Show crypto ipsec sa Command

This command is executed from the privileged EXEC mode to view established IPsec SAs. To remove the existing SAs, use the clear crypto sa command. This command shows you all established SAs, and the output can become difficult to sort through if there are several established VPNs on the router. Several optional commands enable you to specify exactly what you are looking for on the router, as follows:

• address Enables you to define the destination peer IP address

• identity Displays flow information only

• interface Enables you to select connections terminating to a specific interface on the router

• map Enables you to select SAs that were created for a specific crypto map

• active Displays active security associations

• standby Displays security associations that are in a standby state

• Virtual routing and forwarding (VRF):

- peer Enables you to identify all VRF SAs based on address or VRF name

- detail Provides detailed error counters

Example 21-3 depicts the output from the New York router when it has an established SA with the router in San Francisco (with no optional commands used).

0 0

Post a comment