Table Of Contents
show crypto ace redundancy
show crypto ca certificates
show crypto ca crls
show crypto ca roots
show crypto ca timers
show crypto ca trustpoints
show crypto call admission statistics
show crypto ctcp
show crypto datapath
show crypto debug-condition
show crypto dynamic-map
show crypto eli
show crypto eng qos
show crypto engine
show crypto engine accelerator logs
show crypto engine accelerator ring
show crypto engine accelerator sa-database
show crypto engine accelerator statistic
show crypto gdoi
show crypto ha
show crypto identity
show crypto ikev2 diagnose error
show crypto ikev2 policy
show crypto ikev2 profile
show crypto ikev2 proposal
show crypto ikev2 sa
show crypto ikev2 session
show crypto ikev2 stats
show crypto ipsec client ezvpn
show crypto ipsec default transform-set
show crypto ipsec sa
show crypto ipsec security-association idle-time
show crypto ipsec security-association lifetime
show crypto ipsec transform-set
show crypto isakmp default policy
show crypto isakmp key
show crypto isakmp peers
show crypto isakmp policy
show crypto isakmp profile
show crypto isakmp sa
show crypto key mypubkey rsa
show crypto key pubkey-chain rsa
show crypto map (IPsec)
show crypto mib ipsec flowmib endpoint
show crypto mib ipsec flowmib failure
show crypto mib ipsec flowmib global
show crypto mib ipsec flowmib history
show crypto mib ipsec flowmib history failure size
show crypto mib ipsec flowmib history tunnel size
show crypto mib ipsec flowmib spi
show crypto mib ipsec flowmib tunnel
show crypto mib ipsec flowmib version
show crypto mib isakmp flowmib failure
show crypto mib isakmp flowmib global
show crypto mib isakmp flowmib history
show crypto mib isakmp flowmib peer
show crypto mib isakmp flowmib tunnel
show crypto pki benchmarks
show crypto pki certificates
show crypto pki certificates storage
show crypto pki counters
show crypto pki crls
show crypto pki server
show crypto pki server certificates
show crypto pki server crl
show crypto pki server requests
show crypto pki timers
show crypto pki token
show crypto pki trustpoints
show crypto route
show crypto ruleset
show crypto session
show crypto session group
show crypto session summary
show crypto socket
show crypto tech-support
show crypto vlan
show crypto ace redundancy
To display information about a Blade Failure Group, use the show crypto ace redundancy command in privileged EXEC mode.
show crypto ace redundancy
Defaults
No default behavior or values.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(18)SXE2
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Examples
The following example shows information about a Blade Failure Group that has a group ID of 1 and consists of two IPSec VPN SPAs—one IPSec VPN SPA is in slot 3, subslot 0 and one IPSec VPN SPA is in slot 5, subslot 0:
Router# show crypto ace redundancy
--------------------------------------
LC Redundancy Group ID :1
Pending Configuration Transactions:0
Current State :OPERATIONAL
Number of blades in the group :2
--------------------------------------
Completed Bulk Synchronization
Initialization Timer not running
Completed Bulk Synchronization
Initialization Timer not running
ACE B2B Group State:OPERATIONAL Event:BULK DONE
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_DELETE
ACE B2B Group State:OPERATIONAL Event:BULK DONE
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_DELETE
ACE B2B Group State:OPERATIONAL Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_ADD
ACE B2B Group State:CREATED Event:UNDEFINED B2B HA EVENT
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
Related Commands
Command
|
Description
|
linecard-group feature card
|
Assigns a group ID to a Blade Failure Group.
|
redundancy
|
Enters redundancy configuration mode.
|
show redundancy linecard-group
|
Displays the components of a Blade Failure Group.
|
show crypto ca certificates
Note
This command was replaced by the show crypto pki certificates command effective with Cisco IOS Release 12.3(7)T.
To display information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto ca certificates command in privileged EXEC mode.
show crypto ca certificates
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
Usage Guidelines
This command shows information about the following certificates:
•
Your certificate, if you have requested one from the CA (see the crypto pki enroll command)
•
The certificate of the CA, if you have received the CA's certificate (see the crypto pki authenticate command)
•
RA certificates, if you have received RA certificates (see the crypto pki authenticate command)
Examples
The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto pki authenticate command:
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
The CA certificate might show Key Usage as "Not Set."
The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair.
Name: myrouter.example.com
Key Usage: General Purpose
Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Note that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.
The following is sample output from the show crypto ca certificates command, and shows two router's certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
Name: myrouter.example.com
Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
Name: myrouter.example.com
Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
The following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command.
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Certificate Serial Number: 34BCF8A0
RA KeyEncipher Certificate
Certificate Serial Number: 34BCF89F
Related Commands
Command
|
Description
|
crypto pki authenticate
|
Authenticates the CA (by obtaining the certificate of the CA).
|
crypto pki enroll
|
Obtains the certificates of your router from the CA.
|
debug crypto pki messages
|
Displays debug messages for the details of the interaction (message dump) between the CA and the route.
|
debug crypto pki transactions
|
Displays debug messages for the trace of interaction (message type) between the CA and the router.
|
show crypto ca crls
Note
This command was replaced by the show crypto pki crls command effective with Cisco IOS Release 12.3(7)T.
To display the current certificate revocation list (CRL) on router, use the show crypto ca crls command in privileged EXEC mode.
show crypto ca crls
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1
|
This command was introduced.
|
Examples
The following is sample output of the show crypto ca crls command:
Router# show crypto ca crls
OU = sjvpn, O = cisco, C = us
LastUpdate: 16:17:34 PST Jan 10 2002
NextUpdate: 17:17:34 PST Jan 11 2002
Retrieved from CRL Distribution Point:
LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = us
Related Commands
Command
|
Description
|
crypto pki crl request
|
Requests that a new CRL be obtained immediately from the CA.
|
show crypto ca roots
The show crypto ca roots command is replaced by the show crypto ca trustpoints command. See the show crypto ca trustpoints command for more information.
show crypto ca timers
Note
This command was replaced by the show crypto pki timers command effective with Cisco IOS Release 12.3(8)T.
To display the status of the managed timers that are maintained by Cisco IOS for public key infrastructure (PKI), use the show crypto ca timers command in privileged EXEC mode.
show crypto ca timers
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
12.2(18)SXD
|
This command was integrated into Cisco IOS Release 12.2(18)SXD.
|
Usage Guidelines
For each timer, this command displays the time remaining before the timer expires. It also associates trustpoint certification authorities (CAs), except for certificate revocation list (CRL) timers, by displaying the CRL distribution point.
Examples
The following example is sample output for the show crypto ca timers command:
Router# show crypto ca timers
| 4d15:13:33.144 CRL http://msca-root.cisco.com/CertEnroll/msca-root.crl
|328d11:56:48.372 RENEW msroot
Related Commands
Command
|
Description
|
auto-enroll
|
Enables autoenrollment.
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
show crypto ca trustpoints
Note
This command was replaced by the show crypto pki trustpoints command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXD.
To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged EXEC or user EXEC mode.
show crypto ca trustpoints
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
User EXEC (>)
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
Usage Guidelines
This command replaces the show crypto ca roots command. If you enter the show crypto ca roots command, the output will be written back as the show crypto pki trustpoints command.
Examples
The following is sample output from the show crypto ca trustpoints command:
Router# show crypto ca trustpoints
CN = bomborra Certificate Manager
CRL query url:ldap://bomborra
Related Commands
Command
|
Description
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
show crypto call admission statistics
To monitor Crypto Call Admission Control (CAC) statistics, use the show crypto call admission statistics command in user EXEC or privileged EXEC mode.
show crypto call admission statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
12.2(18)SXD1
|
This command was integrated into Cisco IOS Release 12.2(18)SXD1.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH.
|
15.1(3)T
|
This command was modified. The output of this command was updated to display information about IPsec SAs.
|
Usage Guidelines
Enter this command to display information about the Crypto CAC configuration parameters and their history, including statistics regarding the current security association (SA) count, SAs being negotiated, total new SA requests, the number of Internet Key Exchange (IKE) and IPsec SA requests accepted and rejected, and details regarding why requests were rejected.
Examples
The following is sample output from the show crypto call admission statistics command:
Router# show crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 111 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 0 active: 0 negotiating: 0
Incoming IKE Requests: 0 accepted: 0 rejected: 0
Outgoing IKE Requests: 0 accepted: 0 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
IKE packets dropped at dispatch: 0
Total IPSEC SA Count: 0 active: 0 negotiating: 0
Incoming IPSEC Requests: 0 accepted: 0 rejected: 0
Outgoing IPSEC Requests: 0 accepted: 0 rejected: 0
Phase1.5 SAs under negotiation: 0
Table 82 describes the significant fields shown in the display.
Table 82 show crypto call admission statistics Field Descriptions
Field
|
Description
|
System Resource Limit
|
Percentage of system resources that a router is using before IKE starts dropping all SA requests.
|
Max IKE SAs
|
Number of active IKE SA requests allowed on the router.
|
Total IKE SA Count
|
Number of IKE SAs.
|
active
|
Number of active SAs.
|
negotiating
|
Number of SA requests being negotiated.
|
Incoming IKE Requests
|
Number of incoming IKE SA requests.
|
Incoming IKE Requests accepted
|
Number of accepted IKE SA requests.
|
Incoming IKE Requests rejected
|
Number of rejected incoming IKE SA requests.
|
Outgoing IKE Requests
|
Number of outgoing IKE SA requests.
|
Outgoing IKE requests accepted
|
Number of accepted outgoing IKE SA requests.
|
Outgoing IKE requests rejected
|
Number of rejected outgoing IKE SA requests.
|
Rejected IKE Requests
|
Number of IKE requests that were rejected.
|
rsrc low
|
Number of IKE requests that were rejected because system resources were low or the preconfigured system resource limit was exceeded.
|
SA limit
|
Number of IKE SA requests that were rejected because the SA limit has been reached.
|
Incoming IPSEC Requests
|
Number of incoming IPsec SA requests.
|
Incoming IPSEC Requests accepted
|
Number of accepted IPsec SA requests.
|
Incoming IPSEC Requests rejected
|
Number of rejected incoming IPsec SA requests.
|
Outgoing IPSEC Requests
|
Number of outgoing IPsec SA requests.
|
Outgoing IPSEC requests accepted
|
Number of accepted outgoing IPsec SA requests.
|
Outgoing IPSEC requests rejected
|
Number of rejected outgoing IPsec SA requests.
|
Phase1.5 SAs
|
Number of negotiations in XAUTH or configuration exchange mode.
|
Related Commands
Command
|
Description
|
clear crypto call admission statistics
|
Clears the counters that track the number of accepted and rejected IKE SA requests.
|
show crypto ctcp
To display information about a Cisco Tunnel Control Protocol (cTCP) session, use the show crypto ctcp command in privileged EXEC mode.
show crypto ctcp [peer ip-address] [detail]
Syntax Description
peer
|
(Optional) Displays information about a specific peer.
|
ip-address
|
(Optional) IP address of the specific peer.
|
detail
|
(Optional) Displays information about the local TCP sequence number and the TCP sequence number of the packets for the peer.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(9)T
|
This command was introduced.
|
Examples
The following show command output displays detailed information about a specific peer:
Router# show crypto ctcp peer 10.76.235.21 detail
10.76.235.21:3519 10.76.248.239:10000 CTCP_ACK_R
LocalSeq#6807392F RemoteSeq#010116C7
Table 83 provides information about significant fields in the display.
Table 83 show crypto ctcp Field Descriptions
Field
|
Description
|
Remote
|
IP address of the remote peer with which this cTCP session is set up.
|
Local
|
IP address of the server to which the cTCP packets are addressed.
|
VRF
|
Name of the Virtual Private Network routing and forwarding (VRF) instance to which this session belongs. If the VRF is blank, the global routing table is used.
|
Status
|
Status of the cTCP session. CTCP_ACK_R is a successful cTCP setup. Any other state indicates that cTCP is not yet set up or failed to be set up.
|
LocalSeq
|
Sequence number of the last Transmission Control Protocol (TCP) packet sent by the server on this connection.
|
RemoteSeq
|
Sequence number of the last TCP packet that was received by the peer on this connection.
|
Related Commands
Command
|
Description
|
crypto ctcp
|
Configures cTCP encapsulation for Easy VPN.
|
show crypto datapath
To display the counters that help troubleshoot an encrypted data path, use the show crypto datapath command in privileged EXEC mode.
show crypto datapath {ipv4 | ipv6} {realtime | snapshot} {all | non-zero} [error | internal | punt
| success]
Syntax Description
ipv4
|
Designate IPv4 is used in the network.
|
ipv6
|
Designate IPv6 is used in the network.
|
realtime
|
Displays the counters that capture traffic statistics as they occur.
|
snapshot
|
Displays the counters that capture traffic statistics as of a single point in time.
|
all
|
Display all counters.
|
non-zero
|
Display all counters that have at least one event recorded.
|
error
|
(Optional) Display the packet processing and dropped packet errors.
|
internal
|
(Optional) Track the movement of a packet from end to end across an encrypted data path.
|
punt
|
(Optional) Display the instances when the configured processing method failed, and an alternative was used.
|
success
|
(Optional) Display the interfaces where packets were successfully processed.
|
Command Default
The command defaults are:
•
IP version: ipv4
•
Counters: all
•
Display time: realtime
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(9)T
|
This command was introduced.
|
Usage Guidelines
Use the show crypto datapath counters command to troubleshoot an encrypted data path.
Note
Cisco recommends use of this command only for troubleshooting under the guidance of a Cisco TAC engineer.
You must specify the IP version used in the network. You can display all counters, only the counters that have recorded events, or one of these specific counters:
•
Error counters track packet processing errors and associated packet drops. When a packet encounters an error, the first 64 bytes of that packet are stored in a buffer, to facilitate troubleshooting.
•
Internal counters show the detailed movement of a packet, end to end, across an encrypted data path.
•
Punt counters track instances when the configured packet processing method failed, and an alternative method was used. Because such instances might indicate a problem, it is useful to track them.
•
Success counters help diagnose network performance problems. Frequently, although a network is configured for fast switching or CEF, packets are using a slower path. Success counters record the interfaces in the data path where packets were successfully processed and reveal the actual processing path.
You must also choose the display timeframe for the counters:
•
The realtime option captures traffic statistics as they occur, and results in significant discrepancies between the first data reports and later data, because the counters increment with the traffic flow. This is the default option.
•
The snapshot option captures traffic statistics as of a specific point in time, and results in a close match among all counts, because the counters do not increment with the continuing traffic flow.
Examples
The following example shows output from the show crypto datapath command. In this example, the snapshot option is specified for the timeframe, and only counters that have recorded events are displayed. The output of this command is intended for use by Cisco TAC engineers.
Router# show crypto datapath ipv4 snapshot non-zero
Success Statistics: Snapshot at 21:34:30 PST Mar 4 2006
2nd round ok: 245 1st round ok: 118
post encrypt ipflowok: 230
crypto ceal post encrypt switch
post encrypt ipflowok-2: 230
Error Statistics: Snapshot at 21:34:30 PST Mar 4 2006
Punt Statistics: Snapshot at 21:34:30 PST Mar 4 2006
crypto ceal post decrypt switch
Internal Statistics: Snapshot at 21:34:30 PST Mar 4 2006
check input core not con 378 check input core consume 623
came back from ce: 245 deny pak: 15
crypto decrypt ipsec sa check
crypto ceal post decrypt switch
crypto ceal post decrypt fs
les ip turbo fs: 245 tunnel ip les fs: 245
crypto ceal post decrypt ps
crypto ceal punt to process inline
coalesce: 245 simple enq: 245
crypto ceal post encrypt switch
crypto ceal post encrypt ps
ps coalesce: 230 simple enq: 230
ucast next hop: 230 ip ps send: 230
Related Commands
Command
|
Description
|
show monitor event-trace
|
Displays contents of error history buffers.
|
show crypto debug-condition
To display crypto debug conditions that have already been enabled in the router, use the show crypto debug-condition command in privileged EXEC mode.
show crypto debug-condition {[peer] [connid] [spi] [fvrf] [gdoi-group groupname]
[isakmp profile profile-name] [ivrf] [local ip-address] [unmatched] [username username]}
Syntax Description
peer
|
(Optional) Displays debug conditions related to the peer. Possible conditions can include peer IP address, subnet mask, hostname, username, and group key.
|
connid
|
(Optional) Displays debug conditions related to the connection ID.
|
spi
|
(Optional) Displays debug conditions related to the security parameter index (SPI).
|
fvrf
|
(Optional) Displays debug conditions related to the front-door virtual private network (VPN) routing and forwarding (FVRF) instance.
|
gdoi-group groupname
|
(Optional) Displays debug conditions related to the Group Domain of Interpretation (GDOI) group filter.
• The groupname value is the name of the GDOI group.
|
isakmp profile profile-name
|
(Optional) Displays debug conditions related to the Internet Security Association Key Management Protocol (ISAKMP) profile filter.
• The profile-name value is the name of the profile filter.
|
ivrf
|
(Optional) Displays debug conditions related to the inside VRF (IVRF) instance.
|
local ip-address
|
(Optional) Displays debug conditions related to the local address debug condition filters.
• The ip-address is the IP address of the local crypto endpoint.
|
unmatched
|
(Optional) Displays debug messages related to the Internet Key Exchange (IKE), IP Security (IPsec), or the crypto engine, depending on what was specified via the debug crypto condition unmatched [engine | gdoi-group | ipsec | isakmp] command.
|
username username
|
(Optional) Displays debug messages related to the AAA Authentication (Xauth) or public key infrastructure (PKI) and authentication, authorization, and accounting (AAA) username filter.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(2)T
|
This command was introduced.
|
12.2(18)SXD
|
This command was integrated into Cisco IOS Release 12.2(18)SXD.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.4(11)T
|
The gdoi-group groupname, isakmp profile profile-name, local ip-address, and username username keywords and arguments were added.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
You can specify as many filter values as specified via the debug crypto condition command. (You cannot specify a filter value that you did not use in the debug crypto condition command.)
Examples
The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3 and when the connection ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.
Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched
! Verify crypto conditional settings.
Router# show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON
IKE peer IP address filters:
10.1.1.1 10.1.1.2 10.1.1.3
Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine
The following example shows how to disable all crypto conditional settings via the reset keyword:
Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition
Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF
Related Commands
Command
|
Description
|
debug crypto condition
|
Defines conditional debug filters.
|
debug crypto condition unmatched
|
Displays crypto conditional debug messages when context information is unavailable to check against debug conditions.
|
show crypto dynamic-map
To display a dynamic crypto map set, use the show crypto dynamic-map command in privileged EXEC mode.
show crypto dynamic-map [tag map-name]
Syntax Description
tag map-name
|
(Optional) Displays only the crypto dynamic map set with the specified map-name.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show crypto dynamic-map command to view a dynamic crypto map set.
Examples
The following is sample output for the show crypto dynamic-map command:
Router# show crypto dynamic-map
Crypto Map Template"vpn1" 1
No matching address list set.
Security association lifetime: 4608000 kilobytes/3600 seconds
The following partial configuration was in effect when the above show crypto dynamic-map command was issued:
crypto dynamic-map vpn1 1
set isakmp-profile vpn1-ra
Related Commands
Command
|
Description
|
show crypto map
|
Views the crypto map configuration.
|
show crypto eli
To display how many IKE-SAs and IPSec sessions are active and how many Diffie-Hellman keys are in use for each hardware crypto engine, use the show crypto eli in user EXEC or privileged EXEC mode.
show crypto eli
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(5)E
|
This command was introduced.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.2(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS release 12.2(33)SXH.
|
Usage Guidelines
Use this command to obtain a snapshot of how many Internet Key Exchange (IKE) and IP Security (IPSec) sessions are active and how many Diffie-Hellman keys are in use for each hardware crypto engine. The show crypto eli command also allows you to see how far an ISA is from reaching its maximum limit.
Note
IKE is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE. However, IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. When IKE is used with IPSec, IKE automatically negotiates the IPSec security associations (SAs).
(The eli component of the command calls the Encryption Layer Interface.)
Examples
The following is sample output for the show crypto eli command:
Encryption Layer : ACTIVE
Number of crypto engines = 2.
Slot-3 crypto engine details.
Capability-IPSec :No-IPPCP, 3DES, NoRSA
IKE-Session : 0 active, 2029 max, 0 failed
DH-Key : 0 active, 1014 max, 0 failed
IPSec-Session : 0 active, 4059 max, 0 failed
Slot-5 crypto engine details.
Capability-IPSec :No-IPPCP, 3DES, NoRSA
IKE-Session : 0 active, 2029 max, 0 failed
DH-Key : 0 active, 1014 max, 0 failed
IPSec-Session : 0 active, 4059 max, 0 failed
The following is sample output for the show crypto eli command for the IPSec VPN SPA:
>>Hardware Encryption : ACTIVE
>> Number of hardware crypto engines = 2
>> CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
>> IPSEC: DES, 3DES, AES, RSA
>> IKE-Session : 0 active, 16383 max, 0 failed
>> DH : 0 active, 9999 max, 0 failed
>> IPSec-Session : 0 active, 65534 max, 0 failed
>> CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
>> IPSEC: DES, 3DES, AES, RSA
>> IKE-Session : 1 active, 16383 max, 0 failed
>> DH : 0 active, 9999 max, 0 failed
>> IPSec-Session : 2 active, 65534 max, 0 failed
Table 84 describes significant fields shown in the display.
Table 84 show crypto eli summary Field Descriptions
Field
|
Description
|
active
|
The number of sessions that are active on a given hardware crypto engine.
|
max
|
The maximum number of sessions allowed for any given IKE, DH, or IPSec entry.
|
failed
|
The number of times that Cisco IOS software attempted to create more sessions than the number specified in "max."
|
show crypto eng qos
To monitor and maintain low latency queueing (LLQ) for IPSec encryption engines, use the show crypto eng qos command in privileged EXEC mode.
show crypto eng qos
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(13)T
|
This command was introduced in Cisco IOS Release 12.2(13)T.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show crypto eng qos command to determine if QoS is enabled on LLQ for IPSec encryption engines.
Examples
The following example shows how to determine if LLQ for IPSec encryption engines is enabled:
Router# show crypto eng qos
crypto engine name: Multi-ISA Using VAM2
crypto engine type: hardware
visible bandwidth: 30000 kbps
default queue size/max: 0/64
FastEthernet0/0 (3), iftype 1, ctable size 16, input filter:ip
class voice (1/3), match ip precedence 5
bandwidth 500 kbps, max token 100000
IN match pkt/byte 0/0, police drop 0
OUT match pkt/byte 0/0, police drop 0
class default, match pkt/byte 0/0, qdrop 0
crypto engine bandwidth:total 30000 kbps, allocated 500 kbps
The field descriptions in the above display are self-explanatory.
show crypto engine
To display a summary of the configuration information for the crypto engines, use the show crypto engine command in privileged EXEC mode.
show crypto engine {accelerator {statistic | ring {control | packet | pool}} | brief | configuration
| connections {active | dh | dropped-packet | flow} | qos | token [detail]}
Syntax Description
accelerator
|
Displays crypto accelerator information.
|
statistic
|
Displays crypto accelerator statistic information.
|
ring
|
Displays crypto accelerator ring information.
|
control
|
Displays control ring information.
|
packet
|
Displays packet ring information.
|
pool
|
Displays pool ring information.
|
brief
|
Displays a summary of the configuration information for the crypto engine.
|
configuration
|
Displays the version and configuration information for the crypto engine.
|
connections
|
Displays information about the crypto engine connections.
|
active
|
Displays all active crypto engine connections.
|
dh
|
Displays crypto engine Diffie-Hellman table entries.
|
dropped-packet
|
Displays crypto engine dropped packets.
|
flow
|
Displays crypto engine flow table entries.
|
qos
|
Displays quality of service (QoS) information.
• This keyword has a null output if any advanced integration module (AIM) except AIM-VPN/SSL-1 is used. The command-line interface (CLI) will accept the command, but there will be no output.
|
token
|
Displays the crypto token engine information.
|
detail
|
(Optional) Displays the detailed information of the crypto token engine.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.2
|
This command was introduced on the Cisco 7200, RSP7000, and 7500 series routers.
|
12.2(15)ZJ
|
This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
12.4(4)T
|
IPv6 address information was added to command output.
|
12.4(9)T
|
AIM-VPN/SSL-3 encryption module information was added to command output.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
12.4(22)T
|
The token and detail keywords were added.
|
Cisco IOS XE Release 2.2
|
This command was integrated into Cisco IOS XE Release 2.2. The accelerator, control, packet, pool, ring, and static keywords were added.
|
Usage Guidelines
This command displays all crypto engines and displays the AIM-VPN product name.
If a hardware crypto engine does not support native Group Domain of Interpretation (GDOI) header preservation, the show crypto engine connections active output for Group Encrypted Transport VPN (GET VPN) IP security (IPsec) connections displays a disallowed IP address of 0.0.0.0 (see the show crypto engine connections active "Examples" section).
Examples
The following is sample output from the show crypto engine brief command shows typical crypto engine summary information:
Router# show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
Product Name: AIM-VPN/SSL-3
Device ID: 001F - revision 0000
HSP version: 3.3(18) (PRODUCTION)
AES CBC: Yes (128,192,256)
Maximum buffer length: 4096
Maximum RSA key size: 2048
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
crypto engine state: installed
crypto engine in slot: N/A
Table 85 describes the significant fields shown in the display.
Table 85 show crypto engine brief Field Descriptions
Field
|
Description
|
crypto engine name
|
Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command.
|
crypto engine type
|
If "software" is listed, the crypto engine resides in either the Route Switch Processor (RSP) (the Cisco IOS crypto engine) or in a second-generation Versatile Interface Processor (VIP2).
If "crypto card" or "Encryption Service Adapter" (ESA) is listed, the crypto engine is associated with an ESA.
|
crypto engine state
|
The state "installed" indicates that a crypto engine is located in the given slot, but it is not configured for encryption.
The state "dss key generated" indicates the crypto engine found in that slot has Digital Signature Standard (DSS) keys already generated.
|
crypto engine in slot
|
Chassis slot number of the crypto engine. For the Cisco IOS crypto engine, this is the chassis slot number of the RSP.
|
The following is sample output from show crypto engine command shows IPv6 information:
Router# show crypto engine connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1 Et2/0 IPsec MD5 0 46 FE80::A8BB:CCFF:FE01:2C02
2 Et2/0 IPsec MD5 41 0 FE80::A8BB:CCFF:FE01:2C02
5 Tu0 IPsec SHA+DES 0 0
3FFE:2002::A8BB:CCFF:FE01:2C02
6 Tu0 IPsec SHA+DES 0 0
3FFE:2002::A8BB:CCFF:FE01:2C02
1001 Tu0 IKE SHA+DES 0 0
3FFE:2002::A8BB:CCFF:FE01:2C02
The following show crypto engine command output displays information for a situation in which a hardware crypto engine does not support native GDOI:
Router# show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
1079 Se0/0/0.10 IPsec AES+SHA 0 0 0.0.0.0
1080 Se0/0/0.10 IPsec AES+SHA 0 0 0.0.0.0
4364 <none> IKE SHA+3DES 0 0
4381 <none> IKE SHA+3DES 0 0
Related Commands
Command
|
Description
|
crypto engine accelerator
|
Enables the use of the onboard hardware accelerator for IPSec encryption.
|
show crypto engine accelerator logs
To display information about the last 32 CryptoGraphics eXtensions (CGX) Library packet processing commands and associated parameters sent from the VPN module driver to the VPN module hardware, use the show crypto engine accelerator logs command in privileged EXEC mode.
show crypto engine accelerator logs
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(1)XC
|
This command was introduced on the Cisco 1720 and Cisco 1750 platforms.
|
12.1(2)T
|
This command was integrated into Cisco IOS Release 12.1(2)T.
|
Usage Guidelines
Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected. Use the debug crypto engine accelerator logs command to enable command logging before using this command.
Note
The show crypto engine accelerator logs command is intended only for Cisco Systems TAC personnel to collect debugging information.
Examples
The following is sample output for the show crypto engine accelerator logs command:
Router# show crypto engine accelerator logs
Contents of packet log (current index = 20):
tag = 0x5B02, cmd = 0x5000
param[0] = 0x000E, param[1] = 0x57E8
param[2] = 0x0008, param[3] = 0x0000
param[4] = 0x0078, param[5] = 0x0004
param[6] = 0x142C, param[7] = 0x142C
param[8] = 0x0078, param[9] = 0x000C
tag = 0x5B03, cmd = 0x4100
param[0] = 0x000E, param[1] = 0x583C
param[2] = 0x0034, param[3] = 0x0040
param[4] = 0x00B0, param[5] = 0x0004
param[6] = 0x1400, param[7] = 0x1400
param[8] = 0x0020, param[9] = 0x000C
tag = 0x5C00, cmd = 0x4100
param[0] = 0x000E, param[1] = 0x57BC
param[2] = 0x0034, param[3] = 0x0040
param[4] = 0x00B0, param[5] = 0x0004
param[6] = 0x1400, param[7] = 0x1400
param[8] = 0x0020, param[9] = 0x000C
tag = 0x5A01, cmd = 0x4100
param[0] = 0x000E, param[1] = 0x593C
param[2] = 0x0034, param[3] = 0x0040
param[4] = 0x00B0, param[5] = 0x0004
param[6] = 0x1400, param[7] = 0x1400
param[8] = 0x0020, param[9] = 0x000C
Contents of cgx log (current index = 12):
cmd = 0x0074 ret = 0x0000
param[0] = 0x0010, param[1] = 0x028E
param[2] = 0x0039, param[3] = 0x0D1E
param[4] = 0x0100, param[5] = 0x0000
param[6] = 0x0000, param[7] = 0x0000
param[8] = 0x0000, param[9] = 0x0000
cmd = 0x0062 ret = 0x0000
param[0] = 0x0035, param[1] = 0x1BE0
param[2] = 0x0100, param[3] = 0x0222
param[4] = 0x0258, param[5] = 0x0000
param[6] = 0x0000, param[7] = 0x0000
param[8] = 0x0000, param[9] = 0x0000
cmd = 0x0063 ret = 0x0000
param[0] = 0x0222, param[1] = 0x0258
param[2] = 0x0000, param[3] = 0x0000
param[4] = 0x0000, param[5] = 0x0000
param[6] = 0x0000, param[7] = 0x020A
param[8] = 0x002D, param[9] = 0x0000
cmd = 0x0065 ret = 0x0000
param[0] = 0x0222, param[1] = 0x0258
param[2] = 0x0010, param[3] = 0x028E
param[4] = 0x00A0, param[5] = 0x0008
param[6] = 0x0001, param[7] = 0x0000
param[8] = 0x0000, param[9] = 0x0000
Related Commands
Command
|
Description
|
debug crypto engine acclerator logs
|
Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.
|
show crypto engine accelerator ring
To display the contents and status of the control command, transmit packets, and receive packet rings used by the hardware accelerator crypto engine, use the show crypto engine accelerator ring command in privileged EXEC mode.
show crypto engine accelerator ring [control | packet | pool]
Syntax Description
control
|
(Optional) Number of control commands that are queued for execution by the hardware accelerator crypto engine are displayed.
|
packet
|
(Optional) Contents and status information for the transmit packet rings that are used by the hardware accelerator crypto engine are displayed.
|
pool
|
(Optional) Contents and status information for the receive packet rings that are used by the hardware accelerator crypto engine are displayed.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(3)XL
|
This command was introduced for the Cisco uBR905 cable access router.
|
12.2(2)XA
|
Support was added for the Cisco uBR925 cable access router.
|
12.2(13)T
|
This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
|
12.2(15)ZJ
|
This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
|
12.3(4)T
|
The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
|
Usage Guidelines
This command displays the command ring information.
If there were valid data in any of the rings, the ring entry would be printed.
Examples
The following example shows the command ring information:
Router# show crypto engine accelerator ring packet
cmd ring:head = 10 tail =10
result ring:head = 10 tail =10
destination ring:head = 10 tail =10
source ring:head = 10 tail =10
free ring:head = 0 tail =255
Related Commands
Command
|
Description
|
clear crypto engine accelerator counter
|
Resets the statistical and error counters for the hardware accelerator to zero.
|
crypto ca
|
Defines the parameters for the certification authority used for a session.
|
crypto cisco
|
Defines the encryption algorithms and other parameters for a session.
|
crypto dynamic-map
|
Creates a dynamic map crypto configuration for a session.
|
crypto engine accelerator
|
Enables the use of the onboard hardware accelerator for IPSec encryption.
|
crypto ipsec
|
Defines the IPSec SAs and transformation sets.
|
crypto isakmp
|
Enables and defines the IKE protocol and its parameters.
|
crypto key
|
Generates and exchanges keys for a cryptographic session.
|
crypto map
|
Creates and modifies a crypto map for a session.
|
debug crypto engine accelerator control
|
Displays each control command as it is given to the crypto engine.
|
debug crypto engine accelerator packet
|
Displays information about each packet sent for encryption and decryption.
|
show crypto engine accelerator sa-database
|
Displays the active (in-use) entries in the crypto engine SA database.
|
show crypto engine accelerator statistic
|
Displays the current run-time statistics and error counters for the crypto engine.
|
show crypto engine brief
|
Displays a summary of the configuration information for the crypto engine.
|
show crypto engine configuration
|
Displays the version and configuration information for the crypto engine.
|
show crypto engine connections
|
Displays a list of the current connections maintained by the crypto engine.
|
show crypto engine accelerator sa-database
To display active (in-use) entries in the platform-specific virtual private network (VPN) module database, use the show crypto engine accelerator sa-database command in privileged EXEC mode.
show crypto engine accelerator sa-database
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(1)XC
|
This command was introduced on the Cisco 1720 and Cisco 1750 platforms.
|
12.1(2)T
|
This command was integrated into Cisco IOS Release 12.1(2)T.
|
Usage Guidelines
Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected.
Note
The show crypto engine accelerator sa-database command is intended only for Cisco Systems TAC personnel to collect debugging information.
Examples
The following is sample output for the show crypto engine accelerator sa-database command:
Router# show crypto engine accelerator sa-database
005 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac
006 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac
007 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac
008 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac
009 tunnel inbound esp-md5-hmac esp-des ah-sha-hmac
010 tunnel outbound esp-md5-hmac esp-des ah-sha-hmac
Index DH-Index Algorithms
Related Commands
Command
|
Description
|
debug crypto engine acclerator logs
|
Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.
|
show crypto engine accelerator statistic
To display IP Security (IPsec) encryption statistics and error counters for the onboard hardware accelerator of the router or the IPsec Virtual Private Network (VPN) Shared Port Adapter (SPA), use the show crypto engine accelerator statistic command in privileged EXEC mode.
show crypto engine accelerator statistic
IPsec VPN SPA (SPA-IPSEC-2G) and VSPA (WS-IPSEC-3G)
show crypto engine accelerator statistic [slot slot/subslot | all] [coreutil | detail]
Syntax Description
slot slot/subslot
|
(IPsec VPN SPA and VSPA only—Optional) Chassis slot number and secondary slot number on the SPA Interface Processor (SIP) where the SPA is installed. Refer to the appropriate hardware manual for slot information. For SIPs, refer to the platform-specific SPA hardware installation guide or the corresponding "Identifying Slots and Subslots for SIPs and SPAs" topic in the platform-specific SPA software configuration guide.
Displays platform statistics for the corresponding SPA. This output will not include network interface controller statistics.
|
all
|
(IPsec VPN SPA and VSPA only—Optional) Displays platform statistics for all IPsec VPN SPAs or VSPAs on the router. This output will not include network interface controller statistics.
|
coreutil
|
(VSPA only—Optional) Displays VPN core utilization statistics.
|
detail
|
(IPsec VPN SPA and VSPA only—Optional) Displays platform statistics for the SPA and network interface controller statistics. Note that the controller statistics contain Layer 2 (L2) counters.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(1)XC
|
This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.
|
12.1(3)XL
|
This command was implemented on the Cisco uBR905 cable access router.
|
12.2(2)XA
|
Support was added for the Cisco uBR925 cable access router.
|
12.2(13)T
|
This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745. In addition, the output for this show command was enhanced to display compression statistics.
|
12.2(15)ZJ
|
This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
|
12.3(4)T
|
The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA to support the IPsec VPN SPA on Cisco 7600 series routers.
|
12.4(9)T
|
Output was added for the AIM-VPN Secure Sockets Layer (SSL) encryption module.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH to support the IPsec VPN SPA on Catalyst 6500 series switches.
|
12.2(33)SXI
|
The coreutil keyword was added for the VSPA, and output was added to display the percent utilization with other utilization statistics in the crypto engine.
|
12.4(24)T
|
Output was modified to display reassembly and fragmentation-drop counters for VPN Service Adaptor (VSA) traffic statistics.
|
Usage Guidelines
No specific usage guidelines apply to the hardware accelerators.
IPsec VPN SPA and VSPA
Enter the slot keyword to display platform statistics for the corresponding SPA. This output will not include network interface controller statistics.
Enter the all keyword to display platform statistics for all IPsec VPN SPAs and VSPAs on the router. This output will not include network interface controller statistics.
Enter the detail keyword to display platform statistics for the SPA and network interface controller statistics. Note that the controller statistics contain L2 counters.
VSPA
Enter the coreutil keyword to display VPN core utilization statistics. This output will not include network interface controller statistics.
Tip
In Cisco IOS Release 12.2(8)T and later releases, you can add a time stamp to show commands using the exec prompt timestamp command in line configuration mode.
Examples
Hardware VPN Module
The following example displays compression statistics for a hardware VPN module:
Router# show crypto engine accelerator statistic
Virtual Private Network (VPN) Module in slot : 0
Statistics for Hardware VPN Module since the last clear
of counters 85319 seconds ago
560 packets in 560 packets out
95600 bytes in 124720 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 560 packets encrypted
0 bytes before decrypt 124720 bytes encrypted
0 bytes decrypted 95600 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
10426 commands out 10426 commands acknowledged
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 bits/sec in 0 bits/sec out
0 bytes decrypted 0 bytes encrypted
0 Kbits/sec decrypted 0 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
ppq full errors : 0 ppq rx errors : 0
cmdq full errors : 0 cmdq rx errors : 0
ppq down errors : 0 cmdq down errors : 0
no buffer : 0 replay errors : 0
dest overflow : 0 authentication errors : 0
Other error : 0 Raw Input Underrun : 0
IPSEC Unsupported Option: 0 IPV4 Header Length : 0
ESP Pad Length : 0 IPSEC Decompression : 0
AH ESP seq mismatch : 0 AH Header Length : 0
AH ICV Incorrect : 0 IPCOMP CPI Mismatch : 0
IPSEC ESP Modulo : 0 Unexpected IPV6 Extensio: 0
Unexpected Protocol : 0 Dest Buf overflow : 0
IPSEC Pkt is fragment : 0 IPSEC Pkt src count : 0
Invalid IP Version : 0 Unwrappable : 0
SSL Output overrun : 0 SSL Decompress failure : 0
SSL BAD Decomp History : 0 SSL Version Mismatch : 0
SSL Input overrun : 0 SSL Conn Modulo : 0
SSL Input Underrun : 0 SSL Connection closed : 0
SSL Unrecognised content: 0 SSL record header length: 0
PPTP Duplicate packet : 0 PPTP Exceed max missed p: 0
RNG self test fail : 0 DF Bit set : 0
Hash Miscompare : 0 Unwrappable object : 0
Missing attribute : 0 Invalid attrribute value: 0
Bad Attribute : 0 Verification Fail : 0
Decrypt Failure : 0 Invalid Packet : 0
Invalid Key : 0 Input Overrun : 0
Input Underrun : 0 Output buffer overrun : 0
Bad handle value : 0 Invalid parameter : 0
Bad function code : 0 Out of handles : 0
Access denied : 0 Out of memory : 0
NR overflow : 0 pkts dropped : 0
sessions_expired : 0 packets_fragmented : 0
hsp_operations : 10441 hsp_sessio
Table 86 describes significant fields shown in the above display.
Table 86 show crypto engine accelerator statistic Compression Statistics Descriptions
Counter
|
Description
|
packets decompressed
|
Number of packets that were decompressed by the interface.
|
packets compressed
|
Number of packets that were compressed by the interface.
|
bytes before decomp
|
Number of compressed bytes that were presented to the compression algorithm from the input interface on decrypt.
|
bytes before comp
|
Number of uncompressed bytes (payload) that were presented to the compression algorithm from Cisco IOS on encrypt.
|
bytes after decomp
|
Number of decompressed bytes that were sent to Cisco IOS by the compression algorithm on decryption.
|
bytes after comp
|
Number of compressed bytes that were forwarded to Cisco IOS by the algorithm on encryption.
|
packets bypass compres
|
Number of packets that were not compressed because they were too small (<128 bytes).
|
packets not compressed
|
Number of packets that were not compressed because the packets were expanded rather than compressed.
|
compression ratio
|
Ratio of compression and decompression of packets presented to the compression algorithm that were successfully compressed or decompressed. This statistic measures the efficiency of the algorithm for all packets that were compressed or decompressed.
|
overall
|
Ratio of compression and decompression of packets presented to the compression algorithm, including those that were not compressed due to expansion or too small. This ratio indicates whether the data traffic on this interface is suitable for compression. A ratio of 1:1 would imply that no successful compression is being performed on this data traffic.
|
7200/VSA
The following example is output from a Cisco 7200 with VSA:
Router# show crypto engine accelerator statistic 0
Inbound rate: 0pps 0kb/s Outbound rate: 0pps 0kb/s
TRAFFIC Transmitted Received
-------------------------------------------------------------------------------
Message Byte Count: 1212 256
Outbound Byte Count: 12472 30332
Inbound Byte Count: 26304 19864
-------------------------------------------------------------------------------
Outbound Traffic: Route cache Processor
-------------------------------------------------------------------------------
------------------------------------------------------------------------------
TXRing Current Queue Depth:
VSA RX Exception statistics:
Invalid SA : 0 Enc Dec mismatch : 0
Next Header mismatch : 0 Pad mismatch : 0
MAC mismatch : 0 Anti replay failed : 0
Enc Seq num overflow : 0 Dec IPver mismatch : 0
Enc IPver mismatch : 0 TTL Decr : 0
Selector checks : 0 UDP mismatch : 0
IP Parse error : 0 Fragmentation Error : 0
IB Selector check : 0 TimeBased Replay Err : 0
Table 87 describes significant fields shown in the above display.
Table 87 show crypto engine statistic Field Descriptions for a Cisco 7200/VSA
Field
|
Description
|
Message Count
|
Number of messages sent to the VSA.
|
Message Byte Count
|
Byte count for the above messages.
|
Message Overflow
|
Number of messages that could not be sent because there was no space in the transmission (TX) ring.
|
Outbound Count
|
Number of outbound packets sent to the VSA for classification and/or encryption (includes packets for encryption/passthrough).
|
Outbound Byte Count
|
Byte count of the above packets.
|
Outbound Overflow
|
Number of outbound packets that could not be sent.
|
Inbound Count
|
Number of inbound packets sent to the VSA for classification and/or decryption.
|
Inbound Byte Count
|
Byte count for the above packets.
|
Inbound Overflow
|
Number of inbound packets that could not be sent because the TX ring was full.
|
Reassembled Pkt
|
Number of reassembled packets.
|
Fragments Dropped
|
Total number of fragments dropped.
|
IPPE
|
Number of inbound fragments dropped by the Ingress Packet Processing Engine (IPPE)
|
EPPE
|
Number of outbound fragments dropped by the Egress Packet Processing Engine (EPPE).
|
FIFO
|
Number of fragments dropped by the FIFO (First In First Out) fragment queue.
|
RAE
|
Number of fragments dropped by the Reassembly Engine (RAE).
|
Inbound Traffic
|
Decrypted Pkt
|
Number of decrypted packets.
|
Passthrough Pkt
|
Clear packets in the inbound direction.
|
IKE Pkt
|
Internet Key Exchange (IKE) packets that were received.
|
SPI Error
|
Received packets having an invalid Security Parameter Index (SPI).
|
Policy Violation
|
The VSA received clear packets that should have come encrypted as per the policy.
|
Outbound Traffic
|
Encrypted Pkt
|
Number of encrypted packets.
|
Passthrough Pkt
|
Outbound clear packets.
|
Policy Violation
|
No outbound SA to encrypt the packet.
|
Queue Depth
|
TXRing Current Queue Depth
|
Current queue depth of the three TX rings.
|
VSA RX Exception statistics
|
Errors from the crypto chip.
|
Invalid SA
|
Specified SA does not exist.
|
Enc Dec mismatch
|
Packet came on the wrong type of SA.
|
Next Header mismatch
|
Wrong nextheader field was found in the packet.
|
Pad mismatch
|
Wrong pad found in the packet.
|
MAC mismatch
|
Authentication check failed.
|
Anti replay failed
|
Anti-replay error.
|
Enc Seq num overflow
|
Sequence number reached the max for the SA.
|
Dec IPver mismatch
|
Wrong IP version for the packet to be decrypted (for example, an IPv4 packet came in for an IPv6 SA).
|
Enc IPver mismatch
|
Wrong IP version for the packet to be encrypted. Wrong IP version for the packet to be encrypted.
|
TTL Decr
|
Time to Live decremented to 0 (zero).
|
Selector checks
|
Decrypted packet failed the policy check.
|
UDP mismatch
|
User Data Protocol (UDP) packet failed the sanity check.
|
IP Parse error
|
Error in IP packet parsing.
|
Fragmentation Error
|
Could not fragment; DF bit set.
|
IB Selector check
|
Decrypted packet failed the policy check (for Group Encrypted Transport Virtual Private Network [GET VPN]).
|
TimeBased Replay Err
|
Time-based anti-replay failed (for GET VPN).
|
Misc. Exceptions
|
Errors not classified as any of the above.
|
IPsec VPN SPA and VSPA
The following example shows the platform statistics for the IPsec VPN SPA in slot 1 subslot 0 and also displays the network interface controller statistics (this platform output is from a Catalyst 6500 series with installed IPsec VPN SPA):
Router# show crypto engine accelerator statistic slot 1/0 detail
Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets TX...............: 452480
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 452470
AH Packets...............: 0
ESP Packets..............: 452470
GRE Decapsulations.......: 0
NAT-T Decapsulations.....: 0
Clear....................: 8
ICMP.....................: 0
Packets Drop.............: 193
Authentication Errors....: 0
Decryption Errors........: 0
Replay Check Failed......: 0
Policy Check Failed......: 0
Illegal CLear Packet.....: 0
GRE Errors...............: 0
SPD Errors...............: 0
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 191
SPI No Match.............: 0
Destination No Match.....: 0
Protocol No Match........: 0
Reassembly Frag RX.......: 0
IPSec Fragments..........: 0
IPSec Reasm Done.........: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0
Decryption Side Controller Statistics
=====================================
Frames RX................: 756088
Bytes RX.................: 63535848
Mcast/Bcast Frames RX....: 2341
RX Less 128Bytes.........: 756025
RX Less 512Bytes.........: 58
RX Less 1KBytes..........: 2
RX Less 9KBytes..........: 3
RX Frames Drop...........: 0
Frames TX................: 452365
Bytes TX.................: 38001544
Mcast/Bcast Frames TX....: 9
TX Less 128Bytes.........: 452343
TX Less 512Bytes.........: 22
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0
Encryption Side Data Path Statistics
====================================
Packets RX...............: 756344
Packets TX...............: 753880
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 753869
GRE Encapsulations.......: 0
NAT-T Encapsulations.....: 0
LAF prefragmented........: 0
Fragmented...............: 0
Clear....................: 753904
ICMP.....................: 0
Packets Drop.............: 123
IKE/TED Drop.............: 27
Authentication Errors....: 0
Encryption Errors........: 0
HA Standby Drop..........: 0
Hard Life Drop...........: 0
Invalid SA...............: 191
Reassembly Frag RX.......: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0
Encryption Side Controller Statistics
=====================================
Frames RX................: 454065
Bytes RX.................: 6168274/
Mcast/Bcast Frames RX....: 1586
RX Less 128Bytes.........: 1562
RX Less 512Bytes.........: 452503
RX Less 1KBytes..........: 0
RX Less 9KBytes..........: 0
RX Frames Drop...........: 0
Frames TX................: 753558
Bytes TX.................: 100977246
Mcast/Bcast Frames TX....: 2
TX Less 128Bytes.........: 3
TX Less 512Bytes.........: 753555
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0
Table 88 describes significant fields shown in the above display.
Table 88 show crypto engine accelerator statistic IPsec VPN SPA
Statistics Descriptions
Field
|
Description
|
Decryption Data Side Path Statistics
|
Packets RX
|
Number of packets received on the decryption side of the IPsec VPN SPA.
|
Packets TX
|
Number of packets transmitted by the IPsec VPN SPA in the decryption direction.
|
IPSec Transport Mode
|
Number of packets in IPsec Transport Mode.
|
IPSec Tunnel Mode
|
Number of packets in IPsec Tunnel Mode.
|
AH Packets
|
Number of packets with authentication headers (AHs).
|
ESP Packets
|
Number of packets with Encapsulating Security Payload (ESP) headers.
|
GRE Decapsulations
|
Number of packets that were generic routing encapsulating (GRE) decapsulated.
|
NAT-T Decapsulations
|
Number of packets that were Network Address Translation-Traversal (NAT-T) decapsulated.
|
Clear
|
Number of clear packets received.
|
ICMP
|
Number of Internet Control Message Protocol (ICMP) packets received.
|
Packets Drop
|
Number of packet drops.
Note Does not represent the sum of the individual drop subtotals displayed (does not include BPDU/CDP/MOP packets dropped).
|
Authentication Errors
|
Number of authentication errors.
|
Decryption Errors
|
Number of decryption errors.
|
Replay Check Failed
|
Number of replay check errors.
|
Policy Check Failed
|
Number of policy check errors.
|
Illegal Clear Packet
|
Number of illegal clear packets.
|
GRE Errors
|
Number of GRE errors due to invalid packets or invalid security associations (SAs).
Note These errors correspond to the sum of the following GRE errors in the output of the show stats icpu command: "GRE Packet Errors," "GRE SA No Match," and "Invalid GRE SA," which count, respectively, the number of GRE packets that are RFC compliant but that use a format currently not supported by the VPN module, the number of GRE packets in which the SA lookup results is a no match, and the number of GRE packets in which the SA lookup matches an entry marked as invalid.
|
SPD Errors
|
Number of Security Policy Database (SPD) errors.
Note These errors correspond to the sum of the following SPD errors in the output of the show stats icpu command: "SPD Lookup Failed," "SPD Invalid," and "SPD ID No Match."
|
HA Standby Drop
|
Number of packet drops on a High Availability (HA) standby IPsec VPN SPA.
Note The standby IPsec VPN SA is not supposed to receive packets.
|
Hard Life Drop
|
Number of packet drops due to SA hard life expiration.
Note These packets are dropped during rekeying after the SA volume lifetime has been reached.
|
Invalid SA
|
Number of packet drops due to invalid SA.
|
SPI No Match
|
Number of packet drops due to a Security Parameter Index (SPI) mismatch.
|
Destination No Match
|
Number of packet drops due to destination no match.
|
Protocol No Match
|
Number of packet drops due to protocol no match.
|
Reassembly Frag RX
|
Number of packets that required reassembly processing.
|
IPSec Fragments
|
Number of IPsec fragments.
|
IPSec Reasm Done
|
Number of IPsec fragments reassembled.
|
Clear Fragments
|
Number of clear fragments.
|
Clear Reasm Done
|
Number of clear fragments reassembled.
|
Datagrams Drop
|
Number of reassembled datagrams dropped.
|
Fragments Drop
|
Number of fragments dropped.
|
Decryption Side Controller Statistics
|
Frames RX
|
Number of frames received.
|
Bytes RX
|
Number of bytes received.
|
Mcast/Bcast Frames RX
|
Number of multicast/broadcast frames received.
|
RX Less 128Bytes
|
Number of frames having a size less than 128 bytes.
|
RX Less 512Bytes
|
Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.
|
RX Less 1KBytes
|
Number of frames having a size greater than or equal to 512 bytes and less than 1 kilobyte (KB).
|
RX Less 9KBytes
|
Number of frames having a size greater than or equal to 1 KB and less than 9 KBs.
|
RX Frames Drop
|
Number of frames dropped.
|
Frames TX
|
Number of frames transmitted.
|
Bytes TX
|
Number of bytes transmitted.
|
Mcast/Bcast Frames TX
|
Number of multicast/broadcast frames transmitted.
|
TX Less 128Bytes
|
Number of frames having a size less than 128 bytes.
|
TX Less 512Bytes
|
Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.
|
TX Less 1KBytes
|
Number of frames having a size greater than or equal to 512 bytes and less than 1 KB.
|
TX Less 9KBytes
|
Number of frames having a size greater than or equal to 1 KB and less than 9 KBs.
|
Encryption Side Data Path Statistics
|
Packets RX
|
Number of packets received on the encryption side of the IPsec VPN SPA.
|
Packets TX
|
Number of packets transmitted by the IPsec VPN SPA in the encryption direction.
|
IPSec Transport Mode
|
Number of packets in IPsec Transport Mode.
|
IPSec Tunnel Mode
|
Number of packets in IPsec Tunnel Mode.
|
GRE Encapsulations
|
Number of packets that were GRE encapsulated.
|
NAT-T Encapsulations
|
Number of packets that were NAT-T encapsulated.
|
LAF prefragmented
|
Number of packets with Look Ahead Fragmentation set and that were prefragmented.
|
Fragmented
|
Number of packets fragmented.
|
Clear
|
Number of clear packets.
|
ICMP
|
Number of ICMP packets.
|
Packets Drop
|
Number of packet drops.
Note Does not represent the sum of the individual drop subtotals displayed (does not include BPDU/CDP/MOP packets dropped).
|
IKE/TED Drop
|
Number of packet drops because SA has not been set up.
|
Authentication Errors
|
Number of authentication errors.
|
Encryption Errors
|
Number of Encryption errors.
|
HA Standby Drop
|
Number of packet drops on a HA standby IPsec VPN SPA.
Note The standby IPsec VPN SPA is not supposed to receive packets.
|
Hard Life Drop
|
Number of packet drops due to SA hard-life expiration.
Note These packets are dropped during rekeying after the SA volume lifetime has been reached.
|
Invalid SA
|
Number of packet drops due to invalid SA.
|
Reassembly Frag RX
|
Number of packets that required reassembly processing.
|
Clear Fragments
|
Number of clear fragments.
|
Clear Reasm Done
|
Number of clear fragments reassembled.
|
Datagrams Drop
|
Number of reassembled datagrams dropped.
|
Fragments Drop
|
Number of fragments dropped.
|
Encryption Side Controller Statistics
|
Frames RX
|
Number of frames received.
|
Bytes RX
|
Number of bytes received.
|
Mcast/Bcast Frames RX
|
Number of multicast/broadcast frames received.
|
RX Less 128Bytes
|
Number of frames having a size less than 128 bytes.
|
RX Less 512Bytes
|
Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.
|
RX Less 1KBytes
|
Number of frames having a size greater than or equal to 512 bytes and less than 1 KB.
|
RX Less 9KBytes
|
Number of frames having a size greater than or equal to 1 KB and less than 9 KBs.
|
RX Frames Drop
|
Number of frames dropped.
|
Frames TX
|
Number of frames transmitted.
|
Bytes TX
|
Number of bytes transmitted.
|
Mcast/Bcast Frames TX
|
Number of multicast/broadcast frames transmitted.
|
TX Less 128Bytes
|
Number of frames having a size less than 128 bytes.
|
TX Less 512Bytes
|
Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.
|
TX Less 1KBytes
|
Number of frames having a size greater than or equal to 512 bytes and less than 1 KB.
|
TX Less 9KBytes
|
Number of frames having a size greater than or equal to 1 KB and less than 9 KBs.
|
VSPA
The following examples show the output when the coreutil keyword is used with the VSPA and the Catalyst 6500 series switch using Cisco IOS Release 12.2(33)SXI and later releases:
Router#: show crypto engine accelerator statistic slot 2/0 coreutil
Utilization Percentages for VPN blade in slot 2/0
Blade Utilization Percentages
==========================
Last 5 seconds ---------------------
Slowpath ...................... 35 %
Inbound ....................... 24 %
Outbound ...................... 32 %
QoS ........................... 44 %
Last 1 minute ----------------------
Slowpath ...................... 12 %
Inbound ....................... 11 %
Outbound ...................... 15 %
QoS ........................... 23 %
Last 5 minutes ---------------------
Slowpath ....................... 8 %
Inbound ....................... 11 %
Outbound ...................... 11 %
QoS ........................... 10 %
Router# show crypto engine accelerator statistic all coreutil
Utilization Percentages for VPN blade in slot 2/0
Blade Utilization Percentages
==========================
Last 5 seconds ---------------------
Slowpath ...................... 35 %
Inbound ....................... 24 %
Outbound ...................... 32 %
QoS ........................... 44 %
Last 1 minute ----------------------
Slowpath ...................... 12 %
Inbound ....................... 11 %
Outbound ...................... 15 %
QoS ........................... 23 %
Last 5 minutes ---------------------
Slowpath ....................... 8 %
Inbound ....................... 11 %
Outbound ...................... 11 %
QoS ........................... 10 %
Utilization Percentages for VPN blade in slot 2/1
Blade Utilization Percentages
==========================
Last 5 seconds ---------------------
Slowpath ...................... 88 %
Inbound ....................... 78 %
Outbound ...................... 79 %
QoS ........................... 32 %
Last 1 minute ----------------------
Slowpath ...................... 76 %
Inbound ....................... 80 %
Outbound ...................... 80 %
QoS ........................... 13 %
Last 5 minutes ---------------------
Slowpath ...................... 75 %
Inbound ....................... 65 %
Outbound ...................... 70 %
QoS ........................... 12 %
Table 89 describes significant fields shown in the above display.
Table 89 show crypto engine accelerator statistic coreutil VSPA Statistics Descriptions
Field
|
Description
|
Blade Utilization Percentages
|
Slowpath
|
Utilization of slowpath traffic capacity.
|
Inbound
|
Utilization of inbound traffic capacity.
|
Outbound
|
Utilization of outbound traffic capacity.
|
QoS
|
Utilization of QoS traffic capacity.
|
Related Commands
Command
|
Description
|
clear crypto engine accelerator counter
|
Resets the statistical and error counters for the hardware accelerator to zero.
|
crypto ca
|
Defines the parameters for the certification authority used for a session.
|
crypto cisco
|
Defines the encryption algorithms and other parameters for a session.
|
crypto dynamic-map
|
Creates a dynamic map crypto configuration for a session.
|
crypto engine accelerator
|
Enables the use of the onboard hardware accelerator of the Cisco uBR905 and Cisco uBR925 routers for IPsec encryption.
|
crypto ipsec
|
Defines the IPsec SAs and transformation sets.
|
crypto isakmp
|
Enables and defines the IKE protocol and its parameters.
|
crypto key
|
Generates and exchanges keys for a cryptographic session.
|
crypto map
|
Creates and modifies a crypto map for a session.
|
debug crypto engine accelerator control
|
Displays each control command as it is given to the crypto engine.
|
debug crypto engine accelerator packet
|
Displays information about each packet sent for encryption and decryption.
|
show crypto engine accelerator ring
|
Displays the contents of command and transmit rings for the crypto engine.
|
show crypto engine accelerator sa-database
|
Displays the active (in-use) entries in the crypto engine security association (SA) database.
|
show crypto engine brief
|
Displays a summary of the configuration information for the crypto engine.
|
show crypto engine configuration
|
Displays the version and configuration information for the crypto engine.
|
show crypto engine connections
|
Displays a list of the current connections maintained by the crypto engine.
|
show crypto gdoi
To display information about a Group Domain of Interpretation (GDOI) configuration, use the show crypto gdoi command in privileged EXEC mode.
show crypto gdoi [debug-condition] [group group-name] [gm [acl | rekey | replay] | ks [acl | coop
[version] | members [ip-address] | policy | rekey | replay]] [ipsec sa]
Syntax Description
debug-condition
|
(Optional) Displays GDOI debug conditional filters.
|
group group-name
|
(Optional) Displays information about the group specified.
|
gm
|
(Optional) Displays information about group members.
|
acl
|
(Optional) Displays the access control list (ACL) that has been applied to the GDOI group.
|
rekey
|
(Optional) Displays rekey information.
|
replay
|
(Optional) Displays group information for time-based anti-replay.
|
ks
|
(Optional) Displays information about key servers.
|
coop
|
(Optional) Displays information about the cooperative key servers.
|
version
|
(Optional) Displays information about the cooperative key server and client versions.
|
members [ip-address]
|
(Optional) Displays information about registered group members.
|
policy
|
(Optional) Displays key server policy information.
|
ipsec sa
|
(Optional) Displays information about the IP security (IPsec) security association (SA) for all group members.
• If this keyword is used with the group group-name keyword and argument option, information is displayed for only the group that is specified.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(6)T
|
This command was introduced.
|
12.4(11)T
|
The group group-name keyword and argument and gm, acl, rekey, replay, ks, coop [version], members, policy, and ipsec sa keywords were added.
|
Cisco IOS XE Release 2.3
|
This command was implemented on the Cisco ASR 1000 series routers.
|
15.1(3)T
|
This command was modified. The debug-condition keyword was added.
|
Usage Guidelines
Because the show running-config command does not display enabled debug commands, the debug-condition keyword is useful for displaying GDOI debug conditional filters that are enabled.
Examples
The following output displays information about a configuration for a GDOI group member:
Router# show crypto gdoi group diffint
Group Members Registered : 0
Group Members Registered : 0
The following output displays information about a configuration when entered on a GDOI key server:
Router# show crypto gdoi group diffint ks
Group Members Registered : 1
Group Rekey Lifetime : 300 secs
Remaining Lifetime : 84 secs
IPSec SA Rekey Lifetime : 120 secs
Remaining Lifetime : 64 secs
access-list 120 permit ip host 10.0.1.1 host 192.168.1.1
access-list 120 permit ip host 10.0.100.2 host 192.168.1.1
Group Member List for Group diffint :
Group Members Registered : 0
Group Rekey Lifetime : 600 secs
IPSec SA Rekey Lifetime : 120 secs
access-list 120 permit ip host 10.0.1.1 host 192.168.1.1
access-list 120 permit ip host 10.0.100.2 host 192.168.1.1
The following output displays GDOI key server information for registered GMs when entered on a GDOI key server:
Router# show crypto gdoi ks members
Group Member Information :
Number of rekeys sent for group diffint : 10
Group Member ID : 5.0.6.1
Group Member ID : 5.0.5.1
show crypto ha
To display all virtual IP (VIP) addresses that are currently in use by IP Security (IPSec) and Internet Key Exchange (IKE), use the show crypto ha command in privileged EXEC mode.
show crypto ha
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(11)T
|
This command was introduced.
|
Examples
The following output from the show crypto ha command shows all VIP addresses that are being used by IPSec and IKE:
stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76
IPSec VIP: 255.255.255.253
IPSec VIP: 255.255.255.254
show crypto identity
To display the crypto identity list, use the show crypto identity command in privileged EXEC mode.
show crypto identity [identity-tag]
Syntax Description
identity-tag
|
(Optional) The crypto identity tag value for which to display specific crypto identity list information.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(33)SRB
|
This command was introduced in a release earlier than Cisco IOS Release 12.2(33)SRB.
|
12.2SX
|
This command was integrated into Cisco IOS Release 12.2SX.
|
12.2(4)T
|
This command was integrated into Cisco IOS Release 12.2(4)T.
|
Cisco IOS XE 2.3
|
This command was integrated into Cisco IOS XE Release 2.3.
|
Usage Guidelines
Use the show crypto identity command to display the configured crypto identity of a router.
Examples
The following are sample outputs from the show crypto identity command:
Router# show crypto identity id12
Router# show crypto identity id11
Router# show crypto identity
Description: Linedescription
Table 90 describes the significant fields shown in the display.
Table 90 show crypto identity Field Descriptions
Field
|
Description
|
Description
|
Line description.
|
fqdn
|
Fully qualified distinguished name identifier
|
show crypto ikev2 diagnose error
To display the current Internet Key Exchange Version 2 (IKEv2) exit path database, use the show crypto ikev2 diagnose error command in privileged EXEC mode.
show crypto ikev2 diagnose error [count]
Syntax Description
count
|
(Optional) Display the error counters from the exit path database.
|
Command Default
The IKEv2 exit path database is displayed.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display the IKEv2 exit path database. Enable or disable IKEv2 exit path logging using the crypto ikev2 diagnose error command. Use the clear crypto ikev2 diagnose error command to clear the IKEv2 exit path database.
Examples
The following example is a sample output from the show crypto ikev2 diagnose error command. The output is self-explanatory.
Router# show crypto ikev2 diagnose error
Exit Path Table - status: enable, current entry 2, deleted 0, max allow 50
-Traceback= 0x37ABEB8z 0x37AC29Cz 0x2C0CA74z 0x2C0CA70z
-Traceback= 0x37B609Cz 0x37ABEB8z 0x37AC29Cz 0x2C0CA74z 0x2C0CA70z
Related Commands
Command
|
Description
|
clear crypto ikev2 diagnose error
|
Clears the IKEv2 exit path database.
|
crypto ikev2 diagnose error
|
Enables IKEv2 error diagnosis.
|
show crypto ikev2 policy
To display the default or a user-defined Internet Key Exchange Version 2 (IKEv2) policy, use the show crypto ikev2 policy command in privileged EXEC mode.
show crypto ikev2 policy [policy-name]
Syntax Description
policy-name
|
(Optional) Displays the specified policy.
|
Command Default
If no option is specified, then this command displays all the policies.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
15.1(4)M
|
This command was modified. The command output was updated to support IPv6 addresses.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display the default or user-defined IKEv2 policy. User-defined policies display the default values of the commands that are not explicitly configured under the policy.
Examples
The following examples show the output for a default and user-defined policy.
Default IKEv2 Policy
The default IKEv2 policy matches all local addresses in global VRF and uses the default IKEv2 proposal.
Router# show crypto ikev2 policy default
Match address local : any
Router# show crypto ikev2 policy default
This sample output shows the default IKEv2 policy that matches the local IPv6 address in global VRF: IKEv2 policy : default
Match address local : 2001:DB8:1::1
User-defined IKEv2 policy
Router# show crypto ikev2 policy policy-1
Table 91 describes the significant fields shown in the display.
Table 91 show crypto ikev2 policy Field Descriptions
Field
|
Description
|
IKEv2 policy
|
Name of the IKEv2 policy.
|
Match fvrf
|
The front door virtual routing and forwarding (FVRF) specified for matching the IKEv2 policy.
|
Match local
|
The local IP address (IPv4 or IPv6) assigned for matching the IKEv2 policy.
|
Proposal
|
The name of the proposal that is attached to the IKEv2 policy.
|
Related Commands
Command
|
Description
|
crypto ikev2 policy
|
Defines an IKEv2 policy.
|
crypto ikev2 proposal
|
Defines an IKE proposal.
|
match (ikev2 policy)
|
Matches an IKEv2 policy based on the parameters.
|
proposal
|
Specifies the proposals that must be used in the IKEv2 policy.
|
show crypto ikev2 profile
To display a user-defined Internet Key Exchange Version 2 (IKEv2) profile, use the show crypto ikev2 profile command in privileged EXEC mode.
show crypto ikev2 profile [profile-name]
Syntax Description
profile-name
|
(Optional) Name of the IKEv2 profile.
|
Command Default
No default behavior or values.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
15.1(4)M
|
This command was modified. The command output was updated to support IPv6 addresses.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display information about an IKEv2 profile. This command also displays the default values of the commands that are not explicitly configured in the IKEv2 profile. If a profile name is not specified, the command displays all the user-defined IKEv2 profiles.
Examples
The following example is sample output from the show crypto ikev2 profile command:
Router# show crypto ikev2 profile
Local address/interface: none
Local identity: fqdn dmap-responder
Local authentication method: pre-share
Remote authentication method(s): pre-share
Table 92 describes the significant fields shown in the display.
Table 92 show crypto ikev2 profile Field Descriptions
Field
|
Description
|
IKEv2 profile
|
Name of the IKEv2 profile.
|
Match
|
The match parameter in the profile.
|
Local Identity
|
The local identity type.
|
Local authentication method
|
The local authentication methods.
|
Remote authentication method
|
The remote authentication methods.
|
Keyring
|
The keyring specified in the profile.
|
Trustpoint
|
The trustpoints used in the Rivest, Shamir and Adleman (RSA) signature authentication method.
|
Lifetime
|
The lifetime of the IKEv2 profile.
|
DPD
|
The status of Dead Peer Detection (DPD).
|
Ivrf
|
The Inside VRF (IVRF) in the profile.
|
Virtual-template
|
The virtual template in the profile.
|
show crypto ikev2 proposal
To display the Internet Key Exchange Version 2 (IKEv2) proposal, use the show crypto ikev2 proposal command in privileged EXEC mode.
show crypto ikev2 proposal [name | default]
Syntax Description
name
|
(Optional) The user-defined proposal.
|
default
|
(Optional) The default proposal.
|
Command Default
If no option is specified, the default and user-defined proposals are displayed.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display the user-defined and default proposals.
Examples
The following example is a sample output from the show crypto ikev2 proposal command:
Router# show crypto ikev2 proposal
Encryption : 3DES AES-CBC-192
DH Group : DH_GROUP_768_MODP/Group 1 DH_GROUP_1536_MODP/Group 5
Encryption : AES-CBC-128 3DES
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
Table 93 describes the significant fields shown in the display.
Table 93 show crypto ikev2 proposal Field Descriptions
Field
|
Description
|
IKEv2 proposal
|
Name of the proposal.
|
Encryption
|
The encryption algorithm configured in the proposal.
|
Integrity
|
The integrity algorithm configured in the proposal.
|
PRF
|
The Pseudo-Random Function in the proposal. This is the same as the integrity algorithm.
|
DH Group
|
The Diffie-Hellman groups configured in the proposal.
|
Related Commands
Command
|
Description
|
crypto ikev2 proposal
|
Defines an IKEv2 proposal.
|
encryption (ikev2 proposal)
|
Specifies the encryption algorithm in an IKEv2 proposal.
|
group (ikev2 proposal)
|
Specifies the DH groups in an IKEv2 proposal.
|
integrity (ikev2 proposal)
|
Specifies the integrity algorithm in an IKEv2 proposal.
|
show crypto ikev2 sa
To display the Internet Key Exchange Version 2 (IKEv2) security associations (SA), use the show crypto ikev2 sa command in privileged EXEC mode.
show crypto ikev2 sa {local ip-address | remote ip-address | fvrf vrf-name} [detailed]
Syntax Description
local ip-address
|
Displays the current IKEv2 security associations matching the local address.
|
remote ip-address
|
Displays the current IKEv2 security associations matching the remote address.
|
fvrf vrf-name
|
Displays the current IKEv2 security associations matching the specified front door virtual routing and forwarding (FVRF).
|
detailed
|
(Optional) Displays detailed information about the current security associations.
|
Command Default
All the current IKEv2 security associations are displayed.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display information about the current IKEv2 security associations.
Examples
The following is sample output from the show crypto ikev2 sa command:
Router# show crypto ikev2 sa
Tunnel-id Local Remote fvrf/ivrf Status
2 10.0.0.1/500 10.0.0.2/500 (none)/(none) READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth: PSK
Life/Active Time: 86400/361 sec
The following is sample output from the show crypto ikev2 sa detailed command:
Router# show crypto ikev2 sa detailed
Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.1/500 1.1.1.2/500 (none)/(none) READY
Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/12 sec
CE id: 1001, Session-id: 1
Status Description: Negotiation done
Local spi: 41E942F807BA4153 Remote spi: 993043F2AF648C48
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Table 94 describes the significant fields shown in the display.
Table 94 show crypto ikev2 sa detailed Field Descriptions
Field
|
Description
|
Tunnel-id
|
Unique identifier of the IKEv2 tunnel.
|
Local
|
IP address and UDP port of the local IKEv2 endpoint.
|
Remote
|
IP address and UDP port of the remote IKEv2 endpoint.
|
fvrf/ivrf
|
FVRF/IVRF of the local IKEv2 endpoint.
|
Status
|
Status of the IKEv2 tunnel.
|
Encr
|
Encryption algorithm used by the IKEv2 tunnel.
|
Hash
|
Integrity algorithm used by the IKEv2 tunnel.
|
DH Grp
|
Diffie-Hellman (DH) group used by the IKEv2 tunnel.
|
Auth Sign
|
Authentication method used by the local IKEv2 endpoint.
|
Auth Verify
|
Authentication method used by the remote IKEv2 endpoint.
|
Life/Active Time
|
The total and active lifetime of the IKEv2 tunnel.
|
CE id
|
The crypto engine ID used by the local IKEv2 endpoint.
|
Session-id
|
The session ID for the IKEv2 tunnel.
|
MIB-id
|
The MIB identifier for the IKEv2 tunnel.
|
Status Description
|
Description of the IKEv2 tunnel status.
|
Local spi
|
IKEv2 security parameter index (SPI) of the local IKEv2 endpoint.
|
Remote spi
|
IKEv2 SPI of the remote IKEv2 endpoint.
|
Local id
|
IKEv2 identity of the local IKEv2 endpoint
|
Remote id
|
IKEv2 identity of the remote IKEv2 endpoint.
|
Local req mess id
|
Message ID of the last IKEv2 request sent.
|
Remote req mess id
|
Message ID of the last IKEv2 request received.
|
Local next mess id
|
Message ID of the next IKEv2 request to be sent.
|
Remote next mess id
|
Message ID of the next IKEv2 request to be received.
|
Local req queued
|
Number of requests queued to be sent.
|
Remote req queued
|
Number of requests queued to be processed.
|
Local window
|
IKEv2 window size of the local IKEv2 endpoint.
|
Remote window
|
IKEv2 window size of the remote IKEv2 endpoint.
|
DPD
|
DPD interval.
|
NAT-T
|
NAT detection status.
|
show crypto ikev2 session
To display the status of active Internet Key Exchange Version 2 (IKEv2) sessions, use the show crypto ikev2 session command in privileged EXEC mode.
show crypto ikev2 session [detailed]
Syntax Description
detailed
|
(Optional) Displays detailed information about the session.
|
Command Default
The session information is displayed in a brief format.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
15.1(4)M
|
This command was modified. The command output was updated to support IPv6 addresses.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display information about the active IKEv2 sessions. Use the detailed keyword to display information about IKEv2 parent and child security associations.
Examples
The following is a sample output from the show crypto ikev2 session and show crypto ikev2 session detailed command.
Router# show crypto ikev2 session
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 (none)/(none) READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth: PSK
Life/Active Time: 86400/65 sec
CHild sa: local selector 10.0.0.1/0 - 10.0.0.1/65535
remote selector 10.0.0.2/0 - 10.0.0.2/65535
ESP spi in/out: 0x9360A95/0x6C340600
CPI in/out: 0x9FE5/0xC776
Router# show crypto ikev2 session detailed
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 (none)/(none) READY
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth: PSK
Life/Remaining/Active Time: 86400/86157/248 sec
CE id: 0, Session-id: 1, MIB-id: 1
Status Description: Negotiation done
Local spi: 750CBE827434A245 Remote spi: 4353FEDBABEBF24C
Local id: 10.0.0.1 Remote id: 10.0.0.2
Local req mess id: 0 Remote req mess id: 0
Local next mess id: 0 Remote next mess id: 2
Local req queued: 0 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds
Child sa: local selector 10.0.0.1/0 - 10.0.0.1/65535
remote selector 10.0.0.2/0 - 10.0.0.2/65535
ESP spi in/out: 0x9360A95/0x6C340600
CPI in/out: 0x9FE5/0xC776
Encr: AES CBC, keysize: 128, esp_hmac: SHA96
ah_hmac: Unknown - 0, comp: IPCOMP_LZS, mode tunnel
Table 95 describes the significant fields shown in the display.
Table 95 show crypto ikev2 session detailed Field Descriptions
Field
|
Description
|
Tunnel id
|
Unique identifier of IKEv2 tunnel.
|
Local
|
IP address (IPv4 or IPv6) and UDP port of the local IKEv2 endpoint.
|
Remote
|
IPv4 or IPv6 address and UDP port of the remote IKEv2 endpoint.
|
fvrf/ivrf
|
FVRF/IVRF of the local IKEv2 endpoint.
|
Status
|
Status of the IKEv2 tunnel.
|
Encr
|
Encryption algorithm used by the IKEv2 tunnel.
|
Hash
|
Integrity algorithm used by the IKEv2 tunnel.
|
DH Grp
|
DH group used by the IKEv2 tunnel.
|
Auth Sign
|
Authentication method used by the local IKEv2 endpoint.
|
Auth Verify
|
Authentication method used by the remote IKEv2 endpoint.
|
Life/Active Time
|
The total and active lifetime of the IKEv2 tunnel.
|
CE id
|
The crypto engine ID used by the local IKEv2 endpoint.
|
Session-id
|
The session ID for the IKEv2 tunnel.
|
MIB-id
|
The MIB identifier for the IKEv2 tunnel.
|
Status Description
|
Description of the IKEv2 tunnel status.
|
Local spi
|
IKEv2 security parameter index (SPI) of the local IKEv2 endpoint.
|
Remote spi
|
IKEv2 SPI of the remote IKEv2 endpoint.
|
Local id
|
IKEv2 identity of the local IKEv2 endpoint
|
Remote id
|
IKEv2 identity of the remote IKEv2 endpoint.
|
Local req mess id
|
Message ID of the last IKEv2 request sent.
|
Remote req mess id
|
Message ID of the last IKEv2 request received.
|
Local next mess id
|
Message ID of the next IKEv2 request to be sent.
|
Remote next mess id
|
Message ID of the next IKEv2 request to be received.
|
Local req queued
|
Number of requests queued to be sent.
|
Remote req queued
|
Number of requests queued to be processed.
|
Local window
|
IKEv2 window size of the local IKEv2 endpoint.
|
Remote window
|
IKEv2 window size of the remote IKEv2 endpoint.
|
DPD
|
DPD interval.
|
NAT
|
NAT detection status.
|
Child sa: local selector
|
Local network protected by the child security association (SA).
|
remote selector
|
Remote network protected by the child SA.
|
ESP spi in/out
|
Inbound and outbound SPI of the Encapsulating Security Payload (ESP) child SA.
|
CPI in/out
|
Inbound and outbound Cisco Product Identification (CPI) of the IP compression (IPComp) child SA.
|
AH spi in/out
|
Inbound and outbound SPI of the Authentication Header (AH) child SA.
|
Encr
|
Encryption algorithm used by the ESP child SA.
|
keysize
|
Size of the key in bits used by the encryption algorithm.
|
esp_hmac
|
Integrity algorithm used by the ESP child SA.
|
ah_hmac
|
Integrity algorithm used in the AH child SA, if available.
|
comp
|
Compression algorithm used by IPComp child SA.
|
mode
|
Tunnel or transport mode used by ESP/AH child SA.
|
show crypto ikev2 stats
To display the Internet Key Exchange Version 2 (IKEv2) security associations (SAs) statistics, use the show crypto ikev2 stats command in privileged EXEC mode.
show crypto ikev2 stats
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(1)T
|
This command was introduced.
|
Cisco IOS XE Release 3.3S
|
This command was integrated into Cisco IOS XE Release 3.3S.
|
Usage Guidelines
Use this command to display IKEv2 security associations statistics.
Examples
The following example is a sample output from the show crypto ikev2 stats command. The fields in the output are self-explanatory.
Router(#) show crypto ikev2 stats
---------------------------------------------------------------------
Crypto IKEV2 SA Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego: 1000
Total IKEv2 SA Count: 1 active: 1 negotiating: 0
Incoming IKEv2 Requests: 0 accepted: 0 rejected: 0
Outgoing IKEv2 Requests: 1 accepted: 1 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
show crypto ipsec client ezvpn
To display the Cisco Easy VPN Remote configuration, use the show crypto ipsec client ezvpn command in privileged EXEC mode.
show crypto ipsec client ezvpn
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(4)YA
|
This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
|
12.2(13)T
|
This command was integrated into Cisco IOS Release 12.2(13)T.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
|
Examples
The following example shows a typical display from the show crypto ipsec client ezvpn command for an active Virtual Private Network (VPN) connection when the router is in client mode. The last two lines indicate that a configuration URL and configuration version number have been pushed through the Mode-Configuration Exchange by the server to the Easy VPN remote device.
Router# show crypto ipsec client ezvpn
Inside interface list: FastEthernet0/0, Serial1/0,
Outside interface: Serial0/0
Current State: IPSEC_ACTIVE
DNS Primary: 192.168.201.1
DNS Secondary: 192.168.201.2
NBMS/WINS Primary: 192.168.201.3
NBMS/WINS Secondary: 192.168.201.4
Default Domain: cisco.com
Configuration URL: http://10.8.8.88/easy.cfg
Configuration Version: 10
The following example shows a typical display from the show crypto ipsec client ezvpn command for an active VPN connection when the router is in network-extension mode:
Router# show crypto ipsec client ezvpn
Inside interface list: FastEthernet0/0, Serial1/0,
Outside interface: Serial0/0
Current State: IPSEC_ACTIVE
Default Domain: cisco.com
Address : 192.168.200.225
The following example shows a typical display from the show crypto ipsec client ezvpn command for an inactive VPN connection:
Router# show crypto ipsec client ezvpn
Last Event: REMOVE INTERFACE CFG
The following example displays information about the outside interface "Virtual-Access1", which is bound to the real interface (Ethernet0/0) on which the user has configured Easy VPN as an outside interface:
Router# show crypto ipsec client ezvpn
Inside interface list: Ethernet1/0,
Outside interface: Virtual-Access1 (bound to Ethernet0/0)
Easy VPN connect ACL checking active
Connect : ACL based with access-list 101
Current State: CONNECT_REQUIRED
Last Event: TRACKED OBJECT UP
Save Password: Disallowed
Current EzVPN Peer: 10.0.0.2
Table 96 describes significant fields shown by the show crypto ipsec client ezvpn command:
Table 96 show crypto ipsec client ezvpn Field Descriptions
Field
|
Description
|
Current State
|
Displays whether the VPN tunnel connection is active or idle. Typically, when the tunnel is up, the current state is IPSEC ACTIVE.
|
Last Event
|
Displays the last event performed on the VPN tunnel. Typically, the last event before a tunnel is created is SOCKET UP.
|
Address
|
Displays the IP address used on the outside interface.
|
Mask
|
Displays the subnet mask used for the outside interface.
|
DNS Primary
|
Displays the primary domain name system (DNS) server provided by the Dynamic Host Configuration Protocol (DHCP) server.
|
DNS Secondary
|
Displays the secondary DNS server provided by the DHCP server.
|
Domain Name
|
Displays the domain name provided by the DHCP server.
|
NBMS/WINS Primary
|
Displays the primary NetBIOS Microsoft Windows Name Server provided by the DHCP server.
|
NBMS/WINS Secondary
|
Displays the secondary NetBIOS Microsoft Windows Name Server provided by the DHCP server.
|
Related Commands
Command
|
Description
|
show crypto ipsec transform
|
Displays the specific configuration for one or all transformation sets.
|
show crypto ipsec default transform-set
To display the default IP Security (IPsec) transform sets currently in use by Internet Key Exchange (IKE), use the show crypto ipsec default transform-set command in privileged EXEC mode.
show crypto ipsec default transform-set
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Usage Guidelines
If the default transform sets are in use, the show crypto ipsec default transform-set command displays the two default transform sets each of which defines an Encapsulation Security Protocol (ESP) encryption transform type and an ESP authentication transform type.
Examples
The following example displays the two default transform sets. No user defined transform sets have been configured, the default transform sets have not been disabled, and the crypto engine supports the encryption algorithm.
Router# show crypto ipsec default transform-set
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
Table 97 show crypto ipsec default transform-set Field Descriptions
Default Transform Name
|
ESP Encryption Transform and Description
|
ESP Authentication Transform and Description
|
#$!default_transform_set_1
|
esp-aes
(ESP with the 128-bit Advanced Encryption Standard [AES] encryption algorithm)
|
esp-sha-hmac
(ESP with the Secure Hash Algorithm [SHA-1, HMAC variant] authentication algorithm)
|
#$!default_transform_set_0
|
esp-3des
(ESP with the 168-bit Triple Data Encryption Standard [3DES or Triple DES] encryption algorithm)
|
esp-sha-hmac
|
The following example shows that when the default transform sets are disabled with the no crypto ipsec default transform-set, the show crypto ipsec default transform-set has no output.
Router(config)# no crypto ipsec default transform-set
Router# show crypto ipsec default transform-set
Related Commands
Command
|
Description
|
crypto ipsec transform-set
|
Defines a transform set.
|
show crypto ipsec transform-set
|
Displays the configured transform sets.
|
show crypto map (IPsec)
|
Displays the crypto map configuration.
|
show crypto ipsec sa
To display the settings used by current security associations (SAs), use the show crypto ipsec sa command in privileged EXEC mode.
show crypto ipsec sa [map map-name | address | identity | interface type number | peer
[vrf fvrf-name] address | vrf ivrf-name | ipv6 [interface type number]] [detail]
IPsec and IKE Stateful Failover Syntax
show crypto ipsec sa [active | standby]
Syntax Description
map map-name
|
(Optional) Displays any existing SAs that were created for the crypto map set with the value for the map-name argument.
|
address
|
(Optional) Displays all existing SAs, sorted by the destination address (either the local address or the address of the IP security (IPsec) remote peer) and then by protocol (Authentication Header [AH] or Encapsulation Security Protocol [ESP]).
|
identity
|
(Optional) Displays only the flow information. SA information is not shown.
|
interface type number
|
(Optional) Displays all existing SAs created for the interface value provided in the interface argument.
|
peer [vrf fvrf-name] address
|
(Optional) Displays all existing SAs with the peer address. If the peer address is in the Virtual Routing and Forwarding (VRF), specify vrf and the fvrf-name.
|
vrf ivrf-name
|
(Optional) Displays all existing SAs whose inside virtual routing and forwarding (IVRF) is the same as the valued used for the ivrf-name argument.
|
ipv6
|
(Optional) Displays IPv6 crypto IPsec SAs.
|
detail
|
(Optional) Detailed error counters. (The default is the high-level send or receive error counters.)
|
active
|
(Optional) Displays high availability (HA) - enabled IPsec SAs that are in the active state.
|
standby
|
(Optional) Displays HA-enabled IPsec SAs that are in the standby state.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3T
|
This command was introduced.
|
12.2(13)T
|
The "remote crypto endpt" and "in use settings" fields were modified to support Network Address Translation (NAT) traversal.
|
12.2(15)T
|
The interface keyword and type and number arguments were added. The peer keyword, the vrf keyword, and the fvrf-name argument were added. The address keyword was added to the peer keyword string. The vrf keyword and ivrf-name argument were added.
|
12.3(11)T
|
The active and standby keywords were added.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.4(11)T
|
This command was integrated into Cisco IOS Release 12.4(11)T.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Cisco IOS XE Release 2.1
|
This command was modified. This command was implemented on the Cisco ASR 1000 Series Aggregation Services Routers.
|
Usage Guidelines
If no keyword is used, all SAs are displayed. They are sorted first by interface and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).
Examples
The following is sample output from the show crypto ipsec sa command:
Router# show crypto ipsec sa
Crypto map tag: Tunnel1-head-0, local addr 10.5.5.2
local ident (addr/mask/prot/port): (10.5.5.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.5.5.1/255.255.255.255/47/0)
current_peer 10.5.5.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 492908510, #pkts encrypt: 492908510, #pkts digest: 492908510
#pkts decaps: 492908408, #pkts decrypt: 492908408, #pkts verify: 492908408
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 55, #recv errors 0
local crypto endpt.: 10.5.5.2, remote crypto endpt.: 10.5.5.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0xDE4EE29D(3729711773)
spi: 0xC06CA92B(3228346667)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3139, flow_id: VSA:1139, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (3948785/556)
replay detection support: Y
spi: 0xC87AB936(3363486006)
in use settings ={Tunnel, }
conn id: 3139, flow_id: VSA:1139, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (3948785/556)
replay detection support: Y
spi: 0xDE4EE29D(3729711773)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3140, flow_id: VSA:1140, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (3948785/556)
replay detection support: Y
spi: 0xAEEDD4F1(2934822129)
in use settings ={Tunnel, }
conn id: 3140, flow_id: VSA:1140, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (3948785/556)
replay detection support: Y
The following is sample output from the show crypto ipsec sa identity detail command:
Router# show crypto ipsec sa identity detail
Crypto map tag: Tunnel1-head-0, local addr 10.5.5.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer (none) port 500
DENY, flags={ident_is_root,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local ident (addr/mask/prot/port): (10.5.5.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (10.5.5.1/255.255.255.255/47/0)
current_peer 10.5.5.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 492923510, #pkts encrypt: 492923510, #pkts digest: 492923510
#pkts decaps: 492923408, #pkts decrypt: 492923408, #pkts verify: 492923408
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 55, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
Table 98 describes the significant fields shown in the above displays (show crypto ipsec sa and show crypto ipsec sa detail).
Table 98 show crypto ipsec sa Field Descriptions
Field
|
Description
|
crypto map tag
|
Policy tag for IPsec.
|
protected vrf
|
IVRF name that applies to the IPsec interface.
|
local ident (addr/mask/prot/port)
|
Local selector that is used for encryption and decryption.
|
remote ident (addr/mask/prot/port)
|
Remote selector that is used for encryption and decryption.
|
current peer
|
Current peer with which the IPsec tunnel communicates.
|
PERMIT, flags
|
IPsec SA is triggered by the Access Control List (ACL) permit action.
|
pkts encaps
|
Statistics number of packets that were successfully encapsulated by IPsec.
|
pkts encrypt
|
Statistics number of packets that were successfully encrypted by IPsec.
|
pkts digest
|
Statistics number of packets that were successfully hash digested by IPsec.
|
pkts decaps
|
Statistics number of packets that were successfully decapsulated by IPsec.
|
pkts decrypt
|
Statistics number of packets that were successfully decrypted by IPsec.
|
pkts verify
|
Received packets that passed the hash digest check.
|
pkts compressed
|
Number of packets that were successfully compressed by IPsec.
|
pkts decompressed
|
Number of packets that were successfully decompressed by IPsec.
|
pkts not compressed
|
Number of outbound packets that were not compressed.
|
pkts compr. failed
|
Number of packets that failed compression by IPsec.
|
pkts not decompressed
|
Number of inbound packets that were not compressed.
|
pkts decompress failed
|
Number of packets that failed decompression by IPsec.
|
send errors
|
Number of outbound packets that had errors.
|
recv errors
|
Number of inbound packets that had errors.
|
local crypto endpt.
|
Local endpoint terminated by IPsec.
|
remote crypto endpt.
|
Remote endpoint terminated by IPsec.
|
path mtu
|
Maximum transmission unit (MTU) size that is figured based on the Internet Control Message Protocol (ICMP) unreachable packet. This value also has to consider the IPsec overhead.
|
ip mtu
|
Interface MTU size that considers the IPsec overhead.
|
current outbound spi
|
Current outbound Security Parameters Index (SPI).
|
ip mtu idb
|
Interface description block (IDB) that is used to determine the crypto IP MTU.
|
current outbound spi
|
Current outbound Security Parameter Index (SPI).
|
inbound esp sas
|
Encapsulating Security Payload (ESP) for the SA for the inbound traffic.
|
spi
|
SPI for classifying the inbound packet.
|
transform
|
Security algorithm that is used to provide authentication, integrity, and confidentiality.
|
in use settings
|
Transform that the SA uses (for example: tunnel mode, transport mode, UDP-encapsulated tunnel mode, or UDP-encapsulated transport mode).
|
conn id
|
ID that is stored in the crypto engine to identify the IPsec/Internet Key Exchange (IKE) SA.
|
flow_id
|
SA identity.
|
crypto map
|
Policy for the IPsec.
|
sa timing: remaining key lifetime (k/sec)
|
Seconds or kilobytes remaining before a rekey occurs.
|
IV size
|
Size of the initialization vector that is used for the cryptographic synchronization data used to encrypt the payload.
|
replay detection support
|
A specific SA has enabled the replay detection feature.
|
inbound ah sas
|
Authentication algorithm for the SA for inbound traffic.
|
inbound pcp sas
|
Compression algorithm for the SA for inbound traffic.
|
outbound esp sas
|
Encapsulating security payload for the SA for outbound traffic.
|
outbound ah sas
|
Authentication algorithm for the SA for outbound traffic.
|
outbound pcp sas
|
Compression algorithm for the SA for outbound traffic.
|
DENY, flags
|
IPsec SA is triggered by the ACL deny action.
|
pkts decompress failed
|
Number of packets decompressed by IPsec that failed.
|
pkts no sa (send)
|
Outbound packets cannot find the associated IPsec SA.
|
pkts invalid sa (rcv)
|
Received packets that failed the IPsec format check.
|
pkts invalid prot (recv)
|
Received packets that have the wrong protocol field.
|
pkts verify failed
|
Received packets that failed the hash digest check.
|
pkts invalid identity (recv)
|
Packets after decryption cannot find the associated selector.
|
pkts pkts invalid len (rcv)
|
For the software crypto engine, inbound packets that have an incorrect pad length.
|
pkts replay rollover (send)
|
Sent packets that failed the replay test check.
|
pkts replay rollover (rcv)
|
Received packets that failed the replay test check.
|
pkts internal err (send)
|
Sent packets that failed because of a software or hardware error.
|
pkts internal err (rcv)
|
Received packets that failed because of a software or hardware error.
|
protected vrf
|
IVRF name that applies to the IPsec interface.
|
show crypto ipsec sa vrf Command Output
The following is sample output from the show crypto ipsec sa vrf command:
Router# show crypto ipsec sa vrf vpn2
Crypto map tag: ra, local addr. 172.16.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)
current_peer: 10.1.1.1:500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1
path mtu 1500, media mtu 1500
current outbound spi: 50110CF8
spi: 0xA3E24AFD(2749516541)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5127, flow_id: 7, crypto map: ra
sa timing: remaining key lifetime (k/sec): (4603517/3503)
replay detection support: Y
spi: 0x50110CF8(1343294712)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5128, flow_id: 8, crypto map: ra
sa timing: remaining key lifetime (k/sec): (4603517/3502)
replay detection support: Y
The following configuration was in effect when the preceding show crypto ipsec sa vrf command was issued. The IPsec remote access tunnel was "UP" when this command was issued.
crypto dynamic-map vpn1 1
set isakmp-profile vpn1-ra
crypto dynamic-map vpn2 1
set isakmp-profile vpn2-ra
crypto map ra 1 ipsec-isakmp dynamic vpn1
crypto map ra 2 ipsec-isakmp dynamic vpn2
Table 99 describes the significant fields shown in the preceding show crypto ipsec sa vrf display. Additional fields are self-explanatory or can be found in Table 98.
Table 99 show crypto ipsec sa vrf Field Descriptions
Field
|
Description
|
remote crypto endpt.
|
Remote endpoint terminated by IPsec.
|
media mtu
|
MTU value for media, such as an Ethernet or a serial interface.
|
inbound esp sas
|
Encapsulating security payload for the SA of the inbound traffic.
|
IPsec and IKE Stateful Failover Examples
The following sample output shows the IPsec SA status of only the active device:
Router# show crypto ipsec sa active
Crypto map tag: to-peer-outside, local addr 10.165.201.3
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)
current_peer 209.165.200.225 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225
path mtu 1500, media mtu 1500
current outbound spi: 0xD42904F0(3559458032)
spi: 0xD3E9ABD0(3555306448)
in use settings ={Tunnel, }
conn id: 2006, flow_id: 6, crypto map: to-peer-outside
sa timing: remaining key lifetime (k/sec): (4586265/3542)
HA last key lifetime sent(k): (4586267)
ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79C
replay detection support: Y
Table 100 describes the significant fields shown in the preceding show crypto ipsec sa active display. Additional fields are self-explanatory or can be found in Table 98 or Table 99.
Table 100 show crypto ipsec sa active Field Descriptions.
Field
|
Description
|
HA last key lifetime sent (k)
|
Last stored kilobytes lifetime value for HA.
|
ike_cookies
|
ID that identifies the IKE SAs.
|
The following sample output shows the IPsec SA status of only the standby device. The fields in the display are either self-explanatory or can be found in Table 98, Table 99, or Table 100.
Router# show crypto ipsec sa standby
Crypto map tag: to-peer-outside, local addr 10.165.201.3
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)
current_peer 209.165.200.225 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225
path mtu 1500, media mtu 1500
current outbound spi: 0xD42904F0(3559458032)
spi: 0xD3E9ABD0(3555306448)
in use settings ={Tunnel, }
conn id: 2012, flow_id: 12, crypto map: to-peer-outside
sa timing: remaining key lifetime (k/sec): (4441561/3486)
HA last key lifetime sent(k): (4441561)
ike_cookies: 00000000 00000000 00000000 00000000
replay detection support: Y
spi: 0xF3EE3620(4092474912)
in use settings ={Tunnel, }
conn id: 2012, flow_id: 12, crypto map: to-peer-outside
sa timing: remaining key lifetime (k/sec): (4441561/3486)
HA last key lifetime sent(k): (4441561)
ike_cookies: 00000000 00000000 00000000 00000000
replay detection support: Y
spi: 0xD42904F0(3559458032)
in use settings ={Tunnel, }
conn id: 2011, flow_id: 11, crypto map: to-peer-outside
sa timing: remaining key lifetime (k/sec): (4441561/3485)
HA last key lifetime sent(k): (4441561)
ike_cookies: 00000000 00000000 00000000 00000000
replay detection support: Y
spi: 0x75251086(1965363334)
in use settings ={Tunnel, }
conn id: 2011, flow_id: 11, crypto map: to-peer-outside
sa timing: remaining key lifetime (k/sec): (4441561/3485)
HA last key lifetime sent(k): (4441561)
ike_cookies: 00000000 00000000 00000000 00000000
replay detection support: Y
Related Commands
Command
|
Description
|
crypto ipsec security-association
|
Configures the IPSec security associations.
|
show crypto ipsec security-association idle-time
To display the security association (SA) idle-time value configured for crypto map entry, use the show crypto ipsec security-association idle-time command in privileged EXEC mode.
show crypto ipsec security-association idle-time
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(33)SRB
|
This command was introduced in a release earlier than Cisco IOS Release 12.2(33)SRB.
|
12.2SX
|
This command was integrated into Cisco IOS Release 12.2SX.
|
12.4(20)T
|
This command was integrated into Cisco IOS Release 12.4(20)T.
|
Cisco IOS XE 2.3
|
This command was integrated into Cisco IOS XE Release 2.3.
|
Usage Guidelines
Use the show crypto ipsec security-association idle-time command to display the idle time.
When a router running the Cisco IOS software creates an IPsec SA for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted. If enough resources are wasted by idle peers, the router could be prevented from creating new SAs with other peers. The IPsec Security Association Idle Timers feature introduces a configurable idle timer to monitor SAs for activity, allowing SAs for idle peers to be deleted. This increases the availability of the resources and improve scalability of Cisco IOS IPsec deployments.
Examples
The following is a sample output from the show crypto ipsec security-association idle-time command. The output is self-explanatory.
Router# show crypto ipsec security-association idle-time
Security association idletime: 567 seconds
Related CommandsRelated Commands
Command
|
Description
|
show crypto ipsec security-association lifetime
|
Displays the SA lifetime value configured for a particular crypto map entry.
|
show crypto ipsec security-association lifetime
To display the security association (SA) lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime command in privileged EXEC mode.
show crypto ipsec security-association lifetime
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.\
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Examples
The following is sample output for the show crypto ipsec security-association lifetime command:
Router# show crypto ipsec security-association lifetime
Security-association lifetime: 4608000 kilobytes/120 seconds
The following configuration was in effect when the previous show crypto ipsec security-association lifetime command was issued:
crypto ipsec security-association lifetime seconds 120
show crypto ipsec transform-set
To display the configured transform sets or active default transform sets, use the show crypto ipsec transform-set command in privileged EXEC mode.
show crypto ipsec transform-set [tag transform-set-name]
Syntax Description
tag transform-set-name
|
(Optional) Only the specified transform sets are displayed.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
12.2(13)T
|
The command output was expanded to include a warning message for users who try to configure an IP Security (IPsec) transform that the hardware does not support.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
12.4(20)T
|
The command output was expanded to include information about active default transform sets.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Usage Guidelines
There are two default transform sets supported in Cisco IOS k9 images only:
•
Esp-aes esp-sha-hmac
•
Esp-3des esp-sha-hmac
The show crypto ipsec transform-set command will display the default transform sets if there are no other transform set configured, you have not disabled the default transform sets by issuing the no crypto ipsec default transform-set command, and the crypto engine supports the encryption algorithm.
Examples
The following is sample output for the show crypto ipsec transform-set command when the default transform sets have been disabled with the no crypto ipsec default transform-set command:
Router# show crypto ipsec transform-set
Transform set combined-des-sha: {esp-des esp-sha-hmac}
will negotiate = { Tunnel, },
Transform set combined-des-md5: {esp-des esp-md5-hmac}
will negotiate = { Tunnel, },
Transform set t1: {esp-des esp-md5-hmac}
will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
will negotiate = {Tunnel,},
will negotiate = {Tunnel,},
The following configuration was in effect when the previous show crypto ipsec transform-set command was issued:
crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t100 ah-sha-hmac
crypto ipsec transform-set t2 ah-sha-hmac esp-des
no crypto ipsec default transform-set
The following sample output from the show crypto ipsec transform-set command displays a warning message after a user tries to configure an IPsec transform that the hardware does not support:
Router# show crypto ipsec transform-set
Transform set transform-1:{ esp-256-aes esp-md5-hmac }
will negotiate = { Tunnel, },
WARNING: encryption hardware does not support transform esp-aes 256 within IPSec transform
transform-1
The following is sample output for the show crypto ipsec transform-set command when the default transform sets are active and the crypto engine supports the encryption algorithm:
Router# show crypto ipsec transform-set
Transform set asset: { esp-256-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set aesset: { esp-256-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac }
will negotiate = { Transport, },
Related Commands
Command
|
Description
|
show crypto ipsec default transform-set
|
Displays the default IPsec transform sets.
|
show crypto ipsec transform-set
|
Displays the configured transform sets.
|
show crypto map (IPsec)
|
Displays the crypto map configuration.
|
show crypto isakmp default policy
To display the default Internet Key Exchange (IKE) policies currently in use, use the show crypto isakmp default policy command in privileged EXEC mode.
show crypto isakmp default policy
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Usage Guidelines
If you have neither manually configured IKE policies with the crypto isakmp policy command nor issued the no crypto isakmp default policy command, IPsec will use the default IKE policies to negotiate IKE proposals. There are eight default IKE default policies supported (see Table 101). The default IKE policies define the following policy set parameters:
•
The priority, 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority.
•
The authentication method, Rivest, Shamir, and Adelman (RSA) or preshared keys (PSK).
•
The encryption method, Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES).
•
The hash function, Secure Hash Algorithm (SHA-1) or Message-Digest algorithm 5 (MD5).
•
The Diffie-Hellman (DH) group specification DH2 or DH5.
–
DH2 specifies the 768-bit Diffie-Hellman group.
–
DH5 specifies the 1536-bit Diffie-Hellman group.
Table 101
Priority
|
Authentication
|
Encryption
|
Hash
|
Diffie-Hellman
|
65507
|
RSA
|
AES
|
SHA
|
DH5
|
65508
|
PSK
|
AES
|
SHA
|
DH5
|
65509
|
RSA
|
AES
|
MD5
|
DH5
|
65510
|
PSK
|
AES
|
MD5
|
DH5
|
65511
|
RSA
|
3DES
|
SHA
|
DH2
|
65512
|
PSK
|
3DES
|
SHA
|
DH2
|
65513
|
RSA
|
3DES
|
MD5
|
DH2
|
65514
|
PSK
|
3DES
|
MD5
|
DH2
|
Default IKE Policies
If you have manually configured IKE policies and you issue the show crypto isakmp default policy command there is no output, since the default IKE policies are not in use.
Examples
The following example displays the eight default policies with protection suites of priorities 65507-65014. The default policies are displayed since there are no user configured policies, the default policies have not been disabled, and EzVPN is not configured.
Router# show crypto isakmp default policy
Default protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Message Digest 5
authentication method: pre-shared key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
The following example shows that there is no output from the show crypto isakmp default policy command when the default policies have been disabled.
Router(config)# no crypto isakmp default policy
! The default IKE policies have been disabled.
Router# configure terminal
Router# show crypto isakmp default policy
! There is no output from the show crypto isakmp default policy command.
Related Commands
Command
|
Description
|
crypto isakmp policy
|
Defines an IKE policy.
|
no crypto isakmp default policy
|
Disables IKE default policies.
|
show crypto isakmp policy
|
Displays the parameters for each IKE policy.
|
show crypto isakmp key
To list the keyrings and their preshared keys, use the show crypto isakmp key command in privileged EXEC mode.
show crypto isakmp key
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(15)T
|
This command was introduced.
|
12.4(4)T
|
IPv6 address information was added to command output.
|
Cisco IOS XE Release 2.1
|
This command was introduced on Cisco ASR 1000 Series Routers.
|
Examples
The following is sample output for the show crypto isakmp key command:
Router# show crypto isakmp key
Hostname/Address Preshared Key
The following configuration was in effect when the above show crypto isakmp key command was issued:
pre-shared-key address 172.16.1.1 key vpn1
pre-shared-key address 10.1.1.1 key vpn2
Table 102 describes significant fields in the show crypto isakmp key profile.
Table 102 show crypto isakmp key Field Descriptions
Field
|
Description
|
Hostname/Address
|
The preshared key host name or address.
|
Preshared Key
|
The preshared key.
|
keyring
|
Name of the crypto keyring. The global keys are listed in the default keyring.
|
VRF string
|
The Virtual Private Network routing and forwarding (VRF) of the keyring. If the keyring does not have a VRF, an empty string is printed.
|
show crypto isakmp peers
To display the Internet Security Association and Key Management Protocol (ISAKMP) peer descriptions, use the show crypto isakmp peers command in privileged EXEC mode.
show crypto isakmp peers [ipaddress | ipv6address | config [peername]]
Syntax Description
ipaddress
|
(Optional) The IP address of the specific peer.
Note If the optional ipaddress argument is not included with the command, a summarization of all peers is displayed.
|
ipv6address
|
(Optional) The IPv6 address of the specific peer.
|
config
|
(Optional) Displays detailed information about all peers or a specific peer.
|
peername
|
(Optional) The peer name.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(18)SXD
|
This command was integrated into Cisco IOS Release 12.2(18)SXD.
|
12.4(4)T
|
The config keyword was added.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.4(11)T
|
The show crypto isakmp peer command name was changed to show crypto isakmp peers.
|
Cisco IOS XE Release 2.1
|
This command was integrated into Cisco IOS XE Release 2.1 on the Cisco ASR 1000 Series Routers.
|
Usage Guidelines
Before you can use the config keyword, the following commands must be enabled for the accounting update to work correctly: aaa accounting update with new info keyword and radius-server vsa send with accounting keyword.
Examples
The following output example shows information about the peer named "This-is-another-peer-at-10-1-1-3":
Router# show crypto isakmp peers
Description: This-is-another-peer-at-10-1-1-3
In the following example, the config keyword is used to display all manageability information for an Easy VPN remote device. Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and security appliances. It greatly simplifies VPN deployment for remote offices and mobile workers. The fields are self-explanatory.
Router# show crypto isakmp peers config
Client-Public-Addr=192.168.10.2:500; Client-Assigned-Addr=172.16.1.209;
Client-Group=branch; Client-User=branch; Client-Hostname=branch.; Client-Platform=Cisco
1711; Client-Serial=FOC080210E2 (412454448); Client-Config-Version=11;
Client-Flash=33292284; Client-Available-Flash=10202680; Client-Memory=95969280;
Client-Free-Memory=14992140; Client-Image=flash:c1700-advipservicesk9-mz.ef90241;
Client-Public-Addr=192.168.10.3:500; Client-Assigned-Addr=172.16.1.121;
Client-Group=store; Client-User=store; Client-Hostname=831-storerouter.;
Client-Platform=Cisco C831; Client-Serial=FOC08472UXR (1908379618);
Client-Config-Version=2; Client-Flash=24903676; Client-Available-Flash=5875028;
Client-Memory=45298688; Client-Free-Memory=6295596;
Client-Image=flash:c831-k9o3y6-mz.ef90241
Related Commands
Command
|
Description
|
aaa accounting update
|
Enables the periodic interim accounting records to be sent to the accounting server.
|
radius-server vsa send
|
Configures the network access server (NAS) to recognize and use vendor-specific attributes (VSAs).
|
clear crypto session
|
Deletes crypto sessions (IPSec and IKE) SAs.
|
show crypto session
|
Displays status information for active crypto sessions in a router.
|
show crypto isakmp policy
To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in privileged EXEC mode.
show crypto isakmp policy
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3T
|
This command was introduced.
|
12.2(13)T
|
The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.
|
12.4(4)T
|
Support for IPv6 was added.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
12.4(20)T
|
The command output was expanded to include default IKE policies.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Usage Guidelines
There are eight default IKE default policies supported with protection suites of priorities 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority. If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies by issuing the no crypto isakmp default policy command, the default IKE policies will be displayed when the show crypto isakmp policy command is issued.
Examples
The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):
Router# show crypto isakmp policy
Protection suite priority 15
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #2 (1024 bit)
lifetime: 5000 seconds, no volume limit
Protection suite priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: preshared Key
Diffie-Hellman Group: #1 (768 bit)
lifetime: 10000 seconds, no volume limit
encryption algorithm: DES - Data Encryption Standard (56 bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman Group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Note
Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.
The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:
Router# show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
lifetime: 3600 seconds, no volume limit
The following sample output from the show crypto isakmp policy command displays the default IKE policies. The manually configured IKE policies with priorities 10 and 20 have been removed.
Router(config)# no crypto isakmp policy 10
Router(config)# no crypto isakmp policy 20
R1# show crypto isakmp policy
Protection suite of priority 65507
encryption algorithm: AES - Advanced Encryption Standard (128 bit key.
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65508
encryption algorithm: AES - Advanced Encryption Standard (128 bit key.
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65509
encryption algorithm: AES - Advanced Encryption Standard (128 bit key.
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65510
encryption algorithm: AES - Advanced Encryption Standard (128 bit key.
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65511
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65512
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65513
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Protection suite of priority 65514
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
The field descriptions in the display are self-explanatory.
Related Commands
Command
|
Description
|
authentication (IKE policy)
|
Specifies the authentication method within an IKE policy.
|
crypto isakmp policy
|
Defines an IKE policy.
|
encryption (IKE policy)
|
Specifies the encryption algorithm within an IKE policy.
|
group (IKE policy)
|
Specifies the DH group identifier within an IKE policy.
|
hash (IKE policy)
|
Specifies the hash algorithm within an IKE policy.
|
lifetime (IKE policy)
|
Specifies the lifetime of an IKE SA.
|
show crypto isakmp default policy
|
Displays the default IKE policies.
|
show crypto isakmp profile
To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in privileged EXEC mode.
show crypto isakmp profile [tag profilename | vrf vrfname]
Syntax Description
tag profilename
|
(Optional) Displays ISAKMP profile details specified by the profile name.
|
vrf vrfname
|
(Optional) Displays ISAKMP profile details specified by the VPN routing/forwarding instance (VRF) name.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(15)T
|
This command was introduced.
|
12.4(4)T
|
IPv6 support was added.
|
12.4(11)T
|
The tag profilename and vrf vrfname keywords and arguments were added.
|
Cisco IOS XE Release 2.1
|
This command was introduced on Cisco ASR 1000 Series Routers.
|
Examples
The following is sample output from the show crypto isakmp profile command:
Router# show crypto isakmp profile
Identity presented is: ip-address
The following sample output shows information for an IPv6 router:
Router# show crypto isakmp profile
ipv6-address 2001:0DB8:0:1::1/32
Certificate maps matched are:
Identity presented is: ipv6-address fqdn
Table 103 describes the significant fields shown in the display.
Table 103 show crypto isakmp profile Field Descriptions
Field
|
Description
|
ISAKMP PROFILE
|
Name of the ISAKMP profile.
|
Identities matched are:
|
Lists all identities that the ISAKMP profile will match.
|
Identity presented is:
|
The identity that the ISAKMP profile will present to the remote endpoint.
|
The following configuration was in effect when the preceding show crypto isakmp profile command was issued:
crypto isakmp profile vpn1-ra
match identity group vpn1-ra
client authentication list aaa-list
isakmp authorization list aaa
client configuration address initiate
client configuration address respond
Related Commands
Command
|
Description
|
show crypto isakmp key
|
Lists the keyrings and their preshared keys.
|
show crypto isakmp sa
To display current Internet Key Exchange (IKE) security associations (SAs), use the show crypto isakmp sa command in privileged EXEC mode.
show crypto isakmp sa [active | standby | detail | nat] [vrf vrfname]
Syntax Description
active
|
(Optional) Displays high availability- (HA-) enabled Internet Security Association and Key Management Protocol (ISAKMP) SAs that are in the active state.
|
standby
|
(Optional) Displays HA-enabled ISAKMP SAs that are in the standby state.
|
detail
|
(Optional) Displays all existing IKE SAs, whether in an active or standby state.
|
nat
|
(Optional) Displays IKE SAs that have undergone network address translation (NAT).
|
vrf vrfname
|
(Optional) Displays IKE SA details about the specified VRF.
• The vrfname value is the name of the VRF.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
12.3(11)T
|
The active and standby keywords were added.
|
12.4(4)T
|
IPv6 information was added to the command output. The detail and nat keywords were added.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.4(11)T
|
The vrf vrfname keyword and argument were added.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
If neither the active keyword nor the standby keyword is specified, current SAs for all configured routers will be shown. Use the nat keyword to display the IP address and port address of a remote peer when NAT is used.
Examples
The following sample output shows the SAs of both the active and standby devices:
Router# show crypto isakmp sa
dst src state conn-id slot status
10.165.201.3 10.165.200.225 QM_IDLE 2 0 STDBY
10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVE
The following sample output shows the SAs of only the active device:
Router# show crypto isakmp sa active
dst src state conn-id slot status
10.165.201.3 10.165.200.225 QM_IDLE 5 0 ACTIVE
The following sample output shows the SAs of only the standby device:
Router# show crypto isakmp sa standby
dst src state conn-id slot status
10.165.201.3 10.165.200.225 QM_IDLE 5 0 STDBY
10.165.201.3 10.165.200.225 QM_IDLE 1 0 STDBY
The following sample output shows the SAs of an active IPv6 device. The IPv4 device is inactive.
Router# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH
Lifetime Cap.
IPv6 Crypto ISAKMP SA
dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
src: 3FFE:2002::A8BB:CCFF:FE01:9002
conn-id: 1001 I-VRF: Status: ACTIVE Encr: des Hash: sha Auth:
psk
DH: 1 Lifetime: 23:45:00 Cap: D Engine-id:Conn-id = SW:1
dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
src: 3FFE:2002::A8BB:CCFF:FE01:9002
conn-id: 1002 I-VRF: Status: ACTIVE Encr: des Hash: sha Auth:
psk
DH: 1 Lifetime: 23:45:01 Cap: D Engine-id:Conn-id = SW:2
Table 104 through Table 107 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the main mode (MM_xxx) states may be observed.
Table 104 States in Main Mode Exchange
State
|
Explanation
|
MM_NO_STATE
|
The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.
|
MM_SA_SETUP
|
The peers have agreed on parameters for the ISAKMP SA.
|
MM_KEY_EXCH
|
The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.
|
MM_KEY_AUTH
|
The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.
|
Table 105 States in Aggressive Mode Exchange
State
|
Explanation
|
AG_NO_STATE
|
The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.
|
AG_INIT_EXCH
|
The peers have done the first exchange in aggressive mode, but the SA is not authenticated.
|
AG_AUTH
|
The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a quick mode exchange begins.
|
Table 106 States in Quick Mode Exchange
State
|
Explanation
|
QM_IDLE
|
The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.
|
Table 107 show crypto isakmp sa Field Descriptions
Field
|
Description
|
f_vrf/i_vrf (not shown)
|
The front door virtual routing and forwarding (FVRF) and the inside VRF (IVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.
|
Related Commands
Command
|
Description
|
crypto isakmp policy
|
Defines an IKE policy.
|
lifetime (IKE policy)
|
Specifies the lifetime of an IKE SA.
|
show crypto key mypubkey rsa
To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode.
show crypto key mypubkey rsa
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
12.3(7)T
|
The show output was modified to display whether an RSA key is protected (encrypted) and locked or unlocked.
|
12.2(18)SXE
|
This command was integrated into Cisco IOS Release 12.2(18)SXE.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
15.0(1)M
|
This command was modified to display whether redundancy is specified in the crypto_key_generate_rsa command.
|
Usage Guidelines
This command displays the RSA public keys of your router.
Note
Secure Shell (SSH) may generate an additional RSA keypair if you generate a keypair on a router having no RSA keys. The additional keypair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the keyname is "router1.cisco.com.server."
Examples
The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.
% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
005C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router# show crypto key mypubkey rsa
% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC
23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
Router# show crypto key mypubkey rsa
% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001
The string "Redundancy enabled" in the following example indicates that the redundancy keyword
was specified when the key was generated by the crypto_key_generate_rsa command.
Router#show crypto key mypubkey rsa MYKEYS
% Key pair was generated at: 07:38:04 GMT Oct 02 2009
Storage Device: not specified
Usage: General Purpose Key
Key is not exportable. Redundancy enabled.
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00A63726 28C9EE7D
A89AF6E1 5B42A854 A76EDF9F 35681024 A7868113 B93E2384 EF15CD78 8467A797
F946268F 067FF15E A1734BE6 3E3444C2 BAE00618 BCAED5A3 BB020301 0001
Related Commands
Command
|
Description
|
crypto key encrypt rsa
|
Encrypts the RSA private key.
|
crypto key generate rsa
|
Generates RSA key pairs.
|
crypto key lock rsa
|
Locks the RSA private key in a router.
|
show crypto key pubkey-chain rsa
To display the RSA public keys of the peer that are stored on the router, use the show crypto key pubkey-chain rsa command in user EXEC mode or privileged EXEC mode.
show crypto key pubkey-chain rsa [address key-address | name key-name | vrf vrf-name [address
ip-address]]
Syntax Description
address key-address
|
(Optional) Address of a specific key to view.
|
name key-name
|
(Optional) Name of a specific key to view.
|
vrf vrf-name
|
(Optional) Name of a specific Virtual Private Network (VPN) Routing and Forwarding (VRF) instance for which to display keys.
|
address ip-address
|
(Optional) IP address belonging to a VRF instance.
|
Command Default
Information is displayed for all RSA public keys stored on the router.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Cisco IOS XE Release 2.1
|
This command was integrated into Cisco IOS XE Release 2.1.
|
Usage Guidelines
The keys that are displayed include peers' RSA public keys that are manually configured at the router and keys that are received by the router via other means (such as by a certificate, if certification authority support is configured).
If a router reboots, any keys derived by certificates are lost. This is because the router requests certificates again (then the keys are derived again).
Examples
The following example shows how to display information for all RSA public keys stored on the router:
Router# show crypto key pubkey-chain rsa
Codes: M - Manually Configured, C - Extracted from certificate
Code Usage IP-address Keyring Name
M Signature 209.165.200.225 default myrouter.example.com
M Encryption 209.165.202.129 default myrouter.example.com
C Signature 209.165.200.225 default routerA.example.com
C Encryption 209.165.202.129 default routerA.example.com
C General 209.165.200.225 default routerB.domain1.com
The example above shows manually configured special usage RSA public keys for the peer myrouter.example.com. This sample also indicates certificate support and therefore shows three keys obtained from peers' certificates: special usage keys for peer routerA.example.com and a general purpose key for peer routerB.domain1.com.
The following example shows how to display keys for a specific VRF instance.
Router# show crypto key pubkey-chain rsa vrf
Code Usage IP-Address/VRF Keyring Name
M General 209.165.200.225 default Key_1
M General 209.165.202.129 default Key_2
The following example shows how to display details for a key named somerouter.example.com:
Router# show crypto key pubkey-chain rsa name somerouter.example.com
Key name: somerouter.example.com
Key address: 209.165.200.225
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
Key name: somerouter.example.com
Key address: 209.165.200.225
00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21
Note
The Source field in the above example displays "Manual," which means that the keys were manually configured on the router (and not received in the peer's certificate).
The following example shows how to display details for a key with address 209.165.202.129:
Router# show crypto key pubkey-chain rsa address 209.165.202.129
Key name: routerB.example.com
Key address: 209.165.202.129
Usage: General Purpose Key
0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1
Note
The Source field in the above example displays "Certificate," which means that the keys were received by the router from the certificate authority.
Table 108 describes the significant fields shown in the displays.
Table 108 show crypto key pubkey-chain rsa Field Descriptions
Field
|
Description
|
Code
|
Source of the key: M (manually configured at the router) or C (received by the router via a certificate).
|
Usage
|
Purpose of the key: general purpose, signature, or encryption).
|
IP-Address/VRF
|
IP address or VRF of the key.
|
Keyring
|
Name of the keyring that stores the key. The possible values are either the name of a user-defined keyring or default (the default keyring).
|
Name
|
Name of the key. For manually inserted keys (code M), this name is manually configured. For keys that are extracted from the certificate (code C) the name is the subject name in the certificate itself.
|
Data
|
The contents of the key itself.
|
Related Commands
Command
|
Description
|
crypto key pubkey-chain rsa
|
Enters public key configuration mode (so you can manually specify other devices' RSA public keys).
|
rsa-pubkey
|
Defines the RSA manual key to be used for encryption or signature during IKE authentication.
|
show crypto map (IPsec)
To display the crypto map configuration, use the show crypto map command in user EXEC or privileged EXEC mode.
show crypto map [gdoi fail-close map-name | interface interface | tag map-name]
Syntax Description
gdoi
|
(Optional) Displays information about the status of the Group Domain of Interpretation (GDOI) fail-close mode.
|
fail-close
|
Specifies the list of crypto maps configured with the fail-close mode.
|
map-name
|
Name of the specified crypto map.
|
interface interface
|
(Optional) Displays only the crypto map set that is applied to the specified interface.
|
tag
|
(Optional) Displays only the crypto map set that is specified.
|
Command Default
No crypto maps are displayed.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
12.3(8)T
|
This command was integrated into Cisco IOS Release 12.3(8)T. The output was modified to display the crypto input and output Access Control Lists (ACLs) that have been configured.
|
12.4(4)T
|
This command was integrated into Cisco IOS Release 12.4(4)T. IPv6 address information was added to command output.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.2SX
|
This command was integrated into Cisco IOS Release 12.2SX. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
12.4(20)T
|
This command was integrated into Cisco IOS Release 12.4(20)T. The default transform set information was added to command output.
|
12.4(22)T
|
This command was integrated into Cisco IOS Release 12.4(22)T. The gdoi fail-close keywords and the map-tag arguments were added.
|
Cisco IOS XE Release 2.3
|
This command was modified. It was integrated into Cisco IOS XE Release 2.3.
|
Usage Guidelines
The show crypto map command allows you to specify a particular crypto map. The crypto maps shown in the command output are dynamically generated; you need not configure crypto maps in order for them to appear in this command output.
Two default transform sets are supported in Cisco IOS K9 images only:
•
Esp-aes esp-sha-hmac
•
Esp-3des esp-sha-hmac
The show crypto map command displays the default transform sets if no other transform sets are configured for the crypto map, if you have not disabled the default transform sets by issuing the no crypto ipsec default transform-set command, and if the crypto engine supports the encryption algorithm.
Examples
The following example shows that crypto input and output ACLs have been configured:
Crypto Map "test" 10 ipsec-isakmp
Extended IP access list ipsec_acl
access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255
Extended IP access check IN list 110
access-list 110 permit ip host 192.168.102.47 192.168.2.0 10.0.0.15
access-list 110 permit ip host 192.168.102.47 192.168.2.32 10.0.0.15
access-list 110 permit ip host 192.168.102.47 192.168.2.64 10.0.0.15
access-list 110 permit ip host 192.168.102.57 192.168.2.0 10.0.0.15
access-list 110 permit ip host 192.168.102.57 192.168.2.32 10.0.0.15
access-list 110 permit ip host 192.168.102.57 192.168.2.64 10.0.0.15
Extended IP access check OUT list 120
access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.47
access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.47
access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.47
access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.57
access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.57
access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.57
Security association lifetime: 4608000 kilobytes/3600 seconds
Interfaces using crypto map test:
Table 109 describes the significant fields shown in the display.
Table 109 show crypto map Field Descriptions
Field
|
Description
|
Peer
|
Possible peers that are configured for this crypto map entry.
|
Extended IP access list
|
Access list that is used to define the data packets that need to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list is used to check the inbound return packets, which are also encrypted. Packets that are denied by the "reverse" access list are dropped because they should have been encrypted but were not.
|
Extended IP access check
|
Access lists that are used to more finely control which data packets are allowed into or out of the IPsec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.
|
Current peer
|
Current peer that is being used for this crypto map entry.
|
Security association lifetime
|
Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.
|
PFS
|
(Perfect Forward Secrecy) If the field is marked as `Yes', the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is renegotiated each time security association (SA) encryption keys are renegotiated (requires another Diffie-Hillman calculation). If the field is marked as `No', the same ISAKMP SKEYID-d key is used when renegotiating SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.
|
Transform sets
|
List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.
|
Interfaces using crypto map test
|
Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they are decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.
|
The following example displays output from the show crypto map command. No transform sets are configured for the crypto map "mymap," the default transform sets are enabled, and the crypto engine supports the encryption algorithm.
Crypto Map "mymap" 1 ipsec-isakmp
Extended IP access list 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
Security association lifetime: 4608000 kilobytes/3600 seconds
#$!default_transform_set_1: { esp-aes esp-sha-hmac } ,
#$!default_transform_set_0: { esp-3des esp-sha-hmac } ,
Reverse Route Injection Enabled
Interfaces using crypto map mymap:
The following example displays output of the show crypto map command. No transform sets configured for the crypto map "mymap" and the default transform sets have been disabled.
Router(config)# no crypto ipsec default transform-set
Router# configure terminal
Crypto Map "mymap" 1 ipsec-isakmp
Extended IP access list 102
access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
Security association lifetime: 4608000 kilobytes/3600 seconds
! There are no transform sets for the crypto map "mymap."
Reverse Route Injection Enabled
Interfaces using crypto map mymap:
The following example displays output for the show crypto map command and gdoi fail-close keywords (show crypto map gdoi fail-close). Fail-close has been activated. In addition, an implicit "permit ip any any" entry is configured, causing any traffic other than Telnet and Open Shortest Path First (OSPF) to be dropped:
Router# show crypto map gdoi fail-close 23
Fail-Close Access-List: (Deny = Forward In Clear, Permit = Drop)
access-list 105 deny tcp any port = 23 any
access-list 105 deny ospf any any
Related Commands
Command
|
Description
|
show crypto ipsec default transform-set
|
Displays the default IPsec transform sets.
|
show crypto ipsec transform-set
|
Displays the configured transform sets.
|
show crypto mib ipsec flowmib endpoint
To display the IP Security (IPsec) phase-2 tunnel endpoint table, use the show crypto mib ipsec flowmib endpoint command in privileged EXEC mode.
show crypto mib ipsec flowmib endpoint [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Usage Guidelines
The IPsec phase-2 tunnel endpoint table contains an entry for each active endpoint associated with an IPsec phase-2 tunnel.
Examples
The following example displays the IPsec phase 2 tunnel endpoint table for all VRFs:
Router# show crypto mib ipsec flowmib endpoint
Local type: Single IP address
Remote type: Single IP address
Remote address: 192.1.2.2
Local address: 192.1.3.0 255.255.255.0
Remote address: 192.1.3.0 255.255.255.0
Table 110 describes the significant fields shown in the display.
Table 110 show crypto mib ipsec flowmib endpoint Field Descriptions
Field
|
Description
|
Index
|
The number of the endpoint associated with the IPsec phase-2 tunnel table. The value of this index is a number which begins at one and is incremented with each endpoint associated with an IPsec phase-2 tunnel. The index value will wrap at 2,147,483,647.
|
Local type
|
The local endpoint identity type. The three possible values are a single IP address, an IP address range, or an IP subnet.
|
Local address
|
The first IP address of the local endpoint. If the local endpoint type is a single IP address, then the local address is the value of the IP address. If the local endpoint type is an IP address range, then the local address is the value of beginning IP address of the range. If the local endpoint type is an IP subnet, then the local address is the value of the subnet.
|
Protocol
|
The local endpoint traffic protocol number.
|
Local port
|
The local endpoint traffic port number.
|
Remote type
|
The remote endpoint identity type. The three possible values are a single IP address, an IP address range, or an IP subnet.
|
Remote address
|
The first IP address of the remote endpoint. If the remote endpoint type is a single IP address, then the remote address is the value of the IP address. If the remote endpoint type is an IP address range, then the remote address is the value of beginning IP address of the range. If the remote endpoint type is an IP subnet, then the remote address is the value of the subnet.
|
Remote port
|
The remote endpoint traffic port number.
|
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib failure
|
Displays statistics associated with IPsec phase-2 failure.
|
show crypto mib ipsec flowmib global
|
Displays IPsec phase-2 global statistics.
|
show crypto mib ipsec flowmib history
|
Displays statistics associated with previously active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib spi
|
Displays the IPsec phase-2 security protection index (SPI) table.
|
show crypto mib ipsec flowmib tunnel
|
Displays statistics for all active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib failure
To display statistics associated with IP Security (IPsec) phase-2 failure, use the show crypto mib ipsec flowmib failure command in privileged EXEC mode.
show crypto mib ipsec flowmib failure [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays the IPsec phase 2 MIB failure table for all indexes and VRFs:
Router# show crypto mib ipsec flowmib failure
Reason: Operation request
Failure time since reset: 00:25:18
Destination address: 192.1.2.2
Table 111 describes the significant fields shown in the display.
Table 111 show crypto mib ipsec flowmib failure Field Descriptions
Field
|
Description
|
Index
|
The IPsec phase-2 failure table index. The value of the index is a number that begins at one and is incremented with each IPsec phase-1 failure. The index value will wrap at 2,147,483,647.
|
Reason
|
The reason for the failure, which are:
• 1—All other reasons.
• 2—An internal error occurred.
• 3—A peer encoding error occurred.
• 4—A proposal failure occurred.
• 5—A protocol use failure occurred.
• 6—The SA did not exist.
• 7—A decryption failure occurred.
• 8—An encryption failure occurred.
• 9—An inbound authentication failure occurred.
• 10—An outbound authentication failure occurred.
• 11—A compression failure occurred.
• 12—A system capacity failure occurred.
• 13—A peer delete request was received.
• 14—The contact with the peer was lost.
• 15—The sequence rolled over.
• 16—The operator requested tunnel termination.
|
Failure time since reset
|
The value of sysUpTime in hundredths of seconds at the time of the failure
|
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib endpoint
|
Displays IPsec phase-2 tunnel endpoint table.
|
show crypto mib ipsec flowmib global
|
Displays IPsec phase-2 global statistics.
|
show crypto mib ipsec flowmib history
|
Displays statistics associated with previously active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib spi
|
Displays the IPsec phase-2 SPI table.
|
show crypto mib ipsec flowmib tunnel
|
Displays statistics for all active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib global
To display IP Security (IPsec) phase-2 global statistics, use the show crypto mib ipsec flowmib global command in privileged EXEC mode.
show crypto mib ipsec flowmib global [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays IPsec phase 2 global statistics for all VRFs:
Router# show crypto mib ipsec flowmib global
Uncompressed encrypted bytes: 1408
Out uncompressed bytes: 0
System capacity failures: 0
In authentication failures: 0
Out authentication failures: 0
Table 112 describes the significant fields shown in the display.
Table 112 show crypto mib ipsec flowmib global Field Descriptions
Field
|
Description
|
Active Tunnels
|
The total number of currently active IPsec phase-2 tunnels.
|
Previous Tunnels
|
The total number of previously active IPsec phase-2 tunnels.
|
In octets
|
The total number of octets received by all current and previous IPsec phase-2 tunnels. The total number is accumulated before determining whether or not the packet should be decompressed.
|
Out octets
|
The total number of octets sent by all current and previous IPsec phase-2 Tunnels. The total number is accumulated after determining whether or not the packet should be compressed.
|
In packets drops
|
The total number of packets dropped during receive processing by all current and previous IPsec phase-2 tunnels. The total number does not include packets dropped due to anti-replay processing.
|
Out packets drops
|
The total number of packets dropped during send processing by all current and previous IPsec phase-2 tunnels.
|
In replay drops
|
The total number of packets dropped during receive processing due to anti-replay processing by all current and previous IPsec phase-2 tunnels.
|
No SA failures
|
The total number of non-existent SA inbound failures that occurred during processing of all current and previous IPsec phase-2 tunnels.
|
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib endpoint
|
Displays IPsec phase-2 tunnel endpoint table.
|
show crypto mib ipsec flowmib failure
|
Displays statistics associated with IPsec phase-2 failure.
|
show crypto mib ipsec flowmib history
|
Displays statistics associated with previously active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib spi
|
Displays the IPsec phase-2 SPI table.
|
show crypto mib ipsec flowmib tunnel
|
Displays statistics for all active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib history
To display statistics associated with previously active IP Security (IPsec) phase-2 tunnels, use the show crypto mib ipsec flowmib history command in privileged EXEC mode.
show crypto mib ipsec flowmib history [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays the IPsec phase 2 history statistics for all VRFs:
Router# show crypto mib ipsec flowmib history
Reason: Operation request
Remote address: 192.1.2.2
Lifetime threshold (KB): 423559168
Lifetime threshold (Sec): 3590000
Total number of refreshes: 0
In sa encrypt algorithm des
In SA auth algorithm: rsig
In SA ESP auth algo: ESP_HMAC_SHA
In SA uncompress algorithm: None
Out SA encryption algorithm: des
Out SA auth algorithm: ESP_HMAC_SHA
Out SA ESP auth algorithm: ESP_HMAC_SHA
Out SA uncompress algorithm: None
In authentication failures: 0
Out uncompressed octets: 704
Out authentication failures: 0
Out encryption failures: 0
Out uncompressed octets: 704
Table 113 describes the significant fields shown in the display.
Table 113 show crypto mib ipsec flowmib history Field Descriptions
Field
|
Description
|
Reason
|
The reason the IPsec phase-2 tunnel was terminated, which are:
• 1—All other reasons.
• 2—The tunnel terminated normally.
• 3—The operator requested the tunnel termination.
• 4—A peer delete request was received.
• 5—The contact with peer was lost.
• 6—A local failure occurred.
• 7—The operator initiated a check point request.
|
Index
|
The index of the IPsec phase-2 tunnel history table. The value of the index is an integer that begins at one and is incremented with each tunnel that ends. The index value will wrap at 2,147,483,647.
|
IPSEC keying
|
The type of key used by the IPsec phase-2 tunnel.
|
Total number of refreshes
|
The total number of SA refreshes performed.
|
In octets
|
The total number of octets received by the IPsec phase-2 tunnel. The value is accumulated before determining whether or not the packet should be decompressed.
|
In drops
|
The total number of packets dropped during receive processing by this IPsec phase-2 tunnel. The number of drops does not include packets dropped due to anti-replay processing.
|
In replay drops
|
The total number of packets dropped during receive processing due to anti-replay processing by the IPsec phase-2 tunnel.
|
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib endpoint
|
Displays IPsec phase-2 tunnel endpoint table.
|
show crypto mib ipsec flowmib failure
|
Displays statistics associated with IPsec phase-2 failure.
|
show crypto mib ipsec flowmib global
|
Displays IPsec phase-2 global statistics.
|
show crypto mib ipsec flowmib spi
|
Displays the IPsec phase-2 SPI table.
|
show crypto mib ipsec flowmib tunnel
|
Displays statistics for all active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib history failure size
To display the size of the IP Security (IPSec) failure history table, use the show crypto mib ipsec flowmib history failure size command in privileged EXEC mode.
show crypto mib ipsec flowmib history failure size
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(4)E
|
This command was introduced.
|
12.2(4)T
|
This command was integrated into Cisco IOS Release 12.2(4)T.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show crypto mib ipsec flowmib history failure size command to display the size of the failure history table.
Examples
The following is sample output from the show crypto mib ipsec flowmib history failure size command:
Router# show crypto mib ipsec flowmib history failure size
IPSec Failure Window size: 140
Related Commands
Command
|
Description
|
crypto mib ipsec flowmib history failure size
|
Changes the size of the IPSec failure history table.
|
show crypto mib ipsec flowmib version
|
Displays the IPSec Flow MIB version used by the router.
|
show crypto mib ipsec flowmib history tunnel size
To display the size of the IP Security (IPSec) tunnel history table, use the show crypto mib ipsec flowmib history tunnel size command in privileged EXEC mode.
show crypto mib ipsec flowmib history tunnel size
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(4)E
|
This command was introduced.
|
12.2(4)T
|
This command was integrated into Cisco IOS Release 12.2(4)T.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show crypto mib ipsec flowmib history tunnel size command to display the size of the tunnel history table.
Examples
The following is sample output from the show crypto mib ipsec flowmib history tunnel size command:
Router# show crypto mib ipsec flowmib history tunnel size
IPSec History Window Size: 130
Related Commands
Command
|
Description
|
crypto mib ipsec flowmib history tunnel size
|
Changes the size of the IPSec tunnel history table.
|
show crypto mib ipsec flowmib version
|
Displays the IPSec Flow MIB version used by the router.
|
show crypto mib ipsec flowmib spi
To display the IP Security (IPsec) phase-2 security protection index (SPI) table, use the show crypto mib ipsec flowmib spi command in privileged EXEC mode.
show crypto mib ipsec flowmib spi [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Usage Guidelines
The IPsec phase-2 SPI table contains an entry for each active and expiring security association (SA).
Examples
The following example displays the IPsec phase-2 SPI table for all VRFs:
Router# show crypto mib ipsec flowmib spi
The field descriptions in the display are self-explanatory.
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib endpoint
|
Displays IPsec phase-2 tunnel endpoint table.
|
show crypto mib ipsec flowmib failure
|
Displays statistics associated with IPsec phase-2 failure.
|
show crypto mib ipsec flowmib global
|
Displays IPsec phase-2 global statistics.
|
show crypto mib ipsec flowmib history
|
Displays statistics associated with previously active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib tunnel
|
Displays statistics for all active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib tunnel
To display statistics for all active IP Security (IPsec) phase-2 tunnels, use the show crypto mib ipsec flowmib tunnel command in privileged EXEC mode.
show crypto mib ipsec flowmib tunnel [index tunnel-mib-index] [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
index tunnel-mib-index
|
(Optional) Displays tunnel MIB information for the specified active tunnel.
The tunnel MIB index is an integer, 0-65535.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays statistics for all active IPsec phase-2 tunnels for all tunnel indexes and VRFs:
Router# show crypto mib ipsec flowmib tunnel
Remote address: 192.0.2.2
Lifetime threshold (KB): 64
Lifetime threshold (Sec): 10
Total number of refreshes: 0
In sa encrypt algorithm: des
In SA auth algorithm: rsig
In SA ESP auth algo: ESP_HMAC_SHA
In SA uncompress algorithm: None
Out SA encryption algorithm: des
Out SA auth algorithm: ESP_HMAC_SHA
Out SA ESP auth algorithm: ESP_HMAC_SHA
Out SA uncompress algorithm: None
In authentication failures: 0
Out uncompressed octets: 704
Out authentication failures: 0
Out encryption failures: 0
Out uncompressed octets: 704
Table 114 describes the significant fields shown in the display.
Table 114 show crypto mib ipsec flowmib tunnel Field Descriptions
Field
|
Description
|
Index
|
The index of the IPsec phase-2 tunnel table. The index value is an integer that begins at one and is incremented with each tunnel that is created. The index value will wrap at 2,147,483,647.
|
Total number of refreshes
|
The total number of SA refreshes performed.
|
Current SA instances
|
The number of SA instances that are currently active or expiring.
|
In octets
|
The total number of octets received by the IPsec phase-2 tunnel. This total number is accumulated before determining whether or not the packet should be decompressed.
|
Decompressed octets
|
The total number of decompressed octets received by the IPsec phase-2 tunnel. The total number is accumulated after the packet is decompressed. If compression is not being used, the total number will match the value of cipSecTunInOctets.
|
In drops
|
The total number of packets dropped during receive processing by the IPsec phase-2 tunnel. This count does not include packets dropped due to anti-replay processing.
|
In replay drops
|
The total number of packets dropped during receive processing due to anti-replay processing by the IPsec phase-2 tunnel.
|
Out octets
|
The total number of octets sent by the IPsec phase-2 tunnel. This value is accumulated after determining whether or not the packet should be compressed.
|
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib endpoint
|
Displays IPsec phase-2 tunnel endpoint table.
|
show crypto mib ipsec flowmib failure
|
Displays statistics associated with IPsec phase-2 failure.
|
show crypto mib ipsec flowmib global
|
Displays IPsec phase-2 global statistics.
|
show crypto mib ipsec flowmib history
|
Displays statistics associated with previously active IPsec phase-2 tunnels.
|
show crypto mib ipsec flowmib spi
|
Displays the IPsec phase-2 SPI table.
|
show crypto mib ipsec flowmib version
To display the IP Security (IPSec) MIB version used by the router, use the show crypto mib ipsec flowmib version command in privileged EXEC mode.
show crypto mib ipsec flowmib version
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1(4)E
|
This command was introduced.
|
12.2(4)T
|
This command was integrated into Cisco IOS Release 12.2(4)T.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
|
Usage Guidelines
Use the show crypto mib ipsec flowmib version command to display the MIB version used by the management applications to identify the feature set.
Note
The MIB version can also be obtained by querying the MIB element cipSecMibLevel using Simple Network Management Protocol (SNMP).
Examples
The following is sample output from the show crypto mib ipsec flowmib version command:
Router# show crypto mib ipsec flowmib version
IPSec Flow MIB version: 1
Related Commands
Command
|
Description
|
show crypto mib ipsec flowmib history failure size
|
Displays the size of the IPSec failure history table.
|
show crypto mib ipsec flowmib history tunnel size
|
Displays the size of the IPSec tunnel history table.
|
show crypto mib isakmp flowmib failure
To display the statistics associated with an Internet Security Association and Key Management Protocol (ISAKMP) phase-1 failure, use the show crypto mib isakmp flowmib failure command in privileged EXEC mode.
show crypto mib isakmp flowmib failure [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for a specific Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following is sample output from the show crypto mib isakmp flowmib failure command:
Failure time since reset: 00:07:27
Remote type: ID_IPV4_ADDR
Remote Address: 192.0.2.2
Failure time since reset: 00:07:27
Remote type: ID_IPV4_ADDR
Remote Address: 192.0.3.2
Failure time since reset: 00:07:32
Remote type: ID_IPV4_ADDR
Remote Address: 192.0.2.2
Table 115 describes the significant fields shown in the display.
Table 115 show crypto mib isakmp flowmib failure Field Descriptions
Field
|
Description
|
Index
|
The IPsec phase-1 failure table index. The value of the index is a number that begins at one and is incremented with each IPsec phase-1 failure. The index value will wrap at 2,147,483,647.
|
Reason
|
The reason for the failure, which include:
• 1—All other reasons.
• 2—A peer delete request was received.
• 3—The contact with peer was lost.
• 4—A local failure occurred.
• 5—An authentication failure occurred.
• 6—A hash validation failure occurred.
• 7—An encryption failure occurred.
• 8—An internal error occurred.
• 9—A system capacity failure occurred.
• 10—A proposal failure occurred.
• 11—The peer certificate was unavailable.
• 12—The peer certificate was invalid.
• 13—The local certificate expired.
• 14—A certificate revoke list (CRL) failure occurred.
• 15—A peer encoding error occurred.
• 16—The SA did not exist.
• 17—The operator requested tunnel termination.
|
Failure time since reset
|
The value of sysUpTime in hundredths of seconds at the time of the failure.
|
Local type
|
The type of local peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Local value
|
The value of the local peer identity. If the local peer type is an IP address, then the value is the IP address used to identify the local peer. If the local peer type is a hostname, then the value is the hostname used to identify the local peer.
|
Remote type
|
The type of remote peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Remote Value
|
The value of the remote peer identity. If the remote peer type is an IP address, then the value is the IP address used to identify the remote peer. If the remote peer type is a hostname, then the value is the hostname used to identify the remote peer.
|
Local Address
|
The IP address of the local peer.
|
Remote Address
|
The IP address of the remote peer.
|
Related Commands
Command
|
Description
|
show crypto ipsec transform-set
|
Displays configured IPsec transform sets.
|
show crypto map
|
Displays IPsec crypto map configurations.
|
show crypto mib isakmp flowmib global
|
Displays global ISAKMP statistics.
|
show crypto mib isakmp flowmib history
|
Displays statistics associated with previously active ISAKMP tunnels.
|
show crypto mib isakmp flowmib peer
|
Displays attributes for an ISKMP peer association.
|
show crypto mib isakmp flowmib tunnel
|
Displays statistics associated with active ISAKMP tunnels.
|
show crypto mib isakmp flowmib global
To display the global Internet Security Association and Key Management Protocol (ISAKMP) phase-1 statistics, use the show crypto mib isakmp flowmib global command in privileged EXEC mode.
show crypto mib isakmp flowmib global [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for a specific Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays global ISAKMP statistics:
Router# show crypto mib isakmp flowmib global
SAs locally initiated failed: 0
SAs remotely initiated failed: 0
System capacity failures: 0
Authentication failures: 0
Table 116 describes the fields shown in the display.
Table 116 show crypto mib isakmp flowmib global Field Descriptions
Field
|
Description
|
Active Tunnels
|
The number of currently active IPsec phase-1 IKE tunnels.
|
Previous Tunnels
|
The total number of previously active IPsec phase-1 IKE tunnels.
|
In octets
|
The total number of octets received by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out octets
|
The total number of octets sent by all currently and previously active and IPsec phase-1 IKE tunnels.
|
In packets
|
The total number of packets received by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out packets
|
The total number of packets sent by all currently and previously active and IPsec phase-1 tunnels.
|
In packets drop
|
The total number of packets that were dropped during receive processing by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out packets drop
|
The total number of packets that were dropped during send processing by all currently and previously active IPsec phase-1 IKE tunnels.
|
In notifys
|
The total number of notifications received by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out notifys
|
The total number of notifications sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchg
|
The total number of IPsec phase-2 exchanges received by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchg
|
The total number of IPsec phase-2 exchanges that were sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchg invalids
|
The total number of IPsec phase-2 exchanges that were received and found to be invalid by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchg invalids
|
The total number of IPsec phase-2 exchanges that were sent and found to be invalid by all currently and previously active IPsec phase-1 tunnels.
|
In P2 exchg rejects
|
The total number of IPsec phase-2 exchanges that were received and rejected by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchg rejects
|
The total number of IPsec phase-2 exchanges that were sent and rejected by all currently and previously active IPsec phase-1 IKE tunnels.
|
In IPSEC delete
|
The total number of IPsec phase-2 SA delete requests received by all currently and previously active and IPsec phase-1 IKE tunnels.
|
Out IPSEC delete
|
The total number of IPsec phase-2 SA delete requests sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
SAs locally initiated
|
The total number of IPsec phase-1 IKE tunnels that were locally initiated.
|
SAs locally initiated failed
|
The total number of IPsec phase-1 IKE tunnels that were locally initiated and failed to activate.
|
SAs remotely initiated failed
|
The total number of IPsec phase-1 IKE tunnels that were remotely initiated and failed to activate.
|
System capacity failures
|
The total number of system capacity failures that occurred during processing of all current and previously active IPsec phase-1 IKE tunnels.
|
Authentication failures
|
The total number of authentications that ended in failure by all current and previous IPsec phase-1 IKE tunnels.
|
Decrypt failures
|
The total number of decryptions that ended in failure by all current and previous IPsec phase-1 IKE tunnels.
|
Hash failures
|
The total number of hash validations that ended in failure by all current and previous IPsec phase-1 IKE tunnels.
|
Invalid SPI
|
The total number of non-existent SAs in failures which occurred during processing of all current and previous IPsec phase-1 IKE tunnels.
|
Related Commands
Command
|
Description
|
show crypto mib isakmp flowmib failure
|
Displays statistics associated with an ISAKMP failure.
|
show crypto mib isakmp flowmib history
|
Displays statistics associated with previously active ISAKMP tunnels.
|
show crypto mib isakmp flowmib peer
|
Displays attributes for an ISKMP peer association.
|
show crypto mib isakmp flowmib tunnel
|
Displays statistics associated with active ISAKMP tunnels.
|
show crypto mib isakmp flowmib history
To display the statistics associated with previously active Internet Security Association and Key Management Protocol (ISAKMP) phase-1 tunnels, use the show crypto mib isakmp flowmib history command in privileged EXEC mode.
show crypto mib isakmp flowmib history [vrf vrf-name]
Syntax Description
vrf vrf-name
|
(Optional) Displays the parameters for a specific Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays previous ISAKMP phase-1 tunnel information for all VRFs:
Router# show crypto mib isakmp flowmib history
Remote type: ID_IPV4_ADDR
Remote address: 192.0.2.2
Negotiation mode: Main Mode
Out P2 Sa delete requests: 0
Remote type: ID_IPV4_ADDR
Remote address: 192.0.3.2
Negotiation mode: Main Mode
Out P2 Sa delete requests: 0
Table 117 describes the significant fields shown in the display.
Table 117 show crypto mib isakmp flowmib history Field Descriptions
Field
|
Description
|
Reason
|
The reason the IPsec phase-1 IKE tunnel was terminated, which include:
• 1—All other reasons.
• 2—The tunnel terminated normally.
• 3—The operator requested tunnel termination.
• 4—A peer delete request was received.
• 5—The contact with peer was lost.
• 6—A local failure occurred.
• 7—The operator initiated a check point request.
|
Index
|
The index of the IPsec phase-1 IKE tunnel history table. The value of the index is a number that begins at one and is incremented with each tunnel that ends. The value of this object will wrap at 2,147,483,647.
|
Local type
|
The type of local peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Local address
|
The value of the local peer identity. If the local peer type is an IP address, then the value is the IP address used to identify the local peer. If the local peer type is a hostname, then the value is the hostname used to identify the local peer.
|
Remote type
|
The type of remote peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Remote address
|
The value of the remote peer identity. If the remote peer type is an IP address, then the value is the IP address used to identify the remote peer. If the remote peer type is a hostname, then the value is the hostname used to identify the remote peer.
|
Lifetime
|
The negotiated lifetime of the IPsec phase-1 IKE tunnel in seconds.
|
Active time
|
The length of time the IPsec phase-1 IKE tunnel has been active in hundredths of seconds.
|
In octets
|
The total number of octets received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In packets
|
The total number of packets received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In drops
|
The total number of packets that were dropped during receive processing by all currently and previously active IPsec phase-1 IKE tunnels.
|
In notifys
|
The total number of notifications received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchanges
|
The total number of IPsec phase-2 exchanges received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchg invalids
|
The total number of IPsec phase-2 exchanges that were received and found to be invalid by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchg rejected
|
The total number of IPsec phase-2 exchanges that were received and rejected by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 SA delete reqs
|
The total number of IPsec phase-2 SA delete requests received by all currently and previously active and IPsec phase-1 IKE tunnels.
|
Out octets
|
The total number of octets sent by all currently and previously active and IPsec phase-1 IKE tunnels.
|
Out packets
|
The total number of packets sent by all currently and previously active and IPsec phase-1 tunnels.
|
Out drops
|
The total number of packets that were dropped during send processing by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out notifys
|
The total number of notifications sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchgs
|
The total number of IPsec phase-2 exchanges that were sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchg invalids
|
The total number of IPsec phase-2 exchanges that were sent and found to be invalid by all currently and previously active IPsec phase-1 tunnels.
|
Out P2 exchg rejects
|
The total number of IPsec phase-2 exchanges that were sent and rejected by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 Sa delete requests
|
The total number of IPsec phase-2 SA delete requests sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
Related Commands
Command
|
Description
|
show crypto mib isakmp flowmib failure
|
Displays statistics associated with an ISAKMP failure.
|
show crypto mib isakmp flowmib global
|
Displays global ISAKMP statistics.
|
show crypto mib isakmp flowmib peer
|
Displays attributes for an ISKMP peer association.
|
show crypto mib isakmp flowmib tunnel
|
Displays statistics associated with active ISAKMP tunnels.
|
show crypto mib isakmp flowmib peer
To display attributes for an active Internet Security Association and Key Management Protocol (ISAKMP) phase-1 peer association, use the show crypto mib isakmp flowmib peer command in privileged EXEC mode.
show crypto mib isakmp flowmib peer [index peer-mib-index] [vrf vrf-name]
Syntax Description
index peer-mib-index
|
(Optional) Displays MIB information for the specified peer.
The peer MIB index is an integer, 0-65535.
|
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays ISAKMP peer information for all indexes and VRFs:
Router# show crypto mib isakmp flowmib peer
Remote type: ID_IPV4_ADDR
Remote address: 192.0.2.2
Remote type: ID_IPV4_ADDR
Remote address: 192.0.3.1
Remote type: ID_IPV4_ADDR
Remote address: 192.0.4.1
Table 118 describes the significant fields shown in the display.
Table 118 show crypto mib isakmp flowmib peer Field Descriptions
Field
|
Description
|
Index
|
The index of the active IPsec phase-1 IKE tunnel for this peer association. If an IPsec phase-1 IKE tunnel is not currently active, then the value of this object will be zero.
|
Local type
|
The type of local peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Local address
|
The IP address of the local peer.
|
Remote type
|
The type of remote peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Remote address
|
The IP address of the remote peer.
|
Related Commands
Command
|
Description
|
show crypto mib isakmp flowmib failure
|
Displays statistics associated with an ISAKMP failure.
|
show crypto mib isakmp flowmib global
|
Displays global ISAKMP statistics.
|
show crypto mib isakmp flowmib history
|
Displays statistics associated with previously active ISAKMP tunnels.
|
show crypto mib isakmp flowmib tunnel
|
Displays statistics associated with active ISAKMP tunnels.
|
show crypto mib isakmp flowmib tunnel
To display statistics associated with active Internet Security Association and Key Management Protocol (ISAKMP) phase-1 tunnels, use the show crypto mib isakmp flowmib tunnel command in privileged EXEC mode.
show crypto mib isakmp flowmib tunnel [index tunnel-mib-index] [vrf vrf-name]
Syntax Description
index tunnel-mib-index
|
(Optional) Displays tunnel MIB information for the specified tunnel.
The tunnel MIB index is an integer, 0-65535.
|
vrf vrf-name
|
(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following example displays ISAKMP tunnel information for all indexes and VRFs:
Router# show crypto mib isakmp flowmib tunnel
Remote type: ID_IPV4_ADDR
Remote address: 192.0.2.2
Negotiation mode: Main Mode
Out P2 Sa delete requests: 0
Table 119 describes the significant fields shown in the display.
Table 119 show crypto mib isakmp flowmib tunnel Field Descriptions
Field
|
Description
|
Index
|
The index of the IPsec phase-1 IKE tunnel table. The value of the index is a number that begins at one and is incremented with each tunnel that is created. The value of this object will wrap at 2,147,483,647.
|
Local type
|
The type of local peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Local address
|
The value of the local peer identity. If the local peer type is an IP address, then the local address is the IP address used to identify the local peer. If the local peer type is a hostname, then the local address is the hostname used to identify the local peer.
|
Remote type
|
The type of remote peer identity.
• 1—Indicates an IP address identity type.
• 2—Indicates a hostname identity type.
|
Remote address
|
The value of the remote peer identity. If the remote peer type is an IP address, then the remote address is the IP address used to identify the remote peer. If the remote peer type is a hostname, then the remote address is the hostname used to identify the remote peer.
|
Negotiation mode
|
The negotiation mode of the IPsec phase-1 IKE tunnel.
|
Diffie Hellman Grp
|
The Diffie Hellman group used in IPsec phase-1 IKE negotiations.
|
Encryption algo
|
The encryption algorithm used in IPsec phase-1 IKE negotiations.
|
Hash algo
|
The hash algorithm used in IPsec phase-1 IKE negotiations.
|
Auth method
|
The authentication method used in IPsec phase-1 IKE negotiations.
|
Lifetime
|
The negotiated lifetime of the IPsec phase-1 IKE tunnel in seconds
|
Active time
|
The length of time the IPsec phase-1 IKE tunnel has been active in hundredths of seconds.
|
In octets
|
The total number of octets received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In packets
|
The total number of packets received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In drops
|
The total number of packets that were dropped during receive processing by all currently and previously active IPsec phase-1 IKE tunnels.
|
In notifys
|
The total number of notifications received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchanges
|
The total number of IPsec phase-2 exchanges received by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchg invalids
|
The total number of IPsec phase-2 exchanges that were received and found to be invalid by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 exchg rejected
|
The total number of IPsec phase-2 exchanges that were received and rejected by all currently and previously active IPsec phase-1 IKE tunnels.
|
In P2 SA delete reqs
|
The total number of IPsec phase-2 SA delete requests received by all currently and previously active and IPsec phase-1 IKE tunnels.
|
Out octets
|
The total number of octets sent by all currently and previously active and IPsec phase-1 IKE tunnels.
|
Out packets
|
The total number of packets sent by all currently and previously active and IPsec phase-1 tunnels.
|
Out drops
|
The total number of packets that were dropped during send processing by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out notifys
|
The total number of notifications sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchgs
|
The total number of IPsec phase-2 exchanges that were sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 exchg invalids
|
The total number of IPsec phase-2 exchanges that were sent and found to be invalid by all currently and previously active IPsec phase-1 tunnels.
|
Out P2 exchg rejects
|
The total number of IPsec phase-2 exchanges that were sent and rejected by all currently and previously active IPsec phase-1 IKE tunnels.
|
Out P2 Sa delete requests
|
The total number of IPsec phase-2 SA delete requests sent by all currently and previously active IPsec phase-1 IKE tunnels.
|
Related Commands
Command
|
Description
|
show crypto mib isakmp flowmib failure
|
Displays statistics associated with an ISAKMP failure.
|
show crypto mib isakmp flowmib global
|
Displays global ISAKMP statistics.
|
show crypto mib isakmp flowmib history
|
Displays statistics associated with previously active ISAKMP tunnels.
|
show crypto mib isakmp flowmib peer
|
Displays attributes for an ISKMP peer association.
|
show crypto pki benchmarks
To display benchmarking data for Public Key Infrastructure (PKI) performance monitoring and optimization that was collected, use the show crypto pki benchmarks command in privileged EXEC mode.
show crypto pki benchmarks [failures]
Syntax Description
failures
|
(Optional) Includes validation failures only.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
15.1(3)T
|
This command was introduced.
|
Usage Guidelines
Use the show crypto pki benchmarks command to display benchmarking data for PKI performance monitoring and optimization that was collected.
The IOS PKI Performance Monitoring and Optimization feature enables you to collect the following types of PKI performance data:
•
Time to validate entire certificate chain.
•
Time to verify each certificate.
•
Time to check revocation status for each certificate.
•
Time to fetch certificate revocation list (CRL) database for each fetch location.
•
Time to fetch Simple Certificate Enrollment Protocol (SCEP) method capabilities to retrieve the CRL.
•
Time to process each CRL.
•
Time to process the Online Certificate Status Protocol (OCSP) response. OCSP is a certificate revocation mechanism.
•
Time to fetch Authentication, Authorization, and Accounting (AAA).
•
CRL size.
•
Validation result.
•
Validation Bypass (pubkey cached).
•
Method used to fetch a CRL.
•
PKI session identifier.
•
Crypto engine used (hardware, software, etoken).
Examples
The following example displays show crypto pki benchmark command output of all PKI benchmarking data:
Router# show crypto pki benchmark
Display Validation Benchmark Table
Start: 20:47:29.021 GMT Wed Oct 27 2010
Peer Certificate Serial Number (hex): 296ED1EB0000000052FA
Size of Chain to Validate: 1
Revocation Check for Certificate 1 of 1
Start: 20:47:29.063 GMT Wed Oct 27 2010
CRL Fetch - http://msca-root/CertEnroll/msca-root.crl
Start: 20:47:29.067 GMT Wed Oct 27 2010
Start: 20:47:29.731 GMT Wed Oct 27 2010
Start: 20:48:15.897 GMT Wed Oct 27 2010
Result: Failed CRYPTO_CERT_EXPIRED
Size of Chain to Validate: 1
Start: 20:49:08.916 GMT Wed Oct 27 2010
Result: Failed CRYPTO_CERT_EXPIRED
Size of Chain to Validate: 1
Start: 20:49:15.051 GMT Wed Oct 27 2010
Peer Certificate Serial Number (hex): 296ED1EB0000000052FA
Size of Chain to Validate: 1
Revocation Check for Certificate 1 of 1
Start: 20:49:15.076 GMT Wed Oct 27 2010
The following example displays show crypto pki benchmark command output of a section filter in
PKI benchmarking data:
Router# show crypto pki benchmark | section Revocation
Revocation Check for Certificate 1 of 1
Start: 20:47:29.063 GMT Wed Oct 27 2010
Revocation Check for Certificate 1 of 1
Start: 20:49:15.076 GMT Wed Oct 27 2010
Related Commands
Command
|
Description
|
clear crypto pki benchmark
|
Clears PKI benchmarking performance monitoring and optimization data and releases all memory associated with this data.
|
crypto pki benchmark
|
Starts or stops benchmarking data for PKI performance monitoring and optimization.
|
show crypto pki certificates
To display information about your certificate, the certification authority certificate (CA), and any registration authority (RA) certificates, use the show crypto pki certificates command in privileged EXEC mode.
show crypto pki certificates [trustpoint-name [verbose]]
Syntax Description
trustpoint-name
|
(Optional) Name of the trustpoint. Using this argument indicates that only certificates that are related to the trustpoint are to be displayed.
|
verbose
|
(Optional) More detailed information is to be displayed.
Note The verbose keyword can be used only if a trustpoint name is entered.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
11.3 T
|
The show crypto ca certificates command was introduced.
|
12.2(13)T
|
The trustpoint-name argument was added.
|
12.3(7)T
|
This command replaced the show crypto ca certificates command.
|
12.3(8)T
|
The verbose keyword was added.
|
12.3(14)T
|
The command output was modified to include persistent self-signed certificate parameters.
|
12.4(2)T
|
The command output was modified to include shadow public key infrastructure (PKI), or rollover, certificate details.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH.
|
12.4(22)T
|
The command output was modified to include X.509 certificate IP address extension information.
|
Usage Guidelines
This command shows information about the following certificates:
•
Your certificate, if you have requested one from the CA (see the crypto pki enroll command)
•
The certificate of the CA, if you have received the certificate of the CA (see the crypto pki authenticate command)
•
RA certificates, if you have received RA certificates (see the crypto pki authenticate command)
•
A self-signed certificate, if one has been requested
•
Shadow PKI, or rollover, certificate details, if one or more shadow PKI certificates exist
Examples
The following is sample output from the show crypto pki certificates command after you authenticated the CA by requesting the certificate of the CA and public key with the crypto pki authenticate command:
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
The CA certificate might show Key Usage as "Not Set."
The following is sample output from the show crypto pki certificates command, and it shows the certificate of the router and the certificate of the CA. In this example, a single, general-purpose Rivest, Shamir, and Adelman (RSA) key pair was previously generated, and a certificate was requested but not received for that key pair.
Name: myrouter.example.com
Key Usage: General Purpose
Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Note that in the previous sample, the certificate status of the router shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.
The following is sample output from the show crypto pki certificates command, and it shows the certificates of two routers and the certificate of the CA. In this example, special-usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
Name: myrouter.example.com
Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
Name: myrouter.example.com
Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
The following is sample output from the show crypto pki certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto pki authenticate command.
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Certificate Serial Number: 34BCF8A0
RA KeyEncipher Certificate
Certificate Serial Number: 34BCF89F
The following is sample output from the show crypto pki certificates command using the optional trustpoint-name argument and verbose keyword. The output shows the certificate of a router and the certificate of the CA. In this example, general-purpose RSA key pairs were previously generated, and a certificate was requested and received for the key pair.
Certificate Serial Number: 18C1EE03000000004CBD
Certificate Usage: General Purpose
Name: myrouter.example.com
hostname=myrouter.example.com
http://msca-root/CertEnroll/msca-root.crl
start date: 19:50:40 GMT Oct 5 2004
end date: 20:00:40 GMT Oct 12 2004
Public Key Algorithm: rsaEncryption
RSA Public Key: (360 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 2B5F53E6 E3E892E6 3A9D3706 01261F10
Fingerprint SHA1: 315D127C 3AD34010 40CE7F3A 988BBDA5 CD528824
X509v3 Key Usage: A0000000
X509v3 Subject Key ID: D156E92F 46739CBA DFE66D2D 3559483E B41ECCF4
X509v3 Authority Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
Associated Trustpoints: msca-root
Key Label: myrouter.example.com
Certificate Serial Number: 1244325DE0369880465F977A18F61CA8
Certificate Usage: Signature
http://msca-root.example.com/CertEnroll/msca-root.crl
start date: 22:19:29 GMT Oct 31 2002
end date: 22:27:27 GMT Oct 31 2017
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 84E470A2 38176CB1 AA0476B9 C0B4F478
Fingerprint SHA1: 0F57170C 654A5D7D 10973553 EFB0F94F 2FAF9837
X509v3 Key Usage: C6000000
X509v3 Subject Key ID: 37F3CC61 AF5E7C0B 434AB364 CF9FA0C1 B17C50D9
X509v3 Basic Constraints:
Associated Trustpoints: msca-root
The following example shows that a self-signed certificate has been created using a user-defined trustpoint:
Router Self-Signed Certificate
Certificate Serial Number: 01
Certificate Usage: General Purpose
serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.company.com
serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.company.com
start date: 20:51:40 GMT Nov 29 2004
end date: 00:00:00 GMT Jan 1 2020
Associated Trustpoints: local
The following example shows that a shadow CA certificate, or rollover certificate, is available and shows its status:
Router# show crypto ca certificates
Status: Waiting for rollover
Certificate Serial Number: 3C
Certificate Usage: General Purpose
serialNumber=3A9BEC55+hostname=Router.company.com
start date: 21:22:08 UTC Mar 17 2004
end date: 21:22:08 UTC Mar 17 2005
renew date: 00:00:00 UTC Jan 1 1970
Associated Trustpoints: tti
Related Commands
Command
|
Description
|
crypto pki authenticate
|
Authenticates the CA (by obtaining the certificate of the CA).
|
crypto pki enroll
|
Obtains the certificates of your router from the CA.
|
debug crypto pki messages
|
Displays debug messages for the details of the interaction (message dump) between the CA and the route.
|
debug crypto pki transactions
|
Displays debug messages for the trace of interaction (message type) between the CA and the router.
|
show crypto pki certificates storage
To display the current public key infrastructure (PKI) certificate storage location, use the show crypto pki certificates storage command in privileged EXEC mode.
show crypto pki certificates storage
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(2)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH.
|
Usage Guidelines
Use the show crypto pki certificates storage command to display the current PKI certificate storage location.
Examples
The following is sample output for the show crypto pki certificates storage command where the certificates are stored in the certs subdirectory of disk0:
Router# show crypto pki certificates storage
Certificates will be stored in disk0:/certs/
Related Commands
Command
|
Description
|
crypto pki certificate storage
|
Specifies local storage device for PKI certificates.
|
show crypto pki counters
To display the public key infrastructure (PKI) counters that are configured on the router, use the show crypto pki counters command in privileged EXEC mode.
show crypto pki counters
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(13)T
|
This command was introduced.
|
Examples
Router# show crypto pki counters
Successful Validations: 1
Table 120 describes the significant fields shown in the display.
Table 120 show crypto pki counters Field Descriptions
Field
|
Description
|
PKI Sessions Started
|
Number of PKI sessions that are started in a router.
|
PKI Sessions Ended
|
Number of PKI sessions that are ended in a router.
|
PKI Sessions Active
|
Number of PKI sessions that are actively running in a router.
|
Successful Validations
|
Number of successful PKI counter validations in a router.
|
Failed Validations
|
Number of failed PKI counter validations in a router.
|
Bypassed Validations
|
Number of validations that were bypassed during a PKI counter validation in a router.
|
Pending Validations
|
Number of pending PKI counter validations in a router.
|
CRLs checked
|
Number of certificate revocation lists (CRLs) that are checked in a PKI session.
|
CRL - fetch attempts
|
Number of times a CRL is queried and fetched.
|
CRL - failed attempts
|
Number of times failed in querying and fetching a CRL.
|
AAA authorizations
|
Number of authentication, authorization, and accounting (AAA) authorizations that were used to create named methods lists in a PKI session.
|
Related Commands
Command
|
Description
|
show crypto pki certificates
|
Displays information about the certification authority certificate and any RA certificates.
|
show crypto pki crls
|
Displays the current CRL on the router.
|
show crypto pki server
|
Displays the current state and configuration of the certificate server.
|
show crypto pki timers
|
Displays the status of the managed timers that are maintained by Cisco IOS for PKI.
|
show crypto pki token
|
Displays the Cisco IOS PKI tokens that are configured on the router.
|
show crypto pki trustpoints
|
Displays the Cisco IOS PKI trustpoints that are configured in the router.
|
show crypto pki crls
To display the current certificate revocation list (CRL) on the router, use the show crypto pki crls command in privileged EXEC mode.
show crypto pki crls
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.1
|
The show crypto ca crls command was introduced.
|
12.3(7)T
|
This command replaced the show crypto ca crls command.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.(33)SXH.
|
12.4(20)T
|
The output of this command was updated to include information on the CRL cache size if set by the crypto pki crl cache command.
|
Cisco IOS XE Release 2.4
|
This command was implemented on the Cisco ASR 1000 series routers.
|
Examples
The following is sample output of the show crypto pki crls command:
Router# show crypto pki crls
OU = vpn, O = company, C = us
LastUpdate: 16:17:34 PST Jan 10 2002
NextUpdate: 17:17:34 PST Jan 11 2002
Retrieved from CRL Distribution Point:
LDAP: CN = CRL1, OU = vpn, O = company, C = us
The following is sample output of the show crypto pki crls command with the maximum CRL cache size set to 2048 bytes:
Router# show crypto pki crls
LastUpdate: 02:53:41 GMT Mar 6 2007
NextUpdate: 02:53:41 GMT Mar 13 2007
Retrieved from CRL Distribution Point:
** CDP Not Published - Retrieved via SCEP
CRL is stored in parsed CRL cache
Parsed CRL cache current size is 1705 bytes
Parsed CRL cache maximum size is 2048 bytes
Related Commands
Command
|
Description
|
crypto pki crl cache
|
Sets the maximum amount of volatile memory used to cache CRLs.
|
crypto pki crl request
|
Requests that a new CRL be obtained immediately from the CA.
|
show crypto pki server
To display the current state and configuration of the certificate server, use the show crypto pki server command in privileged EXEC mode.
show crypto pki server [cs-label]
Syntax Description
cs-label
|
(Optional) Name of the certificate server. The name must match the name specified through the crypto pki server command.
|
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.4(2)T
|
The command output was modified to include shadow, or rollover, public key infrastructure (PKI) certificate information.
|
15.0(1)M
|
The command output was modified.
• To include whether the server is configured for redundancy and whether its state is active or standby or simplex (active, but standby is not up).
• To show the high availability (HA) status while the Hot Standby Router Protocol (HSRP) is coming up.
|
Usage Guidelines
At startup, the certificate server must check the current configuration before issuing any certificates. As it starts up, the certificate server transitions through the states defined in Table 121. Use the show crypto pki server command to display the state of the certificate server.
Table 121 Certificate Server Startup State Descriptions
Certificate Server State
|
Description
|
configured
|
The server is available and has generated the certificate server certificates.
|
storage configuration incomplete
|
The server is verifying that the configured storage location is available.
|
waiting for HTTP server
|
The server is verifying that the HTTP server is running.
|
waiting for time setting
|
The server is verifying that the time has been set.
|
Examples
The following is sample output from the show crypto pki server command:
Router# show crypto pki server
Certificate Server status: disabled, storage configuration incomplete
Last certificate issued serial number: 0
CA certificate expiration timer: 21:29:38 GMT Jun 5 2006
CRL NextUpdate timer: 21:31:39 GMT Jun 6 2003
Current storage dir: ftp://myftpserver
Database Level: Minimum - no cert data written to storage
Table 122 describes the significant fields shown in the display.
Table 122 show crypto pki server Field Descriptions
Field
|
Description
|
Granting mode is
|
Specifies whether certificate enrollment requests should be granted manually (which is the default) or automatic (through the grant automatic command).
Note The grant automatic command should be used only when testing and building simple networks. This command must be disabled before the network is accessible by the Internet.
|
Last certificate issued serial number
|
The serial number of the latest certificate. (To specify the distinguished name (DN) as the certification authority (CA) issuer name, use the issuer-name command.)
|
CA certificate expiration timer
|
The expiration date for the CA certificate. (To specify the expiration date, use the lifetime command.)
|
CRL NextUpdate timer
|
The next time the certificate revocation list (CRL) will be updated. (To specify the CRL lifetime, in hours, use the lifetime crl command.)
|
Current storage dir
|
The location where all database entries for the certificate server will be written out. (To specify a location, use the database url command.)
|
Database Level
|
The type of data that is stored in the certificate enrollment database—Minumum, names, or complete. (To specify the data type to be stored, use database level command.)
|
The following is sample output from the show crypto pki server command when redundancy is configured and its state is simplex:
Router# show crypto pki server cert1
Certificate Server cert1:
Server's configuration is unlocked (enter "no shut" to lock it)
CA cert fingerprint: -Not found-
Last certificate issued serial number (hex): 0
CA certificate expiration timer: 00:00:00 UTC Jan 1 1970
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
Redundancy configured. Simplex mode.
The following is sample output from the show crypto pki server command when redundancy is
configured and its state is active:
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=ioscs,L=Santa Cruz,C=US
CA cert fingerprint: 42308002 188180FC 9265946F FDC68A52
Last certificate issued serial number (hex): 2
CA certificate expiration timer: 20:22:55 PST Apr 26 2013
CRL NextUpdate timer: 20:27:46 PST May 11 2010
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
Redundancy configured. This is active.
The following is sample output from the show crypto pki server command when redundancy is
configured and its state is standby:
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=ioscs,L=Santa Cruz,C=US
CA cert fingerprint: 42308002 188180FC 9265946F FDC68A52
Last certificate issued serial number (hex): 2
CA certificate expiration timer: 20:22:55 PST Apr 26 2013
CRL NextUpdate timer: 20:27:46 PST May 11 2010
Current primary storage dir: nvram:
Database Level: Complete - all issued certs written as <serialnum>.cer
Redundancy configured. This is standby.
The following example shows that the certificate server MyCS has rollover configured. Rollover has not yet occurred. The rollover status "pending" and rollover CA certificate timer show when the rollover timer will be triggered. When this timer is triggered, the shadow certificate will become the active certificate and the previously active certificate will be deleted.
Router# show crypto pki server
Certificate Server routercs:
Status: enabled, configured
CA cert fingerprint: 800F5944 74337E5B C2DF6C52 9A7B1BDB
Last certificate issued serial number: 0x6
CA certificate expiration timer: 22:10:29 GMT Jan 29 2007
CRL NextUpdate timer: 21:50:56 GMT Mar 5 2004
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
Rollover CA certificate timer: 20:34:23 GMT Jan 8 2005
The following example shows that the certificate server MyCS has rollover configured. The rollover time has occurred and the rollover certificate is available. The status shows the rollover certificate fingerprint and rollover CA certificate expiration timer information.
Router# show crypto pki server
Certificate Server routercs:
Status: enabled, configured
CA cert fingerprint: 800F5944 74337E5B C2DF6C52 9A7B1BDB
Last certificate issued serial number: 0x7
CA certificate expiration timer: 22:10:29 GMT Jan 29 2007
CRL NextUpdate timer: 21:50:56 GMT Mar 5 2004
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
Rollover status: available for rollover
Rollover CA cert fingerprint: 6AAF5944 74227A5B 23DF3E52 9A7F1FEF
Rollover CA certificate expiration timer: 22:10:29 GMT Jan 29 2017
The following example shows a certificate server (CS) that has been prevented from entering rollover state because the Cisco IOS configuration cannot be saved.
Router# show crypto pki server
Certificate Server routercs:
Status: enabled, configured
CA cert fingerprint: 800F5944 74337E5B C2DF6C52 9A7B1BDB
Last certificate issued serial number: 0x7
CA certificate expiration timer: 22:10:29 GMT Jan 29 2007
CRL NextUpdate timer: 21:50:56 GMT Mar 5 2004
Current storage dir: nvram:
Database Level: Minimum - no cert data written to storage
Rollover status: disabled, unable to save configuration
Rollover CA cert fingerprint: 6AAF5944 74227A5B 23DF3E52 9A7F1FEF
Rollover CA certificate expiration timer: 22:10:29 GMT Jan 29 2017
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enter certificate server configuration mode.
|
show crypto pki server certificates
To display certificate information for all certificates of the specified certificate server, use the show crypto pki server certificates command in privileged EXEC mode.
show crypto pki server cs-label certificates [start-number [end-number]] [expired]
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
start-number
|
(Optional) The beginning of the certificate serial number range to display. If only the starting certificate serial number is indicated, information for only the designated certificate is shown if available.
|
end-number
|
(Optional) The end of the certificate serial number range to display.
|
expired
|
(Optional) Displays the expired certificates.
|
Command Default
Certificate information is shown for all serial numbers for the specified certificate server, from the first serial number in the certificate database to the last serial number in the certificate database.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Usage Guidelines
This command displays available information on each certificate for the specified certificate server. If the certificate information is not available, the output displayed reads as "<cert not available>". If the certificate information is incomplete, or if it has been corrupted, the output displayed reads as "<certificate incomplete or corrupted>".
You may display information on all the certificates in the certificate database, one certificate in the certificate database, or a range of certificates in the certificate database by setting the start-number and end-number arguments.
Examples
The following example shows the listing of all certificates in the certificate database for the certificate server "mycs":
Router# show crypto pki server mycs certificates
Serial Issued date Expire date Subject Name
1 02:09:09 PST Jan 22 2007 02:09:09 PST Jan 21 2010 cn=company
2 02:57:59 PST Jan 22 2007 02:57:59 PST Jan 22 2008 hostname=client.example.com
3 03:00:12 PST Jan 22 2007 03:00:12 PST Jan 22 2008 hostname=client.example.com
4 19:53:07 PST Jan 18 2007 19:53:07 PST Jan 19 2007 hostname=client.example.com
8 02:57:59 PST Jan 22 2007 02:57:59 PST Jan 22 2008 hostname=client.example.com
9 <Certificate incomplete or corrupted>
The following example shows the information for certificate serial number 3 in the certificate database for the certificate server "mycs":
Router# show crypto pki server mycs certificates start 3
Serial Issued date Expire date Subject Name
3 03:00:12 PST Jan 22 2007 03:00:12 PST Jan 22 2008 hostname=client.example.com
The following example shows the information for certificate serial number 3 through certificate serial number 7 in the certificate database for the certificate server "mycs":
Router# show crypto pki server mycs certificates start 3 end 7
show crypto pki server mycs certificates
Serial Issued date Expire date Subject Name
3 03:00:12 PST Jan 22 2007 03:00:12 PST Jan 22 2008 hostname=client.example.com
4 19:53:07 PST Jan 18 2007 19:53:07 PST Jan 19 2007 hostname=client.example.com
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
show crypto pki server
|
Displays the current state and configuration of the certificate server.
|
show crypto pki server crl
|
Displays the current status of the CRL.
|
show crypto pki server crl
To display information regarding the status of the current certificate revocation list (CRL), use the
show crypto pki server crl command in privileged EXEC mode.
show crypto pki server cs-label crl
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
Command Defaults
None.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Usage Guidelines
CRLs are issued once every specified time period via the lifetime crl command. It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified via the cdp-url command. To access information, such as the lifetime and location of the CRL, use the show crypto pki server crl command.
Examples
The following example shows how to access CRL information for the certificate server "mycs":
Router# show crypto pki server mycs crl
Related Commands
Command
|
Description
|
cdp-url
|
Specifies a CDP to be used in certificates that are issued by the certificate server.
|
crypto pki server
|
Enables a Cisco IOS certificate server and enter certificate server configuration mode.
|
lifetime crl
|
Defines the lifetime of the CRL that is used by the certificate server.
|
show crypto pki server requests
To display all outstanding certificate enrollment requests, use the show crypto pki server requests command in privileged EXEC mode.
show crypto pki server cs-label requests
Syntax Description
cs-label
|
Name of the certificate server. The name must match the name specified via the crypto pki server command.
|
Command Default
None
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(20)T
|
This command was introduced.
|
Usage Guidelines
A certificate enrollment request functions as follows:
•
The certificate server receives the enrollment request from an end user, and the following actions occur:
–
A request entry is created in the enrollment request database with the initial state. (See the show pki server command for a complete list of certificate enrollment request states.)
–
The certificate server refers to the command-line interface (CLI) configuration (or the default behavior any time a parameter is not specified) to determine the authorization of the request. Thereafter, the state of the enrollment request is updated in the enrollment request database.
•
At each Simple Certificate Enrollment Protocol (SCEP) query for a response, the certificate server examines the current request and performs one of the following actions:
–
Responds to the end user with a "pending" or "denied" state.
–
Forwards to the request to the certification authority (CA) core, where it will generate and sign the appropriate certificate, store the certificate in the enrollment request database, and return the request to the built-in certificate server SCEP server, who will reply to the end user with the certificate on the next SCEP request.
If the connection of the client has closed, the certificate server will wait for the client user to request another certificate.
All enrollment requests transitions through the certificate enrollment states that are defined in Table 123.
Table 123 Certificate Enrollment Request State Descriptions
Certificate Enrollment State
|
Description
|
authorized
|
The certificate server has authorized the request.
|
denied
|
The certificate server has denied the request for policy reasons.
|
granted
|
The CA core has generated the appropriate certificate for the certificate request.
|
initial
|
The request has been created by the SCEP server.
|
malformed
|
The certificate server has determined that the request is invalid for cryptographic reasons.
|
pending
|
The enrollment request must be manually accepted by the network administrator.
|
Examples
The following example shows output for the certificate server "certsrv1," which has a pending certificate enrollment request:
Router# show crypto pki server certsrv1 requests
Enrollment Request Database:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending 0A71820219260E526D250ECC59857C2D serialNumber=2326115A+hostname=831.
The following example shows the output for shadow public key infrastructure (PKI) certificate info requests:
Router# show crypto pki server mycs requests
Enrollment Request Database:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
RA rollover certificate requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
Router certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
1 pending A426AF07FE3A4BB69062E0E47198E5BF hostname=client
Router rollover certificates requests:
ReqID State Fingerprint SubjectName
--------------------------------------------------------------
2 pending B69062E0E47198E5BFA426AF07FE3A4B hostname=client
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters PKI configuration mode.
|
show crypto pki timers
To display the status of the managed timers that are maintained by Cisco IOS for public key infrastructure (PKI), use the show crypto pki timers command in privileged EXEC mode.
show crypto pki timers
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(8)T
|
The show crypto ca timers command was introduced.
|
12.3(7)T
|
This command replaced the show crypto ca timers command.
|
12.2(18)SXD
|
This command was integrated into Cisco IOS Release 12.2(18)SXD.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS release 12.(33)SRA.
|
Usage Guidelines
For each timer, this command displays the time remaining before the timer expires. It also associates trustpoint certification authorities (CAs), except for certificate revocation list (CRL) timers, by displaying the CRL distribution point.
Examples
The following example is sample output for the show crypto pki timers command:
Router# show crypto pki timers
| 4d15:13:33.144 CRL http://msca-root.cisco.com/CertEnroll/msca-root.crl
|328d11:56:48.372 RENEW msroot
Related Commands
Command
|
Description
|
auto-enroll
|
Enables autoenrollment.
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
show crypto pki token
To display the Cisco IOS public key infrastructure (PKI) tokens that are configured on the router, use the show crypto pki token command in privileged EXEC mode.
show crypto pki token [name]
Syntax Description
name
|
(Optional) Specifies the name of the token.
|
Command Default
If the name argument is not specified, command output is displayed for all PKI tokens.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(15)T
|
This command was introduced.
|
Examples
The following is sample output from the show crypto pki token command:
Router# show crypto pki token
Configuration for token usbtoken0:
Removal timeout 60 seconds
Configuration for token default:
Secondary Config file "BIFT.CFG"
Table 124 describes the significant fields shown in the display.
Table 124 show crypto pki token Field Descriptions
Field
|
Description
|
Automatic login enabled
|
Indicates that the crypto PKI token is configured to log in automatically.
|
Removal timeout 60 seconds
|
Indicates that the router waits for 60 seconds before removing the Rivest, Shamir, and Adelman (RSA) keys that are stored in the eToken.
|
Secondary Config file
|
Indicates that the specified file will be merged with the running configuration after the eToken is logged into the router.
|
Related Commands
Command
|
Description
|
crypto pki token removal timeout
|
Sets the time interval that the router waits before removing the RSA keys that are stored in the eToken.
|
crypto pki token secondary config
|
Merges a specified file with the running configuration after the eToken is logged into the router.
|
show crypto pki trustpoints
To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged EXEC or user EXEC mode.
show crypto pki trustpoints [status | label [status]]
Syntax Description
status
|
(Optional) Trustpoint status.
|
label
|
(Optional) Trustpoint name.
|
Command Default
If the label argument (trustpoint name) is not specified, command output is displayed for all trustpoints.
Command Modes
Privileged EXEC (#)
User EXEC (>)
Command History
Release
|
Modification
|
12.2(8)T
|
The show crypto ca trustpoints command was introduced.
|
12.3(7)T
|
This command replaced the show crypto ca trustpoints command.
|
12.3(11)T
|
The status keyword and label argument were added.
|
12.3(14)T
|
The command output was modified to include persistent self-signed certificate parameters.
|
12.4(2)T
|
The command output was modified to include shadow, or rollover, public key infrastructure (PKI) certificate availability and Simple Certificate Enrollment Protocol (SCEP) capabilities.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2(33)SXH
|
This command was integrated into Cisco IOS Release 12.2(33)SXH.
|
12.4(22)T
|
The command output was modified to include X.509 certificate IP address extension information.
|
Examples
The following is sample output from the show crypto pki trustpoints command:
Router# show crypto pki trustpoints
CN = host Certificate Manager
CRL query url:ldap://host
The following is sample output from the show crypto pki trustpoints command when a persistent self-signed certificate has been configured:
Router# show crypto pki trustpoints
serialNumber=C63EBBE9+ipaddress=10.3.0.18+hostname=test.company.com
Persistent self-signed certificate trust point
The following output shows that a shadow PKI certificate is available and shows the SCEP capabilities:
Router# show crypto pki trustpoints
Serial Number: 0FFEBBDC1B6F6D9D0EA7875875E4C695
Rollover certificate configured.
The following output using the status keyword shows that the trustpoint is configured in query mode and is currently trying to query the certificates (the certificate authority (CA) certificate and the router certificate are both pending):
Router# show crypto pki trustpoints status
Issuing CA certificate pending:
cn=r1 Cert Manager,ou=pki,o=company.com,c=country
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Router certificate pending:
hostname=host.company.com,o=company.com
The following output using the status keyword shows that the trustpoint has been authenticated:
Router# show crypto pki trustpoints status
Issuing CA certificate configured:
cn=r1 Cert Manager,ou=pki,o=company.com,c=country
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Keys generated ............. No
Issuing CA authenticated ....... Yes
Certificate request(s) ..... None
The following output using the status keyword shows that the trustpoint is enrolling and that two of the certificate requests are pending (Signature and Encryption):
Router# show crypto pki trustpoints status
Issuing CA certificate configured:
cn=r1 Cert Manager,ou=pki,o=company.com,c=country
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Router Signature certificate pending:
hostname=host.company.com
Request Fingerprint: FAE0D74E BB844EA1 54B26698 56AB42EC
Enrollment polling: 1 times (9 left)
Router Encryption certificate pending:
hostname=host.company.com
Request Fingerprint: F4E815DB D9D9B60F 9B5B1724 3E155DBF
Enrollment polling: 1 times (9 left)
Last enrollment status: Pending
Keys generated ............. Yes (Signature, Encryption)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Pending
The following output using the status keyword shows that enrollment has succeeded and that two router certificates have been granted (Signature and Encryption):
Router# show crypto pki trustpoints status
Issuing CA certificate configured:
cn=r1 Cert Manager,ou=pki,o=company.com,c=country
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Router Signature certificate configured:
hostname=host.company.com,o=company.com
Fingerprint: 8A370B8B 3B6A2464 F962178E 8385E9D6
Router Encryption certificate configured:
hostname=host.company.com,o=company.com
Fingerprint: 43A03218 C0AFF844 AE0C162A 690B414A
Last enrollment status: Granted
Keys generated ............. Yes (Signature, Encryption)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
The following output using the status keyword shows that trustpoint enrollment has been rejected:
Router# show crypto pki trustpoints status
Issuing CA certificate configured:
cn=r1 Cert Manager,ou=pki,o=company.com,c=country
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Last enrollment status: Rejected
Keys generated ............. Yes (General Purpose)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... None
The following output using the status keyword shows that enrollment has succeeded and that the router is configured for autoenrollment using a regenerated key. In addition, the running configuration has been modified so that it will not be saved automatically after autoenrollment.
Router# show crypto pki trustpoints status
Issuing CA certificate configured:
cn=r1 Cert Manager,ou=pki,o=company.com,c=country
Fingerprint: C21514AC 12815946 09F635ED FBB6CF31
Router General Purpose certificate configured:
hostname=host.company.com,o=company.com
Fingerprint: FC365F95 E24D4B55 81347510 10FFE331
Last enrollment status: Granted
* A new key will be generated *
* Configuration will not be saved after enrollment *
Keys generated ............. Yes (General Purpose)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes
Table 125 describes the significant fields shown in the display.
Table 125 show crypto pki trustpoints Field Descriptions
Field
|
Description
|
Trustpoint
|
Name of the trustpoint.
|
Issuing CA certificate pending
|
The CA certificate is being retrieved (query mode).
|
Issuing CA certificate [not] configured
|
A CA certificate is [not] configured.
|
Subject Name
|
Subject name of the indicated certificate.
|
Next query attempt
|
Time until the next query attempt (query mode).
|
Router certificate pending/Router [key usage] certificate pending
|
The trustpoint is attempting to obtain the certificate from the CA server (through query mode or enrollment).
|
Router [key usage] certificate configured
|
Certificate of the specified key usage is configured.
|
Requested Subject Name
|
Subject name used in the enrollment request (Public Key Cryptography Standards 10 [PKCS10]).
|
Fingerprint MD5/SHA1
|
Fingerprint of the indicated certificate (Message Digest 5 [MD5] or Secure Hash Algorithm 1 [SHA]1).
|
Request Fingerprint MD5/SHA1
|
Fingerprint of the PKCS10 enrollment request (MD5/SHA1).
|
Enrollment polling: [polled] times ([remaining] left)/Next poll: in seconds
|
Number of SCEP polling attempts that have been made and that remain before the router gives up/Time until the next polling attempt.
|
Last enrollment status: Pending/Granted/Rejected/Failed
|
Last enrollment attempt status (pending, granted, rejected, or failed).
|
Next enrollment attempt: time (Optional) A new key will be generated. (Optional) Configuration will not be saved after enrollment.
|
The trustpoint is configured autoenrollment and the autoenrollment will happen at time. (Optional) The trustpoint is configured to generate a new key when autoenrollment occurs. (Optional) The running configuration is "dirty," so the configuration will not be saved automatically after autoenrollment.
|
State
|
Current state of the trustpoint.
|
Keys generated
|
"Yes or No" and the key usage (General Purpose or Signature, Encryption).
|
Issuing CA authenticated
|
"Yes or No" if crypto CA authentication has been done successfully.
|
Certificate request(s)
|
Progress of current enrollment: "Pending," "Yes," (complete), or "None" (not in progress).
|
Related Commands
Command
|
Description
|
crypto pki trustpoint
|
Declares the CA that your router should use.
|
show crypto route
To display routes that are created through IPsec via Reverse Route Injection (RRI) or Easy VPN virtual tunnel interfaces (VTIs) in one table, use the show crypto route command in privileged EXEC mode.
show crypto route
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.4(15)T
|
This command was introduced.
|
Examples
The following example displays routes that were created through IPSec using RRI and VTIs:
Router# show crypto route
VPN Routing Table: Shows RRI and VTI created routes
Codes: RRI - Reverse-Route, VTI- Virtual Tunnel Interface
Routes created in table GLOBAL DEFAULT
192.168.6.2/255.255.255.255 [0/0] via 10.0.0.133
10.1.1.0/255.255.255.0 [10/0] via Virtual-Access2 VTI
192.168.6.1/255.255.255.255 [0/0] via Virtual-Access2 VTI
The fields in the above display are self-explanatory.
Related Commands
Command
|
Description
|
reverse-route
|
Creates source proxy information for a crypto map entry.
|
set reverse-route
|
Defines a distance metric for each static route or tags a RRI-created route.
|
show crypto ruleset
To display information about crypto rules on outgoing packets, use the show crypto ruleset command in privileged EXEC mode.
show crypto ruleset [detail]
Syntax Description
detail
|
Displays the directional mode of the IP security (IPsec) security association (SA).
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(20)T
|
This command was introduced.
|
Examples
The following example displays information about the crypto rules on outgoing packets:
Router# show crypto ruleset
IP ANY ANY IPSec SA Passive
IP ANY ANY IPSec Cryptomap
The following output example shows the directional mode of the IPsec SA:
Router# show crypto ruleset detail
20000001000019 59 ANY ANY DENY -> 20000001999999
20000001000029 11 ANY/848 ANY/848 DENY -> 20000001999999
20000001000035 IP ANY ANY IPSec SA Passive
20000001000039 IP ANY ANY IPSec Cryptomap
Table 126 describes the significant fields shown in the display.
Table 126 show crypto ruleset Field Descriptions
Field
|
Description
|
59 ANY ANY DENY
|
• 59—Hex value of the Open Shortest Path First (OSPF) protocol.
• First ANY—Any source IP address.
• Second ANY—Any destination IP address.
• DENY packets matching this rule will not be encrypted.
|
11 ANY/848 ANY/848 DENY
|
• 11—Hex value of the User Datagram Protocol (UDP).
• First ANY/848—Any source IP address that has a source port 848.
• Second ANY/848—Any destination IP address having a destination port 848.
• DENY—Packets matching this rule will not be encrypted.
|
IP ANY ANY IPSec SA Passive
|
• Policy of "IP packets with any source or destination address or port" is in IPsec security association (SA) passive mode—Receives both clear and encrypted packets; sends only encrypted packets.
|
IP ANY ANY IPSec Cryptomap
|
• Policy of "IP packets with any source or destination address or port" is created by an IPsec crypto map—Receives or sends only encrypted packets.
|
20000001000019 59 ANY ANY DENY -> 20000001999999
|
• The first long digit is the priority number of the policy or rule.
• The second long digit is the deny priority number of the policy or rule.
Note These numbers are internal data values and are generally used by developers.
|
show crypto session
To display status information for active crypto sessions, use the show crypto session command in privileged EXEC mode.
show crypto session [groups | interface type [brief | detail] | isakmp [group group-name | profile
profile-name] [brief | detail] | [local | remote] [ip-address | ipv6-address] [port portnumber] |
[fvrf fvrf-name] [ivrf ivrf-name] [brief | detail] | summary group-name | username username]
IPsec and IKE Stateful Failover Syntax
show crypto session [active | standby]
Syntax Description
groups
|
(Optional) Displays crypto session group usage for all groups.
|
interface type
|
(Optional) Displays crypto sessions on the connected interface.
• The type value is the type of interface connection.
|
brief
|
(Optional) Provides brief information about the session, such as the peer IP address, interface, username, group name/phase1 ID, length of session uptime, and current session status (up/down).
|
detail
|
(Optional) Provides more detailed information about the session, such as the capability of the Internet Key Exchange (IKE) security association (SA), connection ID, remaining lifetime of the IKE SA, inbound or outbound encrypted or decrypted packet number of the IP security (IPsec) flow, dropped packet number, and kilobyte-per-second lifetime of the IPsec SA.
|
isakmp group group-name
|
(Optional) Displays crypto sessions using the Internet Security Association and Key Management Protocol (ISAKMP) group.
• The group-name value is the name of the group.
|
profile profile-name
|
(Optional) Displays crypto sessions using the ISAKMP profile.
• The profile-name value is the name of the profile.
|
local
|
(Optional) Displays status information about crypto sessions of a local crypto endpoint.
|
remote
|
(Optional) Displays status information about crypto sessions of a remote session.
|
ip-address
|
IP address of the local or remote crypto endpoint.
|
ipv6-address
|
IPv6 address of the local or remote crypto endpoint.
|
port portnumber
|
(Optional) Port of the local crypto endpoint.
• The portnumber value can be 1 through 65535. The default value is 500.
|
fvrf fvrf-name
|
(Optional) Displays status information about the front door virtual routing and forwarding (FVRF) session.
• The fvrf-name value is the name of the FVRF session.
|
ivrf ivrf-name
|
(Optional) Displays status information about the inside VRF (IVRF) session.
• The ivrf-name value is the name of the IVRF session.
|
summary group-name
|
(Optional) Displays a list of crypto session groups and associated group members.
|
username username
|
(Optional) Displays the crypto session for the specified extended authentication (XAUTH), public key infrastructure (PKI), or authentication, authorization, and accounting (AAA) username.
|
active
|
(Optional) Displays all crypto sessions in the active state.
|
standby
|
(Optional) Displays all crypto sessions that are in the standby state.
|
Command Default
All existing sessions will be displayed.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(18)SXD
|
This command was integrated into Cisco IOS Release 12.2(18)SXD.
|
12.3(11)T
|
This command was modified. The active and standby keywords were added.
|
12.4(4)T
|
This command was modified. IPv6 address information was added to the command output.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
12.4(11)T
|
This command was modified. The brief, groups, interface type, isakmp group group-name, isakmp profile profile-name, summary, and username username keywords and arguments were added. The show crypto session output was updated to include username, ISAKMP profile, ISAKMP group, assigned address, and session uptime.
|
Cisco IOS XE Release 2.1
|
This command was integrated into Cisco IOS XE Release 2.1.
|
Usage Guidelines
This command lists all the active Virtual Private Network (VPN) sessions and the IKE and IPsec SAs for each VPN session. The listing will include the following information:
•
Interface
•
IKE peer description, if available
•
IKE SAs that are associated with the peer by which the IPsec SAs are created
•
IPsec SAs serving the flows of a session
Multiple IKE or IPsec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPsec SAs that are serving the flows of the session.
IPv6 does not support the fvfr and ivrf keywords and the vrf-name argument.
Examples
The following example shows the status information for all active crypto sessions:
Router# show crypto session
Crypto session current status
Interface: Virtual-Access2
Assigned address: 10.3.3.4
Session status: UP-ACTIVE
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 3.3.3.4
Active SAs: 2, origin: crypto map
The following is sample output from the show crypto session brief command:
Router# show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
Peer I/F Username Group/Phase1_id Uptime Status
10.1.1.2 Vi2 cisco easy 00:50:30 UA
The following is sample output from the show crypto session detail command:
Router# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Virtual-Access2
Assigned address: 10.3.3.4
Session status: UP-ACTIVE
Peer: 10.1.1.2 port 500 fvrf: (none) ivrf: (none)
IKE SA: local 10.1.1.1/500 remote 10.1.1.2/500 Active
Capabilities:CX connid:1002 lifetime:23:10:15
IPSEC FLOW: permit ip 10.0.0.0/0.0.0.0 host 10.3.3.4
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4425776/626
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4425776/626
Table 127 describes the significant fields shown in the display.
Table 127 show crypto session Field Descriptions
Field
|
Description
|
Interface
|
Interface to which the crypto session is related.
|
Session status
|
Current status of the crypto (VPN) sessions. See Table 128 for explanations of the status of the IKE SA, IPsec SA, and tunnel as shown in the display.
|
IKE SA
|
Information about the IKE SA, such as local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.
|
IPSEC FLOW
|
A snapshot of information about the IPsec-protected traffic flow, such as the status of the flow (for example, permit IP host 10.1.1.5 host 10.1.2.5), the number of IPsec SAs, the origin of the SA, such as manually entered, dynamic, or static crypto maps, number of encrypted or decrypted packets or dropped packets, and the IPsec SA remaining lifetime in kilobytes per second.
|
Table 128 provides an explanation of the current status of the VPN sessions shown in the display.
Table 128 Current Status of the VPN Sessions
IKE SA
|
IPsec SA
|
Tunnel Status
|
Exist, active
|
Exist (flow exists)
|
UP-ACTIVE
|
Exist, active
|
None (flow exists)
|
UP-IDLE
|
Exist, active
|
None (no flow)
|
UP-IDLE
|
Exist, inactive
|
Exist (flow exists)
|
UP-NO-IKE
|
Exist, inactive
|
None (flow exists)
|
DOWN-NEGOTIATING
|
Exist, inactive
|
None (no flow)
|
DOWN-NEGOTIATING
|
None
|
Exist (flow exists)
|
UP-NO-IKE
|
None
|
None (flow exists)
|
DOWN
|
None
|
None (no flow)
|
DOWN
|
Note
IPsec flow may not exist if a dynamic crypto map is being used.
The following sample output shows all crypto sessions that are in the standby state:
Router# show crypto session standby
Crypto session current status
Session status: UP-STANDBY
Peer: 10.165.200.225 port 500
IKE SA: local 10.165.201.3/500 remote 10.165.200.225/500 Active
IKE SA: local 10.165.201.3/500 remote 10.165.200.225/500 Active
IPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1
Active SAs: 4, origin: crypto map
Related Commands
Command
|
Description
|
clear crypto session
|
Deletes crypto sessions (IPsec and IKE SAs).
|
description
|
Adds a description for an IKE peer.
|
show crypto isakmp peer
|
Displays peer descriptions.
|
show crypto session group
To display groups that are currently active on the Virtual Private Network (VPN) device, use the show crypto session group command in privileged EXEC mode.
show crypto session group
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
|
Usage Guidelines
If the crypto isakmp client configuration group command and max-users keyword have not been enabled in any VPN group profile, this command will yield a blank result.
Examples
The following example shows that at least one session is active for the group Connections:
Router# show crypto session group
Related Commands
Command
|
Description
|
crypto isakmp client configuration group
|
Specifies to which group a policy profile will be defined.
|
show crypto session summary
|
Displays groups that are currently active on the VPN device and the users that are connected for each of those groups.
|
show crypto session summary
To display groups that are currently active on the Virtual Private Network (VPN) device and the users that are connected for each of those groups, use the show crypto session summary command in privileged EXEC mode.
show crypto session summary
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
12.2SX
|
This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
|
Usage Guidelines
If the crypto isakmp client configuration group command and max-users keyword are not enabled in any VPN group profile and the crypto isakmp client configuration group command and max-logins keyword are not enabled, this command will yield a blank result.
Examples
The following example shows that the group "cisco" is active and that it has one user connected, green, who is connected one time. The number in parentheses (1) is the number of simultaneous logins for that user.
Router# show crypto session summary
Group cisco has 1 connections
Related Commands
Command
|
Description
|
crypto isakmp client configuration group
|
Specifies to which group a policy profile will be defined.
|
show crypto session group
|
Displays groups that are currently active on the VPN device.
|
show crypto socket
To list crypto sockets, use the show crypto socket command in privileged EXEC mode.
show crypto socket
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(11)T
|
This command was introduced.
|
12.2(18)SXE
|
This command was integrated into Cisco IOS Release 12.2(18)SXE.
|
12.4(5)
|
The Flags field was added to command output.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.(33)SRA.
|
Usage Guidelines
Use this command to list crypto sockets and the state of the sockets.
Examples
The following sample output shows the number of crypto socket connections (2) and their state:
Router# show crypto socket
Number of Crypto Socket connections 2
Tu0 Peers (local/remote): 192.168.2.2/192.168.1.1
Local Ident (addr/mask/port/prot): (192.168.2.2/255.255.255.255/0/47)
Remote Ident (addr/mask/port/prot): (192.168.1.1/255.255.255.255/0/47)
Client: "TUNNEL SEC" (Client State: Active)
Tu1 Peers (local/remote): 192.168.2.2/192.168.1.3
Local Ident (addr/mask/port/prot): (192.168.2.2/255.255.255.255/0/47)
Remote Ident (addr/mask/port/prot): (192.168.1.3/255.255.255.255/0/47)
Client: "TUNNEL SEC" (Client State: Active)
Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "dmvpn-profile" Map-name: "dmvpn-profile-head-2"
Table 129 describes the significant fields in the display.
Table 129 show crypto socket Field Descriptions
Field
|
Description
|
Number of Crypto Socket connections
|
Number of crypto sockets in the system.
|
Socket State
|
This state can be Open, which means that active IPSec security associations (SAs) exist, or it can be Closed, which means that no active IPSec SAs exist.
|
Client
|
Application name and its state.
|
Flags
|
If this field says "shared," the socket is shared with more than one tunnel interface.
|
Crypto Sockets in Listen state
|
Name of the crypto IPSec profile.
|
show crypto tech-support
To display the crypto technical support information, use the show crypto tech-support command in privileged EXEC mode.
show crypto tech-support [peer ip-address | vrf vrf-name]
Syntax Description
peer
|
(Optional) Displays the crypto technical support information related to a peer.
|
ip-address
|
(Optional) The peer IPv4 address.
|
vrf
|
(Optional) Displays the crypto technical support information related to VPN routing or forwarding (VRF).
|
vrf-name
|
(Optional) The VRF name.
|
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.4(22)T
|
This command was introduced.
|
Usage Guidelines
Use the optional keywords and arguments to display the specific crypto technical support information.
Examples
The following is sample output from the show crypto tech-support command. The fields are self-explanatory.
Router# show crypto tech-support
------------------ show crypto session remote 1.0.1.2 detail ------------------
------------------ show crypto ipsec sa peer 1.0.1.2 detail ------------------
------------------ show crypto isakmp sa peer 1.0.1.2 detail ------------------
dst src state conn-id status
------------------ show crypto isakmp peers 1.0.1.2 ------------------
------------------ show crypto ruleset detail ------------------
------------------ show processes memory | include Crypto IKMP ----------------
240 0 7112 252 20064 0 0 Crypto IKMP
------------------ show processes cpu | include Crypto IKMP ------------------
240 0 3 0 0.00% 0.00% 0.00% 0 Crypto IKMP
------------------ show crypto eli ------------------
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, FAILCLOSE
IPSec-Session : 0 active, 1400 max, 0 failed
------------------ show cry engine accelerator statistic ------------------
:Statistics for encryption device since the last clear
of counters 1818819 seconds ago
0 packets in 0 packets out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
0 packets decrypted 0 packets encrypte
0 bytes before decrypt 0 bytes encrypted
0 bytes decrypted 0 bytes after encr
0 packets decompressed 0 packets compress
0 bytes before decomp 0 bytes before com
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass cs
0 bytes bypass decompres 0 bytes bypass comi
0 packets not decompress 0 packets not compd
0 bytes not decompressed 0 bytes not compre
1.0:1 compression ratio 1.0:1 overall
0 packets in 0 packets out
show crypto vlan
To display the VPN running state for an IPSec VPN SPA, use the show crypto vlan command in privileged EXEC mode.
show crypto vlan
Defaults
No default behavior or values.
Command Modes
Privileged EXEC (#)
Command History
Release
|
Modification
|
12.2(18)SXE2
|
This command was introduced.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Usage Guidelines
When you show the configuration, the crypto engine subslot configuration state is expressed in the context of the associated interface VLAN. The interface VLAN is also shown as having been added to the appropriate inside trunk port. This is the case even if the configuration was loaded from a legacy (pre-crypto engine subslot) configuration file, or if VLANs were manually added instead of being added through the crypto engine subslot command.
Examples
In the following example, the interface VLAN belongs to the IPSec VPN SPA inside port:
Interface VLAN 2 on IPSec Service Module port 7/1/1 connected to Fa8/3
In the following example, VLAN 2 is the interface VLAN and VLAN 2022 is the hidden VLAN:
Interface VLAN 2 on IPSec Service Module port 3/1/1 connected to VLAN 2022 with crypto map
set coral2
In the following example, either the interface VLAN is missing on the IPSec VPN SPA inside port, the IPSec VPN SPA is removed from the chassis, or the IPSec VPN SPA was moved to a different subslot:
Interface VLAN 2 connected to VLAN 3 (no IPSec Service Module attached)
Related Commands
Command
|
Description
|
crypto connect vlan
|
Creates an interface VLAN for an IPSec VPN SPA and enters crypto-connect mode.
|
crypto engine subslot
|
Assigns an interface VLAN that requires encryption to the IPSec VPN SPA.
|
s