A network engineer is troubleshooting an IPsec VPN tunnel that fails to establish. The configuration includes a crypto map with a matching access list. Which command should be used to verify the IPsec (phase 2) security associations and their error counters?
Trap 1: show crypto engine statistics
Shows crypto engine utilization, not SA details.
Trap 2: debug crypto isakmp
Debug command that can impact performance; not a verification show command.
Trap 3: show crypto isakmp sa
Shows IKE phase 1 SAs, not IPsec phase 2 SAs.
- A
show crypto ipsec sa
Displays IPsec security associations and packet/error counters.
- B
show crypto engine statistics
Why wrong: Shows crypto engine utilization, not SA details.
- C
debug crypto isakmp
Why wrong: Debug command that can impact performance; not a verification show command.
- D
show crypto isakmp sa
Why wrong: Shows IKE phase 1 SAs, not IPsec phase 2 SAs.