show crypto ipsec sa
Displays the current IPsec security association (SA) database, showing active tunnels and their parameters.
Overview
The 'show crypto ipsec sa' command is a fundamental troubleshooting and verification tool for IPsec VPNs on Cisco ASA firewalls. It displays the IPsec security associations (SAs) that have been negotiated between the ASA and its peers. An IPsec SA is a set of security parameters (encryption algorithm, authentication method, keys, etc.) that define how traffic is protected between two endpoints. This command is essential for confirming that a VPN tunnel is operational, monitoring traffic flow, and diagnosing issues such as packet drops, misconfigured transform sets, or SA lifetime expirations.
IKE runs in two stages. The first (phase 1 in IKEv1; the IKE_SA_INIT and IKE_AUTH exchanges in IKEv2) authenticates the peers and builds the IKE SA (still called the ISAKMP SA in older documentation). The second (IKEv1 quick mode; the IKEv2 CHILD_SA exchange) negotiates the IPsec SAs that actually protect user traffic. 'show crypto ipsec sa' shows the result of the second stage. An IPsec SA is unidirectional, so every tunnel appears as an inbound SA and an outbound SA, each with its own SPI. The command shows the local and remote identities (traffic selectors), the peer IP address, packet and error counters, the negotiated transform, and the SA timing. On Cisco ASA the output is organized per interface and crypto map, so it maps directly onto the configuration.
This command is used in several situations: after initial VPN configuration to verify that the tunnel is up, during routine monitoring to check for drops or rekey failures, and when troubleshooting connectivity problems. It fits into a broader workflow: first confirm the IKE SA with 'show crypto isakmp sa' (on ASA, 'show crypto ikev2 sa' shows IKEv2 SAs only), then the IPsec SAs with this command, and finally take packet captures if needed. Reading this output correctly is essential for anyone managing site-to-site or remote-access VPNs on ASA platforms.
show crypto ipsec sa [peer <ip-address>] [map <map-name>] [identity <identity>] [detail]
When to Use This Command
- Verify that an IPsec tunnel is established and active after configuration.
- Troubleshoot why traffic is not being encrypted or decrypted as expected.
- Check the lifetime and byte counters of an SA to monitor tunnel usage.
- Identify the peer IP address and transform set used for a specific tunnel.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| peer | peer <ip-address> | Filters the output to show only SAs with the specified peer IP address. Useful for focusing on a specific tunnel when multiple VPNs exist. |
| map | map <map-name> | Filters by crypto map name. Helps isolate SAs associated with a particular crypto map, especially when multiple maps are configured. |
| identity | identity <identity> | Filters by the identity (traffic selector) of the SA. The identity is typically a subnet or host address. Useful for finding SAs protecting specific networks. |
| detail | detail | Extends the basic display with additional per-SA counters (extra error and fragmentation counters) and MTU-related fields (path MTU, IPsec overhead, media MTU). The layout per crypto map is the same as the basic display. |
Command Examples
Basic IPsec SA Display
show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 198.51.100.1
#pkts encaps: 100, #pkts decaps: 95
#pkts encrypt: 100, #pkts decrypt: 95
#pkts verify: 0, #pkts compressed: 0
#pkts decompressed: 0, #pkts not compressed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed: 0, #pkts decaps failed: 0
#pkts invalid prot: 0, #pkts verify failed: 0
#pkts invalid identity: 0, #pkts invalid len: 0
#pkts replay rollover: 0, #pkts replay failed: 0
#pkts internal err: 0, #pkts replay ignored: 0
local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1
path mtu: 1500, ipsec overhead: 58, media mtu: 1500
current outbound spi: 0x12345678(305419896)
current inbound spi : 0x87654321(2271560481)
inbound esp sas:
spi: 0x87654321(2271560481)
transform: esp-aes-256 esp-sha-hmac
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2879
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x12345678(305419896)
transform: esp-aes-256 esp-sha-hmac
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2879
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
The output shows one active tunnel between local 203.0.113.1 and remote 198.51.100.1, made up of an inbound ESP SA (SPI 0x87654321) and an outbound ESP SA (SPI 0x12345678). The local and remote identities are the traffic selectors (whole /24 subnets, any protocol, any port). The counters must be read per direction: 100 packets were encapsulated and all 100 encrypted outbound; 95 were decapsulated and all 95 decrypted inbound. The difference between 100 and 95 is not packet loss, because the two numbers count opposite directions and will normally differ. Both SAs use AES-256 with HMAC-SHA-1 integrity (esp-sha-hmac), were negotiated with IKEv2 for a LAN-to-LAN (L2L) tunnel, and have 2879 seconds of key lifetime remaining. Every error counter is zero, including '#pkts replay failed', so no replay-window violations have occurred; the bitmap lines show the state of the anti-replay window itself, not a failure count.
Detailed IPsec SA for a Specific Peer
show crypto ipsec sa peer 198.51.100.1 detail
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 198.51.100.1
#pkts encaps: 1000, #pkts decaps: 1000
#pkts encrypt: 1000, #pkts decrypt: 1000
#pkts verify: 0, #pkts compressed: 0
#pkts decompressed: 0, #pkts not compressed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed: 0, #pkts decaps failed: 0
#pkts invalid prot: 0, #pkts verify failed: 0
#pkts invalid identity: 0, #pkts invalid len: 0
#pkts replay rollover: 0, #pkts replay failed: 0
#pkts internal err: 0, #pkts replay ignored: 0
local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1
path mtu: 1500, ipsec overhead: 58, media mtu: 1500
current outbound spi: 0x12345678(305419896)
current inbound spi : 0x87654321(2271560481)
inbound esp sas:
spi: 0x87654321(2271560481)
transform: esp-aes-256 esp-sha-hmac
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2879
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x12345678(305419896)
transform: esp-aes-256 esp-sha-hmac
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2879
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
The 'detail' keyword adds further per-SA counters and MTU/fragmentation fields to the same per-crypto-map layout; the fields shown above are the ones common to both forms. Here the counters show 1000 packets in each direction, with encaps equal to encrypt and decaps equal to decrypt and every error counter at zero, which is what a healthy tunnel looks like. Both SAs report the same remaining lifetime, and '#pkts replay failed' is zero.
Understanding the Output
The 'show crypto ipsec sa' output is organized per interface and crypto map. Each block starts with the crypto map tag, sequence number and local address. The local and remote identities are the traffic selectors (network/mask, protocol, port) the SA protects, and current_peer is the remote IKE endpoint.
The packet counters are the most important lines and must be read per direction. Outbound: '#pkts encaps' (packets handed to IPsec for encapsulation) and '#pkts encrypt' should be equal. Inbound: '#pkts decaps' and '#pkts decrypt' should be equal. Encaps and decaps count opposite directions, so they are not expected to match each other. Any non-zero error counter ('#pkts no sa (send)', '#pkts invalid sa (rcv)', '#pkts decaps failed', '#pkts replay failed', and so on) points to a specific problem.
The SA timing line shows the remaining key lifetime. The ASA starts a rekey before the lifetime expires; if the rekey keeps failing, the SA is torn down when the lifetime reaches zero. The transform (for example esp-aes-256 esp-sha-hmac) names the ESP encryption and integrity algorithms, and the 'in use settings' line records the tunnel type and the IKE version that negotiated it. The anti-replay bitmap is the receive window of sequence numbers already accepted; replayed or badly reordered packets are rejected and counted under '#pkts replay failed', so a gap in the window by itself indicates loss or reordering, not an attack.
Healthy output shows encaps equal to encrypt, decaps equal to decrypt, non-zero traffic in both directions, all error counters at zero, and a reasonable remaining lifetime. Problematic output shows encaps greater than encrypt, error counters that climb between two runs of the command, or no SA at all.
Configuration Scenarios
Verifying a Site-to-Site VPN Tunnel
A site-to-site VPN is configured between ASA1 (203.0.113.1) and ASA2 (198.51.100.1) to connect the 10.0.0.0/24 and 192.168.1.0/24 networks.
Topology
ASA1 (outside:203.0.113.1) --- Internet --- ASA2 (outside:198.51.100.1)
10.0.0.0/24 behind ASA1, 192.168.1.0/24 behind ASA2
Steps
1. Configure the IKEv2 policy, IPsec proposal, crypto ACL, crypto map and tunnel-group on both ASAs (ASA2 mirrors ASA1 with the addresses swapped).
2. Enable IKEv2 on the outside interface and apply the crypto map to it.
3. Send traffic from 10.0.0.1 to 192.168.1.1 to trigger the negotiation (the ASA only builds the IPsec SA when interesting traffic arrives).
4. Run 'show crypto ipsec sa' on ASA1 to verify the SA.
! ASA1 configuration
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto map outside_map 10 match address VPN_ACL
crypto map outside_map 10 set peer 198.51.100.1
crypto map outside_map 10 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
!
! Peer authentication: without a tunnel-group the IKE SA never authenticates. Replace <key> with a strong shared secret.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <key>
 ikev2 local-authentication pre-shared-key <key>
Verify: run 'show crypto ipsec sa peer 198.51.100.1'. Look for the expected local/remote identities, '#pkts encaps' equal to '#pkts encrypt' (and likewise decaps/decrypt), non-zero traffic counters in both directions, and zero error counters.
Watch out: the crypto ACLs on the two sides must be exact mirror images (ASA2's ACL permits 192.168.1.0/24 to 10.0.0.0/24); otherwise the traffic selectors do not match, the IPsec SA fails to establish, or some traffic bypasses the tunnel. The IKEv2 policy, IPsec proposal and pre-shared key must also match on both sides.
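The mirror-image requirement in the 'Watch out' note can be checked before the tunnel is brought up, from the two running configurations. The following Python script is an added example, not part of the original page or of any Cisco tooling: it extracts the ACEs of a named ACL from each ASA's configuration and reports which entries are missing on either side, written in the orientation that side would configure. The two configuration fragments are constructed for the page's topology, with an extra ACE on ASA1 that ASA2 lacks. Only literal 'access-list <name> extended permit ip <net> <mask> <net> <mask>' entries are recognised; ACLs that use object-groups, 'host' or 'any' must be expanded first (an assumption of this example).

```python
"""Check that the crypto ACLs on two ASAs are mirror images (added example; configs are constructed)."""
import re
from typing import Set, Tuple

Ace = Tuple[str, str, str, str]  # (src_net, src_mask, dst_net, dst_mask)
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Assumption: only literal net/mask ACEs; object-groups, 'host' and 'any' are not handled.
ACE_RE = re.compile(rf"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}\s*$")


def parse_crypto_acl(config: str, acl_name: str) -> Set[Ace]:
    """Collect the ACEs of one named ACL from a running configuration."""
    aces: Set[Ace] = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            aces.add(m.groups()[1:])
    return aces


def mirror(ace: Ace) -> Ace:
    """Swap source and destination: the entry the peer must carry for this ACE."""
    src, smask, dst, dmask = ace
    return (dst, dmask, src, smask)


def mirror_mismatches(local: Set[Ace], remote: Set[Ace]) -> Tuple[Set[Ace], Set[Ace]]:
    """Return (ACEs the remote side lacks, ACEs the local side lacks), each written
    in the orientation of the side that needs to add them."""
    missing_on_remote = {mirror(a) for a in local} - remote
    missing_on_local = {mirror(a) for a in remote} - local
    return missing_on_remote, missing_on_local


# Constructed configuration fragments for the page's topology.
ASA1_CONFIG = """\
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_ACL extended permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.1 eq 443
"""
ASA2_CONFIG = """\
access-list VPN_ACL extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

if __name__ == "__main__":
    need_remote, need_local = mirror_mismatches(parse_crypto_acl(ASA1_CONFIG, "VPN_ACL"),
                                                parse_crypto_acl(ASA2_CONFIG, "VPN_ACL"))
    for ace in sorted(need_remote):
        print("ASA2 is missing: access-list VPN_ACL extended permit ip", *ace)
    for ace in sorted(need_local):
        print("ASA1 is missing: access-list VPN_ACL extended permit ip", *ace)
```

Run it against the output of 'show running-config access-list' from each firewall; any line it prints is a traffic selector that will either fail to negotiate or silently send traffic in the clear on one side.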
Troubleshooting with This Command
When troubleshooting IPsec VPN issues on Cisco ASA, 'show crypto ipsec sa' is the primary data-plane check. Start by confirming that an SA exists for the peer. If nothing is listed, either no interesting traffic matching the crypto ACL has been sent yet (the ASA only negotiates an IPsec SA when traffic triggers it), or the child SA negotiation failed. Check 'show crypto isakmp sa' (or 'show crypto ikev2 sa') to confirm the IKE SA is up. If the IKE SA is up but there is no IPsec SA, verify the crypto map, the crypto ACLs on both sides, and the transform set or ipsec-proposal. Common causes are mismatched traffic selectors, a wrong peer address, or incompatible proposals.
If SAs exist but traffic does not pass, read the counters. '#pkts encaps' and '#pkts encrypt' should be equal; if encaps exceeds encrypt, outbound packets are being dropped before encryption. Likewise compare '#pkts decaps' with '#pkts decrypt' for the inbound direction. Do not compare encaps with decaps: they count opposite directions, and an asymmetry such as 100 sent versus 95 received is normal. Non-zero error counters point to specific problems: '#pkts invalid sa (rcv)' means packets arrived for an SPI the ASA no longer has (typically a stale SA on the peer after a rekey or a 'clear'), '#pkts decaps failed' means packets failed integrity checking or decapsulation, and '#pkts replay failed' means packets fell outside the anti-replay window (reordering across unequal paths, or genuinely replayed traffic). Also watch the remaining key lifetime: the ASA rekeys before expiry, but if the rekey keeps failing, the SA is deleted when the lifetime reaches zero and traffic stops until a new SA is negotiated.
The anti-replay bitmap is the sliding window of sequence numbers already received; a sparse pattern of bits indicates reordering or loss, while actual replays show up in '#pkts replay failed'. Also check the MTU values: the largest cleartext packet that fits without fragmentation is 'path mtu' minus 'ipsec overhead' (1500 - 58 = 1442 bytes in the examples above); larger packets must be fragmented, which costs throughput and is sometimes blocked along the path. Use 'detail' to see the full set of fields, and 'peer <ip>' to focus on one tunnel. To force a fresh negotiation, 'clear crypto ipsec sa peer <ip>' tears down that peer's SAs; do it in a maintenance window, because traffic for that tunnel is interrupted until the SA is rebuilt.
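The checks in this section and in 'Understanding the Output' are mechanical enough to automate. The following Python script is an added example, not code from the page or from Cisco: it parses 'show crypto ipsec sa' text (as returned by an SSH session or a terminal capture) into one record per crypto-map entry and reports the findings discussed above, comparing counters only within a direction, flagging non-zero error counters and a nearly expired key, and computing the usable MTU. The sample output embedded in it is constructed: the first entry reproduces the healthy tunnel from the examples on this page, the second is a made-up peer with an encaps/encrypt mismatch, non-zero error counters and 120 seconds of lifetime left. The regexes accept both the IKEv2 '(sec): n' and the IKEv1 '(kB/sec): (kB/sec)' lifetime formats and both 'path mtu: n' and 'path mtu n' spellings.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' output and flag unhealthy SAs (added example; sample is constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
ERROR_PREFIXES = ("pkts no sa", "pkts invalid", "pkts encaps failed", "pkts decaps failed",
                  "pkts verify failed", "pkts replay failed", "pkts internal err")  # non-zero = problem
MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((.*)\)")
COUNTER_RE = re.compile(r"#([^:#]+?):\s*(\d+)")  # "#pkts encaps: 100, #pkts decaps: 95"
MTU_RE = re.compile(r"path mtu:? (\d+), ipsec overhead:? (\d+)")
SPI_RE = re.compile(r"current (outbound|inbound) spi\s*:\s*(0x[0-9a-fA-F]+)")
LIFE_RE = re.compile(r"remaining key lifetime \((?:kB/)?sec\):\s*\(?(?:\d+/)?(\d+)")  # IKEv2 "(sec): n", IKEv1 "(kB/sec): (kB/n)"

@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    counters: Dict[str, int] = field(default_factory=dict)
    path_mtu: int = 0
    ipsec_overhead: int = 0
    transform: str = ""
    inbound_spi: str = ""
    outbound_spi: str = ""
    lifetime_sec: Optional[int] = None  # lowest remaining lifetime of the inbound/outbound pair

def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'Crypto map tag' block, in output order."""
    sas: List[IpsecSa] = []
    cur: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := MAP_RE.match(line):
            cur = IpsecSa(m.group(1), int(m.group(2)))
            sas.append(cur)
        elif cur is None or not line:
            continue
        elif m := IDENT_RE.match(line):
            setattr(cur, f"{m.group(1)}_ident", m.group(2))
        elif line.startswith("current_peer:"):
            cur.peer = line.split(":", 1)[1].strip()
        elif line.startswith("#"):  # one or two "#name: value" pairs per line
            for name, val in COUNTER_RE.findall(line):
                cur.counters[name.strip()] = int(val)
        elif m := MTU_RE.match(line):
            cur.path_mtu, cur.ipsec_overhead = int(m.group(1)), int(m.group(2))
        elif m := SPI_RE.match(line):
            setattr(cur, f"{m.group(1)}_spi", m.group(2))
        elif line.startswith("transform:"):
            cur.transform = line.split(":", 1)[1].strip()
        elif m := LIFE_RE.search(line):
            life = int(m.group(1))
            cur.lifetime_sec = life if cur.lifetime_sec is None else min(cur.lifetime_sec, life)
    return sas

def assess(sa: IpsecSa, min_lifetime_sec: int = 300) -> List[str]:
    """Findings for one SA; an empty list means it looks healthy."""
    c, findings = sa.counters, []
    encaps, encrypt = c.get("pkts encaps", 0), c.get("pkts encrypt", 0)
    decaps, decrypt = c.get("pkts decaps", 0), c.get("pkts decrypt", 0)
    # Compare within one direction only: encaps/decaps count opposite directions, so 100 vs 95 is not loss.
    if encaps != encrypt:
        findings.append(f"outbound: encaps {encaps} != encrypt {encrypt} (dropped before encryption)")
    if decaps != decrypt:
        findings.append(f"inbound: decaps {decaps} != decrypt {decrypt}")
    findings += [f"{n} = {v}" for n, v in c.items() if v and n.startswith(ERROR_PREFIXES)]
    if sa.lifetime_sec is not None and sa.lifetime_sec < min_lifetime_sec:
        findings.append(f"remaining key lifetime {sa.lifetime_sec}s < {min_lifetime_sec}s: is the rekey failing?")
    return findings

def effective_mtu(sa: IpsecSa) -> int:
    """Largest cleartext packet that fits in one ESP datagram without fragmentation."""
    return sa.path_mtu - sa.ipsec_overhead

# Constructed sample: entry 10 is the page's healthy tunnel, entry 20 a made-up broken peer.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 100, #pkts decaps: 95
      #pkts encrypt: 100, #pkts decrypt: 95
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      path mtu: 1500, ipsec overhead: 58, media mtu: 1500
      current outbound spi: 0x12345678(305419896)
      current inbound spi : 0x87654321(2271560481)
         transform: esp-aes-256 esp-sha-hmac
         sa timing: remaining key lifetime (sec): 2879
    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1
      current_peer: 198.51.100.7
      #pkts encaps: 40, #pkts decaps: 12
      #pkts encrypt: 37, #pkts decrypt: 12
      #pkts no sa (send): 3, #pkts invalid sa (rcv): 0
      #pkts replay rollover: 0, #pkts replay failed: 2
         sa timing: remaining key lifetime (kB/sec): (4374000/120)
"""
```

Feed it the raw text of 'show crypto ipsec sa' (or 'show crypto ipsec sa detail', whose extra counters are picked up by the same '#name: value' rule) and call assess() on each returned record; a useful monitoring pattern is to keep the previous run's counters and alert only when an error counter grows between runs.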
CCNA Exam Tips
Remember that '#pkts encaps' counts packets handed to IPsec for encapsulation and '#pkts encrypt' counts those actually encrypted; they should be equal. Do not compare encaps with decaps, which count opposite directions.
Know that a missing SA (no output) usually means the IPsec (child) SA negotiation failed or no interesting traffic has triggered it yet; check the IKE SA with 'show crypto isakmp sa'.
Be able to read the transform (encryption and integrity algorithms), the tunnel mode and the IKE version from the output. The DH group is not shown here; it belongs to the IKE policy (and to PFS, if configured) and appears in the IKE SA display.
Common Mistakes
Confusing '#pkts encaps' with '#pkts encrypt' – encaps is before encryption, encrypt is after.
Ignoring error counters like '#pkts invalid sa (rcv)' which indicate SA mismatches.
Assuming a tunnel is up based on IKE SA alone; always verify IPsec SA for data plane.
Platform Notes
On Cisco ASA, 'show crypto ipsec sa' is close to its Cisco IOS counterpart, but there are differences. The ASA prints an 'in use settings' line that identifies the tunnel type (L2L for LAN-to-LAN, RA for remote access) and the IKE version that negotiated the SA; IOS prints a shorter settings line such as '{Tunnel, }'. The ASA also shows 'IV size' and 'replay detection support'. Both platforms accept the 'detail' keyword. On Juniper SRX the equivalent is 'show security ipsec security-associations', and on Palo Alto 'show vpn ipsec sa'; both use different layouts.
Version differences: IKEv2 support arrived in ASA 8.4(1), so on earlier releases every SA was negotiated with IKEv1 and the settings line will not show 'IKEv2'. The basic 'show crypto ipsec sa' form exists on all ASA releases; check the command reference for your release before relying on a particular filter keyword.