Crypto Show Commands
show crypto ipsec sa
This command displays the settings of the current Security Associations (SAs).
Syntax
show crypto ipsec sa [map map-name | address]

map-name    Shows any existing SAs created for the crypto map set named map-name.
address     Shows all existing SAs, sorted by the destination address (either the local address
            or the address of the IPSec remote peer) and then by protocol (AH or ESP).

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output when NAT is not present between the crypto endpoints. The first
section is the inbound SA, and the second section, the outbound SA. The UDP port follows the
IP address of the crypto endpoints when a NAT is present.

XSR#show crypto ipsec sa
10.1.1.2/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 71 packets
ESP: SPI=f5ae2b52, Transform=3DES/HMAC-SHA, Life=3575S/249929KB
Local crypto endpt.=10.2.1.34, Remote crypto endpt.=10.1.1.2
Encapsulation=Transport
10.2.1.34/32, UDP, 1701 ==> 10.1.1.2/32, UDP, 1701 : 36 packets
ESP: SPI=5419ec15, Transform=3DES/HMAC-SHA, Life=3575S/249933KB
Local crypto endpt.=10.2.1.34, Remote crypto endpt.=10.1.1.2
Encapsulation=Transport

The following is sample output when NAT is present between the crypto endpoints. Note that
UDP-Encaps displays, indicating that encapsulation is enabled with a NAT present.

10.2.1.10/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 52 packets
ESP: SPI=40d5e065, Transform=3DES/HMAC-SHA, Life=3589S/249932KB
Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108
Encapsulation=Transport UDP-Encaps
10.2.1.34/32, UDP, 1701 ==> 10.2.1.10/32, UDP, 1701 : 32 packets
ESP: SPI=5c0f6fb5, Transform=3DES/HMAC-SHA, Life=3589S/249934KB
Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108
Encapsulation=Transport UDP-Encaps

Parameter Description
10.2.1.10/32, UDP, 1701    IP address, protocol, and protocol port number of the
                           source ACL entry associated with this SA.
10.2.1.34/32, UDP, 1701    IP address, protocol, and protocol port number of the
                           destination ACL entry associated with this SA.
52 packets                 Number of packets processed by this SA.
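
When this output is collected for monitoring or audit, it can be turned into one record per SA. The Python below is an added example, not part of the original documentation or the vendor's tooling. It assumes each SA begins with a "source ==> destination : N packets" line followed by the three detail lines shown in the sample output; the dictionary field names and the nat_consistent check are this example's own.

```python
import re

# Sample input: the NAT case from the page's sample output.
SAMPLE = """\
10.2.1.10/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 52 packets
ESP: SPI=40d5e065, Transform=3DES/HMAC-SHA, Life=3589S/249932KB
Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108
Encapsulation=Transport UDP-Encaps
10.2.1.34/32, UDP, 1701 ==> 10.2.1.10/32, UDP, 1701 : 32 packets
ESP: SPI=5c0f6fb5, Transform=3DES/HMAC-SHA, Life=3589S/249934KB
Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108
Encapsulation=Transport UDP-Encaps
"""

ACL = r"([\d.]+/\d+), (\w+), (\d+)"   # address/prefix, protocol, port
HEADER = re.compile(rf"^{ACL} ==> {ACL} : (\d+) packets$")
PROTO = re.compile(r"^(AH|ESP): SPI=([0-9a-f]+), Transform=(\S+), Life=(\d+)S/(\d+)KB$")
ENDPT = re.compile(r"^Local crypto endpt\.=([^,\s]+), Remote crypto endpt\.=(\S+)$")
ENCAP = re.compile(r"^Encapsulation=(\w+)( UDP-Encaps)?$")

def parse_sas(text):
    """Return one dict per SA; unknown lines raise instead of being skipped."""
    sas = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("XSR"):   # blank line or CLI prompt
            continue
        if m := HEADER.match(line):
            sas.append({"src": m[1], "proto": m[2], "port": int(m[3]),
                        "dst": m[4], "packets": int(m[7])})
        elif not sas:
            raise ValueError(f"detail line before any SA header: {line!r}")
        elif m := PROTO.match(line):
            # Life values are stored exactly as displayed (seconds / kilobytes).
            sas[-1].update(ipsec=m[1], spi=m[2], transform=m[3],
                           life_s=int(m[4]), life_kb=int(m[5]))
        elif m := ENDPT.match(line):
            sas[-1].update(local=m[1], remote=m[2])
        elif m := ENCAP.match(line):
            sas[-1].update(mode=m[1], udp_encaps=m[2] is not None)
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return sas

def nat_consistent(sa):
    """Endpoint UDP ports and the UDP-Encaps flag should appear together (NAT present) or not at all."""
    has_ports = ":" in sa["local"] and ":" in sa["remote"]
    return has_ports == sa["udp_encaps"]

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["src"], "==>", sa["dst"], sa["spi"], sa["packets"], "NAT" if sa["udp_encaps"] else "no NAT")
```

Raising on unrecognised lines makes a change in the output format visible instead of silently dropping SAs from a report.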