Friday, May 31, 2013

Cisco ASA: show cry ipsec sa peer | i ident|caps

I wanted to add a quick note on a cool addition to a command in the Cisco ASA. If you troubleshoot VPNs much or configure them often, then you know what it's like to check phase I and phase II to make sure everything is good with the VPN. I know I do! So I found an 'include' statement tonight that might be helpful to you when looking at phase II traffic statistics. It really shortens the amount of info the command gives you if you are just trying to verify traffic. Here it is:
show cry ipsec sa | i ident|caps

Here is a sample output when running that command above:
 ciscoasa# show cry ipsec sa | i ident|caps
      local ident (addr/mask/prot/port): (
      remote ident (addr/mask/prot/port): (
      #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
      #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

This is all it shows, and that helps a lot when just trying to get the VPN up and verifying traffic.
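As an added example (not part of the original post), this Python sketch parses a paste of that filtered output into one record per SA and classifies each by traffic direction. The sample addresses are constructed from documentation ranges, and the names `parse_sas` and `direction` are hypothetical.

```python
import re

# Constructed sample (documentation address ranges), same shape as the output above.
SAMPLE = """\
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
      #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
      #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (203.0.113.0/255.255.255.0/0/0)
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
"""

# Trailing ")" is optional so idents truncated in a paste still parse.
IDENT = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \((.*?)\)?\s*$")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Group filtered lines into one dict per SA; a 'local ident' line starts a new SA."""
    sas = []
    for line in text.splitlines():
        m = IDENT.match(line)
        if m and m.group(1) == "local":
            sas.append({"local": m.group(2), "remote": "", "encaps": 0, "decaps": 0})
        elif m and sas:
            sas[-1]["remote"] = m.group(2)
        elif sas:
            # The "#PMTUs" line is shown only because "decapsulated" contains
            # "caps"; it has no "#pkts encaps/decaps" counter, so nothing matches.
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas

def direction(sa):
    """Classify an SA by which direction has carried traffic."""
    if sa["encaps"] and sa["decaps"]:
        return "two-way"
    if sa["encaps"]:
        return "tx-only"   # we send, nothing comes back
    if sa["decaps"]:
        return "rx-only"   # we receive, nothing goes out
    return "idle"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(f'{sa["local"]} -> {sa["remote"]}: {direction(sa)} '
              f'(encaps={sa["encaps"]}, decaps={sa["decaps"]})')
```

An SA whose encaps counter climbs while decaps stays at 0 is sending traffic into the tunnel but getting nothing back from the peer.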
