:RADIUSIETF Type=45 Name=Authentic Format=EnumType=8 Name=autocmd Format=StringThe following example is sample output for the show aaa attributes command. In this example, all the T.38 fax relay statistics are displayed.
Router# show aaa attributes!Type=485 Name=originating-line-info Format=UlongType=486 Name=charge-number Format=StringType=487 Name=transmission-medium-req Format=UlongType=488 Name=redirecting-number Format=StringType=489 Name=backward-call-indicators Format=StringType=490 Name=remote-media-udp-port Format=UlongType=491 Name=remote-media-id Format=StringType=492 Name=supp-svc-xfer-by Format=StringType=493 Name=faxrelay-start-time Format=StringType=494 Name=faxrelay-max-jit-buf-depth Format=StringType=495 Name=faxrelay-jit-buf-ovflow Format=StringType=496 Name=faxrelay-mr-hs-mod Format=StringType=497 Name=faxrelay-init-hs-mod Format=StringType=498 Name=faxrelay-num-pages Format=StringType=499 Name=faxrelay-direction Format=StringType=500 Name=faxrelay-ecm-in-use Format=StringType=501 Name=faxrelay-encap-prot Format=StringType=502 Name=faxrelay-nsf-country-code Format=StringType=503 Name=faxrelay-nsf-manuf-code Format=StringType=504 Name=faxrelay-fax-success Format=StringType=505 Name=faxrelay-tx-packets Format=StringType=506 Name=faxrelay-rx-packets Format=StringTable 31 provides an alphabetical listing of the fields displayed in the output of the show aaa attributes command displaying T.38 statistics and a description of each field.
Related Commands
debug voip aaa
Enables debugging messages for gateway authentication, authorization, and accounting (AAA) to be sent to the system console.
show aaa cache filterserver
To display the cache status, use the show aaa cache filterserver command in EXEC mode.
show aaa cache filterserver
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
The show aaa cache filterserver command shows how many times a particular filter has been referenced or refreshed. This function may be used in administration to determine which filters are actually being used.
Examples
The following is sample output for the show aaa cache filterserver command:
Router# show aaa cache filterserverFilter Server Age Expires Refresh Access-Control-Lists--------------------------------------------------------------------------------aol 1.2.3.4 0 1440 100 ip in icmp dropip out icmp dropip out forward tcp dstip 1.2.3...msn 1.2.3.4 N/A Never 2 ip in tcp dropmsn2 1.2.3.4 N/A Never 2 ip in tcp dropvone 1.2.3.4 N/A Never 0 ip in tcp dropTable 32 describes the significant fields shown in the display.
Related Commands
aaa authorization cache filterserver
Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.
show aaa dead-criteria
To display dead-criteria detection information for an authentication, authorization, and accounting (AAA) server, use the show aaa dead-criteria command in privileged EXEC mode.
show aaa dead-criteria {security-protocol ip-address} [auth-port port-number] [acct-port port-number] [server-group-name]
Syntax Description
Defaults
Currently, the port-number argument for the auth-port keyword and the port-number argument for the acct-port keyword default to 1645 and 1646, respectively. The default for the server-group-name argument is radius.
Command Modes
Privileged EXEC
Command History
12.3(6)
This command was introduced.
12.3(7)T
This command was integrated into Cisco IOS Release 12.3(7)T.
Usage Guidelines
Multiple RADIUS servers having the same IP address can be configured on a router. The auth-port and acct-port keywords are used to differentiate the servers. The dead-detect interval of a server that is associated with a specified server group can be obtained by using the server-group-name keyword. (The dead-detect interval and retransmit values of a RADIUS server are set on the basis of the server group to which the server belongs. The same server can be part of multiple server groups.)
Examples
The following example shows that dead-criteria-detection information has been requested for a RADIUS server at the IP address 172.19.192.80:
Router# show aaa dead-criteria radius 172.19.192.80 radiusRADIUS Server Dead Critieria:=============================Server Details:Address : 172.19.192.80Auth Port : 1645Acct Port : 1646Server Group : radiusDead Criteria Details:Configured Retransmits : 62Configured Timeout : 27Estimated Outstanding Transactions: 5Dead Detect Time : 25sComputed Retransmit Tries: 22Statistics Gathered Since Last Successful Transaction=====================================================Max Computed Outstanding Transactions: 5Max Computed Dead Detect Time: 25sMax Computed Retransmits : 22The "Max Computed Dead Detect Time" is displayed in seconds. The other fields shown in the display are self-explanatory.
Related Commands
show aaa local user locked
To display a list of all locked-out users, use the show aaa local user locked command in privileged EXEC mode.
show aaa local user locked
Syntax Description
This command has no arguments or keywords.
Defaults
Names of locked-out users are not displayed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command can be used only by users having root privilege.
Examples
The following output of the show aaa local user locked command illustrates that user1 is locked out:
Router# show aaa local user lockedLocal-user Lock timeuser1 04:28:49 UTC Sat Jun 19 2004The fields in the output example are self-explanatory.Related Commands
show aaa server-private
To display the status of all private RADIUS servers, use the show aaa server-private command in user EXEC or privileged EXEC mode.
show aaa server-private
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC or privileged EXEC
Command History
12.3
This command was introduced.
12.3(7)T
This command was integrated into Cisco IOS Release 12.3(7)T.
Examples
The following is sample output from the show aaa server-private command. Only the first four lines of the display pertain to the status of private RADIUS servers, and the fields in this part of the display are described in Table 33.
Router# show aaa server-privateRADIUS: id 24, priority 1, host 172.31.164.120, auth-port 1645,acct-port 1646State: current UP, duration 18s, previous duration 0sDead: total time 0s, count 0Authen: request 0, timeouts 0Response: unexpected 0, server error 0, incorrect 0, time 0msTransaction: success 0, failure 0Author: request 0, timeouts 0Response: unexpected 0, server error 0, incorrect 0, time 0msTransaction: success 0, failure 0Account: request 0, timeouts 0Response: unexpected 0, server error 0, incorrect 0, time 0msTransaction: success 0, failure 0Elapsed time since counters last cleared: 2h1mTable 33 describes the significant fields in the display.
Related Commands
show aaa servers
To display information about the number of packets sent to and received from authentication, authorization, and accounting (AAA) servers, use the show aaa servers command in user EXEC and privileged EXEC mode.
show aaa servers
Syntax Description
This command has no arguments or keywords.
Command Modes
User and privileged EXEC
Command History
12.2(6)T
This command was introduced.
12.3(7)T
This command was integrated into Cisco IOS Release 12.3(7)T.
Usage Guidelines
Only RADIUS servers are supported by the show aaa servers command.
The command displays information about packets sent and received for all AAA transaction types—authentication, authorization, and accounting.
Examples
The following is sample output from the show aaa servers command:
Router# show aaa serversRADIUS: id 1, priority 1, host 172.19.192.238, auth-port 2195, acct-port 2196State: current UP, duration 323109s, previous duration 0sDead: total time 0s, count 1Authen: request 0, timeouts 0Response: unexpected 0, server error 0, incorrect 0, time 0msTransaction: success 0, failure 0Author: request 0, timeouts 0Response: unexpected 0, server error 0, incorrect 0, time 0msTransaction: success 0, failure 0Account: request 6, timeouts 5Response: unexpected 0, server error 0, incorrect 1, time 20msTransaction: success 1, failure 2Elapsed time since counters last cleared: 3d17h45mThe fields in the output are mapped to Simple Network Management Protocol (SNMP) objects in the Cisco AAA-SERVER-MIB and are used in SNMP reporting. The first line of the report is mapped to the Cisco AAA-SERVER-MIB as follows:
•
•
•
•
•
Mapping the following set of objects listed in the Cisco AAA-SERVER-MIB map to fields displayed by the show aaa servers command is more straightforward. For example, the casAuthenRequests field corresponds to the Authen: request portion of the report, casAuthenRequestTimeouts corresponds to the Authen: timeouts portion of the report, and so on.
casStatisticsGroup OBJECT-GROUPOBJECTS {casAuthenRequests,casAuthenRequestTimeouts,casAuthenUnexpectedResponses,casAuthenServerErrorResponses,casAuthenIncorrectResponses,casAuthenResponseTime,casAuthenTransactionSuccesses,casAuthenTransactionFailures,casAuthorRequests,casAuthorRequestTimeouts,casAuthorUnexpectedResponses,casAuthorServerErrorResponses,casAuthorIncorrectResponses,casAuthorResponseTime,casAuthorTransactionSuccesses,casAuthorTransactionFailures,casAcctRequests,casAcctRequestTimeouts,casAcctUnexpectedResponses,casAcctServerErrorResponses,casAcctIncorrectResponses,casAcctResponseTime,casAcctTransactionSuccesses,casAcctTransactionFailures,casState,casCurrentStateDuration,casPreviousStateDuration,casTotalDeadTime,casDeadCount}To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibsTable 34 describes the significant fields in the display.
Related Commands
show aaa user
To display attributes related to an authentication, authorization, and accounting (AAA) session, use the show aaa user command in privileged EXEC mode.
show aaa user {all | unique id}
Syntax Description
all
Displays information about all users for which AAA currently has knowledge.
unique id
Displays information for only this user.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When a user logs into a Cisco router and uses AAA, a unique ID is assigned to the session. Throughout the life of the session, various attributes that are related to the session are collected and stored internally within a AAA database. These attributes can include the IP address of the user, the protocol being used to access the router (such as PPP or Serial Line Internet Protocol [SLIP]), the speed of the connection, and the number of packets or bytes that are received or transmitted.
The output of this command provides a snapshot of various subdatabases that are associated with a AAA unique ID. Some of the more important ones are listed in Table 35.
The output also shows various AAA call events that are associated with a particular session. For example, when a session comes up, the events generally recorded are CALL START, NET UP, and IP Control Protocol UP (IPCP UP).
In addition, the output provides a snapshot of the dynamic attributes that are associated with a particular session. (Dynamic attributes are those that keep changing values throughout the life of the session.) Some of the more important ones are listed in Table 35.
The unique ID of a session can be obtained from the output of the show aaa sessions command.
Note
Note
Examples
The following example shows that information is requested for all users:
Router# show aaa user allThe following example shows that information is requested for user 5:
Router# show aaa user 5The following is sample output from the show aaa user command. The session information displayed is for a PPP over Ethernet over Ethernet (PPPoEoE) session.
Router# show aaa user 3Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%Time source is hardware calendar, *20:32:49.199 PST Wed Dec 172003Unique id 3 is currently in use.Accounting:log=0x20C201Events recorded :CALL STARTNET UPIPCP_PASSINTERIM STARTVPDN NET UPupdate method(s) :NONEupdate interval = 0Outstanding Stop Records : 0Dynamic attribute list:63CCF138 0 00000001 connect-progress(30) 4 LAN Ses Up63CCF14C 0 00000001 pre-session-time(239) 4 3(3)63CCF160 0 00000001 nas-tx-speed(337) 4 102400000(61A8000)63CCF174 0 00000001 nas-rx-speed(33) 4 102400000(61A8000)63CCF188 0 00000001 elapsed_time(296) 4 2205(89D)63CCF19C 0 00000001 bytes_in(97) 4 6072(17B8)63CCF1B0 0 00000001 bytes_out(223) 4 6072(17B8)63CCF1C4 0 00000001 pre-bytes-in(235) 4 86(56)63CCF1D8 0 00000001 pre-bytes-out(236) 4 90(5A)63CCF1EC 0 00000001 paks_in(98) 4 434(1B2)63CCF244 0 00000001 paks_out(224) 4 434(1B2)63CCF258 0 00000001 pre-paks-in(237) 4 7(7)63CCF26C 0 00000001 pre-paks-out(238) 4 9(9)No data for type EXECNo data for type CONNNET: Username=peer1Session Id=00000003 Unique Id=00000003Start Sent=1 Stop Only=Nstop_has_been_sent=NMethod List=63B4A10C : Name = defaultAttribute list:63CCF138 0 00000001 session-id(293) 4 3(3)63CCF14C 0 00000001 Framed-Protocol(62) 4 PPP63CCF160 0 00000001 protocol(241) 4 ip63CCF174 0 00000001 addr(5) 4 70.0.0.1No data for type CMDNo data for type SYSTEMNo data for type RM CALLNo data for type RM VPDNNo data for type AUTH PROXYNo data for type IPSEC-TUNNELNo data for type RESOURCENo data for type 10No data for type CALLDebg: No data availableRadi: 641AACACInterface:TTY Num = -1Stop Received = 0Byte/Packet Counts till Call Start:Start Bytes In = 106 Start Bytes Out = 168Start Paks In = 3 Start Paks Out = 4Byte/Packet Counts till Service Up:Pre Bytes In = 192 Pre Bytes Out = 258Pre Paks In = 10 Pre Paks Out = 13Cumulative Byte/Packet Counts :Bytes In = 6264 Bytes Out = 6330Paks In = 444 Paks Out = 447StartTime = 19:56:01 PST Dec 17 2003AuthenTime = 19:56:04 PST Dec 17 2003Component = PPoEAuthen: service=PPP type=CHAP method=RADIUSKerb: No data availableMeth: No data availablePreauth: No Preauth data.General:Unique Id = 00000003Session Id = 00000003Attribute List:63CCF180 0 00000001 port-type(156) 4 PPP over Ethernet63CCF194 0 00000009 interface(152) 7 0/0/0/0PerU: No data availableTable 35 lists the significant fields shown in the display.
Table 35 show aaa user Field Descriptions
Related Commands
show aaa sessions
Displays information about AAA sessions as seen in the AAA Session MIB.
show accounting
The show accounting command is replaced by the show aaa user command. See the show aaa user command for more information.
show appfw
To display application firewall policy configuration information, use the show appfw configuration command in privileged EXEC mode.
show appfw configuration [name]
Syntax Description
Defaults
If no keywords are specified, information for all policies is shown.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display information regarding the application firewall policy configuration.
Examples
This sample output for the show appfw configuration command and the show ip inspect configuration command displays the configuration for the inspection rule "mypolicy," which has been applied to all incoming HTTP traffic on the FastEthernet0/0 interface. In this example, you can see that all available HTTP inspection parameters have been defined.
Router# show appfw configurationApplication Firewall Rule configurationApplication Policy name mypolicyApplication httpstrict-http action allow alarmcontent-length minimum 0 maximum 1 action allow alarmcontent-type-verification match-req-rsp action allow alarmmax-header-length request length 1 response length 1 action allow alarmmax-uri-length 1 action allow alarmport-misuse default action allow alarmrequest-method rfc default action allow alarmrequest-method extension default action allow alarmtransfer-encoding default action allow alarmRouter# show ip inspect configSession audit trail is disabledSession alert is enabledone-minute (sampling period) thresholds are [400:500] connectionsmax-incomplete sessions thresholds are [400:500]max-incomplete tcp connections per host is 50. Block-time 0 minute.tcp synwait-time is 30 sec -- tcp finwait-time is 5 sectcp idle-time is 3600 sec -- udp idle-time is 30 secdns-timeout is 5 secInspection Rule ConfigurationInspection name firewallhttp alert is on audit-trail is off timeout 3600Related Commands
show auto secure config
To display AutoSecure configurations, use the show auto secure config command in privileged EXEC mode.
show auto secure config
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following sample output from the show auto secure config command shows what has been enabled and disabled via the auto secure command:
Router# show auto secure configno service fingerno service padno service udp-small-serversno service tcp-small-serversservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-outno cdp runno ip bootp serverno ip http serverno ip fingerno ip source-routeno ip gratuitous-arpsno ip identdsecurity passwords min-length 6security authentication failure rate 10 logenable secret 5 $1$CZ6G$GkGOnHdNJCO3CjNHHyTUA.aaa new-modelaaa authentication login local_auth localline console 0login authentication local_authexec-timeout 5 0transport output telnetline aux 0login authentication local_authexec-timeout 10 0transport output telnetline vty 0 4login authentication local_authtransport input telnetip domain-name cisco.comcrypto key generate rsa general-keys modulus 1024ip ssh time-out 60ip ssh authentication-retries 2line vty 0 4transport input ssh telnetservice timestamps debug datetime localtime show-timezone msecservice timestamps log datetime localtime show-timezone mseclogging facility local2logging trap debuggingservice sequence-numberslogging console criticallogging bufferedinterface FastEthernet0/1no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabled!interface FastEthernet1/0no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabled!interface FastEthernet1/1no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabled!interface FastEthernet0/0no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabled!ip cefinterface FastEthernet0/0ip verify unicast reverse-pathip inspect audit-trailip inspect dns-timeout 7ip inspect tcp idle-time 14400ip inspect udp idle-time 1800ip inspect name autosec_inspect cuseeme timeout 3600ip inspect name autosec_inspect ftp timeout 3600ip inspect name autosec_inspect http timeout 3600ip inspect name autosec_inspect rcmd timeout 3600ip inspect name autosec_inspect realaudio timeout 3600ip inspect name autosec_inspect smtp timeout 3600ip inspect name autosec_inspect tftp timeout 30ip inspect name autosec_inspect udp timeout 15ip inspect name autosec_inspect tcp timeout 3600access-list 100 deny ip any anyinterface FastEthernet0/0ip inspect autosec_inspect outip access-group 100 inRelated Commands
show call admission statistics
To monitor the global Call Admission Control (CAC) configuration parameters and the behavior of CAC, use the show call admission statistics command in user EXEC or privileged EXEC mode.
show call admission statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXECCommand History
Examples
The following is sample output from the show call admission statistics command:
Router# show call admission statisticsTotal Call admission charges: 0, limit 25Total calls rejected 12, accepted 51Load metric: charge 0, unscaled 0Table 36 describes the significant fields shown in the display.
Related Commands
show crypto ca certificates
Note
To display information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto ca certificates command in EXEC mode.
show crypto ca certificates
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
This command shows information about the following certificates:
•
•
•
Examples
The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto pki authenticate command:
CA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetThe CA certificate might show Key Usage as "Not Set."
The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair.
CertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Serial Number: 04806682Status: PendingKey Usage: General PurposeFingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000CA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetNote that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.
The following is sample output from the show crypto ca certificates command, and shows two router's certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
CertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 428125BDA34196003F6C78316CD8FA95Key Usage: SignatureCertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: AB352356AFCD0395E333CCFD7CD33897Key Usage: EncryptionCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetThe following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command.
CA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetRA Signature CertificateStatus: AvailableCertificate Serial Number: 34BCF8A0Key Usage: SignatureRA KeyEncipher CertificateStatus: AvailableCertificate Serial Number: 34BCF89FKey Usage: EncryptionRelated Commands
show crypto ca crls
Note
To display the current certificate revocation list (CRL) on router, use the show crypto ca crls command in EXEC mode.
show crypto ca crls
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output of the show crypto ca crls command:
Router# show crypto ca crlsCRL Issuer Name:OU = sjvpn, O = cisco, C = usLastUpdate: 16:17:34 PST Jan 10 2002NextUpdate: 17:17:34 PST Jan 11 2002Retrieved from CRL Distribution Point:LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = usRelated Commands
crypto pki crl request
Requests that a new CRL be obtained immediately from the CA.
show crypto ca roots
The show crypto ca roots command is replaced by the show crypto pki trustpoints command. See the show crypto pki trustpoints command for more information.
show crypto ca timers
Note
To display the status of the managed timers that are maintained by Cisco IOS for public key infrastructure (PKI), use the show crypto ca timers command in EXEC mode.
show crypto ca timers
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
For each timer, this command displays the time remaining before the timer expires. It also associates trustpoint certification authorities (CAs), except for certificate revocation list (CRL) timers, by displaying the CRL distribution point.
Examples
The following example is sample output for the show crypto ca timers command:
Router# show crypto ca timersPKI Timers| 4d15:13:33.144| 4d15:13:33.144 CRL http://msca-root.cisco.com/CertEnroll/msca-root.crl|328d11:56:48.372 RENEW msroot| 6:43.201 POLL verisignRelated Commands
auto-enroll
Enables autoenrollment.
crypto pki trustpoint
Declares the CA that your router should use.
show crypto ca trustpoints
Note
To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged EXEC or user EXEC mode.
show crypto ca trustpoints
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC mode
User EXEC modeCommand History
Usage Guidelines
This command replaces the show crypto ca roots command. If you enter the show crypto ca roots command, the output will be written back as the show crypto pki trustpoints command.
Examples
The following is sample output from the show crypto ca trustpoints command:
Router# show crypto ca trustpointsTrustpoint bo:Subject Name:CN = bomborra Certificate ManagerO = cisco.comC = USSerial Number:01Certificate configured.CEP URL:http://bomborraCRL query url:ldap://bomborraRelated Commands
show crypto call admission statistics
To monitor Crypto Call Admission Control (CAC) statistics, use the show crypto call admission statistics command in user EXEC or privileged EXEC mode.
show crypto call admission statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Enter this command to display information about the Crypto CAC configuration parameters and their history, including statistics regarding the current security association (SA) count, SAs being negotiated, total new SA requests, the number of Internet Key Exchange (IKE) SA requests accepted and rejected, and details regarding why requests were rejected.
Examples
The following example shows sample output from the show crypto call admission statistics command:
Router# show crypto call admission statisticsCrypto Call Admission Control Statistics-----------------------------------------------------------System Resource Limit: 0 Max IKE SAs 0Total IKE SA Count: 0 active: 0 negotiating: 0Incoming IKE Requests: 0 accepted: 0 rejected: 0Outgoing IKE Requests: 0 accepted: 0 rejected: 0Rejected IKE Requests: 0 rsrc low: 0 SA limit: 0Table 37 describes the significant fields shown in the display.
Related Commands
clear crypto call admission statistics
Clears the counters that track the number of accepted and rejected IKE SA requests.
show crypto debug-condition
To display crypto debug conditions that have already been enabled in the router, use the show crypto debug-condition command in privileged EXEC mode.
show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
You can specify as many filter values as specified via the debug crypto condition command. (You cannot specify a filter value that you did not use in the debug crypto condition command.) If no keywords are specified, all configured crypto conditions will be shown.
Examples
The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3 and when the connection ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.
Router# debug crypto condition connid 2000 engine-id 1Router# debug crypto condition peer ipv4 10.1.1.1Router# debug crypto condition peer ipv4 10.1.1.2Router# debug crypto condition peer ipv4 10.1.1.3Router# debug crypto condition unmatched! Verify crypto conditional settings.Router# show crypto debug-conditionCrypto conditional debug currently is turned ONIKE debug context unmatched flag:ONIPsec debug context unmatched flag:ONCrypto Engine debug context unmatched flag:ONIKE peer IP address filters:10.1.1.1 10.1.1.2 10.1.1.3Connection-id filters:[connid:engine_id]2000:1,! Enable global crypto CLIs to start conditional debugging.Router# debug crypto isakmpRouter# debug crypto ipsecRouter# debug crypto engineThe following example shows how to disable all crypto conditional settings via the reset keyword:
Router# debug crypto condition reset! Verify that all crypto conditional settings have been disabled.Router# show crypto debug-conditionCrypto conditional debug currently is turned OFFIKE debug context unmatched flag:OFFIPsec debug context unmatched flag:OFFCrypto Engine debug context unmatched flag:OFFRelated Commands
show crypto dynamic-map
To display a dynamic crypto map set, use the show crypto dynamic-map command in EXEC mode.
show crypto dynamic-map [tag map-name]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use the show crypto dynamic-map command to view a dynamic crypto map set.
Examples
The following is sample output for the show crypto dynamic-map command:
Router# show crypto dynamic-mapCrypto Map Template"vpn1" 1ISAKMP Profile: vpn1-raNo matching address list set.Security association lifetime: 4608000 kilobytes/3600 secondsPFS (Y/N): NTransform sets={vpn1,The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-routeRelated Commands
show crypto eng qos
To monitor and maintain low latency queueing (LLQ) for IP security (IPsec) encryption engines, use the show crypto eng qos command in privileged EXEC mode.
show crypto eng qos
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.2(13)T
This command was introduced.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
Usage Guidelines
Use the show crypto eng qos command to determine whether quality of service (QoS) is enabled on LLQ for IPsec encryption engines.
Examples
The following example shows whether LLQ for IPsec encryption engines is enabled:
Router# show crypto eng qoscrypto engine name: Multi-ISA Using VAM2crypto engine type: hardwareslot: 5queuing: enabledvisible bandwidth: 30000 kbpsllq size: 0default queue size/max: 0/64interface table size: 32FastEthernet0/0 (3), iftype 1, ctable size 16, input filter:ipprecedence 5class voice (1/3), match ip precedence 5bandwidth 500 kbps, max token 100000IN match pkt/byte 0/0, police drop 0OUT match pkt/byte 0/0, police drop 0class default, match pkt/byte 0/0, qdrop 0crypto engine bandwidth:total 30000 kbps, allocated 500 kbpsThe field descriptions in the above display are self-explanatory.
show crypto engine
To display a summary of the configuration information for the crypto engines, use the
show crypto engine command in privileged EXEC mode.show crypto engine [accelerator | brief | configuration | connections | qos]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays all crypto engines and displays the AIM-VPN product name.
Examples
The following example of the show crypto engine command and the brief keyword shows typical crypto engine summary information:
Router# show crypto engine briefcrypto engine name: Virtual Private Network (VPN) Modulecrypto engine type: hardwareVPN Module in slot: 1Product Name: AIM-VPN/EPIISoftware Serial #: 55AADevice ID: 0014Vendor ID: 13A3VSK revision: 0Boot version: 255DPU version: 0HSP version: 2.0(0x0) (PRODUCTION)Time running: 0 SecondsCompression: YesDES: Yes3 DES: YesAES CBC: Yes (128,192,256)AES CNTR: NoMaximum buffer length: 4096Maximum DH index: 2000Maximum SA index: 2000Maximum Flow index: 4000Maximum RSA key size: 2048crypto engine in slot: 1crypto engine name: unknowncrypto engine type: softwareserial number: 0DDC7C0Dcrypto engine state: installedcrypto engine in slot: N/ATable 38 describes significant fields shown in the display.
Related Commands
crypto engine accelerator
Enables the use of the onboard hardware accelerator for IPSec encryption.
show crypto engine accelerator logs
To display information about the last 32 CryptoGraphics eXtensions (CGX) Library packet processing commands and associated parameters sent from the VPN module driver to the VPN module hardware, use the show crypto engine accelerator logs command in privileged EXEC mode.
show crypto engine accelerator logs
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(1)XC
This command was introduced on the Cisco 1720 and Cisco 1750 platforms.
12.1(2)T
This command was integrated into Cisco IOS Release 12.1(2)T.
Usage Guidelines
Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected. Use the debug crypto engine accelerator logs command to enable command logging before using this command.
Note
Examples
The following is sample output for the show crypto engine accelerator logs command:
Router# show crypto engine accelerator logsContents of packet log (current index = 20):tag = 0x5B02, cmd = 0x5000param[0] = 0x000E, param[1] = 0x57E8param[2] = 0x0008, param[3] = 0x0000param[4] = 0x0078, param[5] = 0x0004param[6] = 0x142C, param[7] = 0x142Cparam[8] = 0x0078, param[9] = 0x000Ctag = 0x5B03, cmd = 0x4100param[0] = 0x000E, param[1] = 0x583Cparam[2] = 0x0034, param[3] = 0x0040param[4] = 0x00B0, param[5] = 0x0004param[6] = 0x1400, param[7] = 0x1400param[8] = 0x0020, param[9] = 0x000Ctag = 0x5C00, cmd = 0x4100param[0] = 0x000E, param[1] = 0x57BCparam[2] = 0x0034, param[3] = 0x0040param[4] = 0x00B0, param[5] = 0x0004param[6] = 0x1400, param[7] = 0x1400param[8] = 0x0020, param[9] = 0x000C...tag = 0x5A01, cmd = 0x4100param[0] = 0x000E, param[1] = 0x593Cparam[2] = 0x0034, param[3] = 0x0040param[4] = 0x00B0, param[5] = 0x0004param[6] = 0x1400, param[7] = 0x1400param[8] = 0x0020, param[9] = 0x000CContents of cgx log (current index = 12):cmd = 0x0074 ret = 0x0000param[0] = 0x0010, param[1] = 0x028Eparam[2] = 0x0039, param[3] = 0x0D1Eparam[4] = 0x0100, param[5] = 0x0000param[6] = 0x0000, param[7] = 0x0000param[8] = 0x0000, param[9] = 0x0000cmd = 0x0062 ret = 0x0000param[0] = 0x0035, param[1] = 0x1BE0param[2] = 0x0100, param[3] = 0x0222param[4] = 0x0258, param[5] = 0x0000param[6] = 0x0000, param[7] = 0x0000param[8] = 0x0000, param[9] = 0x0000cmd = 0x0063 ret = 0x0000param[0] = 0x0222, param[1] = 0x0258param[2] = 0x0000, param[3] = 0x0000param[4] = 0x0000, param[5] = 0x0000param[6] = 0x0000, param[7] = 0x020Aparam[8] = 0x002D, param[9] = 0x0000...cmd = 0x0065 ret = 0x0000param[0] = 0x0222, param[1] = 0x0258param[2] = 0x0010, param[3] = 0x028Eparam[4] = 0x00A0, param[5] = 0x0008param[6] = 0x0001, param[7] = 0x0000param[8] = 0x0000, param[9] = 0x0000Related Commands
debug crypto engine acclerator logs
Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.
show crypto engine accelerator ring
To display the contents and status of the control command, transmit packets, and receive packet rings used by the hardware accelerator crypto engine, use the show crypto engine accelerator ring command in privileged EXEC mode.
show crypto engine accelerator ring [control | packet | pool]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays the command ring information.
If there were valid data in any of the rings, the ring entry would be printed.
Examples
The following example shows the command ring information:
Router# show crypto engine accelerator ring packetPPQ RING:cmd ring:head = 10 tail =10result ring:head = 10 tail =10destination ring:head = 10 tail =10source ring:head = 10 tail =10free ring:head = 0 tail =25500000000 071A96C500000000 071A96C500000001 071A946500000001 071A946500000002 071A920500000002 071A9205...Related Commands
show crypto engine accelerator sa-database
To display active (in-use) entries in the platform-specific virtual private network (VPN) module database, use the show crypto engine accelerator sa-database command in privileged EXEC mode.
show crypto engine accelerator sa-database
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
12.1(1)XC
This command was introduced on the Cisco 1720 and Cisco 1750 platforms.
12.1(2)T
This command was integrated into Cisco IOS Release 12.1(2)T.
Usage Guidelines
Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected.
Note
Examples
The following is sample output for the show crypto engine accelerator sa-database command:
Router# show crypto engine accelerator sa-databaseFlow SummaryIndex Algorithms005 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac006 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac007 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac008 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac009 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac010 tunnel outbound esp-md5-hmac esp-des ah-sha-hmacSA Summary:Index DH-Index Algorithms003 001(deleted) DES SHA004 002(deleted) DES SHADH SummaryIndex Group ConfigRelated Commands
debug crypto engine acclerator logs
Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.
show crypto engine accelerator statistic
To display the statistics and error counters for the onboard hardware accelerator of the router for IP Security (IPSec) encryption, use the show crypto engine accelerator statistic command in privileged EXEC mode.
show crypto engine accelerator statistic
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example displays compression statistics:
Router# show crypto engine accelerator statisticStatistics for Hardware VPN Module:ds: 8235C3D8 idb: 82359A64Statistics for Encryption Module:0 packets in 0 packets out0 packet overruns 0 output packets dropped0 packets decompressed 0 packets compressed0 compressed bytes in 0 encompassed bytes in0 packets bypass compression 0 packet abort compression0 packets fail compression4:1 compression ratio 2:1 overall compression ratio0 decompressed bytes out 0 compressed bytes out0 packets decrypted 0 packets encrypted0 bytes decrypted 0 bytes encrypted0 bytes before decrypt 0 bytes after encrypt0 paks/sec in 0 paks/sec out0 Kbits/sec decrypted 0 Kbits/sec encrypted0 packet overrunsrx_no_endp: 0 rx_hi_discards: 0 fw_failure: 0invalid_sa: 0 invalid_flow: 0 cgx_errors 0fw_qs_filled: 0 fw_resource_lock:0 lotx_full_err: 0null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0dsp_coproc_err: 0 comp_unsupported:0 pak_too_big: 0null packets: 0pak_mp_length_spec_fault: 0tx_lo_queue_size_max 0 cmd_unimplemented: 0219 seconds since last clear of countersInterrupts: 4 Immed: 3 HiPri ints: 0LoPri ints: 0 POST Errs: 0 Alerts: 1Unk Cmds: 0 UnexpCmds: 0cgx_cmd_pending:0 packet_loop_max: 0 packet_loop_limit: 0Table 39 describes significant fields shown in the display.
The following sample output displays a typical output of the current statistics and error counters for the hardware accelerator of the router:
Router# show crypto engine accelerator statisticVirtual Private Network (VPN) Module in slot :0Statistics for Hardware VPN Module since the last clearof counters 1379 seconds ago167874 packets in 167874 packets out201596210 bytes in 201596059 bytes out121 paks/sec in 121 paks/sec out1169 Kbits/sec in 1169 Kbits/sec out0 packets decrypted 0 packets encrypted0 bytes before decrypt 0 bytes encrypted0 bytes decrypted 0 bytes after encrypt0 packets decompressed 0 packets compressed0 bytes before decomp 0 bytes before comp0 bytes after decomp 0 bytes after comp0 packets bypass decompr 0 packets bypass compres0 bytes bypass decompres 0 bytes bypass compressi0 packets not decompress 0 packets not compressed0 bytes not decompressed 0 bytes not compressed1.0:1 compression ratio 1.0:1 overall20 commands out 20 commands acknowledgedLast 5 minutes:46121 packets in 46121 packets out153 paks/sec in 153 paks/sec out1667834 Kbits/sec in 1667836 Kbits/sec out0 bytes decrypted 0 bytes encrypted0 Kbits/sec decrypted 0 Kbits/sec encrypted1.0:1 compression ratio 1.0:1 overallErrors:ppq full errors : 0 ppq rx errors : 0cmdq full errors : 0 cmdq rx errors : 0no buffer : 0 replay errors : 0dest overflow : 0 authentication errors : 0Out of memory : 0 Access denied : 0Out of handles : 0 Bad function code : 0Invalid parameter : 0 Bad handle value : 0Output buffer overrun : 0 Input Underrun : 0Input Overrun : 0 Invalid Key : 0Invalid Packet : 0 Decrypt Failure : 0Verification Fail : 0 Bad Attribute : 0Invalid attrribute val: 0 Missing attribute : 0Unwrappable object : 0 Hash Miscompare : 0DF Bit set : 0 RNG self test fail : 0Other error : 0sessions : 0Warnings:sessions_expired:0 packets_fragmented:0general: 0
Tip
Related Commands
show crypto ha
To display all virtual IP (VIP) addresses that are currently in use by IP Security (IPSec) and Internet Key Exchange (IKE), use the show crypto ha command in privileged EXEC mode.
show crypto ha
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following output from the show crypto ha command shows all VIP addresses that are being used by IPSec and IKE:
Router# show crypto haIKE VIP: 209.165.201.3stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76IKE VIP: 255.255.255.253stamp: Not setIKE VIP: 255.255.255.254stamp: Not setIPSec VIP: 209.165.201.3IPSec VIP: 255.255.255.253IPSec VIP: 255.255.255.254show crypto ipsec client ezvpn
To display the Cisco Easy VPN Remote configuration, use the show crypto ipsec client ezvpn command in privileged EXEC mode.
show crypto ipsec client ezvpn
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows a typical display from the show crypto ipsec client ezvpn command for an active Virtual Private Network (VPN) connection when the router is in client mode:
Router# show crypto ipsec client ezvpnTunnel name: hw1Inside interface list: FastEthernet0/0, Serial1/0,Outside interface: Serial0/0Current State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 209.165.201.0Mask: 255.255.255.224DNS Primary: 209.165.201.1DNS Secondary: 209.165.201.2NBMS/WINS Primary: 209.165.201.3NBMS/WINS Secondary: 209.165.201.4Default Domain: cisco.comThe following example shows a typical display from the show crypto ipsec client ezvpn command for an active VPN connection when the router is in network-extension mode:
Router# show crypto ipsec client ezvpnTunnel name: hw1Inside interface list: FastEthernet0/0, Serial1/0,Outside interface: Serial0/0Current State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 209.165.202.128Mask: 255.255.255.224Default Domain: cisco.comSplit Tunnel List: 1Address : 209.165.200.225Mask : 255.255.255.224Protocol : 0x0Source Port: 0Dest Port : 0The following example shows a typical display from the show crypto ipsec client ezvpn command for an inactive VPN connection:
Router# show crypto ipsec client ezvpnCurrent State: IDLELast Event: REMOVE INTERFACE CFGRouter#Table 40 describes significant fields shown by the show crypto ipsec client ezvpn command:
Related Commands
show crypto ipsec transform
Displays the specific configuration for one or all transformation sets.
show crypto ipsec sa
To display the settings used by current security associations (SAs), use the show crypto ipsec sa command in privileged EXEC mode.
show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]
IPSec and IKE Stateful Failover Syntax
show crypto ipsec sa [active | standby]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If no keyword is used, all SAs are displayed. They are sorted first by interface, and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).
Examples
The following is sample output for the show crypto ipsec sa command:
Router# show crypto ipsec sa vrf vpn2interface: Ethernet1/2Crypto map tag: ra, local addr. 172.16.1.1protected vrf: vpn2local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)current_peer: 10.1.1.1:500PERMIT, flags={}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1path mtu 1500, media mtu 1500current outbound spi: 50110CF8inbound esp sas:spi: 0xA3E24AFD(2749516541)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5127, flow_id: 7, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3503)IV size: 8 bytesreplay detection support: Yinbound ah sas:inbound pcp sas:outbound esp sas:spi: 0x50110CF8(1343294712)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5128, flow_id: 8, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3502)IV size: 8 bytesreplay detection support: Youtbound ah sas:outbound pcp sas:The following configuration was in effect when the above show crypto ipsec sa vrf command was issued. The IPSec remote access tunnel was "UP" when this command was issued.
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-route!crypto dynamic-map vpn2 1set transform-set vpn2set isakmp-profile vpn2-rareverse-route!!crypto map ra 1 ipsec-isakmp dynamic vpn1crypto map ra 2 ipsec-isakmp dynamic vpn2
IPSec and IKE Stateful Failover Examples
The following sample output shows the IPSec SA status of only the active device:
Router# show crypto ipsec sa activeinterface: Ethernet0/0Crypto map tag: to-peer-outside, local addr 209.165.201.3protected vrf: (none)local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225path mtu 1500, media mtu 1500current outbound spi: 0xD42904F0(3559458032)inbound esp sas:spi: 0xD3E9ABD0(3555306448)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2006, flow_id: 6, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586265/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79CIV size: 8 bytesreplay detection support: YStatus: ACTIVEThe following sample output shows the IPSec SA status of only the standby device:
Router# show crypto ipsec sa standbyinterface: Ethernet0/0Crypto map tag: to-peer-outside, local addr 209.165.201.3protected vrf: (none)local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225path mtu 1500, media mtu 1500current outbound spi: 0xD42904F0(3559458032)inbound esp sas:spi: 0xD3E9ABD0(3555306448)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2012, flow_id: 12, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3486)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000IV size: 8 bytesreplay detection support: YStatus: STANDBYinbound ah sas:spi: 0xF3EE3620(4092474912)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2012, flow_id: 12, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3486)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000replay detection support: YStatus: STANDBYinbound pcp sas:outbound esp sas:spi: 0xD42904F0(3559458032)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2011, flow_id: 11, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3485)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000IV size: 8 bytesreplay detection support: YStatus: STANDBYoutbound ah sas:spi: 0x75251086(1965363334)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2011, flow_id: 11, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3485)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000replay detection su
