Viewing and Managing Connections

Now that I've discussed how to build some basic types of L2L connections, I'll focus on how to view and manage these connections using some basic show, clear, and debug commands in the following two sections.

Viewing IPsec Data SAs

To view your ISAKMP/IKE Phase 2 data SAs, use the following show command:

Router# show crypto ipsec sa [map crypto_map_name | address | identity | interface interface_type_and_#] [detail]

If you don't enter any optional parameters, all data SAs are displayed. The address parameter sorts the SAs by the peers' IP addresses. The identity parameter displays a summarized view. You can restrict which data SAs are displayed with additional parameters: the map parameter limits the output to the SAs of the specified crypto map, whereas the interface parameter limits it to the SAs terminated on the specified interface. The detail parameter additionally displays the send and receive error counters.

Example 17-11 illustrates the use of this command. In this example, the local ident and remote ident lines specify the traffic to be protected, taken from the crypto ACL. The current_peer line specifies the remote peer's address. The first two #pkts lines give the number of IPsec packets encapsulated and decapsulated, encrypted and decrypted, and hashed and verified. Below this are the inbound and outbound SAs. Because only ESP is used for the data connections, only two SAs are seen (under inbound esp sas and outbound esp sas). In both cases the SAs are protected by AES-128 (esp-aes) for encryption and HMAC-MD5 (esp-md5-hmac) for integrity. AH and PCP (compression) are not used, so no SAs exist for them.

Example 17-11. Using the show crypto ipsec sa Command

r3640# show crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: mymap, local addr 192.1.1.40

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 192.1.1.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.1.1.40, remote crypto endpt.: 192.1.1.20
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xED39B285(3979981445)

     inbound esp sas:
      spi: 0x5B5A20FC(1532633340)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: SW:1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4458063/3572)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xED39B285(3979981445)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: SW:2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4458063/3570)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
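As an added example (not code from the book), the following Python script parses output in the show crypto ipsec sa format shown in Example 17-11 and flags the conditions an operator checks in it: nonzero send/receive error counters, an SA whose Status is not ACTIVE, an MD5-based integrity transform, and a key lifetime that is about to expire. The sample output is constructed in that format rather than captured from a router, and the field names, the audit rules and the min_sec threshold are my own assumptions.

```python
import re

# Constructed sample in the Example 17-11 format; the second SA has 45 s of lifetime left.
SAMPLE = """\
   current_peer 192.1.1.20 port 500
    #send errors 0, #recv errors 3
     inbound esp sas:
      spi: 0x5B5A20FC(1532633340)
        transform: esp-aes esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4458063/3572)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xED39B285(3979981445)
        transform: esp-aes esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4458063/45)
        Status: ACTIVE
"""

# Per-SA attribute lines: the first capture group is stored under the key.
SA_FIELDS = {"transform": r"transform: (.+?)\s*,?\s*$",
             "sec_left": r"sa timing: .*/(\d+)\)", "status": r"Status: (\w+)"}

def parse_ipsec_sa(text):
    # Returns one dict per peer, each holding its error counters and a list of SAs.
    peers, sa, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"current_peer (\S+)", line):
            peers.append({"peer": m.group(1), "send_err": 0, "recv_err": 0, "sas": []})
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", line):
            peers[-1]["send_err"], peers[-1]["recv_err"] = map(int, m.groups())
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = " ".join(m.groups())   # e.g. "inbound esp"
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            peers[-1]["sas"].append(sa := {"sa": section, "spi": m.group(1)})
        elif sa is not None:                  # attribute line of the current SA
            for key, pat in SA_FIELDS.items():
                if m := re.match(pat, line):
                    sa[key] = m.group(1)
    return peers

def audit(peers, min_sec=300):
    # Returns one string per condition an operator should act on.
    out = []
    for p in peers:
        if p["send_err"] or p["recv_err"]:
            out.append(f"{p['peer']}: send/recv errors {p['send_err']}/{p['recv_err']}")
        for sa in p["sas"]:
            checks = [(sa.get("status") != "ACTIVE", f"status {sa.get('status')}"),
                      ("md5" in sa.get("transform", ""), "MD5 integrity in transform set"),
                      (int(sa.get("sec_left", min_sec)) < min_sec, "key lifetime nearly exhausted")]
            out += [f"{p['peer']} {sa['sa']} {sa['spi']}: {msg}" for bad, msg in checks if bad]
    return out
```

Run audit(parse_ipsec_sa(SAMPLE)) to see the four findings the constructed sample produces; feed it real output captured from the router (with or without the detail keyword) to audit a live tunnel.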


Managing IPsec Data SAs

Whenever you make changes to things such as crypto ACLs, transform sets, and other information related to an entry or entries in a crypto map, any existing data SAs built with this information are not updated automatically; you either have to wait for the data SA to expire, or tear them down manually to be rebuilt with the updated information. To tear down a data SA or SAs manually, use the following command:

Router# clear crypto sa [peer IP_address | map crypto_map_name | spi IP_address protocol SPI_# | counters]

If you don't specify any optional parameters, all data SAs are cleared on the router. To clear data SAs used with a specific remote peer, enter the peer parameter. To clear all data SAs associated with a particular crypto map, use the map parameter. To remove a specific SA based on a peer's IP address, data encapsulation protocol (AH or ESP), and SPI number, use the spi parameter. The counters parameter resets the statistical counters displayed in the show crypto ipsec sa command, like the #pkts information shown previously in Example 17-11.

The main debug command used to troubleshoot the setup of data SAs is debug crypto ipsec. I'll discuss this command in more depth in Chapter 19, "Troubleshooting Router Connections."
