Cisco IOS IPv6 Command Reference
show crypto isakmp policy through show ipv6 eigrp neighbors

Table Of Contents

show crypto isakmp policy

show crypto isakmp profile

show crypto map (IPsec)

show crypto session

show crypto socket

show dmvpn

show erm statistics

show glbp

show interfaces accounting

show ip sockets

show ipv6 access-list

show ipv6 cef

show ipv6 cef adjacency

show ipv6 cef non-recursive

show ipv6 cef platform

show ipv6 cef summary

show ipv6 cef switching statistics

show ipv6 cef traffic prefix-length

show ipv6 cef tree

show ipv6 cef unresolved

show ipv6 cef vrf

show ipv6 dhcp

show ipv6 dhcp binding

show ipv6 dhcp database

show ipv6 dhcp interface

show ipv6 dhcp pool

show ipv6 eigrp interfaces

show ipv6 eigrp neighbors


show crypto isakmp policy

To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in privileged EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

11.3T

This command was introduced.

12.2(13)T

The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

The command output was expanded to include default IKE policies.


Usage Guidelines

There are eight default IKE policies, with protection suites of priorities 65507 through 65514, where 65507 is the highest priority and 65514 is the lowest. If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies with the no crypto isakmp default policy command, the default IKE policies are displayed when you issue the show crypto isakmp policy command.

Examples

The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):

Router# show crypto isakmp policy

Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit

Note Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.


The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy

Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit

The following sample output from the show crypto isakmp policy command displays the default IKE policies. The manually configured IKE policies with priorities 10 and 20 have been removed.

Router(config)# no crypto isakmp policy 10
Router(config)# no crypto isakmp policy 20
Router(config)# exit
R1# show crypto isakmp policy

Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
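
The check a practitioner runs over this output, as an added example (not Cisco's code): a parser for the show crypto isakmp policy formats shown above (numbered suites, the hardware WARNING line, and the Default IKE policy block) that flags suites using single DES, 3DES, MD5 or a Diffie-Hellman group below 2048 bits. The sample capture and the 2048-bit floor are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed capture combining the output shapes shown above: a suite with the
# hardware WARNING, a manually configured DES suite and a "Default IKE policy" suite.
SAMPLE_OUTPUT = """\
Router# show crypto isakmp policy

Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Default IKE policy
Protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

@dataclass
class IkePolicy:
    priority: Optional[int]      # None for an unnumbered "Default protection suite"
    is_default: bool = False     # listed under "Default IKE policy" or unnumbered
    encryption: str = ""
    hash_alg: str = ""
    auth: str = ""
    dh_group: int = 0
    dh_bits: int = 0
    hw_warning: bool = False     # a WARNING line was printed under this suite

# Suite headers: "Protection suite [of] priority N" or the unnumbered default suite.
SUITE_RE = re.compile(r"^(?:Protection suite (?:of )?priority (\d+)|Default protection suite)")
FIELD_RE = re.compile(r"^\s+([A-Za-z\- ]+?):\s*(.*)$")   # indented "name: value" lines
DH_RE = re.compile(r"#(\d+)\s*\((\d+) bit\)")

def parse_isakmp_policy(text: str) -> List[IkePolicy]:
    """Parse show crypto isakmp policy output into one IkePolicy per suite."""
    policies: List[IkePolicy] = []
    in_default_block = False
    cur: Optional[IkePolicy] = None
    for line in text.splitlines():
        if line.startswith("Default IKE policy"):
            in_default_block = True          # every suite after this header is a default
            continue
        m = SUITE_RE.match(line)
        if m:
            prio = int(m.group(1)) if m.group(1) else None
            cur = IkePolicy(priority=prio, is_default=in_default_block or prio is None)
            policies.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("WARNING:"):      # the warning is not indented like a field
            cur.hw_warning = True
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue                         # warning continuation, blank lines, prompt
        key, val = m.group(1).lower(), m.group(2).strip().rstrip(".")
        if key == "encryption algorithm":
            cur.encryption = val
        elif key == "hash algorithm":
            cur.hash_alg = val
        elif key == "authentication method":
            cur.auth = val
        elif key == "diffie-hellman group" and (g := DH_RE.search(val)):
            cur.dh_group, cur.dh_bits = int(g.group(1)), int(g.group(2))
    return policies

def audit_policy(p: IkePolicy) -> List[str]:
    """Findings for one suite; the 2048-bit DH floor is this example's own baseline."""
    findings: List[str] = []
    enc = p.encryption.upper()
    if enc.startswith("DES"):
        findings.append("single DES encryption")
    elif "TRIPLE DES" in enc or "3DES" in enc:
        findings.append("3DES encryption")
    if p.hash_alg.startswith("Message Digest 5"):
        findings.append("MD5 hash")
    if p.dh_bits and p.dh_bits < 2048:
        findings.append(f"DH group {p.dh_group} ({p.dh_bits} bit)")
    if p.hw_warning:
        findings.append("encryption method not supported by crypto hardware")
    return findings
```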

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp default policy

Displays the default IKE policies.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in privileged EXEC mode.

show crypto isakmp profile [tag profilename | vrf vrfname]

Syntax Description

tag profilename

(Optional) Displays ISAKMP profile details specified by the profile name.

vrf vrfname

(Optional) Displays ISAKMP profile details specified by the VPN routing/forwarding instance (VRF) name.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.4(4)T

IPv6 support was added.

12.4(11)T

The tag profilename and vrf vrfname keywords and arguments were added.


Examples

The following is sample output from the show crypto isakmp profile command:

Router# show crypto isakmp profile

ISAKMP PROFILE vpn1-ra
   Identities matched are:
group vpn1-ra
   Identity presented is: ip-address

The following sample output shows information for an IPv6 router:

Router# show crypto isakmp profile

ISAKMP PROFILE tom
Identities matched are:
ipv6-address 2001:0DB8:0:1::1/32 
Certificate maps matched are:
Identity presented is: ipv6-address fqdn
keyring(s): <none>
trustpoint(s): <all>

Table 77 describes the significant fields shown in the display.

Table 77 show crypto isakmp profile Field Descriptions

Field
Description

ISAKMP PROFILE

Name of the ISAKMP profile.

Identities matched are:

Lists all identities that the ISAKMP profile will match.

Identity presented is:

The identity that the ISAKMP profile will present to the remote endpoint.


The following configuration was in effect when the preceding show crypto isakmp profile command was issued:

crypto isakmp profile vpn1-ra
 vrf vpn1
 self-identity address
 match identity group vpn1-ra
 client authentication list aaa-list
 isakmp authorization list aaa
 client configuration address initiate
 client configuration address respond

Related Commands

Command
Description

show crypto isakmp key

Lists the keyrings and their preshared keys.


show crypto map (IPsec)

To display the crypto map configuration, use the show crypto map command in user EXEC or privileged EXEC mode.

show crypto map [interface interface | tag map-name]

Syntax Description

interface interface

(Optional) Displays only the crypto map set that is applied to the specified interface.

tag map-name

(Optional) Displays only the crypto map set that is specified.


Command Default

No crypto maps are shown.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release
Modification

11.2

This command was introduced.

12.3(8)T

Output has been modified to display the crypto input and output access control lists (ACLs) that have been configured.

12.4(4)T

IPv6 address information was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

Default transform set information was added to command output.


Usage Guidelines

The show crypto map command allows you to specify a particular crypto map. The crypto maps shown in the command output have been dynamically generated; the user does not have to configure crypto maps in order for them to appear in this command output.

There are two default transform sets supported in Cisco IOS k9 images only:

esp-aes esp-sha-hmac

esp-3des esp-sha-hmac

The show crypto map command will display the default transform sets if there are no other transform sets configured for the crypto map, you have not disabled the default transform sets by issuing the no crypto ipsec default transform-set command, and the crypto engine supports the encryption algorithm.

Examples

The following example shows that crypto input and output ACLs have been configured:

Router# show crypto map

Crypto Map "test" 10 ipsec-isakmp
 Peer
 Extended IP access list ipsec_acl 
  access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255 
 Extended IP access check IN list 110 
  access-list 110 permit ip host 192.168.102.47 192.168.2.0 10.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.32 10.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.64 10.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.0 10.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.32 10.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.64 10.0.0.15
 Extended IP access check OUT list 120
  access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.47 
  access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.57
 Current peer: 10.0.0.2 
 Security association lifetime: 4608000 kilobytes/3600 seconds 
 PFS (Y/N): N 
 Transform sets=test
 Interfaces using crypto map test: 
  Serial0/1

Table 78 describes the output in the display.

Table 78 show crypto map Field Descriptions 

Field
Description

Peer

Possible peers that are configured for this crypto map entry.

Extended IP access list

Access list that is used to define which data packets are to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.

Extended IP access list check

Access lists that are used to more finely control which data packets are allowed into or out of the IPSec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer

Current peer that is being used for this crypto map entry.

Security association lifetime

Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.

PFS

(Perfect Forward Secrecy) If "Yes," the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is also renegotiated each time IPSec security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). Otherwise, the same ISAKMP SKEYID-d key is used when renegotiating IPSec SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets

List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test

Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they will be decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.


The following example displays the output of the show crypto map command. There are no transform sets configured for the crypto map "mymap", the default transform sets are enabled, and the crypto engine supports the encryption algorithm.

Router# show crypto map 

Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 102
            access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
                #$!default_transform_set_1:  { esp-aes esp-sha-hmac  } , 
                #$!default_transform_set_0:  { esp-3des esp-sha-hmac  } , 
        }
        Reverse Route Injection Enabled
        Interfaces using crypto map mymap:

The following example displays the output of the show crypto map command. There are no transform sets configured for the crypto map "mymap" and the default transform sets have been disabled.

Router(config)# no crypto ipsec default transform-set
Router(config)# exit
Router# configure terminal
Router# show crypto map 
Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 102
            access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
        }

! There are no transform sets for the crypto map "mymap."
        Reverse Route Injection Enabled
        Interfaces using crypto map mymap:

Related Commands

Command
Description

show crypto ipsec default transform-set

Displays the default IPsec transform sets.

show crypto ipsec transform-set

Displays the configured transform sets.


show crypto session

To display status information for active crypto sessions, use the show crypto session command in privileged EXEC mode.

show crypto session [[brief | detail] [local ip-address [port local-port] [remote ip-address]] [remote ip-address [port remote-port]] | [fvrf fvrf-name] [ivrf ivrf-name] | [interface interface-type] | [isakmp group group-name] | [isakmp profile profile-name] | [username username]] | [groups] | [summary group-name]

IPsec and IKE Stateful Failover Syntax

show crypto session [active | standby]

Syntax Description

brief

(Optional) Provides brief information about the session, such as the peer IP address, interface, username, group name/phase1 ID, length of session uptime, and current session status (up/down).

detail

(Optional) Provides more detailed information about the session, such as the capability of the Internet Key Exchange (IKE) security association (SA), connection ID, remaining lifetime of the IKE SA, inbound or outbound encrypted or decrypted packet number of the IP security (IPsec) flow, dropped packet number, and kilobyte-per-second lifetime of the IPsec SA.

local ip-address

(Optional) Displays status information about crypto sessions of a local crypto endpoint.

The ip-address value is the IP address of the local crypto endpoint.

port local-port

(Optional) Port of the local crypto endpoint.

The local-port value can be 1 through 65535. The default value is 500.

remote ip-address

(Optional) Displays status information about crypto sessions of a remote session.

The ip-address value is the IP address of the remote crypto endpoint.

port remote-port

(Optional) Displays status information about crypto sessions of a remote crypto endpoint.

The remote-port value can be 1 through 65535. The default value is 500.

fvrf fvrf-name

(Optional) Displays status information about the front door virtual routing and forwarding (FVRF) session.

The fvrf-name value is the name of the FVRF session.

ivrf ivrf-name

(Optional) Displays status information about the inside VRF (IVRF) session.

The ivrf-name value is the name of the IVRF session.

interface interface-type

(Optional) Displays crypto sessions on the connected interface.

The interface-type value is the type of interface connection.

isakmp group group-name

(Optional) Displays crypto sessions using the Internet Security Association and Key Management Protocol (ISAKMP) group.

The group-name value is the name of the group.

isakmp profile profile-name

(Optional) Displays crypto sessions using the Internet Security Association and Key Management Protocol (ISAKMP) profile.

The profile-name value is the name of the profile.

username username

(Optional) Displays the crypto session for the specified AAA Authentication (Xauth) or public key infrastructure (PKI) and authentication, authorization, and accounting (AAA) username.

groups

(Optional) Displays all crypto session group usage.

summary

(Optional) Displays a list of crypto session groups and associated group members.

active

(Optional) Displays all crypto sessions in the active state.

standby

(Optional) Displays all crypto sessions that are in the standby state.


Command Default

All existing sessions will be displayed.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.3(11)T

The active and standby keywords were added.

12.4(4)T

IPv6 address information was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The brief, groups, interface interface-type, isakmp group group-name, isakmp profile profile-name, summary, and username username keywords and arguments were added. The show crypto session output has been updated to include username, isakmp profile, isakmp group, assigned address, and session uptime.


Usage Guidelines

You can get a list of all the active Virtual Private Network (VPN) sessions and of the IKE and IPsec SAs for each VPN session by entering the show crypto session command. The listing will include the following information:

Interface

IKE peer description, if available

IKE SAs that are associated with the peer by whom the IPsec SAs are created

IPsec SAs serving the flows of a session

Multiple IKE or IPsec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPsec SAs that are serving the flows of the session.

IPv6 does not support the fvrf or ivrf keywords or the vrf-name argument.

Examples

The following examples show active VPN sessions.

The following example shows sample output for the show crypto session command.

Router# show crypto session 

Crypto session current status

Interface: Virtual-Access2
Username: cisco
Profile: prof
Group: easy
Assigned address: 10.3.3.4
Session status: UP-ACTIVE     
Peer: 10.1.1.2 port 500 
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active 
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Inactive 
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 3.3.3.4 
        Active SAs: 2, origin: crypto map

The following example shows sample output for the show crypto session brief command.

Router# show crypto session brief 

Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating 
        K - No IKE
ivrf = (none)
           Peer        I/F     Username     Group/Phase1_id    Uptime      Status        
           10.1.1.2    Vi2     cisco        easy               00:50:30    UA

The following example shows sample output for the show crypto session detail command.

Router# show crypto session detail

Crypto session current status 

Code: C - IKE Configuration mode, D - Dead Peer Detection 
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication 

Interface: Virtual-Access2
Username: cisco
Profile: prof
Group: easy
Assigned address: 10.3.3.4
Uptime: 00:49:33
Session status: UP-ACTIVE 
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: easy
Desc: (none)
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active 
Capabilities:CX connid:1002 lifetime:23:10:15
IPSEC FLOW: permit ip 10.0.0.0/0.0.0.0 host 10.3.3.4 
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4425776/626
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4425776/626

Table 79 describes the significant fields shown in the display.

Table 79 show crypto session Field Descriptions 

Field
Description

Interface

Interface to which the crypto session is related.

Session status

Current status of the crypto (VPN) sessions. See Table 80 for the status of the IKE SA, IPsec SA, and tunnel as shown in the display.

IKE SA

Information is provided about the IKE SA, such as local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.

IPSEC FLOW

A snapshot of information about the IPsec-protected traffic flow, such as what the flow is (for example, permit ip host 10.1.1.5 host 10.1.2.5); how many IPsec SAs there are; the origin of the SA, such as manual keyed, dynamic, or static crypto map; the number of encrypted or decrypted packets or dropped packets; and the IPsec SA remaining lifetime in kilobytes per second.


Table 80 provides an explanation of the current status of the VPN sessions shown in the display.

Table 80 Current Status of the VPN Sessions

IKE SA            IPsec SA              Tunnel Status
Exist, active     Exist (flow exists)   UP-ACTIVE
Exist, active     None (flow exists)    UP-IDLE
Exist, active     None (no flow)        UP-IDLE
Exist, inactive   Exist (flow exists)   UP-NO-IKE
Exist, inactive   None (flow exists)    DOWN-NEGOTIATING
Exist, inactive   None (no flow)        DOWN-NEGOTIATING
None              Exist (flow exists)   UP-NO-IKE
None              None (flow exists)    DOWN
None              None (no flow)        DOWN


Note IPsec flow may not exist if a dynamic crypto map is being used.


The following sample output shows all crypto sessions that are in the standby state:

Router# show crypto session standby

Crypto session current status

Interface: Ethernet0/0
Session status: UP-STANDBY    
Peer: 10.165.200.225 port 500 
  IKE SA: local 10.165.201.3/500 remote 10.165.200.225/500 Active 
  IKE SA: local 10.165.201.3/500 remote 10.165.200.225/500 Active 
  IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1 
        Active SAs: 4, origin: crypto map
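
An added example, not from the reference, that applies Table 80 to parsed show crypto session output: it derives the tunnel status each session should report from its IKE SA states and its Active SAs count, compares that with the Session status line, and lists sessions whose IPsec SAs are running with no IKE SA behind them. The sample capture is constructed; treating UP-STANDBY as outside Table 80 is this example's assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the show crypto session format: the UP-ACTIVE session
# from the reference, a session whose IKE SA has gone away while IPsec SAs
# still exist, and a session that is still negotiating.
SAMPLE_OUTPUT = """\
Router# show crypto session

Crypto session current status

Interface: Virtual-Access2
Username: cisco
Profile: prof
Group: easy
Assigned address: 10.3.3.4
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
  IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Inactive
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.3.3.4
        Active SAs: 2, origin: crypto map

Interface: Ethernet0/0
Session status: UP-NO-IKE
Peer: 10.165.200.225 port 500
  IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1
        Active SAs: 2, origin: crypto map

Interface: Ethernet0/1
Session status: DOWN-NEGOTIATING
Peer: 10.165.200.226 port 500
  IKE SA: local 10.165.201.3/500 remote 10.165.200.226/500 Inactive
  IPSEC FLOW: permit ip host 192.168.0.2 host 172.16.0.2
        Active SAs: 0, origin: crypto map
"""

@dataclass
class CryptoSession:
    interface: str
    peer: str = ""
    status: str = ""                                      # Session status as reported
    ike_states: List[str] = field(default_factory=list)   # Active / Inactive per IKE SA line
    active_sas: int = 0                                   # sum of "Active SAs" over the flows

IKE_RE = re.compile(r"^\s*IKE SA: local \S+ remote \S+ (Active|Inactive)")
SAS_RE = re.compile(r"^\s*Active SAs: (\d+)")

def parse_sessions(text: str) -> List[CryptoSession]:
    """Split show crypto session output into one CryptoSession per Interface block."""
    sessions: List[CryptoSession] = []
    cur = None
    for line in text.splitlines():
        if line.startswith("Interface: "):
            cur = CryptoSession(interface=line.split(": ", 1)[1].strip())
            sessions.append(cur)
        elif cur is None:
            continue                                # banner lines before the first block
        elif line.startswith("Peer: "):
            cur.peer = line.split()[1]              # "Peer: 10.1.1.2 port 500 ..." -> address
        elif line.startswith("Session status: "):
            cur.status = line.split(": ", 1)[1].strip()
        elif (m := IKE_RE.match(line)):
            cur.ike_states.append(m.group(1))
        elif (m := SAS_RE.match(line)):
            cur.active_sas += int(m.group(1))
    return sessions

def expected_status(s: CryptoSession) -> str:
    """Tunnel status implied by Table 80 from the IKE SA and IPsec SA columns."""
    ipsec_exists = s.active_sas > 0
    if not s.ike_states:                            # IKE SA: None
        return "UP-NO-IKE" if ipsec_exists else "DOWN"
    if "Active" in s.ike_states:                    # IKE SA: Exist, active
        return "UP-ACTIVE" if ipsec_exists else "UP-IDLE"
    return "UP-NO-IKE" if ipsec_exists else "DOWN-NEGOTIATING"   # IKE SA: Exist, inactive

def status_mismatches(sessions: List[CryptoSession]) -> List[Tuple[str, str, str]]:
    """(interface, reported, expected) where the reported status differs from Table 80.
    UP-STANDBY (stateful failover) is not covered by the table and is skipped."""
    return [(s.interface, s.status, expected_status(s))
            for s in sessions
            if s.status != "UP-STANDBY" and s.status != expected_status(s)]

def sessions_without_ike(sessions: List[CryptoSession]) -> List[str]:
    """Interfaces whose IPsec SAs have no active IKE SA: they still forward but
    need a fresh IKE SA before they can rekey."""
    return [s.interface for s in sessions if expected_status(s) == "UP-NO-IKE"]
```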

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPsec and IKE SAs).

description

Adds a description for an IKE peer.

show crypto isakmp peer

Displays peer descriptions.


show crypto socket

To list crypto sockets, use the show crypto socket command in privileged EXEC mode.

show crypto socket

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(11)T

This command was introduced.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.4(5)

The Flags field was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

Use this command to list crypto sockets and the state of the sockets.

Examples

The following sample output shows the number of crypto socket connections (2) and its state:

Router# show crypto socket

Number of Crypto Socket connections 2

   Tu0 Peers (local/remote): 192.168.2.2/192.168.1.1 
       Local Ident  (addr/mask/port/prot): (192.168.2.2/255.255.255.255/0/47)
       Remote Ident (addr/mask/port/prot): (192.168.1.1/255.255.255.255/0/47)
       Flags: shared
       Socket State: Open
       Client: "TUNNEL SEC" (Client State: Active)
   Tu1 Peers (local/remote): 192.168.2.2/192.168.1.3 
       Local Ident  (addr/mask/port/prot): (192.168.2.2/255.255.255.255/0/47)
       Remote Ident (addr/mask/port/prot): (192.168.1.3/255.255.255.255/0/47)
       Flags: shared
       Socket State: Open
       Client: "TUNNEL SEC" (Client State: Active)

Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "dmvpn-profile" Map-name: "dmvpn-profile-head-2"

Significant fields are described in Table 81.

Table 81 show crypto socket Field Descriptions 

Field
Description

Number of Crypto Socket connections

Number of crypto sockets in the system.

Socket State

This state can be Open, which means that active IPSec security associations (SAs) exist, or it can be Closed, which means that no active IPSec SAs exist.

Client

Application name and its state.

Crypto Sockets in Listen state

Name of the crypto IPSec profile.

Flags

If this field says "shared," the socket is shared with more than one tunnel interface.


show dmvpn

To display Dynamic Multipoint VPN (DMVPN) specific session information, use the show dmvpn command in privileged EXEC mode.

show dmvpn [peer [nbma | tunnel {ip-address | ipv6-address}] | network {ip-address mask | ipv6-address}] [vrf vrf-name] [interface tunnel number] [detail] [static] [debug-condition]

Syntax Description

peer

(Optional) Displays information for a specific DMVPN peer.

nbma

(Optional) Displays DMVPN information based on nonbroadcast multiaccess (NBMA) addresses.

tunnel

(Optional) Displays DMVPN information based on the peer virtual private network (VPN) address.

ip-address

(Optional) Specifies the DMVPN peer IP address.

ipv6-address

(Optional) The DMVPN peer IPv6 address.

network ip-address mask

(Optional) Displays DMVPN information based on a specific destination network and mask address.

network ipv6-address

(Optional) Displays DMVPN information based on a specific destination IPv6 address.

vrf vrf-name

(Optional) Displays information based on the specified virtual routing forwarding (VRF).

interface

(Optional) Displays DMVPN information based on a specific interface.

tunnel number

(Optional) Specifies tunnel address for DMVPN peer.

detail

(Optional) Displays detail DMVPN information for each session, including Next Hop Server (NHS) and NHS status, crypto session information, and socket details.

static

(Optional) Displays only static DMVPN information.

debug-condition

(Optional) Displays DMVPN conditional debugging.


Command Default

This command is not enabled.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(9)T

This command was introduced.

12.4(20)T

The ipv6-address argument and the network ipv6-address keyword and argument combination were added.


Usage Guidelines

Use this command to obtain DMVPN specific session information. By default, summary information will be displayed.

When the detail keyword is used, command output will include information from the show crypto session detail command, including inbound and outbound security parameter indexes (SPI) and the show crypto socket command.

Examples

The following example shows sample summary output:

Router# show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

! The line below indicates that the sessions are being displayed for Tunnel1. 
! Tunnel1 is acting as a spoke and is a peer with three other NBMA peers.

Tunnel1, Type: Spoke, NBMA Peers: 3, 

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2    192.0.2.21       192.0.2.116   IKE     3w0d D    
     1    192.0.2.102      192.0.2.11   NHRP 02:40:51 S    
     1    192.0.2.225      192.0.2.10     UP     3w0d S    

Tunnel2, Type: Spoke, NBMA Peers: 1, 
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1      192.0.2.25     192.0.2.171   IKE    never S    

Table 82 describes the significant fields shown in the display.

Table 82 show dmvpn Field Descriptions 

Field
Description

# Ent

The number of Next Hop Routing Protocol (NHRP) entries in the current session.

Peer NBMA Addr

The remote NBMA address.

Peer Tunnel Add

The remote tunnel endpoint IP address.

State

The state of the DMVPN session. The DMVPN session is either up or down. If the DMVPN state is down, the reason for the down state error is displayed—Internet Key Exchange (IKE), IPsec, or NHRP.

UpDn Tm

Displays how long the session has been in the current state.

Attrb

Displays any associated attributes of the current session. One of the following attributes will be displayed: dynamic (D), static (S), incomplete (I), Network Address Translation (NAT) for the peer address, or NATed (N), local (L), no socket (X).
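
As an added example (not Cisco's code), a parser for the summary table above that tags each row with the tunnel it appears under and reports the peers whose State column names a failed component, the rows that have never been up, and the rows carrying the X (no socket) attribute. The capture is constructed from the formats shown in this section.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed capture in the summary format shown above (two tunnels, peers in
# the IKE, NHRP and UP states, one local entry with no socket); not from a real device.
SAMPLE_OUTPUT = """\
Router# show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel1, Type: Spoke, NBMA Peers: 4,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     2    192.0.2.21       192.0.2.116   IKE     3w0d D
     1    192.0.2.102      192.0.2.11   NHRP 02:40:51 S
     1    192.0.2.225      192.0.2.10     UP     3w0d S
     1    192.0.2.229        192.0.2.5    UP 00:15:00 DLX

Tunnel2, Type: Spoke, NBMA Peers: 1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1      192.0.2.25     192.0.2.171   IKE    never S
"""

@dataclass
class DmvpnPeer:
    tunnel: str        # interface the row belongs to (Tunnel1, ...)
    role: str          # Spoke or Hub, from the "Type:" line
    entries: int       # "# Ent" column: NHRP entries for this NBMA peer
    nbma_addr: str
    tunnel_addr: str
    state: str         # UP, or the component that failed: IKE, IPsec, NHRP
    updn_time: str     # UpDn Tm column (3w0d, 02:40:51, never)
    attrb: str         # Attrb flags, e.g. "D", "S", "DLX"

TUNNEL_RE = re.compile(r"^(Tunnel\d+), Type: (\w+), NBMA Peers: (\d+)")
# A data row: count, two addresses, state, time and a run of attribute letters.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")

def parse_dmvpn(text: str) -> List[DmvpnPeer]:
    """One DmvpnPeer per table row, tagged with the tunnel block it appears under."""
    peers: List[DmvpnPeer] = []
    tunnel = role = None
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            tunnel, role = m.group(1), m.group(2)
            continue
        m = ROW_RE.match(line)
        if m and tunnel:                       # legend and header lines never match
            peers.append(DmvpnPeer(tunnel, role, int(m.group(1)), m.group(2),
                                   m.group(3), m.group(4), m.group(5), m.group(6)))
    return peers

def failed_peers(peers: List[DmvpnPeer]) -> List[Tuple[str, str, str]]:
    """(tunnel, NBMA address, failing component) for every row not in the UP state."""
    return [(p.tunnel, p.nbma_addr, p.state) for p in peers if p.state != "UP"]

def never_up_peers(peers: List[DmvpnPeer]) -> List[str]:
    """NBMA addresses of rows whose UpDn Tm column reads never."""
    return [p.nbma_addr for p in peers if p.updn_time == "never"]

def peers_without_socket(peers: List[DmvpnPeer]) -> List[str]:
    """NBMA addresses of rows flagged X (no crypto socket) in the Attrb column."""
    return [p.nbma_addr for p in peers if "X" in p.attrb]
```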


The following example shows example output of the show dmvpn command with the detail keyword:

Router# show dmvpn detail

Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
-------------- Interface Tunnel1 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 192.0.2.5
   Source addr: 192.0.2.229, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "" ip vrf forwarding ""
NHRP Details: NHS: 192.0.2.10 RE 192.0.2.11  E
Type: Spoke, NBMA Peers: 4
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    2        192.0.2.21      192.0.2.116    UP 00:14:59 D      192.0.2.118/24
                                            UP 00:14:59 D      192.0.2.116/32

  IKE SA: local 192.0.2.229/500 remote 192.0.2.21/500 Active 
          Capabilities:(none) connid:1031 lifetime:23:45:00
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.21 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1 drop 0 life (KB/Sec) 4494994/2700
        Outbound: #pkts enc'ed 1 drop 0 life (KB/Sec) 4494994/2700
   Outbound SPI : 0xD1EA3C9B, transform : esp-3des esp-sha-hmac 
    Socket State: Open

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.229       192.0.2.5    UP 00:15:00 DLX        192.0.2.5/32

# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.102      192.0.2.11 NHRP 02:55:47  S         192.0.2.11/32

  IKE SA: local 192.0.2.229/4500 remote 192.0.2.102/4500 Active 
          Capabilities:N connid:1028 lifetime:11:45:37
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.102 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 199056 drop 393401 life (KB/Sec) 4560270/1524
        Outbound: #pkts enc'ed 416631 drop 10531 life (KB/Sec) 4560322/1524
   Outbound SPI : 0x9451AF5C, transform : esp-3des esp-sha-hmac 
    Socket State: Open
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.225      192.0.2.10    UP     3w0d S         192.0.2.10/32

  IKE SA: local 192.0.2.229/500 remote 192.0.2.225/500 Active 
          Capabilities:(none) connid:1030 lifetime:03:46:44
  Crypto Session Status: UP-ACTIVE     
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.229 host 192.0.2.225 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 430261 drop 0 life (KB/Sec) 4415197/3466
        Outbound: #pkts enc'ed 406232 drop 4 life (KB/Sec) 4415197/3466
   Outbound SPI : 0xAF3E15F2, transform : esp-3des esp-sha-hmac 
    Socket State: Open

 -------------- Interface Tunnel2 info: -------------- 
Intf. is up, Line Protocol is up, Addr. is 192.0.2.172
   Source addr: 192.0.2.20, Dest addr: MGRE
  Protocol/Transport: "multi-GRE/IP", Protect "gre_prof",
Tunnel VRF "" ip vrf forwarding ""

NHRP Details: NHS:         192.0.2.171  E

Type: Spoke, NBMA Peers: 1
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      192.0.2.25     192.0.2.171  IKE     never S        192.0.2.171/32

  IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive 
          Capabilities:(none) connid:0 lifetime:0
  IKE SA: local 192.0.2.20/500 remote 192.0.2.25/500 Inactive 
          Capabilities:(none) connid:0 lifetime:0
  Crypto Session Status: DOWN-NEGOTIATING
  fvrf: (none)
  IPSEC FLOW: permit 47 host 192.0.2.20 host 192.0.2.25 
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 436431 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform : 
    Socket State: Closed

Pending DMVPN Sessions:
!There are no pending DMVPN sessions.
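
The per-peer rows and the crypto detail that follows them are what an operator checks after a hub or spoke change, and the same fields are what a monitoring job should alert on: a peer stalled at IKE or NHRP, a peer that has silently moved behind NAT, a transform that is still esp-3des (3DES is deprecated and should be replaced by AES), or outbound packets being dropped because no IPsec SA exists. The following script is an added example, not Cisco code and not part of this command reference. It assumes the column layout and detail lines exactly as they appear in the sample output above; the embedded input is constructed from that sample, and other IOS releases may format the output differently.

```python
"""Parse 'show dmvpn detail' output and flag sessions that need a second look.

Added example, not Cisco code. Assumes the column layout and the per-peer
detail lines exactly as shown in the sample output on this page.
"""
import re
from dataclasses import dataclass

# Sample constructed from the show dmvpn detail output on this page (trimmed).
SAMPLE = """\
-------------- Interface Tunnel1 info: --------------
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.229       192.0.2.5    UP 00:15:00 DLX        192.0.2.5/32
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1     192.0.2.102      192.0.2.11 NHRP 02:55:47  S         192.0.2.11/32
  IKE SA: local 192.0.2.229/4500 remote 192.0.2.102/4500 Active
          Capabilities:N connid:1028 lifetime:11:45:37
  Crypto Session Status: UP-ACTIVE
        Active SAs: 2, origin: crypto map
        Outbound: #pkts enc'ed 416631 drop 10531 life (KB/Sec) 4560322/1524
   Outbound SPI : 0x9451AF5C, transform : esp-3des esp-sha-hmac
 -------------- Interface Tunnel2 info: --------------
# Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
----- --------------- --------------- ----- -------- ----- -----------------
    1      192.0.2.25     192.0.2.171  IKE     never S        192.0.2.171/32
  Crypto Session Status: DOWN-NEGOTIATING
        Active SAs: 0, origin: crypto map
        Outbound: #pkts enc'ed 0 drop 436431 life (KB/Sec) 0/0
   Outbound SPI : 0x       0, transform :
"""

IFACE_RE = re.compile(r"Interface (\S+) info:")
# peer row: count, NBMA addr, tunnel addr, state, uptime, attribute flags, target network
ROW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s*$")
CAP_RE = re.compile(r"Capabilities:(\w+)")          # "(none)" does not match \w+
STATUS_RE = re.compile(r"Crypto Session Status:\s*(\S+)")
SAS_RE = re.compile(r"Active SAs:\s*(\d+)")
DROP_RE = re.compile(r"Outbound: #pkts enc'ed \d+ drop (\d+)")
TRANSFORM_RE = re.compile(r"transform\s*:\s*(.*)$")


@dataclass
class Session:
    interface: str
    nbma: str
    tunnel: str
    state: str        # UP, or the stage the session is stuck at: IKE, IPsec, NHRP
    uptime: str
    attrb: str        # S/D/I/N/L/X flags, possibly combined, e.g. DLX
    target: str
    status: str = ""  # Crypto Session Status, e.g. UP-ACTIVE, DOWN-NEGOTIATING
    nat_t: bool = False
    active_sas: int = 0
    out_drop: int = 0
    transform: str = ""


def parse(text):
    """Return one Session per peer row, enriched with the detail lines that follow it."""
    sessions, iface, cur = [], "", None
    for line in text.splitlines():
        if (m := IFACE_RE.search(line)):
            iface = m.group(1)
        elif (m := ROW_RE.match(line)):
            cur = Session(iface, *m.groups())
            sessions.append(cur)
        elif cur is None:
            continue
        elif (m := CAP_RE.search(line)):
            cur.nat_t = "N" in m.group(1)
        elif (m := STATUS_RE.search(line)):
            cur.status = m.group(1)
        elif (m := SAS_RE.search(line)):
            cur.active_sas = int(m.group(1))
        elif (m := DROP_RE.search(line)):
            cur.out_drop = int(m.group(1))
        elif (m := TRANSFORM_RE.search(line)):
            cur.transform = m.group(1).strip()
    return sessions


WEAK = ("des", "md5", "null")   # substrings of deprecated IPsec transforms


def audit(sessions):
    """Return (interface, peer NBMA address, reason) for every session worth attention."""
    findings = []
    for s in sessions:
        if "L" in s.attrb:           # the router's own NHRP entry; nothing to negotiate
            continue
        if s.state != "UP":
            findings.append((s.interface, s.nbma, f"not up, stalled at {s.state} stage"))
        if s.nat_t:
            findings.append((s.interface, s.nbma, "peer is behind NAT (IKE/IPsec on UDP 4500)"))
        if any(w in s.transform.lower() for w in WEAK):
            findings.append((s.interface, s.nbma, f"weak transform: {s.transform}"))
        if s.active_sas == 0 and s.out_drop > 0:
            findings.append((s.interface, s.nbma, f"{s.out_drop} packets dropped with no IPsec SA"))
    return findings


if __name__ == "__main__":
    for iface, peer, reason in audit(parse(SAMPLE)):
        print(f"{iface} {peer}: {reason}")
```

Run against the sample, the script reports the NHRP-stalled, NAT-traversed, 3DES-protected spoke peer on Tunnel1 and the IKE-stalled peer on Tunnel2 whose 436431 dropped packets show traffic is being sent into a tunnel with no SA; the local DLX entry is skipped. Feed it the real output (for example via an SSH collector) and treat any finding as a ticket rather than a log line.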

The following example shows DMVPN debug-condition information:

Router# show dmvpn debug-condition 

NBMA addresses under debug are:
Interfaces under debug are:
Tunnel101, 
Crypto DMVPN filters:
Interface = Tunnel101
DMVPN Conditional debug context unmatched flag: OFF

Related Commands

Command
Description

debug dmvpn

Debugs DMVPN sessions.

show crypto session detail

Displays detailed status information for active crypto sessions.