Cisco IOS Security Command Reference
show crypto ace redundancy through show crypto vlan

Table Of Contents

show crypto ace redundancy

show crypto ca certificates

show crypto ca crls

show crypto ca roots

show crypto ca timers

show crypto ca trustpoints

show crypto call admission statistics

show crypto ctcp

show crypto datapath

show crypto debug-condition

show crypto dynamic-map

show crypto eli

show crypto eng qos

show crypto engine

show crypto engine accelerator logs

show crypto engine accelerator ring

show crypto engine accelerator sa-database

show crypto engine accelerator statistic

show crypto gdoi

show crypto ha

show crypto ipsec client ezvpn

show crypto ipsec default transform-set

show crypto ipsec sa

show crypto ipsec security-association lifetime

show crypto ipsec transform-set

show crypto isakmp default policy

show crypto isakmp key

show crypto isakmp peers

show crypto isakmp policy

show crypto isakmp profile

show crypto isakmp sa

show crypto key mypubkey rsa

show crypto key pubkey-chain rsa

show crypto map (IPsec)

show crypto mib ipsec flowmib endpoint

show crypto mib ipsec flowmib failure

show crypto mib ipsec flowmib global

show crypto mib ipsec flowmib history

show crypto mib ipsec flowmib history failure size

show crypto mib ipsec flowmib history tunnel size

show crypto mib ipsec flowmib spi

show crypto mib ipsec flowmib tunnel

show crypto mib ipsec flowmib version

show crypto mib isakmp flowmib failure

show crypto mib isakmp flowmib global

show crypto mib isakmp flowmib history

show crypto mib isakmp flowmib peer

show crypto mib isakmp flowmib tunnel

show crypto pki certificates

show crypto pki certificates storage

show crypto pki crls

show crypto pki server

show crypto pki server certificates

show crypto pki server crl

show crypto pki server requests

show crypto pki timers

show crypto pki token

show crypto pki trustpoints

show crypto route

show crypto ruleset

show crypto session

show crypto session group

show crypto session summary

show crypto socket

show crypto vlan


show crypto ace redundancy

To display information about a Blade Failure Group, use the show crypto ace redundancy command in privileged EXEC mode.

show crypto ace redundancy

Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(18)SXE2

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following example shows information about a Blade Failure Group that has a group ID of 1 and consists of two IPSec VPN SPAs—one IPSec VPN SPA is in slot 3, subslot 0 and one IPSec VPN SPA is in slot 5, subslot 0:

Router# show crypto ace redundancy
--------------------------------------
LC Redundancy Group ID            :1
Pending Configuration Transactions:0
Current State                     :OPERATIONAL
Number of blades in the group     :2
Slots
--------------------------------------
Slot:3 Subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 22 times
Initialization Timer not running
Slot:5 Subslot:0
Slot state:0x36
Booted
Received partner config
Completed Bulk Synchronization
Crypto Engine in Service
Rebooted 24 times
Initialization Timer not running

ACE B2B Group State:OPERATIONAL Event:BULK DONE
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_DELETE
ACE B2B Group State:OPERATIONAL Event:BULK DONE
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_DELETE
ACE B2B Group State:OPERATIONAL Event:CONFIG_DOWNLOAD_DONE
ACE B2B Group State:DELETED Event:CONFIG_ADD
ACE B2B Group State:CREATED Event:UNDEFINED B2B HA EVENT
ACE B2B Group State:CREATED Event:CONFIG_DOWNLOAD_DONE

Related Commands

Command
Description

linecard-group feature card

Assigns a group ID to a Blade Failure Group.

redundancy

Enters redundancy configuration mode.

show redundancy linecard-group

Displays the components of a Blade Failure Group.


show crypto ca certificates


Note This command was replaced by the show crypto pki certificates command effective with Cisco IOS Release 12.3(7)T.


To display information about your certificate, the certification authority certificate, and any registration authority certificates, use the show crypto ca certificates command in EXEC mode.

show crypto ca certificates

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

This command shows information about the following certificates:

Your certificate, if you have requested one from the CA (see the crypto pki enroll command)

The certificate of the CA, if you have received the CA's certificate (see the crypto pki authenticate command)

RA certificates, if you have received RA certificates (see the crypto pki authenticate command)

Examples

The following is sample output from the show crypto ca certificates command after you authenticated the CA by requesting the CA's certificate and public key with the crypto pki authenticate command:

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The CA certificate might show Key Usage as "Not Set."

The following is sample output from the show crypto ca certificates command, and shows the router's certificate and the CA's certificate. In this example, a single, general purpose RSA key pair was previously generated, and a certificate was requested but not received for that key pair.

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
    Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
    Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

Note that in the previous sample, the router's certificate Status shows "Pending." After the router receives its certificate from the CA, the Status field changes to "Available" in the show output.

The following is sample output from the show crypto ca certificates command, and shows two of the router's certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.

Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
  Key Usage: Encryption
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

The following is sample output from the show crypto ca certificates command when the CA supports an RA. In this example, the CA and RA certificates were previously requested with the crypto ca authenticate command.

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set

RA Signature Certificate
  Status: Available
  Certificate Serial Number: 34BCF8A0
  Key Usage: Signature
RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 34BCF89F
  Key Usage: Encryption
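The following Python example is added here and is not part of the Cisco reference. It parses the show crypto ca certificates display format shown above into one record per certificate and reports what still blocks the router from using its PKI identity (CA certificate not yet authenticated, router certificate still Pending, or a special-usage key pair with only one of its two certificates). The sample outputs are constructed in the format of the examples above; PENDING_OUTPUT, SPECIAL_USAGE_OUTPUT, parse_certificates and enrollment_issues are names chosen for this example.

```python
# Constructed sample outputs in the format of the displays above. The first
# mirrors the "certificate requested but not received" case; the second is a
# special-usage key pair for which only the Signature certificate exists.
PENDING_OUTPUT = """\
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
    Serial Number: 04806682
  Status: Pending
  Key Usage: General Purpose
    Fingerprint: 428125BD A3419600 3F6C7831 6CD8FA95 00000000

CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
"""

SPECIAL_USAGE_OUTPUT = """\
Certificate
  Subject Name
    Name: myrouter.example.com
    IP Address: 10.0.0.1
  Status: Available
  Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
  Key Usage: Signature
CA Certificate
  Status: Available
  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
  Key Usage: Not Set
"""


def parse_certificates(text):
    """Split the display into certificate records.

    A line at column 0 ("Certificate", "CA Certificate", "RA Signature
    Certificate", ...) starts a record; indented "key: value" lines belong to
    it. Nesting under "Subject Name" is flattened because the keys are unique.
    """
    certs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            certs.append({"type": line.strip()})
            continue
        key, sep, value = line.strip().partition(":")
        if certs and sep and value.strip():       # skip "Subject Name" header
            certs[-1][key.strip()] = value.strip()
    return certs


def enrollment_issues(certs):
    """Return the conditions that keep the router from using its PKI identity."""
    issues = []
    ca_ok = any(c["type"] == "CA Certificate" and c.get("Status") == "Available"
                for c in certs)
    if not ca_ok:
        issues.append("CA certificate not available (crypto pki authenticate)")
    router = [c for c in certs if c["type"] == "Certificate"]
    if not router:
        issues.append("no router certificate (crypto pki enroll)")
    for c in router:
        if c.get("Status") != "Available":
            issues.append(f"router certificate {c.get('Name', '?')} is "
                          f"{c.get('Status', 'missing')}, not Available")
    # A special-usage key pair yields one Signature and one Encryption
    # certificate; seeing only one of them usually means enrollment is
    # incomplete for the other key.
    usages = {c.get("Key Usage") for c in router}
    if ("Signature" in usages) != ("Encryption" in usages):
        present = "Signature" if "Signature" in usages else "Encryption"
        issues.append(f"special-usage key pair has only a {present} certificate")
    return issues


if __name__ == "__main__":
    for output in (PENDING_OUTPUT, SPECIAL_USAGE_OUTPUT):
        print(enrollment_issues(parse_certificates(output)) or ["ready"])
```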

Related Commands

Command
Description

crypto pki authenticate

Authenticates the CA (by obtaining the certificate of the CA).

crypto pki enroll

Obtains the certificates of your router from the CA.

debug crypto pki messages

Displays debug messages for the details of the interaction (message dump) between the CA and the router.

debug crypto pki transactions

Displays debug messages for the trace of interaction (message type) between the CA and the router.


show crypto ca crls


Note This command was replaced by the show crypto pki crls command effective with Cisco IOS Release 12.3(7)T.


To display the current certificate revocation list (CRL) on the router, use the show crypto ca crls command in EXEC mode.

show crypto ca crls

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.1

This command was introduced.


Examples

The following is sample output of the show crypto ca crls command:

Router# show crypto ca crls 

          CRL Issuer Name: 
              OU = sjvpn, O = cisco, C = us
              LastUpdate: 16:17:34 PST Jan 10 2002
              NextUpdate: 17:17:34 PST Jan 11 2002
              Retrieved from CRL Distribution Point: 
                LDAP: CN = CRL1, OU = sjvpn, O = cisco, C = us

Related Commands

Command
Description

crypto pki crl request

Requests that a new CRL be obtained immediately from the CA.


show crypto ca roots

The show crypto ca roots command is replaced by the show crypto ca trustpoints command. See the show crypto ca trustpoints command for more information.

show crypto ca timers


Note This command was replaced by the show crypto pki timers command effective with Cisco IOS Release 12.3(8)T.


To display the status of the managed timers that are maintained by Cisco IOS for public key infrastructure (PKI), use the show crypto ca timers command in EXEC mode.

show crypto ca timers

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.2(8)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.


Usage Guidelines

For each timer, this command displays the time remaining before the timer expires and the trustpoint certification authority (CA) the timer belongs to; for certificate revocation list (CRL) timers, it displays the CRL distribution point instead of the trustpoint.

Examples

The following example is sample output for the show crypto ca timers command:

Router# show crypto ca timers

PKI Timers
| 4d15:13:33.144  
 | 4d15:13:33.144  CRL http://msca-root.cisco.com/CertEnroll/msca-root.crl
 |328d11:56:48.372  RENEW msroot
 | 6:43.201  POLL verisign

Related Commands

Command
Description

auto-enroll

Enables autoenrollment.

crypto pki trustpoint

Declares the CA that your router should use.


show crypto ca trustpoints


Note This command was replaced by the show crypto pki trustpoints command effective with Cisco IOS Release 12.3(7)T and 12.2(18)SXD.


To display the trustpoints that are configured in the router, use the show crypto pki trustpoints command in privileged EXEC or user EXEC mode.

show crypto ca trustpoints

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC
User EXEC

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

This command replaces the show crypto ca roots command. If you enter the show crypto ca roots command, the output will be written back as the show crypto pki trustpoints command.

Examples

The following is sample output from the show crypto ca trustpoints command:

Router# show crypto ca trustpoints

Trustpoint bo:
    Subject Name:
    CN = bomborra Certificate Manager
     O = cisco.com
     C = US
          Serial Number:01
    Certificate configured.
    CEP URL:http://bomborra
    CRL query url:ldap://bomborra

Related Commands

Command
Description

crypto pki trustpoint

Declares the CA that your router should use.


show crypto call admission statistics

To monitor Crypto Call Admission Control (CAC) statistics, use the show crypto call admission statistics command in user EXEC or privileged EXEC mode.

show crypto call admission statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC
Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.

12.2(18)SXD1

This command was integrated into Cisco IOS Release 12.2(18)SXD1.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.


Usage Guidelines

Enter this command to display information about the Crypto CAC configuration parameters and their history, including statistics regarding the current security association (SA) count, SAs being negotiated, total new SA requests, the number of Internet Key Exchange (IKE) SA requests accepted and rejected, and details regarding why requests were rejected.

Examples

The following example shows sample output from the show crypto call admission statistics command:

Router# show crypto call admission statistics 

Crypto Call Admission Control Statistics
-----------------------------------------------------------
System Resource Limit: 0    Max IKE SAs 0
Total IKE SA Count:    0    active:     0   negotiating: 0
Incoming IKE Requests: 0    accepted:   0   rejected:    0
Outgoing IKE Requests: 0    accepted:   0   rejected:    0
Rejected IKE Requests: 0    rsrc low:   0   SA limit:    0


Table 82 describes the significant fields shown in the display.

Table 82 show crypto call admission statistics Field Descriptions 

Field
Description

System resource limit

Percentage of system resources that the router can be using before IKE starts dropping all SA requests.

Max IKE SAs

Number of active IKE SA requests allowed on the router.

Total IKE SA Count

Number of IKE SAs.

active

Number of active SAs.

negotiating

Number of SA requests being negotiated.

Incoming IKE Requests

Number of incoming IKE SA requests.

Incoming IKE Requests accepted

Number of accepted IKE SA requests.

Incoming IKE Requests rejected

Number of rejected incoming IKE SA requests.

Outgoing IKE Requests

Number of outgoing IKE SA requests.

Outgoing IKE requests accepted

Number of accepted outgoing IKE SA requests.

Outgoing IKE requests rejected

Number of rejected outgoing IKE SA requests.

Rejected IKE Requests

Number of IKE requests that were rejected.

rsrc low

Number of IKE requests that were rejected because system resources were low or the preconfigured system resource limit was exceeded.

SA limit

Number of IKE SA requests that were rejected because the SA limit has been reached.
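The following Python example is added here and is not part of the Cisco reference. It parses the show crypto call admission statistics display into the field names used in Table 82 and flags the conditions an operator would alert on: rejections for low resources or for the SA limit (symptoms of IKE capacity exhaustion) and an SA count approaching Max IKE SAs. SAMPLE_CAC_OUTPUT is a constructed display with made-up counts; IDLE_CAC_OUTPUT is the all-zero display from the reference; parse_cac_statistics and assess_cac are names chosen for this example.

```python
import re

# Constructed sample output in the format shown above; the counts are made up
# to illustrate a router under IKE pressure.
SAMPLE_CAC_OUTPUT = """\
Crypto Call Admission Control Statistics
-----------------------------------------------------------
System Resource Limit: 90   Max IKE SAs 500
Total IKE SA Count:    480  active:     470 negotiating: 10
Incoming IKE Requests: 1250 accepted:   1200 rejected:   50
Outgoing IKE Requests: 300  accepted:   300 rejected:    0
Rejected IKE Requests: 50   rsrc low:   8   SA limit:    42
"""

# The all-zero display from the reference, for comparison.
IDLE_CAC_OUTPUT = """\
Crypto Call Admission Control Statistics
-----------------------------------------------------------
System Resource Limit: 0    Max IKE SAs 0
Total IKE SA Count:    0    active:     0   negotiating: 0
Incoming IKE Requests: 0    accepted:   0   rejected:    0
Outgoing IKE Requests: 0    accepted:   0   rejected:    0
Rejected IKE Requests: 0    rsrc low:   0   SA limit:    0
"""

PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")
MAX_SAS_RE = re.compile(r"Max IKE SAs\s+(\d+)")   # this field carries no colon


def parse_cac_statistics(text):
    """Return the counters as {field name: int}.

    The first 'label: value' pair on a line names the row; later pairs on the
    same line are keyed as '<row> <label>' (for example 'Incoming IKE Requests
    rejected'), which matches Table 82 and keeps the repeated
    'accepted'/'rejected' labels distinct.
    """
    stats = {}
    for line in text.splitlines():
        pairs = PAIR_RE.findall(line)
        if not pairs:
            continue
        row, value = pairs[0]
        stats[row] = int(value)
        for label, value in pairs[1:]:
            stats[f"{row} {label}"] = int(value)
        m = MAX_SAS_RE.search(line)
        if m:
            stats["Max IKE SAs"] = int(m.group(1))
    return stats


def assess_cac(stats, warn_ratio=0.9):
    """Return human-readable findings a monitoring job would alert on."""
    findings = []
    max_sas = stats.get("Max IKE SAs", 0)
    total = stats.get("Total IKE SA Count", 0)
    if max_sas and total / max_sas >= warn_ratio:
        findings.append(f"IKE SA count {total} is at {total / max_sas:.0%} "
                        f"of the {max_sas} SA limit")
    rsrc_low = stats.get("Rejected IKE Requests rsrc low", 0)
    if rsrc_low:
        findings.append(f"{rsrc_low} IKE requests rejected: system resources low")
    sa_limit = stats.get("Rejected IKE Requests SA limit", 0)
    if sa_limit:
        findings.append(f"{sa_limit} IKE requests rejected: SA limit reached")
    return findings


if __name__ == "__main__":
    for name, output in (("busy", SAMPLE_CAC_OUTPUT), ("idle", IDLE_CAC_OUTPUT)):
        print(name, assess_cac(parse_cac_statistics(output)) or ["no findings"])
```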


Related Commands

Command
Description

clear crypto call admission statistics

Clears the counters that track the number of accepted and rejected IKE SA requests.


show crypto ctcp

To display information about a Cisco Tunnel Control Protocol (cTCP) session, use the show crypto ctcp command in privileged EXEC mode.

show crypto ctcp [peer ip-address] [detail]

Syntax Description

peer

(Optional) Displays information about a specific peer.

ip-address

(Optional) IP address of the specific peer.

detail

(Optional) Displays information about the local TCP sequence number and the TCP sequence number of the packets for the peer.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(9)T

This command was introduced.


Examples

The following show command output displays detailed information about a specific peer:

Router# show crypto ctcp peer 10.76.235.21 detail

    Remote                 Local                VRF                 Status

    10.76.235.21:3519      10.76.248.239:10000                      CTCP_ACK_R
                           LocalSeq#6807392F    RemoteSeq#010116C7

Table 83 provides information about significant fields in the display.

Table 83 show crypto ctcp Field Descriptions

Field
Description

Remote

IP address of the remote peer with which this cTCP session is set up.

Local

IP address of the server to which the cTCP packets are addressed.

VRF

Name of the Virtual Private Network routing and forwarding (VRF) instance to which this session belongs. If the VRF is blank, the global routing table is used.

Status

Status of the cTCP session. CTCP_ACK_R is a successful cTCP setup. Any other state indicates that cTCP is not yet set up or failed to be set up.

LocalSeq

Sequence number of the last Transmission Control Protocol (TCP) packet sent by the server on this connection.

RemoteSeq

Sequence number of the last TCP packet that was received by the peer on this connection.


Related Commands

Command
Description

crypto ctcp

Configures cTCP encapsulation for Easy VPN.


show crypto datapath

To display the counters that help troubleshoot an encrypted data path, use the show crypto datapath command in privileged EXEC mode.

show crypto datapath {ipv4 | ipv6} {realtime | snapshot} {all | non-zero} [error | internal | punt | success]

Syntax Description

ipv4

Designates that IPv4 is used in the network.

ipv6

Designates that IPv6 is used in the network.

realtime

Displays the counters that capture traffic statistics as they occur.

snapshot

Displays the counters that capture traffic statistics as of a single point in time.

all

Displays all counters.

non-zero

Displays only the counters that have at least one event recorded.

error

(Optional) Displays the packet processing errors and dropped packet errors.

internal

(Optional) Tracks the movement of a packet from end to end across an encrypted data path.

punt

(Optional) Displays the instances when the configured processing method failed and an alternative was used.

success

(Optional) Displays the interfaces where packets were successfully processed.


Command Default

The command defaults are:

IP version: ipv4

Counters: all

Display time: realtime

Command Modes

Privileged EXEC

Command History

Release
Modification

12.4(9)T

This command was introduced.


Usage Guidelines

Use the show crypto datapath command to display the counters that help troubleshoot an encrypted data path.


Note Cisco recommends use of this command only for troubleshooting under the guidance of a Cisco TAC engineer.


You must specify the IP version used in the network. You can display all counters, only the counters that have recorded events, or one of these specific counters:

Error counters track packet processing errors and associated packet drops. When a packet encounters an error, the first 64 bytes of that packet are stored in a buffer, to facilitate troubleshooting.

Internal counters show the detailed movement of a packet, end to end, across an encrypted data path.

Punt counters track instances when the configured packet processing method failed, and an alternative method was used. Because such instances might indicate a problem, it is useful to track them.

Success counters help diagnose network performance problems. Frequently, although a network is configured for fast switching or CEF, packets are using a slower path. Success counters record the interfaces in the data path where packets were successfully processed and reveal the actual processing path.

You must also choose the display timeframe for the counters:

The realtime option captures traffic statistics as they occur, and results in significant discrepancies between the first data reports and later data, because the counters increment with the traffic flow. This is the default option.

The snapshot option captures traffic statistics as of a specific point in time, and results in a close match among all counts, because the counters do not increment with the continuing traffic flow.

Examples

The following example shows output from the show crypto datapath command. In this example, the snapshot option is specified for the timeframe, and only counters that have recorded events are displayed. The output of this command is intended for use by Cisco TAC engineers.

Router# show crypto datapath ipv4 snapshot non-zero 

Success Statistics: Snapshot at 21:34:30 PST Mar 4 2006 
  crypto check input core 
    2nd round ok:            245      1st round ok:            118 
  post crypto ip encrypt 
    post encrypt ipflowok:   230 
  crypto ceal post encrypt switch 
    post encrypt ipflowok-2: 230 
Error Statistics: Snapshot at 21:34:30 PST Mar 4 2006 
Punt Statistics: Snapshot at 21:34:30 PST Mar 4 2006 
  crypto ceal post decrypt switch 
    fs to ps:                245 
Internal Statistics: Snapshot at 21:34:30 PST Mar 4 2006 
  crypto check input 
    check input core not con 378      check input core consume 623 

  crypto check input core 
    came back from ce:       245      deny pak:                15 

  crypto ipsec les fs 
    not esp or ah:           1113 
  post crypto ip decrypt 
    decrypt switch:          245 
  crypto decrypt ipsec sa check 
    check ident success:     245 
  crypto ceal post decrypt switch 
    fs:                      245 
  crypto ceal post decrypt fs 
    les ip turbo fs:         245      tunnel ip les fs:        245 

  crypto ceal post decrypt ps 
    proc inline:             245 
  crypto ceal punt to process inline 
    coalesce:                245      simple enq:              245 

  crypto ceal post encrypt switch 
    ps:                      230 
  crypto ceal post encrypt ps 
    ps coalesce:             230      simple enq:              230 

  crypto engine ps vec 
    ip encrypt:              230 
  crypto send epa packets 
    ucast next hop:          230      ip ps send:              230

Related Commands

Command
Description

show monitor event-trace

Displays contents of error history buffers.


show crypto debug-condition

To display crypto debug conditions that have already been enabled in the router, use the show crypto debug-condition command in privileged EXEC mode.

show crypto debug-condition {[peer] [connid] [spi] [fvrf] [gdoi-group groupname]
[isakmp profile profile-name] [ivrf] [local ip-address] [unmatched] [username username]}

Syntax Description

peer

(Optional) Displays debug conditions related to the peer. Possible conditions can include peer IP address, subnet mask, hostname, username, and group key.

connid

(Optional) Displays debug conditions related to the connection ID.

spi

(Optional) Displays debug conditions related to the security parameter index (SPI).

fvrf

(Optional) Displays debug conditions related to the front-door virtual private network (VPN) routing and forwarding (FVRF) instance.

gdoi-group groupname

(Optional) Displays debug conditions related to the Group Domain of Interpretation (GDOI) group filter.

The groupname value is the name of the GDOI group.

isakmp profile profile-name

(Optional) Displays debug conditions related to the Internet Security Association Key Management Protocol (ISAKMP) profile filter.

The profile-name value is the name of the profile filter.

ivrf

(Optional) Displays debug conditions related to the inside VRF (IVRF) instance.

local ip-address

(Optional) Displays debug conditions related to the local address debug condition filters.

The ip-address is the IP address of the local crypto endpoint.

unmatched

(Optional) Displays debug messages related to the Internet Key Exchange (IKE), IP Security (IPsec), or the crypto engine, depending on what was specified via the debug crypto condition unmatched [engine | gdoi-group | ipsec | isakmp] command.

username username

(Optional) Displays debug messages related to the AAA Authentication (Xauth) or public key infrastructure (PKI) and authentication, authorization, and accounting (AAA) username filter.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The gdoi-group groupname, isakmp profile profile-name, local ip-address, and username username keywords and arguments were added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

You can specify as many filter values as specified via the debug crypto condition command. (You cannot specify a filter value that you did not use in the debug crypto condition command.)

Examples

The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3 and when the connection ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.

Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched 
! Verify crypto conditional settings.
Router# show crypto debug-condition

Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON

IKE peer IP address filters:
10.1.1.1  10.1.1.2   10.1.1.3

Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine

The following example shows how to disable all crypto conditional settings via the reset keyword:

Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition

Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF

Related Commands

Command
Description

debug crypto condition

Defines conditional debug filters.

debug crypto condition unmatched

Displays crypto conditional debug messages when context information is unavailable to check against debug conditions.


show crypto dynamic-map

To display a dynamic crypto map set, use the show crypto dynamic-map command in EXEC mode.

show crypto dynamic-map [tag map-name]

Syntax Description

tag map-name

(Optional) Displays only the crypto dynamic map set with the specified map-name.


Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the show crypto dynamic-map command to view a dynamic crypto map set.

Examples

The following is sample output for the show crypto dynamic-map command:

Router# show crypto dynamic-map

Crypto Map Template"vpn1" 1
        ISAKMP Profile: vpn1-ra
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
                vpn1,

The following partial configuration was in effect when the above show crypto dynamic-map command was issued:


crypto dynamic-map vpn1 1
 set transform-set vpn1 
 set isakmp-profile vpn1-ra
 reverse-route

Related Commands

Command
Description

show crypto map

Views the crypto map configuration.


show crypto eli

To display how many IKE SAs and IPSec sessions are active and how many Diffie-Hellman keys are in use for each hardware crypto engine, use the show crypto eli command in user EXEC or privileged EXEC mode.

show crypto eli

Syntax Description

This command has no arguments or keywords.

Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

12.1(5)E

This command was introduced.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(33)SRA

This command was integrated into Cisco IOS release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS release 12.2(33)SXH.


Usage Guidelines

Use this command to obtain a snapshot of how many Internet Key Exchange (IKE) and IP Security (IPSec) sessions are active and how many Diffie-Hellman keys are in use for each hardware crypto engine. The show crypto eli command also allows you to see how far an ISA is from reaching its maximum limit.


Note IKE is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE. However, IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. When IKE is used with IPSec, IKE automatically negotiates the IPSec security associations (SAs).


(The eli component of the command calls the Encryption Layer Interface.)

Examples

The following is sample output for the show crypto eli command:

Router# show crypto eli 

Encryption Layer :  ACTIVE 
 Number of crypto engines = 2. 

 Slot-3 crypto engine details. 
 Capability-IPSec :No-IPPCP, 3DES, NoRSA 

 IKE-Session   :    0 active,  2029 max, 0 failed 
 DH-Key        :    0 active,  1014 max, 0 failed 
 IPSec-Session :    0 active,  4059 max, 0 failed 

 Slot-5 crypto engine details. 
 Capability-IPSec :No-IPPCP, 3DES, NoRSA 

 IKE-Session   :    0 active,  2029 max, 0 failed 
 DH-Key        :    0 active,  1014 max, 0 failed 
 IPSec-Session :    0 active,  4059 max, 0 failed 

The following is sample output for the show crypto eli command for the IPSec VPN SPA:

Router# show crypto eli

Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 2

 CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
 Capability      : 
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session   :     0 active, 16383 max, 0 failed
 DH            :     0 active,  9999 max, 0 failed
 IPSec-Session :     0 active, 65534 max, 0 failed

 CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
 Capability      : 
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session   :     1 active, 16383 max, 0 failed
 DH            :     0 active,  9999 max, 0 failed
 IPSec-Session :     2 active, 65534 max, 0 failed

Table 84 describes significant fields shown in the display.

Table 84 show crypto eli summary Field Descriptions

Field
Description

active

The number of sessions that are active on a given hardware crypto engine.

max

The maximum number of sessions allowed for any given IKE, DH, or IPSec entry.

failed

The number of times that Cisco IOS software attempted to create more sessions than the number specified in "max."
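The following Python example is added here and is not part of the Cisco reference. It parses both show crypto eli display formats shown above (the "Slot-N crypto engine details" form and the "CryptoEngine ... details" form of the IPSec VPN SPA) and reports, per engine and per resource, how close "active" is to "max" and whether any "failed" allocations have occurred, which is the "how far an engine is from its limit" check the usage guidelines describe. SAMPLE_ELI_OUTPUT is a constructed display with made-up counts; parse_crypto_eli and capacity_findings are names chosen for this example.

```python
import re

# Constructed sample in the IPSec VPN SPA format shown above; the counts are
# made up so that one engine is close to its IKE and DH limits.
SAMPLE_ELI_OUTPUT = """\
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 2

 CryptoEngine SPA-IPSEC-2G[3/0] details: state = Active
 Capability      :
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session   : 15900 active, 16383 max, 12 failed
 DH            :  9999 active,  9999 max, 3 failed
 IPSec-Session : 31800 active, 65534 max, 0 failed

 CryptoEngine SPA-IPSEC-2G[3/1] details: state = Active
 Capability      :
     IPSEC: DES, 3DES, AES, RSA

 IKE-Session   :     1 active, 16383 max, 0 failed
 DH            :     0 active,  9999 max, 0 failed
 IPSec-Session :     2 active, 65534 max, 0 failed
"""

# Engine headers in either format shown in the reference:
#   "Slot-3 crypto engine details."  or  "CryptoEngine SPA-IPSEC-2G[3/0] details: ..."
HEADER_RE = re.compile(r"CryptoEngine (\S+) details|(Slot-\d+) crypto engine details")
# Counter lines: "<IKE-Session|DH|DH-Key|IPSec-Session> : N active, N max, N failed"
COUNTER_RE = re.compile(
    r"^\s*(IKE-Session|DH(?:-Key)?|IPSec-Session)\s*:\s*"
    r"(\d+) active,\s*(\d+) max,\s*(\d+) failed")


def parse_crypto_eli(text):
    """Return {engine: {resource: {"active": n, "max": n, "failed": n}}}."""
    engines = {}
    current = None
    for line in text.splitlines():
        h = HEADER_RE.search(line)
        if h:
            current = h.group(1) or h.group(2)
            engines[current] = {}
            continue
        c = COUNTER_RE.match(line)
        if c and current is not None:
            engines[current][c.group(1)] = {
                "active": int(c.group(2)),
                "max": int(c.group(3)),
                "failed": int(c.group(4)),
            }
    return engines


def capacity_findings(engines, warn_ratio=0.9):
    """List (engine, resource, message) for each resource that is near its
    max or has failed allocations; per Table 84, "failed" counts attempts to
    create more sessions than "max" allows."""
    findings = []
    for engine, counters in engines.items():
        for resource, c in counters.items():
            used = c["active"] / c["max"] if c["max"] else 0.0
            if used >= warn_ratio:
                findings.append((engine, resource, f"{used:.0%} of max in use"))
            if c["failed"]:
                findings.append((engine, resource, f"{c['failed']} allocations failed"))
    return findings


if __name__ == "__main__":
    for finding in capacity_findings(parse_crypto_eli(SAMPLE_ELI_OUTPUT)):
        print(*finding)
```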


show crypto eng qos

To monitor and maintain low latency queueing (LLQ) for IPSec encryption engines, use the show crypto eng qos command in privileged EXEC mode.

show crypto eng qos

Syntax Description

This command has no keywords or arguments.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(13)T

This command was introduced in Cisco IOS Release 12.2(13)T.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

Use the show crypto eng qos command to determine if QoS is enabled on LLQ for IPSec encryption engines.

Examples

The following example shows how to determine if LLQ for IPSec encryption engines is enabled:

Router# show crypto eng qos

crypto engine name: Multi-ISA Using VAM2
        crypto engine type: hardware
                      slot: 5
                   queuing: enabled
         visible bandwidth: 30000 kbps
                  llq size: 0
    default queue size/max: 0/64
      interface table size: 32

  FastEthernet0/0 (3), iftype 1, ctable size 16, input filter:ip
precedence 5
    class voice (1/3), match ip precedence 5
          bandwidth 500 kbps, max token 100000
          IN  match pkt/byte 0/0, police drop 0
          OUT match pkt/byte 0/0, police drop 0

  class default, match pkt/byte 0/0, qdrop 0
  crypto engine bandwidth:total 30000 kbps, allocated 500 kbps

The field descriptions in the above display are self-explanatory.

show crypto engine

To display a summary of the configuration information for the crypto engines, use the
show crypto engine command in privileged EXEC mode.

show crypto engine [accelerator | brief | configuration | connections | qos]

Syntax Description

accelerator

(Optional) Displays crypto accelerator information.

brief

(Optional) Displays a summary of the configuration information for the crypto engine.

configuration

(Optional) Displays the version and configuration information for the crypto engine.

connections

(Optional) Displays information about the crypto engine connections.

qos

(Optional) Displays quality of service (QoS) information.

This keyword has a null output if any advanced integration module (AIM) except AIM-VPN/SSL-1 is used. The command-line interface (CLI) will accept the command, but there will be no output.


Command Modes

Privileged EXEC

Command History

Release
Modification

11.2

This command was introduced on the Cisco 7200, RSP7000, and 7500 series routers.

12.2(15)ZJ

This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.4(4)T

IPv6 address information was added to command output.

12.4(9)T

AIM-VPN/SSL-3 encryption module information was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command displays all crypto engines and displays the AIM-VPN product name.

If a hardware crypto engine does not support native Group Domain of Interpretation (GDOI) header preservation, the show crypto engine connections active output for Group Encrypted Transport VPN (GET VPN) IP security (IPsec) connections displays a bogus IP address of 0.0.0.0 (see the show crypto engine connections active example below).

Examples

The following example of the show crypto engine command and the brief keyword shows typical crypto engine summary information:

Router# show crypto engine brief

crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  aim 0
	VPN Module in slot:  0
	      Product Name:  AIM-VPN/SSL-3
	 Software Serial #:  55AA
	         Device ID:  001F - revision 0000
	         Vendor ID:  0000
	       Revision No:  0x001F0000
	      VSK revision:  0
	      Boot version:  255
	       DPU version:  0
	       HSP version:  3.3(18) (PRODUCTION)
	      Time running:  23:39:30
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  3500
          Maximum SA index:  3500
        Maximum Flow index:  7000
      Maximum RSA key size:  2048


        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  CAD4FCE1
       crypto engine state:  installed
     crypto engine in slot:  N/A

The following example of the show crypto engine command shows IPv6 information:

Router# show crypto engine connections

    ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
     1 Et2/0      IPsec MD5                       0       46 FE80::A8BB:CCFF:FE01:2C02
     2 Et2/0      IPsec MD5                      41        0 FE80::A8BB:CCFF:FE01:2C02
     5 Tu0        IPsec SHA+DES                   0        0 3FFE:2002::A8BB:CCFF:FE01:2C02
     6 Tu0        IPsec SHA+DES                   0        0 3FFE:2002::A8BB:CCFF:FE01:2C02
  1001 Tu0        IKE   SHA+DES                   0        0 3FFE:2002::A8BB:CCFF:FE01:2C02

The following show crypto engine command output displays information for a situation in which a hardware crypto engine does not support native GDOI:

Router# show crypto engine connections active

Crypto Engine Connections

ID Interface     Type  Algorithm           Encrypt  Decrypt IP-Address
1079 Se0/0/0.10  IPsec AES+SHA                   0        0 0.0.0.0
1080 Se0/0/0.10  IPsec AES+SHA                   0        0 0.0.0.0
4364 <none>      IKE   SHA+3DES                  0        0 
4381 <none>      IKE   SHA+3DES                  0        0 

Table 85 describes significant fields shown in the display.

Table 85 show crypto engine brief Field Descriptions 

Field
Description

crypto engine name

Name of the crypto engine as assigned with the key-name argument in the crypto key generate dss command.

crypto engine type

If "software" is listed, the crypto engine resides in either the Route Switch Processor (RSP) (the Cisco IOS crypto engine) or in a second-generation Versatile Interface Processor (VIP2).

If "crypto card" or "ESA" is listed, the crypto engine is associated with an Encryption Service Adapter (ESA).

crypto engine state

The state "installed" indicates that a crypto engine is located in the given slot, but it is not configured for encryption.

The state "dss key generated" indicates the crypto engine found in that slot has DSS keys already generated.

crypto engine in slot

Chassis slot number of the crypto engine. For the Cisco IOS crypto engine, this is the chassis slot number of the RSP.


Related Commands

Command
Description

crypto engine accelerator

Enables the use of the onboard hardware accelerator for IPSec encryption.


show crypto engine accelerator logs

To display information about the last 32 CryptoGraphics eXtensions (CGX) Library packet processing commands and associated parameters sent from the VPN module driver to the VPN module hardware, use the show crypto engine accelerator logs command in privileged EXEC mode.

show crypto engine accelerator logs

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(1)XC

This command was introduced on the Cisco 1720 and Cisco 1750 platforms.

12.1(2)T

This command was integrated into Cisco IOS Release 12.1(2)T.


Usage Guidelines

Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected. Use the debug crypto engine accelerator logs command to enable command logging before using this command.


Note The show crypto engine accelerator logs command is intended only for Cisco Systems TAC personnel to collect debugging information.


Examples

The following is sample output for the show crypto engine accelerator logs command:

Router# show crypto engine accelerator logs

Contents of packet log (current index = 20):

tag = 0x5B02, cmd = 0x5000
param[0] = 0x000E, param[1] = 0x57E8
param[2] = 0x0008, param[3] = 0x0000
param[4] = 0x0078, param[5] = 0x0004
param[6] = 0x142C, param[7] = 0x142C
param[8] = 0x0078, param[9] = 0x000C
tag = 0x5B03, cmd = 0x4100
param[0] = 0x000E, param[1] = 0x583C
param[2] = 0x0034, param[3] = 0x0040
param[4] = 0x00B0, param[5] = 0x0004
param[6] = 0x1400, param[7] = 0x1400
param[8] = 0x0020, param[9] = 0x000C
tag = 0x5C00, cmd = 0x4100
param[0] = 0x000E, param[1] = 0x57BC
param[2] = 0x0034, param[3] = 0x0040
param[4] = 0x00B0, param[5] = 0x0004
param[6] = 0x1400, param[7] = 0x1400
param[8] = 0x0020, param[9] = 0x000C
.
.
.
tag = 0x5A01, cmd = 0x4100
param[0] = 0x000E, param[1] = 0x593C
param[2] = 0x0034, param[3] = 0x0040
param[4] = 0x00B0, param[5] = 0x0004
param[6] = 0x1400, param[7] = 0x1400
param[8] = 0x0020, param[9] = 0x000C

Contents of cgx log (current index = 12):

cmd = 0x0074 ret = 0x0000
param[0] = 0x0010, param[1] = 0x028E
param[2] = 0x0039, param[3] = 0x0D1E
param[4] = 0x0100, param[5] = 0x0000
param[6] = 0x0000, param[7] = 0x0000
param[8] = 0x0000, param[9] = 0x0000
cmd = 0x0062 ret = 0x0000
param[0] = 0x0035, param[1] = 0x1BE0
param[2] = 0x0100, param[3] = 0x0222
param[4] = 0x0258, param[5] = 0x0000
param[6] = 0x0000, param[7] = 0x0000
param[8] = 0x0000, param[9] = 0x0000
cmd = 0x0063 ret = 0x0000
param[0] = 0x0222, param[1] = 0x0258
param[2] = 0x0000, param[3] = 0x0000
param[4] = 0x0000, param[5] = 0x0000
param[6] = 0x0000, param[7] = 0x020A
param[8] = 0x002D, param[9] = 0x0000
.
.
.
cmd = 0x0065 ret = 0x0000
param[0] = 0x0222, param[1] = 0x0258
param[2] = 0x0010, param[3] = 0x028E
param[4] = 0x00A0, param[5] = 0x0008
param[6] = 0x0001, param[7] = 0x0000
param[8] = 0x0000, param[9] = 0x0000

Related Commands

Command
Description

debug crypto engine accelerator logs

Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.


show crypto engine accelerator ring

To display the contents and status of the control command, transmit packets, and receive packet rings used by the hardware accelerator crypto engine, use the show crypto engine accelerator ring command in privileged EXEC mode.

show crypto engine accelerator ring [control | packet | pool]

Syntax Description

control

(Optional) Displays the number of control commands that are queued for execution by the hardware accelerator crypto engine.

packet

(Optional) Displays the contents and status information for the transmit packet rings used by the hardware accelerator crypto engine.

pool

(Optional) Displays the contents and status information for the receive packet rings used by the hardware accelerator crypto engine.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(3)XL

This command was introduced for the Cisco uBR905 cable access router.

12.2(2)XA

Support was added for the Cisco uBR925 cable access router.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.

12.2(15)ZJ

This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(4)T

The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.


Usage Guidelines

This command displays the command ring information.

If any of the rings holds valid data, its ring entries are printed.

Examples

The following example shows the command ring information:

Router# show crypto engine accelerator ring packet 

PPQ RING:

cmd ring:head = 10 tail =10

result ring:head = 10 tail =10

destination ring:head = 10 tail =10

source ring:head = 10 tail =10

free ring:head = 0 tail =255
        00000000  071A96C5
        00000000  071A96C5
        00000001  071A9465
        00000001  071A9465
        00000002  071A9205
        00000002  071A9205
.
.
.

Related Commands

Command
Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator to zero.

crypto ca

Defines the parameters for the certification authority used for a session.

crypto cisco

Defines the encryption algorithms and other parameters for a session.

crypto dynamic-map

Creates a dynamic map crypto configuration for a session.

crypto engine accelerator

Enables the use of the onboard hardware accelerator for IPSec encryption.

crypto ipsec

Defines the IPSec SAs and transformation sets.

crypto isakmp

Enables and defines the IKE protocol and its parameters.

crypto key

Generates and exchanges keys for a cryptographic session.

crypto map

Creates and modifies a crypto map for a session.

debug crypto engine accelerator control

Displays each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Displays information about each packet sent for encryption and decryption.

show crypto engine accelerator sa-database

Displays the active (in-use) entries in the crypto engine SA database.

show crypto engine accelerator statistic

Displays the current run-time statistics and error counters for the crypto engine.

show crypto engine brief

Displays a summary of the configuration information for the crypto engine.

show crypto engine configuration

Displays the version and configuration information for the crypto engine.

show crypto engine connections

Displays a list of the current connections maintained by the crypto engine.


show crypto engine accelerator sa-database

To display active (in-use) entries in the platform-specific virtual private network (VPN) module database, use the show crypto engine accelerator sa-database command in privileged EXEC mode.

show crypto engine accelerator sa-database

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(1)XC

This command was introduced on the Cisco 1720 and Cisco 1750 platforms.

12.1(2)T

This command was integrated into Cisco IOS Release 12.1(2)T.


Usage Guidelines

Use this command when encrypted traffic is sent to the router and a problem with the encryption module is suspected.


Note The show crypto engine accelerator sa-database command is intended only for Cisco Systems TAC personnel to collect debugging information.


Examples

The following is sample output for the show crypto engine accelerator sa-database command:

Router# show crypto engine accelerator sa-database 

Flow Summary
        Index   Algorithms
        005      tunnel inbound  esp-md5-hmac esp-des ah-sha-hmac 
        006      tunnel outbound esp-md5-hmac esp-des ah-sha-hmac 
        007      tunnel inbound  esp-md5-hmac esp-des ah-sha-hmac 
        008      tunnel outbound esp-md5-hmac esp-des ah-sha-hmac 
        009      tunnel inbound  esp-md5-hmac esp-des ah-sha-hmac 
        010      tunnel outbound esp-md5-hmac esp-des ah-sha-hmac 
SA Summary:
        Index   DH-Index        Algorithms
        003     001(deleted)    DES SHA
        004     002(deleted)    DES SHA
DH Summary
        Index Group Config

Related Commands

Command
Description

debug crypto engine accelerator logs

Enables logging of commands and associated parameters sent from the VPN module driver to the VPN module hardware using a debug flag.


show crypto engine accelerator statistic

To display IP Security (IPsec) encryption statistics and error counters for the onboard hardware accelerator of the router or the IPsec Virtual Private Network (VPN) Shared Port Adapter (SPA), use the show crypto engine accelerator statistic command in privileged EXEC mode.

show crypto engine accelerator statistic

IPsec VPN SPA (SPA-IPSEC-2G) and VSPA (WS-IPSEC-3G)

show crypto engine accelerator statistic [slot slot/subslot | all] [coreutil | detail]

Syntax Description

slot slot/subslot

(IPsec VPN SPA and VSPA only—Optional) Chassis slot number and secondary slot number on the SPA Interface Processor (SIP) where the SPA is installed. Refer to the appropriate hardware manual for slot information. For SIPs, refer to the platform-specific SPA hardware installation guide or the corresponding "Identifying Slots and Subslots for SIPs and SPAs" topic in the platform-specific SPA software configuration guide.

Displays platform statistics for the corresponding SPA. This output will not include network interface controller statistics.

all

(IPsec VPN SPA and VSPA only—Optional) Displays platform statistics for all IPsec VPN SPAs or VSPAs on the router. This output will not include network interface controller statistics.

coreutil

(VSPA only—Optional) Displays VPN core utilization statistics.

detail

(IPsec VPN SPA and VSPA only—Optional) Displays platform statistics for the SPA and network interface controller statistics. Note that the controller statistics contain Layer 2 (L2) counters.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.1(1)XC

This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption.

12.1(3)XL

This command was implemented on the Cisco uBR905 cable access router.

12.2(2)XA

Support was added for the Cisco uBR925 cable access router.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745. In addition, the output for this show command was enhanced to display compression statistics.

12.2(15)ZJ

This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(4)T

The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA to support the IPsec VPN SPA on Cisco 7600 series routers.

12.4(9)T

Output was added for the AIM-VPN Secure Sockets Layer (SSL) encryption module.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH to support the IPsec VPN SPA on Catalyst 6500 series switches.

12.2(33)SXI

The coreutil keyword was added for the VSPA, and output was added to display the percent utilization with other utilization statistics in the crypto engine.

12.4(24)T

Output was modified to display reassembly and fragmentation-drop counters for VPN Service Adaptor (VSA) traffic statistics.


Usage Guidelines

No specific usage guidelines apply to the hardware accelerators.

IPsec VPN SPA and VSPA

Enter the slot keyword to display platform statistics for the corresponding SPA. This output will not include network interface controller statistics.

Enter the all keyword to display platform statistics for all IPsec VPN SPAs and VSPAs on the router. This output will not include network interface controller statistics.

Enter the detail keyword to display platform statistics for the SPA and network interface controller statistics. Note that the controller statistics contain L2 counters.

VSPA

Enter the coreutil keyword to display VPN core utilization statistics. This output will not include network interface controller statistics.


Tip In Cisco IOS Release 12.2(8)T and later releases, you can add a time stamp to show commands using the exec prompt timestamp command in line configuration mode.


Examples

Hardware VPN Module

The following example displays compression statistics for a hardware VPN module:

Router# show crypto engine accelerator statistic 

Device:   AIM-VPN/SSL-3
Location: AIM Slot: 0
Virtual Private Network (VPN) Module in slot : 0
	Statistics for Hardware VPN Module since the last clear
	 of counters 85319 seconds ago
	            560 packets in                         560 packets out           
	          95600 bytes in                        124720 bytes out             
	              0 paks/sec in                          0 paks/sec out          
	              0 Kbits/sec in                         0 Kbits/sec out         
	              0 packets decrypted                  560 packets encrypted     
	              0 bytes before decrypt            124720 bytes encrypted       
	              0 bytes decrypted                  95600 bytes after encrypt   
	              0 packets decompressed                 0 packets compressed    
	              0 bytes before decomp                  0 bytes before comp     
	              0 bytes after decomp                   0 bytes after comp      
	              0 packets bypass decompr               0 packets bypass compres
	              0 bytes bypass decompres               0 bytes bypass compressi
	              0 packets not decompress               0 packets not compressed
	              0 bytes not decompressed               0 bytes not compressed  
                  1.0:1 compression ratio                1.0:1 overall
	          10426 commands out                     10426 commands acknowledged 
		Last 5 minutes: 
	              0 packets in                           0 packets out           
	              0 paks/sec in                          0 paks/sec out          
	              0 bits/sec in                          0 bits/sec out          
	              0 bytes decrypted                      0 bytes encrypted       
	              0 Kbits/sec decrypted                  0 Kbits/sec encrypted   
                  1.0:1 compression ratio                1.0:1 overall

	Errors:
	   ppq full errors         :        0   ppq rx errors           :        0
	   cmdq full errors        :        0   cmdq rx errors          :        0
	   ppq down errors         :        0   cmdq down errors        :        0
	   no buffer               :        0   replay errors           :        0
	   dest overflow           :        0   authentication errors   :        0
	   Other error             :        0   Raw Input Underrun      :        0
	   IPSEC Unsupported Option:        0   IPV4 Header Length      :        0
	   ESP Pad Length          :        0   IPSEC Decompression     :        0
	   AH ESP seq mismatch     :        0   AH Header Length        :        0
	   AH ICV Incorrect        :        0   IPCOMP CPI Mismatch     :        0
	   IPSEC ESP Modulo        :        0   Unexpected IPV6 Extensio:        0
	   Unexpected Protocol     :        0   Dest Buf overflow       :        0
	   IPSEC Pkt is fragment   :        0   IPSEC Pkt src count     :        0
	   Invalid IP Version      :        0   Unwrappable             :        0
	   SSL Output overrun      :        0   SSL Decompress failure  :        0
	   SSL BAD Decomp History  :        0   SSL Version Mismatch    :        0
	   SSL Input overrun       :        0   SSL Conn Modulo         :        0
	   SSL Input Underrun      :        0   SSL Connection closed   :        0
	   SSL Unrecognised content:        0   SSL record header length:        0
	   PPTP Duplicate packet   :        0   PPTP Exceed max missed p:        0
	   RNG self test fail      :        0   DF Bit set              :        0
	   Hash Miscompare         :        0   Unwrappable object      :        0
	   Missing attribute       :        0   Invalid attrribute value:        0
	   Bad Attribute           :        0   Verification Fail       :        0
	   Decrypt Failure         :        0   Invalid Packet          :        0
	   Invalid Key             :        0   Input Overrun           :        0
	   Input Underrun          :        0   Output buffer overrun   :        0
	   Bad handle value        :        0   Invalid parameter       :        0
	   Bad function code       :        0   Out of handles          :        0
	   Access denied           :        0   Out of memory           :        0
	   NR overflow             :        0   pkts dropped            :        0

	Warnings:
	   sessions_expired        :        0   packets_fragmented      :        0
	   general:                :        0

	HSP details:
	   hsp_operations          :    10441   hsp_sessio 

Table 86 describes significant fields shown in the above display.

Table 86 show crypto engine accelerator statistic Compression Statistics Descriptions 

Counter
Description

packets decompressed

Number of packets that were decompressed by the interface.

packets compressed

Number of packets that were compressed by the interface.

bytes before decomp

Number of compressed bytes that were presented to the compression algorithm from the input interface on decrypt.

bytes before comp

Number of uncompressed bytes (payload) that were presented to the compression algorithm from Cisco IOS on encrypt.

bytes after decomp

Number of decompressed bytes that were sent to Cisco IOS by the compression algorithm on decryption.

bytes after comp

Number of compressed bytes that were forwarded to Cisco IOS by the algorithm on encryption.

packets bypass compres

Number of packets that were not compressed because they were too small (<128 bytes).

packets not compressed

Number of packets that were not compressed because the packets were expanded rather than compressed.

compression ratio

Ratio of compression and decompression of packets presented to the compression algorithm that were successfully compressed or decompressed. This statistic measures the efficiency of the algorithm for all packets that were compressed or decompressed.

overall

Ratio of compression and decompression of packets presented to the compression algorithm, including those that were not compressed due to expansion or too small. This ratio indicates whether the data traffic on this interface is suitable for compression. A ratio of 1:1 would imply that no successful compression is being performed on this data traffic.


7200/VSA

The following example is output from a Cisco 7200 with VSA:

Router# show crypto engine accelerator statistic 0
Inbound rate: 0pps 0kb/s  Outbound rate: 0pps 0kb/s

    TRAFFIC                     Transmitted                  Received
 -------------------------------------------------------------------------------
  Message  Count:                         5                         5
  Message  Byte Count:                 1212                       256
  Message  Overflow:                      0 
  Outbound Count:                        54                       154
  Outbound Byte Count:                12472                     30332
  Outbound Overflow:                      0 
  Inbound  Count:                       153                       153
  Inbound  Byte Count:                26304                     19864
  Inbound  Overflow:                      0 

  Reassembled Pkt:                        0
  Fragments Dropped:                      0
     IPPE:                                0
     EPPE:                                0
     FIFO:                                0
     RAE:                                 0

  Inbound Traffic:  
 -------------------------------------------------------------------------------
  Decrypted Pkt:                        150
  Passthrough Pkt:                        3
  IKE Pkt:                                0

  SPI Error:                              0
  Policy Violation:                       0

  Outbound Traffic:             Route cache                 Processor
 -------------------------------------------------------------------------------
  Encrypted Pkt:                        150                         0
  Passthrough Pkt:                        0                         4
  Policy Violation:                       0

  Queue Depth:
 ------------------------------------------------------------------------------
  TXRing Current Queue Depth:
    High Priority   :                     0.0 %
    Medium Priority :                     0.0 %
    Low Priority    :                     0.0 %

VSA RX Exception statistics:
   Invalid SA              :          0   Enc Dec mismatch        :          0
   Next Header mismatch    :          0   Pad mismatch            :          0
   MAC mismatch            :          0   Anti replay failed      :          0
   Enc Seq num overflow    :          0   Dec IPver mismatch      :          0
   Enc IPver mismatch      :          0   TTL Decr                :          0
   Selector checks         :          0   UDP mismatch            :          0
   IP Parse error          :          0   Fragmentation Error     :          0
   IB Selector check       :          0   TimeBased Replay Err    :          0
   Misc. Exceptions        :          0

Table 87 describes significant fields shown in the above display.

Table 87 show crypto engine statistic Field Descriptions for a Cisco 7200/VSA 

Field
Description

Message Count

Number of messages sent to the VSA.

Message Byte Count

Byte count for the above messages.

Message Overflow

Number of messages that could not be sent because there was no space in the transmission (TX) ring.

Outbound Count

Number of outbound packets sent to the VSA for classification and/or encryption (includes packets for encryption/passthrough).

Outbound Byte Count

Byte count of the above packets.

Outbound Overflow

Number of outbound packets that could not be sent.

Inbound Count

Number of inbound packets sent to the VSA for classification and/or decryption.

Inbound Byte Count

Byte count for the above packets.

Inbound Overflow

Number of inbound packets that could not be sent because the TX ring was full.

Reassembled Pkt

Number of reassembled packets.

Fragments Dropped

Total number of fragments dropped.

IPPE

Number of inbound fragments dropped by the Ingress Packet Processing Engine (IPPE).

EPPE

Number of outbound fragments dropped by the Egress Packet Processing Engine (EPPE).

FIFO

Number of fragments dropped by the FIFO (First In First Out) fragment queue.

RAE

Number of fragments dropped by the Reassembly Engine (RAE).

Inbound Traffic

Decrypted Pkt

Number of decrypted packets.

Passthrough Pkt

Clear packets in the inbound direction.

IKE Pkt

Internet Key Exchange (IKE) packets that were received.

SPI Error

Received packets having an invalid Security Parameter Index (SPI).

Policy Violation

The VSA received clear packets that should have come encrypted as per the policy.

Outbound Traffic

Encrypted Pkt

Number of encrypted packets.

Passthrough Pkt

Outbound clear packets.

Policy Violation

No outbound SA to encrypt the packet.

Queue Depth

TXRing Current Queue Depth

Current queue depth of the three TX rings.

VSA RX Exception statistics

Errors from the crypto chip.

Invalid SA

Specified SA does not exist.

Enc Dec mismatch

Packet came on the wrong type of SA.

Next Header mismatch

Wrong nextheader field was found in the packet.

Pad mismatch

Wrong pad found in the packet.

MAC mismatch

Authentication check failed.

Anti replay failed

Anti-replay error.

Enc Seq num overflow

Sequence number reached the max for the SA.

Dec IPver mismatch

Wrong IP version for the packet to be decrypted (for example, an IPv4 packet came in for an IPv6 SA).

Enc IPver mismatch

Wrong IP version for the packet to be encrypted.

TTL Decr

Time to Live decremented to 0 (zero).

Selector checks

Decrypted packet failed the policy check.

UDP mismatch

User Datagram Protocol (UDP) packet failed the sanity check.

IP Parse error

Error in IP packet parsing.

Fragmentation Error

Could not fragment; DF bit set.

IB Selector check

Decrypted packet failed the policy check (for Group Encrypted Transport Virtual Private Network [GET VPN]).

TimeBased Replay Err

Time-based anti-replay failed (for GET VPN).

Misc. Exceptions

Errors not classified as any of the above.
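
The counter blocks shown above differ in layout (the AIM-VPN module and the VSA print two "name : count" pairs per line, while the IPsec VPN SPA output that follows uses dotted-leader "Name.....: count" lines), and Table 87 shows that one counter name, Policy Violation, means different things in the inbound and outbound blocks. As an added example that is not Cisco's code, the Python below parses these layouts, tracks the enclosing block header, and reports the non-zero counters that indicate a protection failure rather than a capacity problem; the sample output it runs on is constructed, and the meanings given for the non-VSA counters are inferred from their names rather than taken from a table on this page.

```python
"""Triage 'show crypto engine accelerator statistic' output for security counters.

Added example for this reference page, not Cisco code.  Parses the AIM-VPN and
VSA two-column "name : count" blocks and the SPA dotted-leader "Name.....: count"
lines, then flags non-zero counters that signal a protection failure.
"""
import re
from typing import Dict, List, Tuple

# Two-column layout, e.g. "ppq full errors  :  0   ppq rx errors  :  0".  The name
# must end in a letter so that ratio lines such as "1.0:1 overall" are not counters.
TWO_COL_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ._/-]*?[A-Za-z])\s*:\s*(\d+)")
# Dotted-leader layout of the SPA/VSPA output, e.g. "Replay Check Failed......: 0"
DOTTED_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _/-]*?)\.{2,}:\s*(\d+)\s*$")

CounterRow = Tuple[str, str, int]  # (block header, counter name, value)

# VSA meanings come from the page's Table 87; AIM-VPN and SPA entries are inferred
# from the counter names (assumption).  A (section, name) key wins over a bare name
# because "Policy Violation" means different things inbound and outbound.
SECURITY_COUNTERS = {
    "replay errors": "anti-replay check rejected packets",
    "authentication errors": "integrity check failed",
    "AH ICV Incorrect": "AH integrity check value did not verify",
    ("Inbound Traffic", "Policy Violation"): "clear packets arrived that policy required to be encrypted",
    ("Outbound Traffic", "Policy Violation"): "no outbound SA existed to encrypt the packet",
    "SPI Error": "received packets carried an invalid SPI",
    "MAC mismatch": "authentication check failed",
    "Anti replay failed": "anti-replay error",
    "Selector checks": "decrypted packet failed the policy check",
    "TimeBased Replay Err": "time-based anti-replay failed (GET VPN)",
    "Authentication Errors": "authentication failed",
    "Replay Check Failed": "anti-replay check failed",
    "Policy Check Failed": "decrypted packet did not match policy",
    "Illegal CLear Packet": "cleartext received where encryption was expected",
}


def parse_counters(text: str) -> List[CounterRow]:
    """Walk the output line by line, remembering the enclosing block header."""
    rows: List[CounterRow] = []
    section = ""
    for line in text.splitlines():
        if not any(ch.isalpha() for ch in line):
            continue  # blank line or a ----/==== separator
        if not any(ch.isdigit() for ch in line):
            # Letters but no digits: a block header such as "Errors:", "Inbound
            # Traffic:" or "Decryption Side Data Path Statistics"; keep text before ':'
            section = " ".join(line.split(":")[0].split())
            continue
        dotted = DOTTED_RE.match(line)
        if dotted:
            rows.append((section, dotted.group(1).strip(), int(dotted.group(2))))
            continue
        for name, value in TWO_COL_RE.findall(line):
            rows.append((section, " ".join(name.split()), int(value)))
    return rows


def security_findings(rows: List[CounterRow]) -> List[Tuple[str, str, int, str]]:
    """Return (section, name, value, meaning) for every non-zero security counter."""
    findings = []
    for section, name, value in rows:
        meaning = SECURITY_COUNTERS.get((section, name)) or SECURITY_COUNTERS.get(name)
        if meaning is not None and value > 0:
            findings.append((section, name, value, meaning))
    return findings


# Constructed sample in the page's layouts; the counts are invented so that several
# checks fire.  Not captured from a device.
SAMPLE_OUTPUT = """\
\tErrors:
\t   ppq full errors         :        0   ppq rx errors           :        0
\t   no buffer               :        0   replay errors           :       17
\t   dest overflow           :        0   authentication errors   :        2
                  1.0:1 compression ratio                1.0:1 overall

  Inbound Traffic:
 -----------------------------------------------
  Decrypted Pkt:                        150
  Policy Violation:                       4

  Outbound Traffic:             Route cache                 Processor
 -----------------------------------------------
  Encrypted Pkt:                        150                         0
  Policy Violation:                       0

VSA RX Exception statistics:
   MAC mismatch            :          1   Anti replay failed      :          9

Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Policy Check Failed......: 5
Illegal CLear Packet.....: 0
"""

if __name__ == "__main__":
    for section, name, value, meaning in security_findings(parse_counters(SAMPLE_OUTPUT)):
        print(f"[{section}] {name} = {value}: {meaning}")
```

Feed it the output of the command captured from a device to get the same report; a persistent non-zero replay or authentication counter on a tunnel that is otherwise passing traffic is worth correlating with the peer's logs.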


IPsec VPN SPA and VSPA

The following example shows the platform statistics for the IPsec VPN SPA in slot 1 subslot 0 and also displays the network interface controller statistics (this platform output is from a Catalyst 6500 series with installed IPsec VPN SPA):

Router# show crypto engine accelerator statistic slot 1/0 detail

VPN module in slot 1/0


Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets TX...............: 452480

IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 452470
AH Packets...............: 0
ESP Packets..............: 452470
GRE Decapsulations.......: 0
NAT-T Decapsulations.....: 0
Clear....................: 8
ICMP.....................: 0

Packets Drop.............: 193
Authentication Errors....: 0
Decryption Errors........: 0
Replay Check Failed......: 0
Policy Check Failed......: 0
Illegal CLear Packet.....: 0
GRE Errors...............: 0
SPD Errors...............: 0
HA Standby Drop..........: 0

Hard Life Drop...........: 0
Invalid SA...............: 191
SPI No Match.............: 0
Destination No Match.....: 0
Protocol No Match........: 0

Reassembly Frag RX.......: 0
IPSec Fragments..........: 0
IPSec Reasm Done.........: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0


Decryption Side Controller Statistics
=====================================
Frames RX................: 756088
Bytes RX.................: 63535848
Mcast/Bcast Frames RX....: 2341
RX Less 128Bytes.........: 756025
RX Less 512Bytes.........: 58
RX Less 1KBytes..........: 2
RX Less 9KBytes..........: 3
RX Frames Drop...........: 0

Frames TX................: 452365
Bytes TX.................: 38001544
Mcast/Bcast Frames TX....: 9
TX Less 128Bytes.........: 452343
TX Less 512Bytes.........: 22
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0


Encryption Side Data Path Statistics
====================================
Packets RX...............: 756344
Packets TX...............: 753880
IPSec Transport Mode.....: 0
IPSec Tunnel Mode........: 753869
GRE Encapsulations.......: 0
NAT-T Encapsulations.....: 0
LAF prefragmented........: 0

Fragmented...............: 0
Clear....................: 753904
ICMP.....................: 0

Packets Drop.............: 123
IKE/TED Drop.............: 27
Authentication Errors....: 0
Encryption Errors........: 0
HA Standby Drop..........: 0

Hard Life Drop...........: 0
Invalid SA...............: 191

Reassembly Frag RX.......: 0
Clear Fragments..........: 0
Clear Reasm Done.........: 0
Datagrams Drop...........: 0
Fragments Drop...........: 0


Encryption Side Controller Statistics
=====================================
Frames RX................: 454065
Bytes RX.................: 6168274/
Mcast/Bcast Frames RX....: 1586
RX Less 128Bytes.........: 1562
RX Less 512Bytes.........: 452503
RX Less 1KBytes..........: 0
RX Less 9KBytes..........: 0
RX Frames Drop...........: 0

Frames TX................: 753558
Bytes TX.................: 100977246
Mcast/Bcast Frames TX....: 2
TX Less 128Bytes.........: 3
TX Less 512Bytes.........: 753555
TX Less 1KBytes..........: 0
TX Less 9KBytes..........: 0

Table 88 describes significant fields shown in the above display.

Table 88 show crypto engine accelerator statistic IPsec VPN SPA
Statistics Descriptions 

Field
Description

Decryption Side Data Path Statistics

Packets RX

Number of packets received on the decryption side of the IPsec VPN SPA.

Packets TX

Number of packets transmitted by the IPsec VPN SPA in the decryption direction.

IPSec Transport Mode

Number of packets in IPsec Transport Mode.

IPSec Tunnel Mode

Number of packets in IPsec Tunnel Mode.

AH Packets

Number of packets with authentication headers (AHs).

ESP Packets

Number of packets with Encapsulating Security Payload (ESP) headers.

GRE Decapsulations

Number of packets that were generic routing encapsulation (GRE) decapsulated.

NAT-T Decapsulations

Number of packets that were Network Address Translation-Traversal (NAT-T) decapsulated.

Clear

Number of clear packets received.

ICMP

Number of Internet Control Message Protocol (ICMP) packets received.

Packets Drop

Number of packet drops.

Note Does not represent the sum of the individual drop subtotals displayed (does not include BPDU/CDP/MOP packets dropped).

Authentication Errors

Number of authentication errors.

Decryption Errors

Number of decryption errors.

Replay Check Failed

Number of replay check errors.

Policy Check Failed

Number of policy check errors.

Illegal Clear Packet

Number of illegal clear packets.

GRE Errors

Number of GRE errors due to invalid packets or invalid security associations (SAs).

Note These errors correspond to the sum of the following GRE errors in the output of the show stats icpu command: "GRE Packet Errors," "GRE SA No Match," and "Invalid GRE SA," which count, respectively, the number of GRE packets that are RFC compliant but use a format not currently supported by the VPN module, the number of GRE packets for which the SA lookup results in no match, and the number of GRE packets for which the SA lookup matches an entry marked as invalid.

SPD Errors

Number of Security Policy Database (SPD) errors.

Note These errors correspond to the sum of the following SPD errors in the output of the show stats icpu command: "SPD Lookup Failed," "SPD Invalid," and "SPD ID No Match."

HA Standby Drop

Number of packet drops on a High Availability (HA) standby IPsec VPN SPA.

Note The standby IPsec VPN SPA is not supposed to receive packets.

Hard Life Drop

Number of packet drops due to SA hard life expiration.

Note These packets are dropped during rekeying after the SA volume lifetime has been reached.

Invalid SA

Number of packet drops due to invalid SA.

SPI No Match

Number of packet drops due to a Security Parameter Index (SPI) mismatch.

Destination No Match

Number of packet drops due to destination no match.

Protocol No Match

Number of packet drops due to protocol no match.

Reassembly Frag RX

Number of packets that required reassembly processing.

IPSec Fragments

Number of IPsec fragments.

IPSec Reasm Done

Number of IPsec fragments reassembled.

Clear Fragments

Number of clear fragments.

Clear Reasm Done

Number of clear fragments reassembled.

Datagrams Drop

Number of reassembled datagrams dropped.

Fragments Drop

Number of fragments dropped.

Decryption Side Controller Statistics

Frames RX

Number of frames received.

Bytes RX

Number of bytes received.

Mcast/Bcast Frames RX

Number of multicast/broadcast frames received.

RX Less 128Bytes

Number of frames having a size less than 128 bytes.

RX Less 512Bytes

Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.

RX Less 1KBytes

Number of frames having a size greater than or equal to 512 bytes and less than 1 kilobyte (KB).

RX Less 9KBytes

Number of frames having a size greater than or equal to 1 KB and less than 9 KB.

RX Frames Drop

Number of frames dropped.

Frames TX

Number of frames transmitted.

Bytes TX

Number of bytes transmitted.

Mcast/Bcast Frames TX

Number of multicast/broadcast frames transmitted.

TX Less 128Bytes

Number of frames having a size less than 128 bytes.

TX Less 512Bytes

Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.

TX Less 1KBytes

Number of frames having a size greater than or equal to 512 bytes and less than 1 KB.

TX Less 9KBytes

Number of frames having a size greater than or equal to 1 KB and less than 9 KB.

Encryption Side Data Path Statistics

Packets RX

Number of packets received on the encryption side of the IPsec VPN SPA.

Packets TX

Number of packets transmitted by the IPsec VPN SPA in the encryption direction.

IPSec Transport Mode

Number of packets in IPsec Transport Mode.

IPSec Tunnel Mode

Number of packets in IPsec Tunnel Mode.

GRE Encapsulations

Number of packets that were GRE encapsulated.

NAT-T Encapsulations

Number of packets that were NAT-T encapsulated.

LAF prefragmented

Number of packets with Look Ahead Fragmentation set and that were prefragmented.

Fragmented

Number of packets fragmented.

Clear

Number of clear packets.

ICMP

Number of ICMP packets.

Packets Drop

Number of packet drops.

Note Does not represent the sum of the individual drop subtotals displayed (does not include BPDU/CDP/MOP packets dropped).

IKE/TED Drop

Number of packet drops because SA has not been set up.

Authentication Errors

Number of authentication errors.

Encryption Errors

Number of encryption errors.

HA Standby Drop

Number of packet drops on a HA standby IPsec VPN SPA.

Note The standby IPsec VPN SPA is not supposed to receive packets.

Hard Life Drop

Number of packet drops due to SA hard-life expiration.

Note These packets are dropped during rekeying after the SA volume lifetime has been reached.

Invalid SA

Number of packet drops due to invalid SA.

Reassembly Frag RX

Number of packets that required reassembly processing.

Clear Fragments

Number of clear fragments.

Clear Reasm Done

Number of clear fragments reassembled.

Datagrams Drop

Number of reassembled datagrams dropped.

Fragments Drop

Number of fragments dropped.

Encryption Side Controller Statistics

Frames RX

Number of frames received.

Bytes RX

Number of bytes received.

Mcast/Bcast Frames RX

Number of multicast/broadcast frames received.

RX Less 128Bytes

Number of frames having a size less than 128 bytes.

RX Less 512Bytes

Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.

RX Less 1KBytes

Number of frames having a size greater than or equal to 512 bytes and less than 1 KB.

RX Less 9KBytes

Number of frames having a size greater than or equal to 1 KB and less than 9 KB.

RX Frames Drop

Number of frames dropped.

Frames TX

Number of frames transmitted.

Bytes TX

Number of bytes transmitted.

Mcast/Bcast Frames TX

Number of multicast/broadcast frames transmitted.

TX Less 128Bytes

Number of frames having a size less than 128 bytes.

TX Less 512Bytes

Number of frames having a size greater than or equal to 128 bytes and less than 512 bytes.

TX Less 1KBytes

Number of frames having a size greater than or equal to 512 bytes and less than 1 KB.

TX Less 9KBytes

Number of frames having a size greater than or equal to 1 KB and less than 9 KB.
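To put the counters in Table 88 to operational use, the following added example (not Cisco code) parses the detail output into per-section counters, flags non-zero security-relevant drop counters and an overall drop ratio above a threshold, and reports counters that rose between two snapshots. The sample text is a constructed abbreviation of the output above and the 1e-3 drop-ratio threshold is an assumption; the counter names are those of Table 88.

```python
"""Parse 'show crypto engine accelerator statistic <slot> detail' output and
surface the drop counters worth watching.
Added example, not Cisco code. ACCEL_SAMPLE is constructed to mirror the IPsec
VPN SPA output on this page (abbreviated); the drop-ratio threshold is assumed."""
import re
from typing import Dict, List, Tuple

# Counters that each record a packet the SPA refused for a cryptographic,
# anti-replay, policy or SA-lookup reason (see Table 88).
SECURITY_COUNTERS = (
    "Authentication Errors", "Decryption Errors", "Encryption Errors",
    "Replay Check Failed", "Policy Check Failed", "Illegal CLear Packet",
    "SPD Errors", "Invalid SA", "SPI No Match", "HA Standby Drop",
)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Statistics)$")
COUNTER_RE = re.compile(r"^([A-Za-z0-9/ \-]+?)\.{2,}:\s*(\d+)$")
Stats = Dict[str, Dict[str, int]]

def parse_accel_stats(text: str) -> Stats:
    """{section: {counter: value}}: a section is an 'xxx Statistics' heading,
    its counters the 'Name......: value' lines that follow it."""
    sections: Stats = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = {}
            continue
        cnt = COUNTER_RE.match(line)
        if cnt and current is not None:
            sections[current][cnt.group(1).strip()] = int(cnt.group(2))
    return sections

def drop_findings(stats: Stats, max_drop_ratio: float = 1e-3) -> List[Tuple[str, str, int]]:
    """(section, counter, value) for each data path section whose overall drop
    ratio exceeds max_drop_ratio, plus every non-zero security counter."""
    findings: List[Tuple[str, str, int]] = []
    for section, counters in stats.items():
        if not section.endswith("Data Path Statistics"):
            continue  # controller (NIC) sections carry no security counters
        rx, drops = counters.get("Packets RX", 0), counters.get("Packets Drop", 0)
        if rx and drops / rx > max_drop_ratio:
            findings.append((section, "Packets Drop", drops))
        findings += [(section, k, counters[k]) for k in SECURITY_COUNTERS
                     if counters.get(k, 0) > 0]
    return findings

def rising_counters(prev: Stats, curr: Stats) -> Dict[Tuple[str, str], int]:
    """{(section, counter): increase} for security counters that grew between
    two snapshots. Counters accumulate until 'clear crypto engine accelerator
    counter' is run, so the delta, not the absolute value, is the signal."""
    rising: Dict[Tuple[str, str], int] = {}
    for section, counters in curr.items():
        for key in SECURITY_COUNTERS:
            delta = counters.get(key, 0) - prev.get(section, {}).get(key, 0)
            if delta > 0:
                rising[(section, key)] = delta
    return rising

# Constructed sample in the 'detail' format shown above (values abbreviated).
ACCEL_SAMPLE = """\
Decryption Side Data Path Statistics
====================================
Packets RX...............: 454260
Packets Drop.............: 193
Authentication Errors....: 0
Replay Check Failed......: 0
Policy Check Failed......: 0
Invalid SA...............: 191

Decryption Side Controller Statistics
=====================================
Frames RX................: 756088
RX Frames Drop...........: 0

Encryption Side Data Path Statistics
====================================
Packets RX...............: 756344
Packets Drop.............: 123
IKE/TED Drop.............: 27
Encryption Errors........: 0
Invalid SA...............: 191
"""
# A later snapshot of the same module in which two decryption-side counters moved.
ACCEL_SAMPLE_LATER = ACCEL_SAMPLE.replace(
    "Invalid SA...............: 191", "Invalid SA...............: 250", 1
).replace("Replay Check Failed......: 0", "Replay Check Failed......: 3")
```

Note that "Packets Drop" is not the sum of the listed drop subtotals, so the ratio check and the per-counter checks are deliberately independent.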


VSPA

The following examples show the output when the coreutil keyword is used with the VSPA on a Catalyst 6500 series switch running Cisco IOS Release 12.2(33)SXI or a later release:

Router# show crypto engine accelerator statistic slot 2/0 coreutil

Utilization Percentages for VPN blade in slot 2/0
Blade Utilization Percentages
==========================
Last 5 seconds ---------------------
Slowpath ...................... 35 %
Inbound ....................... 24 %
Outbound ...................... 32 %
QoS ........................... 44 %
Last 1 minute ----------------------
Slowpath ...................... 12 %
Inbound ....................... 11 %
Outbound ...................... 15 %
QoS ........................... 23 %
Last 5 minutes ---------------------
Slowpath ....................... 8 %
Inbound ....................... 11 %
Outbound ...................... 11 %
QoS ........................... 10 %

Router# show crypto engine accelerator statistic all coreutil

Utilization Percentages for VPN blade in slot 2/0
Blade Utilization Percentages
==========================
Last 5 seconds ---------------------
Slowpath ...................... 35 %
Inbound ....................... 24 %
Outbound ...................... 32 %
QoS ........................... 44 %
Last 1 minute ----------------------
Slowpath ...................... 12 %
Inbound ....................... 11 %
Outbound ...................... 15 %
QoS ........................... 23 %
Last 5 minutes ---------------------
Slowpath ....................... 8 %
Inbound ....................... 11 %
Outbound ...................... 11 %
QoS ........................... 10 %
Utilization Percentages for VPN blade in slot 2/1
Blade Utilization Percentages
==========================
Last 5 seconds ---------------------
Slowpath ...................... 88 %
Inbound ....................... 78 %
Outbound ...................... 79 %
QoS ........................... 32 %
Last 1 minute ----------------------
Slowpath ...................... 76 %
Inbound ....................... 80 %
Outbound ...................... 80 %
QoS ........................... 13 %
Last 5 minutes ---------------------
Slowpath ...................... 75 %
Inbound ....................... 65 %
Outbound ...................... 70 %
QoS ........................... 12 %

Table 89 describes significant fields shown in the above display.

Table 89 show crypto engine accelerator statistic coreutil VSPA Statistics Descriptions 

Field
Description

Blade Utilization Percentages

Slowpath

Utilization of slowpath traffic capacity.

Inbound

Utilization of inbound traffic capacity.

Outbound

Utilization of outbound traffic capacity.

QoS

Utilization of QoS traffic capacity.


Related Commands

Command
Description

clear crypto engine accelerator counter

Resets the statistical and error counters for the hardware accelerator to zero.

crypto ca

Defines the parameters for the certification authority used for a session.

crypto cisco

Defines the encryption algorithms and other parameters for a session.

crypto dynamic-map

Creates a dynamic map crypto configuration for a session.

crypto engine accelerator

Enables the use of the onboard hardware accelerator of the Cisco uBR905 and Cisco uBR925 routers for IPsec encryption.

crypto ipsec

Defines the IPsec SAs and transformation sets.

crypto isakmp

Enables and defines the IKE protocol and its parameters.

crypto key

Generates and exchanges keys for a cryptographic session.

crypto map

Creates and modifies a crypto map for a session.

debug crypto engine accelerator control

Displays each control command as it is given to the crypto engine.

debug crypto engine accelerator packet

Displays information about each packet sent for encryption and decryption.

show crypto engine accelerator ring

Displays the contents of command and transmit rings for the crypto engine.

show crypto engine accelerator sa-database

Displays the active (in-use) entries in the crypto engine security association (SA) database.

show crypto engine brief

Displays a summary of the configuration information for the crypto engine.

show crypto engine configuration

Displays the version and configuration information for the crypto engine.

show crypto engine connections

Displays a list of the current connections maintained by the crypto engine.


show crypto gdoi

To display information about a Group Domain of Interpretation (GDOI) configuration, use the show crypto gdoi command in privileged EXEC mode.

show crypto gdoi [group group-name] [gm [acl | rekey | replay] | ks [acl | coop [version] | members | policy | rekey | replay]] [ipsec sa]

Syntax Description

group group-name

(Optional) Displays information about the group specified.

gm

(Optional) Displays information about group members.

acl

(Optional) Displays the access control list (ACL) that has been applied to the GDOI group.

rekey

(Optional) Displays rekey information.

replay

(Optional) Displays group information for time-based anti-replay.

ks

(Optional) Displays information about key servers.

coop

(Optional) Displays information about the cooperative key servers.

version

(Optional) Displays information about the cooperative key server and client versions.

members

(Optional) Displays information about registered group members.

policy

(Optional) Displays key server policy information.

ipsec sa

(Optional) Displays information about the IP security (IPsec) security association (SA) for all group members.

If this keyword is used with the group group-name keyword and argument option, information is displayed for only the group that is specified.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(6)T

This command was introduced.

12.4(11)T

The group group-name keyword and argument and gm, acl, rekey, replay, ks, coop [version], members, policy, and ipsec sa keywords were added.

Cisco IOS XE Release 2.3

This command was implemented on the Cisco ASR 1000 series routers.


Examples

The following output displays information about a configuration for a GDOI group member:

Router# show crypto gdoi

Group Information
   Group Name                  : diffint
   Group Identity              : 3333
   Group Members Registered    : 0
   Group Server                : 10.0.5.2


   Group Name                  : test
   Group Identity              : 4444
   Group Members Registered    : 0
   Group Server                : 10.0.5.2

The following output displays information about a configuration for a GDOI key server:

Router# show crypto gdoi

Group Information
   Group Name                  : diffint
   Group Identity              : 3333
   Group Members Registered    : 1
   Group Server                : Local
   Group Rekey Lifetime        : 300 secs
   Group Rekey
       Remaining Lifetime      : 84 secs
   IPSec SA Number             : 1
     IPSec SA Rekey Lifetime   : 120 secs
     Profile Name              : gdoi-p
   SA Rekey
       Remaining Lifetime      : 64 secs
   access-list 120 permit ip host 10.0.1.1 host 192.168.1.1
   access-list 120 permit ip host 10.0.100.2 host 192.168.1.1

   Group Member List for Group diffint :
   Member ID                   : 10.0.3.1

   Group Name                  : test
   Group Identity              : 4444
   Group Members Registered    : 0
   Group Server                : Local
   Group Rekey Lifetime        : 600 secs
   IPSec SA Number             : 1
     IPSec SA Rekey Lifetime   : 120 secs
     Profile Name              : gdoi-p
   access-list 120 permit ip host 10.0.1.1 host 192.168.1.1
   access-list 120 permit ip host 10.0.100.2 host 192.168.1.1

show crypto ha

To display all virtual IP (VIP) addresses that are currently in use by IP Security (IPSec) and Internet Key Exchange (IKE), use the show crypto ha command in privileged EXEC mode.

show crypto ha

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(11)T

This command was introduced.


Examples

The following output from the show crypto ha command shows all VIP addresses that are being used by IPSec and IKE:

Router# show crypto ha

IKE VIP: 209.165.201.3
  stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76 
IKE VIP: 255.255.255.253
  stamp: Not set
IKE VIP: 255.255.255.254
  stamp: Not set
IPSec VIP: 209.165.201.3
IPSec VIP: 255.255.255.253
IPSec VIP: 255.255.255.254

show crypto ipsec client ezvpn

To display the Cisco Easy VPN Remote configuration, use the show crypto ipsec client ezvpn command in privileged EXEC mode.

show crypto ipsec client ezvpn

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.2(4)YA

This command was introduced on Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.


Examples

The following example shows a typical display from the show crypto ipsec client ezvpn command for an active Virtual Private Network (VPN) connection when the router is in client mode. The last two lines indicate that a configuration URL and configuration version number have been pushed through the Mode-Configuration Exchange by the server to the Easy VPN remote device.

Router# show crypto ipsec client ezvpn 

Tunnel name: hw1 
Inside interface list: FastEthernet0/0, Serial1/0, 
Outside interface: Serial0/0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.201.0
Mask: 255.255.255.224
DNS Primary: 192.168.201.1
DNS Secondary: 192.168.201.2
NBMS/WINS Primary: 192.168.201.3
NBMS/WINS Secondary: 192.168.201.4
Default Domain: cisco.com 
Configuration URL: http://10.8.8.88/easy.cfg
Configuration Version: 10

The following example shows a typical display from the show crypto ipsec client ezvpn command for an active VPN connection when the router is in network-extension mode:

Router# show crypto ipsec client ezvpn 

Tunnel name: hw1 
Inside interface list: FastEthernet0/0, Serial1/0, 
Outside interface: Serial0/0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 192.168.202.128
Mask: 255.255.255.224
Default Domain: cisco.com

Split Tunnel List: 1
       Address    : 192.168.200.225
       Mask       : 255.255.255.224
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0

The following example shows a typical display from the show crypto ipsec client ezvpn command for an inactive VPN connection:

Router# show crypto ipsec client ezvpn 

Current State: IDLE
Last Event: REMOVE INTERFACE CFG
Router#

The following example displays information about the outside interface "Virtual-Access1", which is bound to the real interface (Ethernet0/0) on which the user has configured Easy VPN as an outside interface:

Router# show crypto ipsec client ezvpn

Easy VPN Remote Phase: 5
Tunnel name : ez
Inside interface list: Ethernet1/0,
Outside interface: Virtual-Access1 (bound to Ethernet0/0)
Easy VPN connect ACL checking active
Connect : ACL based with access-list 101
Current State: CONNECT_REQUIRED
Last Event: TRACKED OBJECT UP
Save Password: Disallowed
Current EzVPN Peer: 10.0.0.2

Table 90 describes significant fields shown by the show crypto ipsec client ezvpn command:

Table 90 show crypto ipsec client ezvpn Field Descriptions 

Field
Description

Current State

Displays whether the VPN tunnel connection is active or idle. Typically, when the tunnel is up, the current state is IPSEC_ACTIVE.

Last Event

Displays the last event performed on the VPN tunnel. Typically, the last event before a tunnel is created is SOCKET_UP.

Address

Displays the IP address used on the outside interface.

Mask

Displays the subnet mask used for the outside interface.

DNS Primary

Displays the primary domain name system (DNS) server provided by the Dynamic Host Configuration Protocol (DHCP) server.

DNS Secondary

Displays the secondary DNS server provided by the DHCP server.

Domain Name

Displays the domain name provided by the DHCP server.

NBMS/WINS Primary

Displays the primary NetBIOS Microsoft Windows Name Server provided by the DHCP server.

NBMS/WINS Secondary

Displays the secondary NetBIOS Microsoft Windows Name Server provided by the DHCP server.


Related Commands

Command
Description

show crypto ipsec transform

Displays the specific configuration for one or all transformation sets.


show crypto ipsec default transform-set

To display the default IP Security (IPsec) transform sets currently in use by Internet Key Exchange (IKE), use the show crypto ipsec default transform-set command in privileged EXEC mode.

show crypto ipsec default transform-set

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(20)T

This command was introduced.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

If the default transform sets are in use, the show crypto ipsec default transform-set command displays the two default transform sets, each of which defines an Encapsulation Security Protocol (ESP) encryption transform type and an ESP authentication transform type.

Examples

The following example displays the two default transform sets. No user-defined transform sets have been configured, the default transform sets have not been disabled, and the crypto engine supports the encryption algorithm.

Router# show crypto ipsec default transform-set 

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  } 
   will negotiate = { Transport,  },

Table 91 show crypto ipsec default transform-set Field Descriptions

Default Transform Name
ESP Encryption Transform and Description
ESP Authentication Transform and Description

#$!default_transform_set_1

esp-aes

(ESP with the 128-bit Advanced Encryption Standard [AES] encryption algorithm)

esp-sha-hmac

(ESP with the Secure Hash Algorithm [SHA-1, HMAC variant] authentication algorithm)

#$!default_transform_set_0

esp-3des

(ESP with the 168-bit Triple Data Encryption Standard [3DES or Triple DES] encryption algorithm)

esp-sha-hmac


The following example shows that when the default transform sets are disabled with the no crypto ipsec default transform-set command, the show crypto ipsec default transform-set command has no output.


Router(config)# no crypto ipsec default transform-set
Router(config)# exit
Router#
Router# show crypto ipsec default transform-set 

Router#

Related Commands

Command
Description

crypto ipsec transform-set

Defines a transform set.

show crypto ipsec transform-set

Displays the configured transform sets.

show crypto map (IPsec)

Displays the crypto map configuration.


show crypto ipsec sa

To display the settings used by current security associations (SAs), use the show crypto ipsec sa command in privileged EXEC mode.

show crypto ipsec sa [map map-name | address | identity | interface interface-type interface-number | peer [vrf fvrf-name] address | vrf ivrf-name | ipv6 [interface-type interface-number]] [detail]

IPsec and IKE Stateful Failover Syntax

show crypto ipsec sa [active | standby]

Syntax Description

map map-name

(Optional) Any existing SAs that were created for the crypto map set named map-name are displayed.

address

(Optional) All existing SAs are displayed, sorted by the destination address (either the local address or the address of the IP security (IPsec) remote peer) and then by protocol (Authentication Header [AH] or Encapsulation Security Protocol [ESP]).

identity

(Optional) Only the flow information is displayed. It does not show the SA information.

interface interface-type interface-number

(Optional) All existing SAs created for an interface that is named interface are displayed.

peer [vrf fvrf-name] address

(Optional) All existing SAs with the specified peer address are displayed. If the peer address is in a Virtual Routing and Forwarding (VRF) instance, specify vrf and the fvrf-name.

vrf ivrf-name

(Optional) All existing SAs whose inside virtual routing and forwarding (IVRF) instance matches ivrf-name are displayed.

ipv6

(Optional) Displays IPv6 crypto IPsec SAs.

detail

(Optional) Detailed error counters are displayed. (The default is the high-level send or receive error counters.)

active

(Optional) Displays high availability (HA)-enabled IPsec SAs that are in the active state.

standby

(Optional) Displays HA-enabled IPsec SAs that are in the standby state.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The "remote crypto endpt" and "in use settings" fields were modified to support Network Address Translation (NAT) traversal.

12.2(15)T

The interface keyword and interface-type interface-number arguments were added. The peer keyword, the vrf keyword, and the fvrf-name argument were added. In addition, the address keyword was added to the peer keyword string. The vrf keyword and ivrf-name argument were added.

12.3(11)T

The active and standby keywords were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

This command was integrated into Cisco IOS Release 12.4(11)T.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

If no keyword is used, all SAs are displayed. They are sorted first by interface and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).

Examples

The following is sample output for the show crypto ipsec sa command:

Router# show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.5.5.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.5.5.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.5.5.1/255.255.255.255/47/0)
   current_peer 10.5.5.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 492908510, #pkts encrypt: 492908510, #pkts digest: 492908510
    #pkts decaps: 492908408, #pkts decrypt: 492908408, #pkts verify: 492908408
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 55, #recv errors 0

     local crypto endpt.: 10.5.5.2, remote crypto endpt.: 10.5.5.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0xDE4EE29D(3729711773)

     inbound esp sas:
       spi: 0xC06CA92B(3228346667)
         transform: esp-3des esp-sha-hmac ,
         in use settings ={Tunnel, }
         conn id: 3139, flow_id: VSA:1139, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (3948785/556)
         IV size: 8 bytes
         replay detection support: Y
         Status: ACTIVE

     inbound ah sas:
       spi: 0xC87AB936(3363486006)
         transform: ah-md5-hmac ,
         in use settings ={Tunnel, }
         conn id: 3139, flow_id: VSA:1139, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (3948785/556)
         replay detection support: Y
         Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
       spi: 0xDE4EE29D(3729711773)
         transform: esp-3des esp-sha-hmac ,
         in use settings ={Tunnel, }
         conn id: 3140, flow_id: VSA:1140, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (3948785/556)
         IV size: 8 bytes
         replay detection support: Y
         Status: ACTIVE

     outbound ah sas:
       spi: 0xAEEDD4F1(2934822129)
         transform: ah-md5-hmac ,
         in use settings ={Tunnel, }
         conn id: 3140, flow_id: VSA:1140, crypto map: Tunnel1-head-0
         sa timing: remaining key lifetime (k/sec): (3948785/556)
         replay detection support: Y
         Status: ACTIVE

     outbound pcp sas:
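The listing above is also a policy artifact worth auditing: the transforms, the "replay detection support" flag and the error counters each say something about the security of the tunnel. The following added example (not Cisco code) parses such a listing into flows and SAs and reports deprecated transforms (DES, 3DES, MD5, null), SAs without replay detection, SAs whose remaining key lifetime is nearly spent, and non-zero send or receive error counters. The sample text is a constructed abbreviation of the Tunnel1 listing (with one SA altered to show replay detection off), and the 60-second lifetime threshold is an assumption.

```python
"""Audit 'show crypto ipsec sa' output for deprecated transforms, missing
anti-replay, short remaining key lifetime and send/receive error counters.
Added example, not Cisco code; IPSEC_SA_SAMPLE is constructed, MIN_SECS_LEFT assumed."""
import re
from dataclasses import dataclass, field
from typing import List

LOCAL_IDENT_RE = re.compile(r"^local\s+ident ")
ERRORS_RE = re.compile(r"^#send errors (\d+), #recv errors (\d+)$")
SA_HEADER_RE = re.compile(r"^(inbound|outbound) (esp|ah|pcp) sas:$")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)\(\d+\)$")
TRANSFORM_RE = re.compile(r"^transform: (.+?)\s*,?$")
LIFETIME_RE = re.compile(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)")
WEAK_PARTS = {"des", "3des", "md5", "null"}  # esp-des, esp-3des, ah-md5-hmac, esp-null
MIN_SECS_LEFT = 60

@dataclass
class IpsecSa:
    direction: str     # inbound / outbound
    protocol: str      # esp / ah / pcp
    spi: str
    transforms: List[str] = field(default_factory=list)
    secs_left: int = 0  # seconds part of 'remaining key lifetime (k/sec)'
    replay: str = ""   # Y / N from 'replay detection support'

@dataclass
class Flow:
    interface: str
    peer: str = ""
    send_errors: int = 0
    recv_errors: int = 0
    sas: List[IpsecSa] = field(default_factory=list)

def parse_ipsec_sa(text: str) -> List[Flow]:
    """One Flow per 'local ident' block, carrying the SAs listed under it."""
    flows: List[Flow] = []
    iface, flow, hdr, sa = "", None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface: "):
            iface = line.split(": ", 1)[1]
        elif LOCAL_IDENT_RE.match(line):
            flow, hdr, sa = Flow(interface=iface), None, None
            flows.append(flow)
        elif flow is None:
            continue
        elif line.startswith("current_peer "):
            flow.peer = line.split()[1]
        elif ERRORS_RE.match(line):
            flow.send_errors, flow.recv_errors = map(int, ERRORS_RE.match(line).groups())
        elif SA_HEADER_RE.match(line):
            hdr, sa = SA_HEADER_RE.match(line).groups(), None
        elif SPI_RE.match(line) and hdr:
            sa = IpsecSa(hdr[0], hdr[1], SPI_RE.match(line).group(1))
            flow.sas.append(sa)
        elif sa is not None:
            if TRANSFORM_RE.match(line):
                sa.transforms = TRANSFORM_RE.match(line).group(1).split()
            elif LIFETIME_RE.search(line):
                sa.secs_left = int(LIFETIME_RE.search(line).group(1))
            elif line.startswith("replay detection support: "):
                sa.replay = line.rsplit(" ", 1)[1]
    return flows

def is_weak_transform(name: str) -> bool:
    return bool(WEAK_PARTS & set(name.split("-")))

def audit_flows(flows: List[Flow]) -> List[str]:
    """Human-readable findings; an empty list means the listing is clean."""
    findings: List[str] = []
    for f in flows:
        if f.send_errors or f.recv_errors:
            findings.append(f"{f.interface} peer {f.peer}: send errors "
                            f"{f.send_errors}, recv errors {f.recv_errors}")
        for sa in f.sas:
            tag = f"{f.interface} {sa.direction} {sa.protocol} {sa.spi}"
            findings += [f"{tag}: weak transform {t}" for t in sa.transforms
                         if is_weak_transform(t)]
            if sa.replay != "Y":
                findings.append(f"{tag}: replay detection not enabled")
            if sa.secs_left < MIN_SECS_LEFT:
                findings.append(f"{tag}: only {sa.secs_left}s of key lifetime left")
    return findings

IPSEC_SA_SAMPLE = """\
interface: Tunnel1
   local  ident (addr/mask/prot/port): (10.5.5.2/255.255.255.255/47/0)
   current_peer 10.5.5.1 port 500
     #send errors 55, #recv errors 0
     inbound esp sas:
       spi: 0xC06CA92B(3228346667)
         transform: esp-3des esp-sha-hmac ,
         sa timing: remaining key lifetime (k/sec): (3948785/556)
         replay detection support: Y
     inbound ah sas:
       spi: 0xC87AB936(3363486006)
         transform: ah-md5-hmac ,
         sa timing: remaining key lifetime (k/sec): (3948785/556)
         replay detection support: N
"""
```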

The following is sample output for the show crypto ipsec sa identity detail command:

Router# show crypto ipsec sa identity detail 

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.5.5.2
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer (none) port 500
     DENY, flags={ident_is_root,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
     #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
     #pkts invalid prot (recv) 0, #pkts verify failed: 0
     #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
     #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
     ##pkts replay failed (rcv): 0
     #pkts internal err (send): 0, #pkts internal err (recv) 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.5.5.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.5.5.1/255.255.255.255/47/0)
   current_peer 10.5.5.1 port 500
     PERMIT, flags={origin_is_acl,}
     #pkts encaps: 492923510, #pkts encrypt: 492923510, #pkts digest: 492923510
     #pkts decaps: 492923408, #pkts decrypt: 492923408, #pkts verify: 492923408
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #pkts no sa (send) 55, #pkts invalid sa (rcv) 0
     #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
     #pkts invalid prot (recv) 0, #pkts verify failed: 0
     #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
     #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
     ##pkts replay failed (rcv): 0
     #pkts internal err (send): 0, #pkts internal err (recv) 0

Table 92 describes the significant fields shown in the above displays (show crypto ipsec sa and show crypto ipsec sa detail).

Table 92 show crypto ipsec sa Field Descriptions

Field
Description

crypto map tag

Policy tag for IPsec.

protected vrf

Internal virtual route forwarding (IVRF) name that applies to the IPsec interface.

local ident (addr/mask/prot/port)

Local selector that is used for encryption and decryption.

remote ident (addr/mask/prot/port)

Remote selector that is used for encryption and decryption.

current peer

Current peer with which the IPsec tunnel communicates.

PERMIT, flags

IPsec security association (SA) is triggered by the access control list (ACL) permit action.

pkts encaps

Number of packets that were successfully encapsulated by IPsec.

pkts encrypt

Number of packets that were successfully encrypted by IPsec.

pkts digest

Number of packets that were successfully hash digested by IPsec.

pkts decaps

Number of packets that were successfully decapsulated by IPsec.

pkts decrypt

Number of packets that were successfully decrypted by IPsec.

pkts verify

Received packets that passed the hash digest check.

pkts compressed

Number of packets that were successfully compressed by IPsec.

pkts decompressed

Number of packets that were successfully decompressed by IPsec.

pkts not compressed

Number of outbound packets that were not compressed.

pkts compr. failed

Number of packets that failed compression by IPsec.

pkts not decompressed

Number of inbound packets that were not compressed.

pkts decompress failed

Number of packets that failed decompression by IPsec.

send errors

Number of outbound packets that had errors.

recv errors

Number of inbound packets that had errors.

local crypto endpt.

Local end point terminated by IPsec.

remote crypto endpt.

Remote end point terminated by IPsec.

path mtu

Maximum transmission unit (MTU) size derived from the Internet Control Message Protocol (ICMP) unreachable packet. This value must also account for the IPsec overhead.

current outbound spi

Current outbound Security Parameters Index (SPI).

ip mtu

Interface MTU size that considers the IPsec overhead.

ip mtu idb

Interface description block (IDB) that is used to determine the crypto IP MTU.

inbound esp sas

Encapsulating Security Payload (ESP) for the SA for the inbound traffic.

spi

SPI for classifying the inbound packet.

transform

Security algorithm that is used to provide authentication, integrity, and confidentiality.

in use settings

Transform that the SA uses (for example: tunnel mode, transport mode, UDP-encapsulated tunnel mode, or UDP-encapsulated transport mode).

conn id

ID that is stored in the crypto engine to identify the IPsec/Internet Key Exchange (IKE) SA.

flow id

SA identity.

crypto map

Policy for the IPsec.

sa timing: remaining key lifetime (k/sec)

Seconds or kilobytes remaining before a rekey occurs.

IV size

Size of the initialization vector that is used for the cryptographic synchronization data used to encrypt the payload.

replay detection support

A specific SA has enabled the replay detection feature.

inbound ah sas

Authentication algorithm for the SA for inbound traffic.

inbound pcp sas

Compression algorithm for the SA for inbound traffic.

outbound esp sas

Encapsulating security payload for the SA for outbound traffic.

outbound ah sas

Authentication algorithm for the SA for outbound traffic.

outbound pcp sas

Compression algorithm for the SA for outbound traffic.

DENY, flags

IPsec SA is triggered by the ACL deny action.

pkts no sa (send)

Outbound packets for which no associated IPsec SA could be found.

pkts invalid sa (rcv)

Received packets that failed the IPsec format check.

pkts invalid prot (recv)

Received packets that have the wrong protocol field.

pkts verify failed

Received packets that failed the hash digest check.

pkts invalid identity (recv)

Decrypted packets for which no associated selector could be found.

pkts invalid len (rcv)

For the software crypto engine, inbound packets that have a bad pad length.

pkts replay rollover (send)

Sent packets that failed the replay test check.

pkts replay rollover (rcv)

Received packets that failed the replay test check.

pkts internal err (send)

Sent packets that failed because of a software or hardware error.

pkts internal err (rcv)

Received packets that failed because of a software or hardware error.

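The counters in Table 92 are what an operator actually watches, so here is an added example (not part of this command reference and not Cisco code) that parses a display in the format shown above and turns nonzero receive-side failure counters, dropped no-SA sends, and the per-SA lifetime and replay lines into findings. The sample text is constructed from the reference's format; the 60-second rekey warning threshold and the set of counters treated as failures are assumptions of the example.

```python
# Added example (not Cisco code): parse `show crypto ipsec sa` output in the
# display format documented above and report the conditions worth alerting on.
import re
from dataclasses import dataclass, field

# Constructed sample in the reference's display format, not a real capture.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.5.5.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.5.5.1/255.255.255.255/47/0)
   current_peer 10.5.5.1 port 500
     PERMIT, flags={origin_is_acl,}
     #pkts encaps: 492923510, #pkts encrypt: 492923510, #pkts digest: 492923510
     #pkts decaps: 492923408, #pkts decrypt: 492923408, #pkts verify: 492923408
     #pkts no sa (send) 55, #pkts invalid sa (rcv) 0
     #pkts invalid prot (recv) 0, #pkts verify failed: 3
     ##pkts replay failed (rcv): 12
     inbound esp sas:
      spi: 0xA3E24AFD(2749516541)
        sa timing: remaining key lifetime (k/sec): (3948785/556)
        replay detection support: Y
     outbound esp sas:
      spi: 0x50110CF8(1343294712)
        sa timing: remaining key lifetime (k/sec): (4603517/40)
        replay detection support: N
"""

@dataclass
class Sa:
    direction: str        # inbound / outbound
    proto: str            # esp / ah / pcp
    spi: str = ""
    kb_left: int = 0      # remaining key lifetime, kilobytes
    sec_left: int = 0     # remaining key lifetime, seconds
    replay: bool = True   # "replay detection support: Y"

@dataclass
class Selector:
    local: str
    remote: str = ""
    peer: str = ""
    action: str = ""      # PERMIT / DENY
    counters: dict = field(default_factory=dict)
    sas: list = field(default_factory=list)

COUNTER = re.compile(r"#pkts ([^,#]+?):?\s+(\d+)")   # e.g. "#pkts no sa (send) 55"
SA_HEAD = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
TIMING = re.compile(r"\(k/sec\): \((\d+)/(\d+)\)")

def parse_ipsec_sa(text):
    # One Selector per local/remote ident pair, each carrying its SAs.
    selectors, cur, section, sa = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = SA_HEAD.match(line)
        if line.startswith("local") and "ident" in line:
            cur = Selector(local=line.split(": ", 1)[1])
            selectors.append(cur)
            section = sa = None
        elif cur is None:
            continue
        elif head:
            section, sa = head.groups(), None
        elif line.startswith("remote ident"):
            cur.remote = line.split(": ", 1)[1]
        elif line.startswith("current_peer"):
            cur.peer = line.split(None, 1)[1]
        elif line.startswith(("PERMIT", "DENY")):
            cur.action = line.split(",", 1)[0]
        elif line.startswith("#"):
            for name, val in COUNTER.findall(line):
                cur.counters[name.strip()] = int(val)
        elif section and line.startswith("spi:"):
            sa = Sa(*section, spi=line.split(":", 1)[1].strip().split("(")[0])
            cur.sas.append(sa)
        elif sa and line.startswith("sa timing"):
            sa.kb_left, sa.sec_left = map(int, TIMING.search(line).groups())
        elif sa and line.startswith("replay detection support"):
            sa.replay = line.endswith("Y")
    return selectors

# Receive-side counters that stay at zero on a healthy tunnel (see Table 92).
RX_FAILURES = ("verify failed", "replay failed (rcv)", "invalid sa (rcv)",
               "invalid identity (recv)", "invalid len (rcv)", "invalid prot (recv)")
LIFETIME_WARN_SEC = 60   # assumed threshold; tune to the peer's rekey behaviour

def assess(selectors):
    # Human-readable findings for the parsed selectors and their SAs.
    findings = []
    for s in selectors:
        c, tag = s.counters, f"{s.local} -> {s.remote} via {s.peer}"
        for name in RX_FAILURES:
            if c.get(name, 0):
                findings.append(f"{tag}: {c[name]} pkts {name}")
        if c.get("no sa (send)", 0):
            findings.append(f"{tag}: {c['no sa (send)']} pkts sent with no SA (tunnel down or negotiating)")
        if c.get("encaps", 0) and not c.get("decaps", 0):
            findings.append(f"{tag}: packets sent but none received back (one-way tunnel)")
        for sa in s.sas:
            where = f"{tag}: {sa.direction} {sa.proto} spi {sa.spi}"
            if not sa.replay:
                findings.append(f"{where} has replay detection disabled")
            if 0 < sa.sec_left < LIFETIME_WARN_SEC:
                findings.append(f"{where} rekeys in {sa.sec_left}s")
    return findings
```

Run `assess(parse_ipsec_sa(text))` over the text captured from the router; for the constructed sample it reports the verify failures, the replay failures, the 55 packets dropped for lack of an SA, the outbound SA without replay detection, and the outbound SA that rekeys in 40 seconds. A DENY selector (all counters zero) produces no findings, which is the intended behaviour.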

show crypto ipsec sa vrf Command Output

The following is sample output for the show crypto ipsec sa vrf command:

Router# show crypto ipsec sa vrf vpn2

interface: Ethernet1/2
    Crypto map tag: ra, local addr. 172.16.1.1

   protected vrf: vpn2
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)
   current_peer: 10.1.1.1:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1
     path mtu 1500, media mtu 1500
     current outbound spi: 50110CF8

     inbound esp sas:
      spi: 0xA3E24AFD(2749516541)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5127, flow_id: 7, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3503)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x50110CF8(1343294712)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 5128, flow_id: 8, crypto map: ra
        sa timing: remaining key lifetime (k/sec): (4603517/3502)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

The following configuration was in effect when the preceding show crypto ipsec sa vrf command was issued. The IPsec remote access tunnel was "UP" when this command was issued.

crypto dynamic-map vpn1 1
 set transform-set vpn1 
 set isakmp-profile vpn1-ra
 reverse-route
!
crypto dynamic-map vpn2 1
 set transform-set vpn2 
 set isakmp-profile vpn2-ra
 reverse-route
!
!
crypto map ra 1 ipsec-isakmp dynamic vpn1 
crypto map ra 2 ipsec-isakmp dynamic vpn2

Table 93 describes the significant fields shown in the above show crypto ipsec sa vrf display. Additional fields are self-explanatory or can be found in Table 92.

Table 93 show crypto ipsec sa vrf Field Descriptions

Field
Description

remote crypto endpt.

Remote end point terminated by IPsec.

media mtu

MTU value for media, such as an Ethernet or a serial interface.

inbound esp sas

Encapsulating security payload for the SA of the inbound traffic.


IPsec and IKE Stateful Failover Examples

The following sample output shows the IPsec SA status of only the active device:

Router# show crypto ipsec sa active

interface: Ethernet0/0
    Crypto map tag: to-peer-outside, local addr 10.165.201.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)
   current_peer 209.165.200.225 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225
     path mtu 1500, media mtu 1500
     current outbound spi: 0xD42904F0(3559458032)

     inbound esp sas:
      spi: 0xD3E9ABD0(3555306448)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: 6, crypto map: to-peer-outside
        sa timing: remaining key lifetime (k/sec): (4586265/3542)
             HA last key lifetime sent(k): (4586267)
        ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79C
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

Table 94 describes the significant fields shown in the above show crypto ipsec sa active display. Additional fields are self-explanatory or can be found in Table 1 or Table 93.

Table 94 show crypto ipsec sa active Field Descriptions

Field
Description

HA last key lifetime sent (k)

Last stored kilobytes lifetime value for high availability (HA).

ike_cookies

ID that identifies the IKE SAs.


The following sample output shows the IPsec SA status of only the standby device:

Router# show crypto ipsec sa standby

interface: Ethernet0/0
    Crypto map tag: to-peer-outside, local addr 10.165.201.3

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)
   current_peer 209.165.200.225 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225
     path mtu 1500, media mtu 1500
     current outbound spi: 0xD42904F0(3559458032)

     inbound esp sas:
      spi: 0xD3E9ABD0(3555306448)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: 12, crypto map: to-peer-outside
        sa timing: remaining key lifetime (k/sec): (4441561/3486)
             HA last key lifetime sent(k): (4441561)
        ike_cookies: 00000000 00000000 00000000 00000000
        IV size: 8 bytes
        replay detection support: Y
        Status: STANDBY

     inbound ah sas:
      spi: 0xF3EE3620(4092474912)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2012, flow_id: 12, crypto map: to-peer-outside
        sa timing: remaining key lifetime (k/sec): (4441561/3486)
             HA last key lifetime sent(k): (4441561)
        ike_cookies: 00000000 00000000 00000000 00000000
        replay detection support: Y
        Status: STANDBY

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD42904F0(3559458032)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: 11, crypto map: to-peer-outside
        sa timing: remaining key lifetime (k/sec): (4441561/3485)
             HA last key lifetime sent(k): (4441561)
        ike_cookies: 00000000 00000000 00000000 00000000
        IV size: 8 bytes
        replay detection support: Y
        Status: STANDBY

     outbound ah sas:
      spi: 0x75251086(1965363334)
        transform: ah-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2011, flow_id: 11, crypto map: to-peer-outside
        sa timing: remaining key lifetime (k/sec): (4441561/3485)
             HA last key lifetime sent(k): (4441561)
        ike_cookies: 00000000 00000000 00000000 00000000
        replay detection support: Y
        Status: STANDBY

     outbound pcp sas:

The fields in the above display are self-explanatory or can be found in Table 1, Table 93, or Table 94.

show crypto ipsec security-association lifetime

To display the security association (SA) lifetime value configured for a particular crypto map entry, use the show crypto ipsec security-association lifetime command in EXEC mode.

show crypto ipsec security-association lifetime

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Examples

The following is sample output for the show crypto ipsec security-association lifetime command:

Router# show crypto ipsec security-association lifetime

Security-association lifetime: 4608000 kilobytes/120 seconds

The following configuration was in effect when the previous show crypto ipsec security-association lifetime command was issued:

crypto ipsec security-association lifetime seconds 120

show crypto ipsec transform-set

To display the configured transform sets or active default transform sets, use the show crypto ipsec transform-set command in privileged EXEC mode.

show crypto ipsec transform-set [tag transform-set-name]

Syntax Description

tag transform-set-name

(Optional) Only the specified transform sets are displayed.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The command output was expanded to include a warning message for users who try to configure an IP Security (IPsec) transform that the hardware does not support.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

The command output was expanded to include information about active default transform sets.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

Two default transform sets are supported, in Cisco IOS k9 images only:

esp-aes esp-sha-hmac

esp-3des esp-sha-hmac

The show crypto ipsec transform-set command displays the default transform sets if no other transform set is configured, you have not disabled the default transform sets by issuing the no crypto ipsec default transform-set command, and the crypto engine supports the encryption algorithm.

Examples

The following is sample output for the show crypto ipsec transform-set command when the default transform sets have been disabled with the no crypto ipsec default transform-set command:

Router# show crypto ipsec transform-set

Transform set combined-des-sha: {esp-des esp-sha-hmac}
   will negotiate = { Tunnel,  }, 
Transform set combined-des-md5: {esp-des esp-md5-hmac}
   will negotiate = { Tunnel,  }, 
Transform set t1: {esp-des esp-md5-hmac} 
   will negotiate = {Tunnel,}, 
Transform set t100: {ah-sha-hmac} 
   will negotiate = {Transport,}, 
Transform set t2: {ah-sha-hmac} 
   will negotiate = {Tunnel,}, 
   { esp-des  } 
   will negotiate = {Tunnel,}, 

The following configuration was in effect when the previous show crypto ipsec transform-set command was issued:

crypto ipsec transform-set combined-des-sha esp-des esp-sha-hmac 
crypto ipsec transform-set combined-des-md5 esp-des esp-md5-hmac 
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto ipsec transform-set t100 ah-sha-hmac 
 mode transport
crypto ipsec transform-set t2 ah-sha-hmac esp-des
no crypto ipsec default transform-set 

The following sample output from the show crypto ipsec transform-set command displays a warning message after a user tries to configure an IPsec transform that the hardware does not support:

Router# show crypto ipsec transform-set

Transform set transform-1:{ esp-256-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },

WARNING: encryption hardware does not support transform esp-aes 256 within IPSec transform 
transform-1

The following is sample output for the show crypto ipsec transform-set command when the default transform sets are active and the crypto engine supports the encryption algorithm:

Router# show crypto ipsec transform-set

Transform set asset: { esp-256-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
Transform set aesset: { esp-256-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
Transform set #$!default_transform_set_0: { esp-3des esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
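As an added example (not Cisco code and not part of this reference), the following parses the three displays above in one pass and handles their two awkward shapes: a set whose transforms print on two lines (t2 above) and the hardware WARNING that wraps onto a second line carrying the set name. It also recognises the #$!default_transform_set_ naming, so a script can tell whether the default sets are active. The combined sample is constructed from the displays above.

```python
# Added example (not Cisco code): parse `show crypto ipsec transform-set` output.
import re

DEFAULT_PREFIX = "#$!default_transform_set_"   # naming of the default sets in the display

# Constructed sample combining the three displays in the reference, not a real capture.
SAMPLE = """\
Transform set t1: {esp-des esp-md5-hmac}
   will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
   will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
   will negotiate = {Tunnel,},
   { esp-des  }
   will negotiate = {Tunnel,},
Transform set transform-1:{ esp-256-aes esp-md5-hmac  }
   will negotiate = { Tunnel,  },

WARNING: encryption hardware does not support transform esp-aes 256 within IPSec transform
transform-1

Transform set #$!default_transform_set_1: { esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },
"""

SET = re.compile(r"Transform set (\S+?):\s*\{([^}]*)\}")
MODE = re.compile(r"will negotiate = \{\s*(\w+)")
# The WARNING text ends with "transform" and the set name follows on the next line.
WARN = re.compile(r"WARNING: (.*?within IPSec transform)\s+(\S+)", re.S)

def parse_transform_sets(text):
    # Map set name -> {"transforms": [[...], ...], "modes": [...], "default": bool, "hw_warning": str|None}
    sets, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SET.match(line)
        if m:
            cur = sets.setdefault(m.group(1), {
                "transforms": [], "modes": [],
                "default": m.group(1).startswith(DEFAULT_PREFIX), "hw_warning": None})
            cur["transforms"].append(m.group(2).split())
        elif cur and line.startswith("{"):          # second transform line of the same set
            cur["transforms"].append(line.strip("{}").split())
        elif cur and (m := MODE.search(line)):
            cur["modes"].append(m.group(1))
    for m in WARN.finditer(text):                  # attach each hardware warning to its set
        if m.group(2) in sets:
            sets[m.group(2)]["hw_warning"] = m.group(1)
    return sets

def summarize(text):
    sets = parse_transform_sets(text)
    return {
        "defaults_active": any(v["default"] for v in sets.values()),
        "blocked_by_hardware": sorted(k for k, v in sets.items() if v["hw_warning"]),
        "transport_mode": sorted(k for k, v in sets.items() if "Transport" in v["modes"]),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A set listed under blocked_by_hardware is one the crypto engine cannot accelerate, which is the condition the 12.2(13)T warning was added to surface; defaults_active answers the Usage Guidelines question of whether the default transform sets are in play without reading the whole display.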

Related Commands

Command
Description

show crypto ipsec default transform-set

Displays the default IPsec transform sets.

show crypto ipsec transform-set

Displays the configured transform sets.

show crypto map (IPsec)

Displays the crypto map configuration.


show crypto isakmp default policy

To display the default Internet Key Exchange (IKE) policies currently in use, use the show crypto isakmp default policy command in privileged EXEC mode.

show crypto isakmp default policy

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(20)T

This command was introduced.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

If you have neither manually configured IKE policies with the crypto isakmp policy command nor issued the no crypto isakmp default policy command, IPsec uses the default IKE policies to negotiate IKE proposals. Eight default IKE policies are supported (see Table 95). The default IKE policies define the following policy set parameters:

The priority, 65507-65514, where 65507 is the highest priority and 65514 is the lowest priority.

The authentication method, Rivest, Shamir, and Adleman (RSA) signatures or preshared keys (PSK).

The encryption method, Advanced Encryption Standard (AES) or Triple Data Encryption Standard (3DES).

The hash function, Secure Hash Algorithm (SHA-1) or Message-Digest algorithm 5 (MD5).

The Diffie-Hellman (DH) group specification, DH2 or DH5.

DH2 specifies the 1024-bit Diffie-Hellman group.

DH5 specifies the 1536-bit Diffie-Hellman group.

Table 95 Default IKE Policies

Priority   Authentication   Encryption   Hash   Diffie-Hellman
65507      RSA              AES          SHA    DH5
65508      PSK              AES          SHA    DH5
65509      RSA              AES          MD5    DH5
65510      PSK              AES          MD5    DH5
65511      RSA              3DES         SHA    DH2
65512      PSK              3DES         SHA    DH2
65513      RSA              3DES         MD5    DH2
65514      PSK              3DES         MD5    DH2

If you have manually configured IKE policies and you issue the show crypto isakmp default policy command, there is no output, because the default IKE policies are not in use.

Examples

The following example displays the eight default policies with protection suites of priorities 65507-65514. The default policies are displayed because there are no user-configured policies, the default policies have not been disabled, and EzVPN is not configured.

Router# show crypto isakmp default policy

Default protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit 
Default protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  pre-shared key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5 
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5 
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

The following example shows that there is no output from the show crypto isakmp default policy command when the default policies have been disabled.

Router(config)# no crypto isakmp default policy
! The default IKE policies have been disabled.
Router(config)# exit
Router# configure terminal
Router# show crypto isakmp default policy
Router#
! There is no output from the show crypto isakmp default policy command.

Related Commands

Command
Description

crypto isakmp policy

Defines an IKE policy.

no crypto isakmp default policy

Disables IKE default policies.

show crypto isakmp policy

Displays the parameters for each IKE policy.


show crypto isakmp key

To list the keyrings and their preshared keys, use the show crypto isakmp key command in privileged EXEC mode.

show crypto isakmp key

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.4(4)T

IPv6 address information was added to command output.


Examples

The following is sample output for the show crypto isakmp key command:

Router# show crypto isakmp key

Hostname/Address       Preshared Key
vpn1                   : 172.61.1.1          vpn1
vpn2                   : 10.1.1.1            vpn2

The following configuration was in effect when the above show crypto isakmp key command was issued:

crypto keyring vpn1 
  pre-shared-key address 172.16.1.1 key vpn1
crypto keyring vpn2 
  pre-shared-key address 10.1.1.1 key vpn2

Table 96 describes the significant fields in the show crypto isakmp key output.

Table 96 show crypto isakmp key Field Descriptions

Field
Description

Hostname/Address

The preshared key host name or address.

Preshared Key

The preshared key.

keyring

Name of the crypto keyring. The global keys are listed in the default keyring.

VRF string

The Virtual Private Network routing and forwarding (VRF) of the keyring. If the keyring does not have a VRF, an empty string is printed.


show crypto isakmp peers

To display peer descriptions, use the show crypto isakmp peers command in privileged EXEC mode.

show crypto isakmp peers [ipaddress] | config [peername]

Syntax Description

ipaddress

(Optional) Displays a summary of a specific peer.

Note If the optional ipaddress argument is not included with the command, a summarization of all peers is displayed.

config [peername]

(Optional) Displays detailed information about all peers or a specific peer.

The peername value specifies the name of the peer.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.4(4)T

The config keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The show crypto isakmp peer command name was changed to show crypto isakmp peers.


Usage Guidelines

When using the config keyword, the following commands must be enabled for the accounting update to work correctly: aaa accounting update newinfo and radius-server vsa send accounting.

Examples

The following output example shows information about the peer named "This-is-another-peer-at-10-1-1-3":

Router# show crypto isakmp peers

Peer: 10.1.1.3 Port: 500
 Description: This-is-another-peer-at-10-1-1-3
 Phase1 id: 10.1.1.3

In the following example, the config keyword has been used to display all manageability information for an Easy VPN remote device:

Router# show crypto isakmp peers config

Client-Public-Addr=192.168.10.2:500; Client-Assigned-Addr=172.16.1.209; 
Client-Group=branch; Client-User=branch; Client-Hostname=branch.; Client-Platform=Cisco 
1711; Client-Serial=FOC080210E2 (412454448); Client-Config-Version=11; 
Client-Flash=33292284; Client-Available-Flash=10202680; Client-Memory=95969280; 
Client-Free-Memory=14992140; Client-Image=flash:c1700-advipservicesk9-mz.ef90241;

Client-Public-Addr=192.168.10.3:500; Client-Assigned-Addr=172.16.1.121; 
Client-Group=store; Client-User=store; Client-Hostname=831-storerouter.; 
Client-Platform=Cisco C831; Client-Serial=FOC08472UXR (1908379618); 
Client-Config-Version=2; Client-Flash=24903676; Client-Available-Flash=5875028; 
Client-Memory=45298688; Client-Free-Memory=6295596; 
Client-Image=flash:c831-k9o3y6-mz.ef90241

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPsec and IKE SAs).

show crypto session

Displays status information for active crypto sessions in a router.


show crypto isakmp policy

To display the parameters for each Internet Key Exchange (IKE) policy, use the show crypto isakmp policy command in privileged EXEC mode.

show crypto isakmp policy

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release
Modification

11.3 T

This command was introduced.

12.2(13)T

The command output was expanded to include a warning message for users who try to configure an IKE encryption method that the hardware does not support.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

The command output was expanded to include default IKE policies.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

Eight default IKE policies are supported, with protection suites of priorities 65507-65514, where 65507 is the highest priority and 65514 is the lowest. If you have neither manually configured IKE policies with the crypto isakmp policy command nor disabled the default IKE policies by issuing the no crypto isakmp default policy command, the default IKE policies are displayed when the show crypto isakmp policy command is issued.

Examples

The following is sample output from the show crypto isakmp policy command, after two IKE policies have been configured (with priorities 15 and 20, respectively):

Router# show crypto isakmp policy

Protection suite priority 15
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm:  Message Digest 5
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #2 (1024 bit)
        lifetime:      5000 seconds, no volume limit
Protection suite priority 20
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   preshared Key
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      10000 seconds, no volume limit
Default protection suite
        encryption algorithm:    DES - Data Encryption Standard (56 bit keys)
        hash algorithm: Secure Hash Standard
        authentication method:   Rivest-Shamir-Adleman Signature
        Diffie-Hellman Group:    #1 (768 bit)
        lifetime:      86400 seconds, no volume limit

Note Although the output shows "no volume limit" for the lifetimes, you can currently configure only a time lifetime (such as 86,400 seconds); volume limit lifetimes are not used.


The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:

Router# show crypto isakmp policy

Protection suite of priority 1
        encryption algorithm:  AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
        hash algorithm:        Secure Hash Standard
        authentication method: Pre-Shared Key
        Diffie-Hellman group:  #1 (768 bit)
        lifetime:              3600 seconds, no volume limit

The following sample output from the show crypto isakmp policy command displays the default IKE policies. The manually configured IKE policies with priorities 10 and 20 have been removed.

Router(config)# no crypto isakmp policy 10
Router(config)# no crypto isakmp policy 20
Router(config)# exit
R1# show crypto isakmp policy

Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65508
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65509
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65510
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit key.
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65512
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65513
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

The field descriptions in the display are self-explanatory.
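Because the default suites stay active whenever no stronger policy matches, an auditor usually wants this output reduced to a list of suites that fall below current guidance (3DES, MD5, and Diffie-Hellman groups under 2048 bits). The following Python is an added example, not part of the Cisco reference: it parses the "Protection suite" blocks as printed above and reports why each one is flagged. The embedded sample contains three of the eight default suites from the output above plus one constructed, manually configured policy of priority 10 (the priority-10 block and its "Global IKE policy" header are assumptions, not taken from the page) so the audit has a suite that passes.

```python
import re

# Three default suites from the output above plus one constructed policy
# (priority 10) that is NOT from the page, so the audit has a passing suite.
SAMPLE = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               28800 seconds, no volume limit
Default IKE policy
Protection suite of priority 65507
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65511
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 65514
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""

SUITE_RE = re.compile(r"^Protection suite of priority (\d+)", re.M)
FIELD_RE = re.compile(r"^\s+([A-Za-z -]+?):\s+(.*)$", re.M)
DH_RE = re.compile(r"#(\d+) \((\d+) bit\)")


def parse_isakmp_policies(text):
    """Return one dict per protection suite, in display order."""
    default_at = text.find("Default IKE policy")
    suites = []
    heads = list(SUITE_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(text[m.end():end])}
        dh = DH_RE.search(fields.get("Diffie-Hellman group", ""))
        suites.append({
            "priority": int(m.group(1)),
            # suites printed after the "Default IKE policy" banner are built in
            "default": default_at >= 0 and m.start() > default_at,
            "encryption": fields.get("encryption algorithm", ""),
            "hash": fields.get("hash algorithm", ""),
            "auth": fields.get("authentication method", ""),
            "dh_group": int(dh.group(1)) if dh else None,
            "dh_bits": int(dh.group(2)) if dh else None,
            "lifetime": int(fields.get("lifetime", "0").split()[0]),
        })
    return suites


def weak_suites(suites, min_dh_bits=2048):
    """Map priority -> list of reasons for every suite below guidance."""
    findings = {}
    for s in suites:
        reasons = []
        if re.match(r"DES\b|Three key triple DES", s["encryption"]):
            reasons.append("legacy cipher: " + s["encryption"])
        if s["hash"].startswith("Message Digest 5"):
            reasons.append("MD5 hash")
        if s["dh_bits"] is not None and s["dh_bits"] < min_dh_bits:
            reasons.append(f"DH group {s['dh_group']} ({s['dh_bits']} bit) below {min_dh_bits} bit")
        if reasons:
            findings[s["priority"]] = reasons
    return findings


if __name__ == "__main__":
    for prio, why in weak_suites(parse_isakmp_policies(SAMPLE)).items():
        print(prio, "; ".join(why))
```

Run against a live capture of show crypto isakmp policy, every default suite is flagged on the Diffie-Hellman group alone, which is the practical reason to configure explicit policies rather than rely on the defaults.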

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp default policy

Displays the default IKE policies.


show crypto isakmp profile

To list all the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on a router, use the show crypto isakmp profile command in privileged EXEC mode.

show crypto isakmp profile [tag profilename | vrf vrfname]

Syntax Description

tag profilename

(Optional) Displays ISAKMP profile details specified by the profile name.

vrf vrfname

(Optional) Displays ISAKMP profile details specified by the VPN routing/forwarding instance (VRF) name.


Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.4(4)T

IPv6 support was added.

12.4(11)T

The tag profilename and vrf vrfname keywords and arguments were added.


Examples

The following is sample output from the show crypto isakmp profile command:

Router# show crypto isakmp profile

ISAKMP PROFILE vpn1-ra
   Identities matched are:
group vpn1-ra
   Identity presented is: ip-address

The following sample output shows information for an IPv6 router:

Router# show crypto isakmp profile

ISAKMP PROFILE tom
Identities matched are:
ipv6-address 2001:0DB8:0:1::1/32 
Certificate maps matched are:
Identity presented is: ipv6-address fqdn
keyring(s): <none>
trustpoint(s): <all>

Table 97 describes the significant fields shown in the display.

Table 97 show crypto isakmp profile Field Descriptions

Field
Description

ISAKMP PROFILE

Name of the ISAKMP profile.

Identities matched are:

Lists all identities that the ISAKMP profile will match.

Identity presented is:

The identity that the ISAKMP profile will present to the remote endpoint.


The following configuration was in effect when the preceding show crypto isakmp profile command was issued:

crypto isakmp profile vpn1-ra
 vrf vpn1
 self-identity address
 match identity group vpn1-ra
 client authentication list aaa-list
 isakmp authorization list aaa
 client configuration address initiate
 client configuration address respond

Related Commands

Command
Description

show crypto isakmp key

Lists the keyrings and their preshared keys.


show crypto isakmp sa

To display current Internet Key Exchange (IKE) security associations (SAs), use the show crypto isakmp sa command in privileged EXEC mode.

show crypto isakmp sa [active | standby | detail | nat] [vrf vrfname]

Syntax Description

active

(Optional) Displays high availability- (HA-) enabled Internet Security Association and Key Management Protocol (ISAKMP) SAs that are in the active state.

standby

(Optional) Displays HA-enabled ISAKMP SAs that are in the standby state.

detail

(Optional) Displays all existing IKE SAs, whether in an active or standby state.

nat

(Optional) Displays IKE SAs that have undergone network address translation (NAT).

vrf vrfname

(Optional) Displays IKE SA details about the specified VRF.

The vrfname value is the name of the VRF.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

11.3 T

This command was introduced.

12.3(11)T

The active and standby keywords were added.

12.4(4)T

IPv6 information was added to the command output. The detail and nat keywords were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.4(11)T

The vrf vrfname keyword and argument were added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

If neither the active keyword nor the standby keyword is specified, current SAs for all configured routers will be shown. Use the nat keyword to display the IP address and port address of a remote peer when NAT is used.

Examples

The following sample output shows the SAs of both the active and standby devices:

Router# show crypto isakmp sa

dst             src             state          conn-id slot status
10.165.201.3   10.165.200.225 QM_IDLE              2    0 STDBY 
10.0.0.1        10.0.0.2        QM_IDLE              1    0 ACTIVE

The following sample output shows the SAs of only the active device:

Router# show crypto isakmp sa active

dst             src             state          conn-id slot status
10.165.201.3   10.165.200.225 QM_IDLE              5    0 ACTIVE

The following sample output shows the SAs of only the standby device:

Router# show crypto isakmp sa standby

dst             src             state          conn-id slot status
10.165.201.3   10.165.200.225 QM_IDLE              5    0 STDBY 
10.165.201.3   10.165.200.225 QM_IDLE              1    0 STDBY 

The following sample output shows the SAs of an active IPv6 device. The IPv4 device is inactive.

Router# show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

IPv6 Crypto ISAKMP SA

  dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
  src: 3FFE:2002::A8BB:CCFF:FE01:9002
  conn-id: 1001  I-VRF:  Status: ACTIVE  Encr: des  Hash: sha  Auth: psk
  DH: 1  Lifetime: 23:45:00  Cap: D  Engine-id:Conn-id = SW:1

  dst: 3FFE:2002::A8BB:CCFF:FE01:2C02
  src: 3FFE:2002::A8BB:CCFF:FE01:9002
  conn-id: 1002  I-VRF:  Status: ACTIVE  Encr: des  Hash: sha  Auth: psk
  DH: 1  Lifetime: 23:45:01  Cap: D  Engine-id:Conn-id = SW:2


Table 98 through Table 101 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the main mode (MM_xxx) states may be observed.

Table 98 States in Main Mode Exchange

State
Explanation

MM_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

MM_SA_SETUP

The peers have agreed on parameters for the ISAKMP SA.

MM_KEY_EXCH

The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.

MM_KEY_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a Quick Mode exchange begins.


Table 99 States in Aggressive Mode Exchange 

State
Explanation

AG_NO_STATE

The ISAKMP SA has been created, but nothing else has happened yet. It is "larval" at this stage—there is no state.

AG_INIT_EXCH

The peers have done the first exchange in aggressive mode, but the SA is not authenticated.

AG_AUTH

The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE, and a quick mode exchange begins.


Table 100 States in Quick Mode Exchange

State
Explanation

QM_IDLE

The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent quick mode exchanges. It is in a quiescent state.


Table 101 show crypto isakmp sa Field Descriptions

Field
Description

f_vrf/i_vrf
(not shown)

The front door virtual routing and forwarding (FVRF) and the inside VRF (IVRF) of the IKE SA. If the FVRF is global, the output shows f_vrf as an empty field.
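The state tables above are what an operator consults when a tunnel will not come up: an SA that lingers in any MM_ or AG_ state other than MM_KEY_AUTH or AG_AUTH never finished phase 1, and those peers are the ones to correlate with syslog and debug output. The following Python is an added example, not part of the Cisco reference; it parses the tabular show crypto isakmp sa output and labels each row with the mode and authentication status from Tables 98 through 100. The embedded sample reuses the two rows shown above and adds two constructed rows with documentation addresses (192.0.2.x) for SAs that have not authenticated.

```python
import re
from collections import Counter

# Two rows from the page's sample output plus two constructed rows
# (192.0.2.x, not from the page) for SAs stuck before authentication.
SAMPLE = """\
dst             src             state          conn-id slot status
10.165.201.3   10.165.200.225 QM_IDLE              2    0 STDBY
10.0.0.1        10.0.0.2        QM_IDLE              1    0 ACTIVE
10.0.0.1        192.0.2.7       MM_NO_STATE          3    0 ACTIVE
10.0.0.1        192.0.2.9       AG_INIT_EXCH         4    0 ACTIVE
"""

# (exchange mode, authenticated?) per Tables 98 through 100 above.
STATES = {
    "MM_NO_STATE":  ("main", False),
    "MM_SA_SETUP":  ("main", False),
    "MM_KEY_EXCH":  ("main", False),
    "MM_KEY_AUTH":  ("main", True),
    "AG_NO_STATE":  ("aggressive", False),
    "AG_INIT_EXCH": ("aggressive", False),
    "AG_AUTH":      ("aggressive", True),
    "QM_IDLE":      ("quick", True),
}

# dst src STATE conn-id slot status; the header line fails the [A-Z_]+ state
# field and is skipped automatically.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_isakmp_sa(text):
    """Return one dict per SA row, annotated with mode and auth status."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        dst, src, state, conn, slot, status = m.groups()
        mode, authenticated = STATES.get(state, ("unknown", False))
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn), "slot": int(slot), "status": status,
                     "mode": mode, "authenticated": authenticated})
    return rows


def unauthenticated_peers(rows):
    """Sources whose SA never completed phase 1 (sorted, de-duplicated)."""
    return sorted({r["src"] for r in rows if not r["authenticated"]})


def state_summary(rows):
    """Count of SAs per state, handy for a quick health check."""
    return Counter(r["state"] for r in rows)


if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE)
    print(state_summary(sas))
    print("peers stuck before authentication:", unauthenticated_peers(sas))
```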


Related Commands

Command
Description

crypto isakmp policy

Defines an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.


show crypto key mypubkey rsa

To display the RSA public keys of your router, use the show crypto key mypubkey rsa command in privileged EXEC mode.

show crypto key mypubkey rsa

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3 T

This command was introduced.

12.3(7)T

The show output was modified to display whether an RSA key is protected (encrypted) and locked or unlocked.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

This command displays the RSA public keys of your router.


Note Secure Shell (SSH) may generate an additional RSA keypair if you generate a keypair on a router having no RSA keys. The additional keypair is used only by SSH and will have a name such as {router_FQDN}.server. For example, if a router name is "router1.cisco.com," the keyname is "router1.cisco.com.server."


Examples

The following is sample output from the show crypto key mypubkey rsa command. Special usage RSA keys were previously generated for this router using the crypto key generate rsa command.

% Key pair was generated at: 06:07:49 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Signature Key
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

% Key pair was generated at: 06:07:50 UTC Jan 13 1996
Key name: myrouter.example.com
 Usage: Encryption Key
 Key Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted (protected) and unlocked.

Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234
Router(config)# exit
Router# show crypto key mypubkey rsa

% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC 23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001

% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Router#

The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.

Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234
! 
Router# show crypto key mypubkey rsa

% Key pair was generated at:20:29:41 GMT Jun 20 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and LOCKED. ***
Key is exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC
0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9F
B6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001

Related Commands

Command
Description

crypto key encrypt rsa

Encrypts the RSA private key.

crypto key generate rsa (IKE)

Generates RSA key pairs.

crypto key lock rsa

Locks the RSA private key in a router.


show crypto key pubkey-chain rsa

To display the Rivest, Shamir, and Adleman (RSA) public keys of the peer that are stored on your router, use the show crypto key pubkey-chain rsa command in user EXEC or privileged EXEC mode.

show crypto key pubkey-chain rsa [address key-address | name key-name | vrf vrf-name [address ip-address]]

Cisco IOS Release 12.2(33)SXI

show crypto key pubkey-chain rsa [name key-name]

Syntax Description

address

(Optional) Specifies the address of a particular public key or VRF.

key-address

(Optional) The IP address assigned to a particular public key or VRF.

name

(Optional) Specifies the name of a public key.

key-name

(Optional) The name assigned to a particular public key or VRF.

vrf

(Optional) Specifies a Virtual Private Network (VPN) routing and forwarding (VRF) instance.

vrf-name

(Optional) The name assigned to the VRF.

address

(Optional) Specifies the address of a VRF.

ip-address

(Optional) The address of a particular public key to view.


Command Modes

User EXEC (>)
Privileged EXEC (#)

Command History

Release
Modification

11.3T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXI

This command was integrated into Cisco IOS Release 12.2(33)SXI.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.


Usage Guidelines

This command shows RSA public keys stored on your router. These include RSA public keys of peer routers manually configured on your router and keys received by your router via other means (such as by a certificate, if certification authority support is configured).

If a router reboots, any public keys derived from certificates are lost. They are derived again when the router requests the certificates.

Use the name or address keywords to display details about a particular RSA public key stored on your router.

If no keywords are used, this command displays a list of all RSA public keys stored on your router.

Examples

The following is sample output from the show crypto key pubkey-chain rsa command:

Router# show crypto key pubkey-chain rsa

Codes: M - Manually Configured, C - Extracted from certificate

Code  Usage        IP-address       Name
M     Signature    209.165.200.225  myrouter.example.com
M     Encryption   209.165.202.129  myrouter.example.com
C     Signature    209.165.200.225  routerA.example.com
C     Encryption   209.165.202.129  routerA.example.com
C     General      209.165.200.225  routerB.domain1.com

This sample output shows manually configured special usage RSA public keys for the peer router. The peer router can be either Router A or Router B. This sample also shows three keys obtained from the certificates of peer routers: special usage keys for peer "routerA" and a general purpose key for peer "routerB."

If certificate support is not used, none of the keys of the peer router show "C" in the code column. You must configure them manually.

The following is sample output from the show crypto key pubkey-chain rsa command. This example also includes the vrf keyword.

Router# show crypto key pubkey-chain rsa vrf

Code  Usage    IP-Address/VRF    Keyring    Name
M     General  209.165.200.225   default
M     General  209.165.202.129   default

The following is sample output from the show crypto key pubkey-chain rsa name command:

Router# show crypto key pubkey-chain rsa name somerouter.example.com 

Key name: somerouter.example.com
Key address: 209.165.200.225
 Usage: Signature Key
 Source: Manual
 Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22 
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2 
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001

Key name: somerouter.example.com
Key address: 209.165.200.225
 Usage: Encryption Key
 Source: Manual
 Data:
  00302017 4A7D385B 1234EF29 335FC973 2DD50A37 C4F4B0FD 9DADE748 429618D5
  18242BA3 2EDFBDD3 4296142A DDF7D3D8 08407685 2F2190A0 0B43F1BD 9A8A26DB
  07953829 791FCDE9 A98420F0 6A82045B 90288A26 DBC64468 7789F76E EE21

Note The Source field in the above example displays "Manual," indicating that the keys were manually configured on the router, not received in the peer's certificate.


The following is sample output from the show crypto key pubkey-chain rsa address 209.165.202.129 command:

Router# show crypto key pubkey-chain rsa address 209.165.202.129

Key name: routerB.example.com
Key address: 209.165.202.129
 Usage: General Purpose Key
 Source: Certificate
 Data:
  0738BC7A 2BC3E9F0 679B00FE 53987BCC 01030201 42DD06AF E228D24C 458AD228
  58BB5DDD F4836401 2A2D7163 219F882E 64CE69D4 B583748A 241BED0F 6E7F2F16
  0DE0986E DF02031F 4B0B0912 F68200C4 C625C389 0BFF3321 A2598935 C1B1

Note The Source field in the above example displays "Certificate," indicating that the keys were received by the router through the other router's certificate.
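The Key Data blocks printed by show crypto key mypubkey rsa and show crypto key pubkey-chain rsa are DER-encoded SubjectPublicKeyInfo structures, which is why they all begin with the same 30..300D 06092A86 4886F70D 01010105 0003 prefix (SEQUENCE, rsaEncryption OID, NULL, BIT STRING). Decoding them tells you the modulus size and gives you a fingerprint to compare with the peer out of band before trusting a manually entered key. The following Python is an added example, not part of the Cisco reference and not a Cisco API; it is a minimal DER reader with no third-party dependencies. The two embedded key blocks are copied from the sample output on this page (the signature key of somerouter.example.com and the pki1-72a.cisco.com.server key); the 2048-bit threshold in audit_key is an assumption reflecting current guidance.

```python
import hashlib
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

# Key Data blocks copied from the sample output above.
SIG_KEY = """
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C5E23B 55D6AB22
  04AEF1BA A54028A6 9ACC01C5 129D99E4 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
  BD62A8A9 FA603DD2 E2A8A6F8 98F76E28 D58AD221 B583D7A4 71020301 0001
"""
SERVER_KEY = """
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
  854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
  3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
  DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
"""


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_ios_key_data(dump):
    """Decode a hex Key Data block as SubjectPublicKeyInfo.

    Returns the modulus size, the public exponent and a SHA-256 fingerprint
    of the DER bytes (the value to confirm with the peer out of band).
    """
    der = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", dump))
    tag, spki, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _tlv(spki)               # AlgorithmIdentifier
    oid_tag, oid, _ = _tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed BIT STRING")
    tag, rsapub, _ = _tlv(bits[1:])
    n_tag, n_bytes, pos = _tlv(rsapub)       # modulus INTEGER
    e_tag, e_bytes, _ = _tlv(rsapub, pos)    # publicExponent INTEGER
    if tag != 0x30 or n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


def audit_key(dump, min_bits=2048):
    """Add a 'weak' flag; min_bits is an assumed policy threshold."""
    info = parse_ios_key_data(dump)
    info["weak"] = info["modulus_bits"] < min_bits
    return info


if __name__ == "__main__":
    for name, dump in (("signature", SIG_KEY), ("server", SERVER_KEY)):
        print(name, audit_key(dump))
```

Both sample keys decode as e = 65537 with 512-bit and 768-bit moduli respectively; either would be flagged by a modern key-length policy, which is exactly the kind of finding this output lets you make without leaving the router CLI.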


Related Commands

Command
Description

rsa-pubkey

Defines the RSA manual key to be used for encryption or signature during IKE authentication.


show crypto map (IPsec)

To display the crypto map configuration, use the show crypto map command in user EXEC or privileged EXEC mode.

show crypto map [gdoi fail-close | interface interface | tag map-name]

Syntax Description

gdoi fail-close

(Optional) Displays information about the status of the fail-close mode.

interface interface

(Optional) Displays only the crypto map set that is applied to the specified interface.

tag map-name

(Optional) Displays only the crypto map set that is specified.


Command Default

No crypto maps are shown.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release
Modification

11.2

This command was introduced.

12.3(8)T

Output has been modified to display the crypto input and output access control lists (ACLs) that have been configured.

12.4(4)T

IPv6 address information was added to command output.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(20)T

Default transform set information was added to command output.

12.4(22)T

The gdoi fail-close keyword was added.

Cisco IOS XE Release 2.3

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

The show crypto map command allows you to specify a particular crypto map. The crypto maps shown in the command output have been dynamically generated; the user does not have to configure crypto maps in order for them to appear in this command output.

There are two default transform sets supported in Cisco IOS k9 images only:

esp-aes esp-sha-hmac

esp-3des esp-sha-hmac

The show crypto map command will display the default transform sets if there are no other transform sets configured for the crypto map, you have not disabled the default transform sets by issuing the no crypto ipsec default transform-set command, and the crypto engine supports the encryption algorithm.

Examples

The following example shows that crypto input and output ACLs have been configured:

Router# show crypto map

Crypto Map "test" 10 ipsec-isakmp
 Peer
 Extended IP access list ipsec_acl 
  access-list ipsec_acl permit ip 192.168.2.0 0.0.0.255 192.168.102.0 0.0.0.255 
 Extended IP access check IN list 110 
  access-list 110 permit ip host 192.168.102.47 192.168.2.0 10.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.32 10.0.0.15
  access-list 110 permit ip host 192.168.102.47 192.168.2.64 10.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.0 10.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.32 10.0.0.15
  access-list 110 permit ip host 192.168.102.57 192.168.2.64 10.0.0.15
 Extended IP access check OUT list 120
  access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.47 
  access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.47
  access-list 120 permit ip 192.168.2.0 10.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.32 10.0.0.15 host 192.168.102.57
  access-list 120 permit ip 192.168.2.64 10.0.0.15 host 192.168.102.57
 Current peer: 10.0.0.2 
 Security association lifetime: 4608000 kilobytes/3600 seconds 
 PFS (Y/N): N 
 Transform sets=test
 Interfaces using crypto map test: 
  Serial0/1

Table 102 describes the output in the display.

Table 102 show crypto map Field Descriptions 

Field
Description

Peer

Possible peers that are configured for this crypto map entry.

Extended IP access list

Access list that is used to define which data packets are to be encrypted. Packets that are denied by this access list are forwarded but not encrypted. The "reverse" of this access list (source and destination swapped) is used to check inbound packets, which must also be encrypted. Inbound cleartext packets that the "reverse" access list says should have been encrypted are dropped.

Extended IP access check

Access lists that are used to more finely control which data packets are allowed into or out of the IPsec tunnel. Packets that are allowed by the "Extended IP access list" ACL but denied by the "Extended IP access list check" ACL are dropped.

Current peer

Current peer that is being used for this crypto map entry.

Security association lifetime

Number of bytes that are allowed to be encrypted or decrypted or the age of the security association before new encryption keys must be negotiated.

PFS

(Perfect Forward Secrecy) If "Yes," the Internet Security Association and Key Management Protocol (ISAKMP) SKEYID-d key is also renegotiated each time IPsec security association (SA) encryption keys are renegotiated (requires another Diffie-Hellman calculation). Otherwise, the same ISAKMP SKEYID-d key is used when renegotiating IPsec SA encryption keys. ISAKMP keys are renegotiated on a separate schedule, with a default time of 24 hours.

Transform sets

List of transform sets (encryption, authentication, and compression algorithms) that can be used with this crypto map.

Interfaces using crypto map test

Interfaces to which this crypto map is applied. Packets that are leaving from this interface are subject to the rules of this crypto map for encryption. Encrypted packets may enter the router on any interface, and they will be decrypted. Nonencrypted packets that are entering the router through this interface are subject to the "reverse" crypto access list check.
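The three access-list behaviours described in Table 102 (crypto ACL decides what is encrypted, its reverse decides which inbound cleartext is dropped, and the access-check ACL further narrows what the tunnel may carry) are easier to reason about as code than as prose. The following Python is an added example, not part of the Cisco reference and not how IOS implements the checks internally; it models the decisions with Cisco wildcard-mask matching. The crypto ACL is access list 102 from the "mymap" example on this page; CHECK_OUT_ACL is a constructed check list (not from the page) that restricts the tunnel to a single remote host.

```python
import ipaddress

# Crypto ACL copied from the "mymap" example on this page (access-list 102).
# Entries are (action, src, src-wildcard, dst, dst-wildcard).
CRYPTO_ACL = [
    ("permit", "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.0.255.255"),
]
# Constructed "Extended IP access check OUT" list (not from the page):
# only traffic to host 10.0.3.9 may enter the tunnel.
CHECK_OUT_ACL = [
    ("permit", "192.168.1.0", "0.0.0.255", "10.0.3.9", "0.0.0.0"),
]


def _wild_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit in the mask means that bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching entry wins; no match is the implicit deny."""
    for action, sb, sw, db, dw in acl:
        if _wild_match(src, sb, sw) and _wild_match(dst, db, dw):
            return action == "permit"
    return False


def reversed_acl(acl):
    """The 'reverse' ACL swaps source and destination of every entry."""
    return [(a, db, dw, sb, sw) for a, sb, sw, db, dw in acl]


def outbound_decision(crypto_acl, src, dst, check_acl=None):
    """Packet leaving the interface the crypto map is applied to."""
    if not acl_permits(crypto_acl, src, dst):
        return "forward-in-clear"      # denied by crypto ACL: not interesting traffic
    if check_acl is not None and not acl_permits(check_acl, src, dst):
        return "drop"                  # allowed by crypto ACL, denied by check ACL
    return "encrypt"


def inbound_clear_decision(crypto_acl, src, dst):
    """Cleartext packet arriving on that interface: if the reverse ACL
    permits it, it should have been encrypted, so it is dropped."""
    return "drop" if acl_permits(reversed_acl(crypto_acl), src, dst) else "forward"


if __name__ == "__main__":
    print(outbound_decision(CRYPTO_ACL, "192.168.1.5", "10.0.3.9"))
    print(inbound_clear_decision(CRYPTO_ACL, "10.0.3.9", "192.168.1.5"))
```

The inbound check is the security-relevant half: without it, a cleartext packet forged with a protected source address would be accepted as if it had come through the tunnel.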


The following example displays the output of the show crypto map command. There are no transform sets configured for the crypto map "mymap", the default transform sets are enabled, and the crypto engine supports the encryption algorithm.

Router# show crypto map 

Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 102
            access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
                #$!default_transform_set_1:  { esp-aes esp-sha-hmac  } , 
                #$!default_transform_set_0:  { esp-3des esp-sha-hmac  } , 
        }
        Reverse Route Injection Enabled
        Interfaces using crypto map mymap:

The following example displays the output of the show crypto map command. There are no transform sets configured for the crypto map "mymap" and the default transform sets have been disabled.

Router(config)# no crypto ipsec default transform-set
Router(config)# exit
Router# show crypto map 

Crypto Map "mymap" 1 ipsec-isakmp
        Peer = 10.1.1.1
        Extended IP access list 102
            access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ 
        }
! There are no transform sets for the crypto map "mymap."
        Reverse Route Injection Enabled
        Interfaces using crypto map mymap:

The following example displays output for the show crypto map command and gdoi fail-close keyword (show crypto map gdoi fail-close). Fail-close has been activated. In addition, an implicit "permit ip any any" entry is configured, causing any traffic other than Telnet and Open Shortest Path First (OSPF) to be dropped:

Router# show crypto map gdoi fail-close

Crypto Map: "svn" 
        Activate: yes
        Fail-Close Access-List: (Deny = Forward In Clear, Permit = Drop)
            access-list 105 deny tcp any port = 23 any
            access-list 105 deny ospf any any

Related Commands

Command
Description

show crypto ipsec default transform-set

Displays the default IPsec transform sets.

show crypto ipsec transform-set

Displays the configured transform sets.


show crypto mib ipsec flowmib endpoint

To display the IP Security (IPsec) phase-2 tunnel endpoint table, use the show crypto mib ipsec flowmib endpoint command in privileged EXEC mode.

show crypto mib ipsec flowmib endpoint [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(20)T

This command was introduced.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Usage Guidelines

The IPsec phase-2 tunnel endpoint table contains an entry for each active endpoint associated with an IPsec phase-2 tunnel.

Examples

The following example displays the IPsec phase 2 tunnel endpoint table for all VRFs:

Router# show crypto mib ipsec flowmib endpoint

vrf Global
  Index:               1
  Local type:          Single IP address
  Local address:       192.1.2.1
  Protocol:            0
  Local port:          0
  Remote type:         Single IP address
  Remote address:      192.1.2.2
  Remote port:         0

  Index:               2
  Local type:          Subnet
  Local address:       192.1.3.0 255.255.255.0
  Protocol:            0
  Local port:          0
  Remote type:         Subnet
  Remote address:      192.1.3.0 255.255.255.0
  Remote port:         0

Table 103 describes the significant fields shown in the display.

Table 103 show crypto mib ipsec flowmib endpoint Field Descriptions 

Field
Description

Index

The number of the endpoint associated with the IPsec phase-2 tunnel table. The value of this index is a number which begins at one and is incremented with each endpoint associated with an IPsec phase-2 tunnel. The index value will wrap at 2,147,483,647.

Local type

The local endpoint identity type. The three possible values are a single IP address, an IP address range, or an IP subnet.

Local address

The first IP address of the local endpoint. If the local endpoint type is a single IP address, then the local address is the value of the IP address. If the local endpoint type is an IP address range, then the local address is the value of beginning IP address of the range. If the local endpoint type is an IP subnet, then the local address is the value of the subnet.

Protocol

The local endpoint traffic protocol number.

Local port

The local endpoint traffic port number.

Remote type

The remote endpoint identity type. The three possible values are a single IP address, an IP address range, or an IP subnet.

Remote address

The first IP address of the remote endpoint. If the remote endpoint type is a single IP address, then the remote address is the value of the IP address. If the remote endpoint type is an IP address range, then the remote address is the value of beginning IP address of the range. If the remote endpoint type is an IP subnet, then the remote address is the value of the subnet.

Remote port

The remote endpoint traffic port number.


Related Commands

Command
Description

show crypto mib ipsec flowmib failure

Displays statistics associated with IPsec phase-2 failure.

show crypto mib ipsec flowmib global

Displays IPsec phase-2 global statistics.

show crypto mib ipsec flowmib history

Displays statistics associated with previously active IPsec phase-2 tunnels.

show crypto mib ipsec flowmib spi

Displays the IPsec phase-2 security protection index (SPI) table.

show crypto mib ipsec flowmib tunnel

Displays statistics for all active IPsec phase-2 tunnels.


show crypto mib ipsec flowmib failure

To display statistics associated with IP Security (IPsec) phase-2 failure, use the show crypto mib ipsec flowmib failure command in privileged EXEC mode.

show crypto mib ipsec flowmib failure [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Displays the parameters for the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance.


Command Modes

Privileged EXEC (#)

Command History

Release
Modification

12.4(20)T

This command was introduced.

Cisco IOS XE Release 2.4

This command was implemented on the Cisco ASR 1000 series routers.


Examples

The following example displays the IPsec phase 2 MIB failure table for all indexes and VRFs:

Router# show crypto mib ipsec flowmib failure

vrf Global
  Index: