Thursday, February 7, 2013

Cisco ASA: "Show Crypto Ipsec SA Peer" Command - Verifying Two Way Traffic

How do you know if VPN traffic is going across and back or not?  Well, here is how you do that on an Cisco ASA.  If you look at the example below, circled in red, you will see encrypt and decrypt.  Encrypt is your ASA encrypting traffic going across to the remote side.  Decrypt is traffic being decrypted come back from the remote side.  If you see your encrypt numbers going up, and decrypt numbers staying the same, then you know you are getting across, but nothing is coming back.  If you see your decrypt numbers going up, but your encrypt numbers staying the same, then you know that you are getting traffic from the remote side, but not sending anything back.  You need to see both numbers going up to know you have two way traffic. 
Notice the command "show crypto ipsec sa peer".  That shows you the following Phase II information (shorted for brevity).


  1. how can we clear these encap and decap counters?

    1. Bounce the vpn. There is probably a way to clear the counters, not sure right off.


Your comment will be reviewed for approval. Thank you for submitting your comments.