show vpn-sessiondb
Displays detailed information about active VPN sessions on the Cisco ASA Firewall.
Overview
The 'show vpn-sessiondb' command is a critical diagnostic tool on Cisco ASA Firewalls for monitoring and troubleshooting VPN sessions. It provides real-time visibility into all active VPN connections, including AnyConnect remote access, clientless SSL VPN, IPsec LAN-to-LAN tunnels, and other VPN types. The command retrieves session details from the ASA's session database, which tracks each VPN tunnel's state, user identity, encryption parameters, traffic statistics, and duration. This information is essential for verifying that VPN configurations are working as intended, ensuring security policies are enforced, and identifying potential issues such as authentication failures, encryption mismatches, or resource exhaustion.
Networking concepts behind this command include VPN tunnel establishment, session management, and security association (SA) tracking. When a VPN client connects, the ASA creates a session entry that persists until the tunnel is torn down. The session database is updated in real-time as traffic flows, allowing administrators to see current byte counts and idle times. On the ASA platform, this command is available in privileged EXEC mode and can be filtered by session type, user attributes, or sorted by various fields to narrow down specific sessions. It is commonly used during troubleshooting workflows to check if a user is connected, verify their assigned IP address, confirm encryption strength, or detect unusually long idle times that may indicate a hung session.
Compared to similar commands on other platforms, such as 'show crypto session' on IOS routers, 'show vpn-sessiondb' offers more granular detail and is specifically optimized for ASA's VPN capabilities. It also supports a summary mode for quick health checks. Understanding how to interpret the output is vital for network engineers managing remote access VPNs, as it directly impacts security and user experience.
show vpn-sessiondb [all | anyconnect | ipsec | l2l | l2l-ipv6 | load-balancing | nac | nac-policy | nac-session | ssl | webvpn] [filter {name value | aaa-user | assigned-ip | browser-proxy | client-type | client-version | duration | encryption | group | group-alias | group-policy | idle | ip-addr | ip-addr-assign | login-time | public-ip | pxf | radius-session-id | username | vpn-access-time | vpn-features | vpn-session-id | vpn-tunnel-protocol}] [sort {aaa-user | assigned-ip | client-type | client-version | duration | encryption | group | group-alias | group-policy | idle | ip-addr | ip-addr-assign | login-time | public-ip | username | vpn-access-time | vpn-tunnel-protocol}] [count] [summary]
When to Use This Command
- Verify active VPN connections after a configuration change to ensure users are connected correctly.
- Troubleshoot a user unable to access resources by checking their session details and assigned IP.
- Monitor VPN session counts for capacity planning or license compliance.
- Identify idle or long-duration sessions that may indicate security issues or need for reauthentication.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| all | all | Displays detailed information for all active VPN sessions of all types. This is the most comprehensive output. |
| anyconnect | anyconnect | Filters the output to show only AnyConnect (SSL VPN) sessions, including both client-based and clientless if applicable. |
| ipsec | ipsec | Displays only IPsec VPN sessions, including LAN-to-LAN and remote access IPsec (IKEv1/IKEv2). |
| l2l | l2l | Shows only LAN-to-LAN IPsec VPN sessions, excluding remote access IPsec. |
| l2l-ipv6 | l2l-ipv6 | Displays only IPv6 LAN-to-LAN IPsec VPN sessions. |
| load-balancing | load-balancing | Shows VPN session load-balancing information, including cluster status and session distribution. |
| nac | nac | Displays Network Admission Control (NAC) session information. |
| nac-policy | nac-policy | Shows NAC policy details for VPN sessions. |
| nac-session | nac-session | Displays NAC session details for VPN users. |
| ssl | ssl | Shows SSL VPN sessions (both AnyConnect and clientless). |
| webvpn | webvpn | Displays only clientless SSL VPN (WebVPN) sessions. |
| filter | filter {name value | aaa-user | assigned-ip | ...} | Filters the output based on a specific attribute, such as username, group, or IP address. Useful for isolating a single session. |
| sort | sort {aaa-user | assigned-ip | ...} | Sorts the output by a specified field, such as username or duration, to help identify patterns. |
| count | count | Displays only the total number of sessions matching the filter, without detailed output. |
| summary | summary | Provides a high-level summary of active sessions by type, including counts and maximums. |
Command Examples
Display all active VPN sessions
```
show vpn-sessiondb all

Session Type: AnyConnect

Username     : jdoe                   Index        : 1
Assigned IP  : 10.10.10.1             Public IP    : 203.0.113.5
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AES-256                Hashing      : SHA-384
Bytes Tx     : 12345678               Bytes Rx     : 87654321
Group Policy : Engineering            Tunnel Group : Eng-VPN
Login Time   : 12:34:56 UTC Mon Mar 10 2025
Duration     : 2h:34m:12s
Idle Time    : 0h:05m:23s
```
Shows one AnyConnect session for user jdoe. Assigned IP is the internal IP, Public IP is the external IP. Protocol indicates multiple tunnels. Encryption and hashing show strong security. Bytes Tx/Rx indicate traffic volume. Login time and duration show session age. Idle time is low, indicating active use.
Display summary of all VPN sessions
```
show vpn-sessiondb summary

VPN Session Summary
Active Sessions    : 25
Maximum Sessions   : 100
Cumulative         : 1500
AnyConnect Client  : 20
Clientless SSL VPN : 3
IPsec LAN-to-LAN   : 2
IPsec IKEv1        : 0
IPsec IKEv2        : 0
Load Balancing     : Disabled
NAC                : Disabled
```
Provides a high-level count of active sessions broken down by type. Useful for a quick health check. Active vs. maximum shows utilization. Cumulative shows the total number of sessions since the last reboot.
Understanding the Output
The output of 'show vpn-sessiondb' is organized per session. Key fields include: Username (the authenticated user), Assigned IP (internal IP assigned to the VPN client), Public IP (the external IP of the client), Protocol (e.g., AnyConnect-Parent SSL-Tunnel DTLS-Tunnel indicates multiple tunnels for redundancy), Encryption and Hashing (should be strong like AES-256 and SHA-384 for security), Bytes Tx/Rx (traffic counters, useful for bandwidth monitoring), Group Policy and Tunnel Group (applied policies), Login Time and Duration (session age), and Idle Time (time since last traffic; high idle may indicate a stale session). Healthy values: Encryption AES-256 or higher, Hashing SHA-256 or higher, Idle Time low (seconds to minutes), Duration reasonable for work hours. Problem values: Weak encryption (DES, MD5), very high idle time (hours), or unexpected public IPs (possible unauthorized access). The summary view gives a quick count; if active sessions approach maximum, consider scaling or license upgrade. Cumulative sessions help track total usage over time.
Configuration Scenarios
Verifying AnyConnect VPN Sessions After Configuration Change
After modifying the AnyConnect VPN group policy to enforce stronger encryption, an administrator wants to verify that existing sessions are using the new settings.
Topology
[Internet] --- [ASA (outside: 203.0.113.1)] --- [Inside Network]
Steps
1. Connect to the ASA via SSH or console.
2. Enter privileged EXEC mode with 'enable'.
3. Run 'show vpn-sessiondb anyconnect' to list all AnyConnect sessions.
4. Check the Encryption field for each session; it should show AES-256 or higher.
5. If any session shows weak encryption, disconnect it using 'vpn-sessiondb logoff' and instruct the user to reconnect.
! No configuration change needed for this verification step.
Verify: Run 'show vpn-sessiondb anyconnect' and confirm all sessions show Encryption: AES-256.
Watch out: Existing sessions may not pick up new encryption settings until they reconnect; the ASA does not renegotiate active tunnels automatically.
Troubleshooting a User Unable to Access Resources
A user reports they cannot reach internal servers after connecting via AnyConnect. The administrator needs to check the user's session details.
Topology
[User Laptop] --- [Internet] --- [ASA (outside: 203.0.113.1)] --- [Internal Server: 10.10.10.100]
Steps
1. Obtain the user's username (e.g., jdoe).
2. Run 'show vpn-sessiondb filter name jdoe' to see the specific session.
3. Check the Assigned IP (e.g., 10.10.10.1) and verify it is in the correct subnet.
4. Check the Group Policy and Tunnel Group to ensure the correct access policies are applied.
5. Verify the Public IP matches the user's expected external IP.
6. Check Idle Time; if it is very high, the session may be stale.
! No configuration change needed for troubleshooting.
Verify: The user's session should show an Assigned IP in the correct pool and a Group Policy that allows access to the internal server.
Watch out: The user's public IP may be behind NAT; the ASA sees the NAT address, not the actual client IP.
Troubleshooting with This Command
The 'show vpn-sessiondb' command is invaluable for troubleshooting VPN connectivity issues on Cisco ASA. When a user cannot connect or experiences poor performance, start by checking the session database to confirm the user is actually connected. Use 'show vpn-sessiondb filter name <username>' to isolate a specific session. Look at the 'Protocol' field: for AnyConnect, you should see 'AnyConnect-Parent SSL-Tunnel DTLS-Tunnel' indicating both control and data channels are up. If only SSL-Tunnel is present, DTLS may be blocked, causing performance issues. Check 'Encryption' and 'Hashing' to ensure strong algorithms are in use; weak encryption (e.g., DES, MD5) may indicate a misconfiguration or downgrade attack. 'Bytes Tx/Rx' counters should be incrementing; if they are zero or very low, the tunnel may be up but no traffic is flowing, possibly due to routing or ACL issues. 'Idle Time' is critical: a high idle time (e.g., >30 minutes) suggests the session is inactive and may need to be terminated to free resources. If the user reports intermittent drops, check 'Duration' and compare with login time to see if the session has been re-established recently. For LAN-to-LAN tunnels, use 'show vpn-sessiondb l2l' to verify both ends are up and see traffic statistics. If sessions are not appearing, check the ASA's syslogs for authentication failures or phase 1/2 errors. The summary view ('show vpn-sessiondb summary') helps identify capacity issues: if 'Active Sessions' is near 'Maximum Sessions', consider upgrading the license or optimizing session timeouts. Additionally, if you see unexpected sessions from unknown public IPs, investigate potential unauthorized access. Remember that the session database is cleared on ASA reboot, so cumulative counts reset. For persistent issues, correlate with 'debug crypto' commands, but use caution in production.
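As an added example (not part of this page or of Cisco's tooling), the Python script below parses 'show vpn-sessiondb all' output in the layout shown earlier and applies the checks from the 'Understanding the Output' and troubleshooting sections: weak crypto, a missing DTLS tunnel, zero traffic counters, and idle time above 30 minutes. The session text, usernames and addresses are constructed sample data, and the weak-algorithm set and the idle threshold are assumptions chosen here.

```python
import re
from datetime import timedelta
# Constructed sample in the page's 'show vpn-sessiondb all' layout (not real ASA output).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : jdoe                   Index        : 1
Assigned IP  : 10.10.10.1             Public IP    : 203.0.113.5
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AES-256                Hashing      : SHA-384
Bytes Tx     : 12345678               Bytes Rx     : 87654321
Idle Time    : 0h:05m:23s

Username     : asmith                 Index        : 2
Assigned IP  : 10.10.10.2             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : DES                    Hashing      : MD5
Bytes Tx     : 0                      Bytes Rx     : 0
Idle Time    : 1h:02m:00s
"""

# Each output line carries one or two "Key : Value" pairs separated by runs of spaces.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")
WEAK = {"DES", "3DES", "MD5", "SHA1"}   # thresholds chosen here; the page names DES and MD5

def parse_sessions(text):
    """One dict of fields per session; a 'Username' line starts a new session."""
    sessions, session_type = [], None
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        session_type = fields.pop("Session Type", session_type)
        if "Username" in fields:
            sessions.append({"Session Type": session_type})
        if sessions:
            sessions[-1].update(fields)
    return sessions

def check_session(s, idle_limit=timedelta(minutes=30)):
    """Health checks from the sections above; an empty list means the session looks OK."""
    findings = []
    if s.get("Encryption") in WEAK or s.get("Hashing") in WEAK:
        findings.append(f"weak crypto {s.get('Encryption')}/{s.get('Hashing')}")
    if "SSL-Tunnel" in s.get("Protocol", "") and "DTLS-Tunnel" not in s["Protocol"]:
        findings.append("DTLS tunnel missing (UDP 443 blocked? expect poor performance)")
    if s.get("Bytes Tx") == "0" and s.get("Bytes Rx") == "0":
        findings.append("tunnel up but no traffic (check routing/ACLs)")
    m = re.fullmatch(r"(\d+)h:(\d+)m:(\d+)s", s.get("Idle Time", ""))
    if m and timedelta(hours=int(m[1]), minutes=int(m[2]), seconds=int(m[3])) > idle_limit:
        findings.append(f"idle {s['Idle Time']} exceeds {idle_limit}")
    return findings
```

Run it against the saved output of a real 'show vpn-sessiondb all' by reading the file into parse_sessions() and calling check_session() on each returned dict.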
CCNA Exam Tips
Remember that 'show vpn-sessiondb' is specific to ASA; on IOS routers, use 'show crypto session' or 'show vpn-sessiondb' on IOS-XE with appropriate license.
Know the difference between 'all' (detailed per session) and 'summary' (aggregate counts).
Be able to identify session types: AnyConnect, Clientless SSL, IPsec LAN-to-LAN, and their corresponding protocol fields.
Common Mistakes
Using 'show vpn-sessiondb' without any filter on a busy ASA, which can overwhelm the output; always use filters or summary when possible.
Confusing 'Assigned IP' with 'Public IP'; the assigned IP is the internal VPN IP, public IP is the client's internet IP.
Assuming all sessions are AnyConnect; the output clearly shows session type, so check that field.
Platform Notes
On Cisco ASA, 'show vpn-sessiondb' is the primary command for VPN session monitoring. It differs from IOS/IOS-XE where similar information is obtained via 'show crypto session' or 'show vpn-sessiondb' (on IOS-XE with security license). ASA provides more detailed per-session output and supports extensive filtering. On ASA with version 9.x and later, the command includes support for IKEv2 sessions and IPv6 LAN-to-LAN. The 'summary' option is particularly useful for quick health checks. On FTD (Firepower Threat Defense), the equivalent command is 'show vpn-sessiondb' but may have limited output due to the FMC management plane; use 'system support vpn-sessiondb' for detailed info. On older ASA versions (pre-8.4), the command syntax was slightly different (e.g., 'show vpn-sessiondb' without 'all' option). Always check the ASA version with 'show version' to ensure correct syntax. For load balancing environments, 'show vpn-sessiondb load-balancing' provides cluster-specific data. Note that the session database is stored in memory; a large number of sessions can impact ASA performance, so use filters to limit output.