VPN · Privileged EXEC

show crypto ipsec sa

Displays the current state and statistics of IPsec security associations (SAs) to verify VPN tunnel establishment and monitor encrypted traffic.

Syntax (Privileged EXEC)
show crypto ipsec sa

When to Use This Command

  • Verify that an IPsec VPN tunnel is up and active after configuration.
  • Troubleshoot why encrypted traffic is not passing through a VPN tunnel.
  • Monitor packet encryption/decryption counts and error counters for a specific SA.
  • Check the lifetime and expiration status of an IPsec SA to anticipate rekey events.

Command Examples

Basic display of all IPsec SAs

show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: CMAP, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 203.0.113.5
     plaintext mtu 1400, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xABCD1234(2882401844)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x5678EF01(1450745345)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500000/2879)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xABCD1234(2882401844)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500000/2879)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

The output shows one IPsec SA pair (inbound and outbound) for interface Tunnel0. 'local ident' and 'remote ident' define the traffic selectors. '#pkts encaps/encrypt' counts outbound encrypted packets; '#pkts decaps/decrypt' counts inbound decrypted packets. 'current outbound spi' is the Security Parameter Index used for outbound traffic. 'inbound esp sas' and 'outbound esp sas' show the transform set (esp-aes 256 esp-sha-hmac), the remaining lifetime in kilobytes and seconds, and the status (ACTIVE).

Detailed display for a specific peer

show crypto ipsec sa peer 203.0.113.5
interface: Tunnel0
    Crypto map tag: CMAP, local addr 192.168.1.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 192.168.1.1, remote crypto endpt.: 203.0.113.5
     plaintext mtu 1400, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xABCD1234(2882401844)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x5678EF01(1450745345)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500000/2879)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound esp sas:
      spi: 0xABCD1234(2882401844)
        transform: esp-aes 256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, sibling_flags 80000040, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500000/2879)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

Filtering by peer shows only SAs associated with that remote IP. This is useful when multiple VPN tunnels exist. The output is identical in structure to the basic display but limited to the specified peer.

Understanding the Output

The output is organized per interface and crypto map. Key fields:

  • 'local ident' and 'remote ident' define the traffic selectors (subnets, protocols and ports) that trigger encryption.
  • '#pkts encaps' and '#pkts encrypt' count outbound packets; '#pkts decaps' and '#pkts decrypt' count inbound packets. Large discrepancies may indicate asymmetric routing or an ACL misconfiguration.
  • '#send errors' and '#recv errors' should be zero; non-zero values indicate problems.
  • 'current outbound spi' is the SPI used for outbound packets.
  • Under 'inbound esp sas' and 'outbound esp sas', a healthy SA shows 'Status: ACTIVE'.
  • 'remaining key lifetime (k/sec)' shows how much traffic (in kilobytes) and time (in seconds) remain before rekey. If the lifetime approaches zero, the SA will expire.
  • 'transform' shows the encryption and authentication algorithms.
  • 'PFS (Y/N)' indicates whether Perfect Forward Secrecy is in use.
  • 'replay detection support: Y' is normal.
  • If 'Status' is not ACTIVE or the counters are not incrementing, the tunnel may be down or misconfigured.

CCNA Exam Tips

1. The 'show crypto ipsec sa' command is used to verify that IPsec SAs have been established; if no SAs appear, the tunnel is not up.

2. Pay attention to the '#pkts encaps' and '#pkts decaps' counters; if they are not incrementing when traffic is sent, the tunnel may not be matching the interesting traffic ACL.

3. The 'Status: ACTIVE' line is critical; if it shows 'ACTIVE' the SA is up; if missing or 'IDLE', the tunnel is down.

4. The 'remaining key lifetime' values help determine if the SA is about to expire; a rekey will occur automatically, but if the lifetime reaches zero, the SA is deleted.

Common Mistakes

Mistake 1: Assuming the tunnel is up based on 'show crypto isakmp sa' alone; IPsec SAs must also be present. Always check 'show crypto ipsec sa'.

Mistake 2: Misinterpreting 'local ident' and 'remote ident'; these must match the crypto ACL exactly. If they show 0.0.0.0/0, the ACL may be misconfigured.

Mistake 3: Ignoring error counters; non-zero '#send errors' or '#recv errors' indicate problems like MTU issues or peer unreachability.
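As an added example (not part of the original page), a small Python parser that turns 'show crypto ipsec sa' output into structured records and applies the checks from 'Understanding the Output' and 'Common Mistakes' above: an ACTIVE ESP SA in each direction, non-wildcard traffic selectors, zero error counters, two-way packet counts and a lifetime that is not about to expire. The sample output is constructed from the format shown on this page; the regexes assume that layout, and the 300-second rekey threshold is an assumed value.

```python
import re
# Constructed sample in the page's 'show crypto ipsec sa' format; recv errors and the outbound lifetime are set to trigger findings.
SAMPLE = """interface: Tunnel0
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   current_peer 203.0.113.5 port 500
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #send errors 0, #recv errors 3
     inbound esp sas:
      spi: 0x5678EF01(1450745345)
        sa timing: remaining key lifetime (k/sec): (4500000/2879)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xABCD1234(2882401844)
        sa timing: remaining key lifetime (k/sec): (4500000/45)
        Status: ACTIVE
"""

def parse_flows(text):
    """Return one dict per crypto flow; each flow starts at its 'local  ident' line."""
    flows = []
    for chunk in re.split(r"(?=^[ \t]*local\s+ident)", text, flags=re.M)[1:]:
        f = {"peer": re.search(r"current_peer (\S+)", chunk).group(1), "sas": []}
        f["local"], f["remote"] = re.findall(r"ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)", chunk)
        f["encaps"], f["decaps"] = [int(re.search(rf"#pkts {k}: (\d+)", chunk).group(1)) for k in ("encaps", "decaps")]
        f["send_err"], f["recv_err"] = map(int, re.search(r"#send errors (\d+), #recv errors (\d+)", chunk).groups())
        # Only populated ESP sections carry a spi / lifetime / Status triple; empty ones are skipped.
        for d, spi, kb, sec, status in re.findall(
                r"(inbound|outbound) esp sas:\s*spi: (0x[0-9A-Fa-f]+).*?\((\d+)/(\d+)\)\s*Status: (\w+)", chunk, re.S):
            f["sas"].append({"dir": d, "spi": spi, "kb": int(kb), "sec": int(sec), "status": status})
        flows.append(f)
    return flows

def assess(flow, min_sec=300):
    """Apply the checks this page describes to one flow; an empty list means healthy (300 s threshold is assumed)."""
    findings = []
    active = {sa["dir"] for sa in flow["sas"] if sa["status"] == "ACTIVE"}
    if active != {"inbound", "outbound"}:
        findings.append("no ACTIVE inbound/outbound ESP SA pair: tunnel is down")
    if "0.0.0.0/0.0.0.0" in (flow["local"], flow["remote"]):
        findings.append("traffic selector is 0.0.0.0/0: crypto ACL may be misconfigured")
    if flow["send_err"] or flow["recv_err"]:
        findings.append(f"errors: send={flow['send_err']} recv={flow['recv_err']}")
    if (flow["encaps"] == 0) != (flow["decaps"] == 0):
        findings.append("one-way traffic: check the interesting-traffic ACL and return routing")
    for sa in flow["sas"]:
        if sa["sec"] < min_sec:
            findings.append(f"{sa['dir']} SA {sa['spi']} rekeys in {sa['sec']}s")
    return findings
```

Feed it the text captured from the device (for example via a terminal log or an SSH library) and run assess() on each flow; comparing two captures a few seconds apart shows whether the counters are actually incrementing.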
