Cisco ASA Series Command Reference
show crashinfo -- show curpriv
Download this chapter
show crashinfo -- show curprivshow crashinfo -- show curpriv
Download the complete book
Cisco ASA Series Command ReferenceCisco ASA Series Command Reference (PDF - 17 MB)
 Feedback

Table Of Contents

show crashinfo through show curpriv Commands

show crashinfo

show crashinfo console

show crypto accelerator statistics

show crypto ca certificates

show crypto ca crl

show crypto ca server

show crypto ca server cert-db

show crypto ca server certificate

show crypto ca server crl

show crypto ca server user-db

show crypto ca trustpool

show crypto ca trustpool policy

show crypto debug-condition

show crypto ikev1 sa

show crypto ikev2 sa

show crypto ipsec df-bit

show crypto ipsec fragmentation

show crypto ipsec policy

show crypto ipsec sa

show crypto ipsec stats

show crypto isakmp sa

show crypto isakmp stats

show crypto key mypubkey

show crypto protocol statistics

show crypto sockets

show csc node-count

show ctiqbe

show ctl-file

show cts environment-data

show cts environment-data sg-table

show cts pac

show cts sgt-map

show cts sxp connections

show cts sxp sgt-map

show curpriv


show crashinfo through show curpriv Commands

show crashinfo

To display the contents of the crash file stored in Flash memory, enter the show crashinfo command in privileged EXEC mode.

show crashinfo [save]

Syntax Description

save

(Optional) Displays if the ASA is configured to save crash information to Flash memory or not.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

If the crash file is from a test crash (generated from the crashinfo test command), the first string of the crash file is ": Saved_Test_Crash" and the last string is ": End_Test_Crash". If the crash file is from a real crash, the first string of the crash file is ": Saved_Crash" and the last string is ": End_Crash". (This includes crashes from use of the crashinfo force page-fault or crashinfo force watchdog commands).

If there is no crash data saved in flash, or if the crash data has been cleared by entering the clear crashinfo command, the show crashinfo command displays an error message.

Examples

The following example shows how to display the current crash information configuration: 

hostname# show crashinfo save

crashinfo save enable

The following example shows the output for a crash file test. (However, this test does not actually crash the ASA. It provides a simulated example file.) 

hostname(config)# crashinfo test

hostname(config)# exit

hostname# show crashinfo

: Saved_Test_Crash

Thread Name: ci/console (Old pc 0x001a6ff5 ebp 0x00e88920)

Traceback:

0: 00323143

1: 0032321b

2: 0010885c

3: 0010763c

4: 001078db

5: 00103585

6: 00000000

    vector 0x000000ff (user defined)

       edi 0x004f20c4

       esi 0x00000000

       ebp 0x00e88c20

       esp 0x00e88bd8

       ebx 0x00000001

       edx 0x00000074

       ecx 0x00322f8b

       eax 0x00322f8b

error code n/a

       eip 0x0010318c

        cs 0x00000008

    eflags 0x00000000

       CR2 0x00000000

F-flags  : 0x2

F-flags2 : 0x0

F-flags3 : 0x10000

F-flags4 : 0x0

F-bytes  : 0

Stack dump: base:0x00e8511c size:16384, active:1476

0x00e89118: 0x004f1bb4

0x00e89114: 0x001078b4

0x00e89110-0x00e8910c: 0x00000000

0x00e89108-0x00e890ec: 0x12345678

0x00e890e8: 0x004f1bb4

0x00e890e4: 0x00103585

0x00e890e0: 0x00e8910c

0x00e890dc-0x00e890cc: 0x12345678

0x00e890c8: 0x00000000

0x00e890c4-0x00e890bc: 0x12345678

0x00e890b8: 0x004f1bb4

0x00e890b4: 0x001078db

0x00e890b0: 0x00e890e0

0x00e890ac-0x00e890a8: 0x12345678

0x00e890a4: 0x001179b3

0x00e890a0: 0x00e890b0

0x00e8909c-0x00e89064: 0x12345678

0x00e89060: 0x12345600

0x00e8905c: 0x20232970

0x00e89058: 0x616d2d65

0x00e89054: 0x74002023

0x00e89050: 0x29676966

0x00e8904c: 0x6e6f6328

0x00e89048: 0x31636573

0x00e89044: 0x7069636f

0x00e89040: 0x64786970

0x00e8903c-0x00e88e50: 0x00000000

0x00e88e4c: 0x000a7473

0x00e88e48: 0x6574206f

0x00e88e44: 0x666e6968

0x00e88e40: 0x73617263

0x00e88e3c-0x00e88e38: 0x00000000

0x00e88e34: 0x12345600

0x00e88e30-0x00e88dfc: 0x00000000

0x00e88df8: 0x00316761

0x00e88df4: 0x74706100

0x00e88df0: 0x12345600

0x00e88dec-0x00e88ddc: 0x00000000

0x00e88dd8: 0x00000070

0x00e88dd4: 0x616d2d65

0x00e88dd0: 0x74756f00

0x00e88dcc: 0x00000000

0x00e88dc8: 0x00e88e40

0x00e88dc4: 0x004f20c4

0x00e88dc0: 0x12345600

0x00e88dbc: 0x00000000

0x00e88db8: 0x00000035

0x00e88db4: 0x315f656c

0x00e88db0: 0x62616e65

0x00e88dac: 0x0030fcf0

0x00e88da8: 0x3011111f

0x00e88da4: 0x004df43c

0x00e88da0: 0x0053fef0

0x00e88d9c: 0x004f1bb4

0x00e88d98: 0x12345600

0x00e88d94: 0x00000000

0x00e88d90: 0x00000035

0x00e88d8c: 0x315f656c

0x00e88d88: 0x62616e65

0x00e88d84: 0x00000000

0x00e88d80: 0x004f20c4

0x00e88d7c: 0x00000001

0x00e88d78: 0x01345678

0x00e88d74: 0x00f53854

0x00e88d70: 0x00f7f754

0x00e88d6c: 0x00e88db0

0x00e88d68: 0x00e88d7b

0x00e88d64: 0x00f53874

0x00e88d60: 0x00e89040

0x00e88d5c-0x00e88d54: 0x12345678

0x00e88d50-0x00e88d4c: 0x00000000

0x00e88d48: 0x004f1bb4

0x00e88d44: 0x00e88d7c

0x00e88d40: 0x00e88e40

0x00e88d3c: 0x00f53874

0x00e88d38: 0x004f1bb4

0x00e88d34: 0x0010763c

0x00e88d30: 0x00e890b0

0x00e88d2c: 0x00e88db0

0x00e88d28: 0x00e88d88

0x00e88d24: 0x0010761a

0x00e88d20: 0x00e890b0

0x00e88d1c: 0x00e88e40

0x00e88d18: 0x00f53874

0x00e88d14: 0x0010166d

0x00e88d10: 0x0000000e

0x00e88d0c: 0x00f53874

0x00e88d08: 0x00f53854

0x00e88d04: 0x0048b301

0x00e88d00: 0x00e88d30

0x00e88cfc: 0x0000000e

0x00e88cf8: 0x00f53854

0x00e88cf4: 0x0048a401

0x00e88cf0: 0x00f53854

0x00e88cec: 0x00f53874

0x00e88ce8: 0x0000000e

0x00e88ce4: 0x0048a64b

0x00e88ce0: 0x0000000e

0x00e88cdc: 0x00f53874

0x00e88cd8: 0x00f7f96c

0x00e88cd4: 0x0048b4f8

0x00e88cd0: 0x00e88d00

0x00e88ccc: 0x0000000f

0x00e88cc8: 0x00f7f96c

0x00e88cc4-0x00e88cc0: 0x0000000e

0x00e88cbc: 0x00e89040

0x00e88cb8: 0x00000000

0x00e88cb4: 0x00f5387e

0x00e88cb0: 0x00f53874

0x00e88cac: 0x00000002

0x00e88ca8: 0x00000001

0x00e88ca4: 0x00000009

0x00e88ca0-0x00e88c9c: 0x00000001

0x00e88c98: 0x00e88cb0

0x00e88c94: 0x004f20c4

0x00e88c90: 0x0000003a

0x00e88c8c: 0x00000000

0x00e88c88: 0x0000000a

0x00e88c84: 0x00489f3a

0x00e88c80: 0x00e88d88

0x00e88c7c: 0x00e88e40

0x00e88c78: 0x00e88d7c

0x00e88c74: 0x001087ed

0x00e88c70: 0x00000001

0x00e88c6c: 0x00e88cb0

0x00e88c68: 0x00000002

0x00e88c64: 0x0010885c

0x00e88c60: 0x00e88d30

0x00e88c5c: 0x00727334

0x00e88c58: 0xa0ffffff

0x00e88c54: 0x00e88cb0

0x00e88c50: 0x00000001

0x00e88c4c: 0x00e88cb0

0x00e88c48: 0x00000002

0x00e88c44: 0x0032321b

0x00e88c40: 0x00e88c60

0x00e88c3c: 0x00e88c7f

0x00e88c38: 0x00e88c5c

0x00e88c34: 0x004b1ad5

0x00e88c30: 0x00e88c60

0x00e88c2c: 0x00e88e40

0x00e88c28: 0xa0ffffff

0x00e88c24: 0x00323143

0x00e88c20: 0x00e88c40

0x00e88c1c: 0x00000000

0x00e88c18: 0x00000008

0x00e88c14: 0x0010318c

0x00e88c10-0x00e88c0c: 0x00322f8b

0x00e88c08: 0x00000074

0x00e88c04: 0x00000001

0x00e88c00: 0x00e88bd8

0x00e88bfc: 0x00e88c20

0x00e88bf8: 0x00000000

0x00e88bf4: 0x004f20c4

0x00e88bf0: 0x000000ff

0x00e88bec: 0x00322f87

0x00e88be8: 0x00f5387e

0x00e88be4: 0x00323021

0x00e88be0: 0x00e88c10

0x00e88bdc: 0x004f20c4

0x00e88bd8: 0x00000000 *

0x00e88bd4: 0x004eabb0

0x00e88bd0: 0x00000001

0x00e88bcc: 0x00f5387e

0x00e88bc8-0x00e88bc4: 0x00000000

0x00e88bc0: 0x00000008

0x00e88bbc: 0x0010318c

0x00e88bb8-0x00e88bb4: 0x00322f8b

0x00e88bb0: 0x00000074

0x00e88bac: 0x00000001

0x00e88ba8: 0x00e88bd8

0x00e88ba4: 0x00e88c20

0x00e88ba0: 0x00000000

0x00e88b9c: 0x004f20c4

0x00e88b98: 0x000000ff

0x00e88b94: 0x001031f2

0x00e88b90: 0x00e88c20

0x00e88b8c: 0xffffffff

0x00e88b88: 0x00e88cb0

0x00e88b84: 0x00320032

0x00e88b80: 0x37303133

0x00e88b7c: 0x312f6574

0x00e88b78: 0x6972772f

0x00e88b74: 0x342f7665

0x00e88b70: 0x64736666

0x00e88b6c: 0x00020000

0x00e88b68: 0x00000010

0x00e88b64: 0x00000001

0x00e88b60: 0x123456cd

0x00e88b5c: 0x00000000

0x00e88b58: 0x00000008

Cisco XXX Firewall Version X.X

Cisco XXX Device Manager Version X.X

Compiled on Fri 15-Nov-04 14:35 by root

hostname up 10 days 0 hours

Hardware:   XXX-XXX, 64 MB RAM, CPU Pentium 200 MHz

Flash i28F640J5 @ 0x300, 16MB

BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0003.e300.73fd, irq 10

1: ethernet1: address is 0003.e300.73fe, irq 7

2: ethernet2: address is 00d0.b7c8.139e, irq 9

Licensed Features:

Failover:           Disabled

VPN-DES:            Enabled

VPN-3DES-AES:       Disabled

Maximum Interfaces: 3

Cut-through Proxy:  Enabled

Guards:             Enabled

URL-filtering:      Enabled

Inside Hosts:       Unlimited

Throughput:         Unlimited

IKE peers:          Unlimited

This XXX has a Restricted (R) license.

Serial Number: 480430455 (0x1ca2c977)

Running Activation Key: 0xc2e94182 0xc21d8206 0x15353200 0x633f6734 

Configuration last modified by enable_15 at 13:49:42.148 UTC Wed Nov 20 2004

------------------ show clock ------------------

15:34:28.129 UTC Sun Nov 24 2004

------------------ show memory ------------------

Free memory:        50444824 bytes

Used memory:        16664040 bytes

-------------     ----------------

Total memory:       67108864 bytes

------------------ show conn count ------------------

0 in use, 0 most used

------------------ show xlate count ------------------

0 in use, 0 most used

------------------ show vpn-sessiondb summary ------------------

Active Session Summary

Sessions:

                           Active : Cumulative : Peak Concurrent : Inactive

  SSL VPN               :       2 :          2 :               2

    Clientless only     :       0 :          0 :               0

    With client         :       2 :          2 :               2 :        0

  Email Proxy           :       0 :          0 :               0

  IPsec LAN-to-LAN      :       1 :          1 :               1

  IPsec Remote Access   :       0 :          0 :               0

  VPN Load Balancing    :       0 :          0 :               0

  Totals                :       3 :          3

License Information:

  Shared VPN License Information:

    SSL VPN                    :     1500

      Allocated to this device :       50

      Allocated in network     :       50

      Device limit             :      750

  IPsec   :    750    Configured :    750    Active :      1    Load :   0%

  SSL VPN :     52    Configured :     52    Active :      2    Load :   4%

                            Active : Cumulative : Peak Concurrent

  IPsec               :          1 :          1 :               1

  SSL VPN             :          2 :         10 :               2

    AnyConnect Mobile :          0 :          0 :               0

    Linksys Phone     :          0 :          0 :               0

  Totals              :          3 :         11

Tunnels:

                    Active : Cumulative : Peak Concurrent

  IKE         :          1 :          1 :               1

  IPsec       :          1 :          1 :               1

  Clientless  :          2 :          2 :               2

  SSL-Tunnel  :          2 :          2 :               2

  DTLS-Tunnel :          2 :          2 :               2

  Totals      :          8 :          8

------------------ show blocks ------------------

  SIZE    MAX    LOW    CNT

     4   1600   1600   1600

    80    400    400    400

   256    500    499    500

  1550   1188    795    927

------------------ show interface ------------------

interface ethernet0 "outside" is up, line protocol is up

  Hardware is i82559 ethernet, address is 0003.e300.73fd

  IP address 172.23.59.232, subnet mask 255.255.0.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        6139 packets input, 830375 bytes, 0 no buffer

        Received 5990 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        90 packets output, 6160 bytes, 0 underruns

        0 output errors, 13 collisions, 0 interface resets

        0 babbles, 0 late collisions, 47 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (5/128) software (0/2)

        output queue (curr/max blocks): hardware (0/1) software (0/1)

interface ethernet1 "inside" is up, line protocol is down

  Hardware is i82559 ethernet, address is 0003.e300.73fe

  IP address 10.1.1.1, subnet mask 255.255.255.0

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        1 packets output, 60 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        1 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/0)

        output queue (curr/max blocks): hardware (0/1) software (0/1)

interface ethernet2 "intf2" is administratively down, line protocol is down

  Hardware is i82559 ethernet, address is 00d0.b7c8.139e

  IP address 127.0.0.1, subnet mask 255.255.255.255

  MTU 1500 bytes, BW 10000 Kbit half duplex

        0 packets input, 0 bytes, 0 no buffer

        Received 0 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

        0 packets output, 0 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 babbles, 0 late collisions, 0 deferred

        0 lost carrier, 0 no carrier

        input queue (curr/max blocks): hardware (128/128) software (0/0)

        output queue (curr/max blocks): hardware (0/0) software (0/0)

------------------ show cpu usage ------------------

CPU utilization for 5 seconds = 0%; 1 minute: 0%; 5 minutes: 0%

------------------ show process ------------------

    PC       SP       STATE       Runtime    SBASE     Stack Process

Hsi 001e3329 00763e7c 0053e5c8          0 00762ef4 3784/4096 arp_timer

Lsi 001e80e9 00807074 0053e5c8          0 008060fc 3792/4096 FragDBGC

Lwe 00117e3a 009dc2e4 00541d18          0 009db46c 3704/4096 dbgtrace

Lwe 003cee95 009de464 00537718          0 009dc51c 8008/8192 Logger

Hwe 003d2d18 009e155c 005379c8          0 009df5e4 8008/8192 tcp_fast

Hwe 003d2c91 009e360c 005379c8          0 009e1694 8008/8192 tcp_slow

Lsi 002ec97d 00b1a464 0053e5c8          0 00b194dc 3928/4096 xlate clean

Lsi 002ec88b 00b1b504 0053e5c8          0 00b1a58c 3888/4096 uxlate clean

Mrd 002e3a17 00c8f8d4 0053e600          0 00c8d93c 7908/8192 tcp_intercept_times

Lsi 00423dd5 00d3a22c 0053e5c8          0 00d392a4 3900/4096 route_process

Hsi 002d59fc 00d3b2bc 0053e5c8          0 00d3a354 3780/4096 PIX Garbage Collecr

Hwe 0020e301 00d5957c 0053e5c8          0 00d55614 16048/16384 isakmp_time_keepr

Lsi 002d377c 00d7292c 0053e5c8          0 00d719a4 3928/4096 perfmon

Hwe 0020bd07 00d9c12c 0050bb90          0 00d9b1c4 3944/4096 IPsec

Mwe 00205e25 00d9e1ec 0053e5c8          0 00d9c274 7860/8192 IPsec timer handler

Hwe 003864e3 00db26bc 00557920          0 00db0764 6904/8192 qos_metric_daemon

Mwe 00255a65 00dc9244 0053e5c8          0 00dc8adc 1436/2048 IP Background

Lwe 002e450e 00e7bb94 00552c30          0 00e7ad1c 3704/4096 pix/trace

Lwe 002e471e 00e7cc44 00553368          0 00e7bdcc 3704/4096 pix/tconsole

Hwe 001e5368 00e7ed44 00730674          0 00e7ce9c 7228/8192 pix/intf0

Hwe 001e5368 00e80e14 007305d4          0 00e7ef6c 7228/8192 pix/intf1

Hwe 001e5368 00e82ee4 00730534       2470 00e8103c 4892/8192 pix/intf2

H*  001a6ff5 0009ff2c 0053e5b0       4820 00e8511c 12860/16384 ci/console

Csi 002dd8ab 00e8a124 0053e5c8          0 00e891cc 3396/4096 update_cpu_usage

Hwe 002cb4d1 00f2bfbc 0051e360          0 00f2a134 7692/8192 uauth_in

Hwe 003d17d1 00f2e0bc 00828cf0          0 00f2c1e4 7896/8192 uauth_thread

Hwe 003e71d4 00f2f20c 00537d20          0 00f2e294 3960/4096 udp_timer

Hsi 001db3ca 00f30fc4 0053e5c8          0 00f3004c 3784/4096 557mcfix

Crd 001db37f 00f32084 0053ea40  508286220 00f310fc 3688/4096 557poll

Lsi 001db435 00f33124 0053e5c8          0 00f321ac 3700/4096 557timer

Hwe 001e5398 00f441dc 008121e0          0 00f43294 3912/4096 fover_ip0

Cwe 001dcdad 00f4523c 00872b48        120 00f44344 3528/4096 ip/0:0

Hwe 001e5398 00f4633c 008121bc         10 00f453f4 3532/4096 icmp0

Hwe 001e5398 00f47404 00812198          0 00f464cc 3896/4096 udp_thread/0

Hwe 001e5398 00f4849c 00812174          0 00f475a4 3456/4096 tcp_thread/0

Hwe 001e5398 00f495bc 00812150          0 00f48674 3912/4096 fover_ip1

Cwe 001dcdad 00f4a61c 008ea850          0 00f49724 3832/4096 ip/1:1

Hwe 001e5398 00f4b71c 0081212c          0 00f4a7d4 3912/4096 icmp1

Hwe 001e5398 00f4c7e4 00812108          0 00f4b8ac 3896/4096 udp_thread/1

Hwe 001e5398 00f4d87c 008120e4          0 00f4c984 3832/4096 tcp_thread/1

Hwe 001e5398 00f4e99c 008120c0          0 00f4da54 3912/4096 fover_ip2

Cwe 001e542d 00f4fa6c 00730534          0 00f4eb04 3944/4096 ip/2:2

Hwe 001e5398 00f50afc 0081209c          0 00f4fbb4 3912/4096 icmp2

Hwe 001e5398 00f51bc4 00812078          0 00f50c8c 3896/4096 udp_thread/2

Hwe 001e5398 00f52c5c 00812054          0 00f51d64 3832/4096 tcp_thread/2

Hwe 003d1a65 00f78284 008140f8          0 00f77fdc  300/1024 listen/http1

Mwe 0035cafa 00f7a63c 0053e5c8          0 00f786c4 7640/8192 Crypto CA

------------------ show failover ------------------

No license for Failover

------------------ show traffic ------------------

outside:

        received (in 865565.090 secs):

                6139 packets    830375 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 865565.090 secs):

                90 packets      6160 bytes

                0 pkts/sec      0 bytes/sec

inside:

        received (in 865565.090 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 865565.090 secs):

                1 packets       60 bytes

                0 pkts/sec      0 bytes/sec

intf2:

        received (in 865565.090 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

        transmitted (in 865565.090 secs):

                0 packets       0 bytes

                0 pkts/sec      0 bytes/sec

------------------ show perfmon ------------------

PERFMON STATS:    Current      Average

Xlates               0/s          0/s

Connections          0/s          0/s

TCP Conns            0/s          0/s

UDP Conns            0/s          0/s

URL Access           0/s          0/s

URL Server Req       0/s          0/s

TCP Fixup            0/s          0/s

TCPIntercept         0/s          0/s

HTTP Fixup           0/s          0/s

FTP Fixup            0/s          0/s

AAA Authen           0/s          0/s

AAA Author           0/s          0/s

AAA Account          0/s          0/s

: End_Test_Crash

Related Commands

Command
Description

clear crashinfo

Deletes the contents of the crash file.

crashinfo force

Forces a crash of the ASA.

crashinfo save disable

Disables crash information from writing to flash memory.

crashinfo test

Tests the ability of the ASA to save crash information to a file in flash memory.


show crashinfo console

To display the configuration setting of the crashinfo console command, enter the show crashinfo console command.

show crashinfo console

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(4)

This command was introduced.


Usage Guidelines

Compliance with FIPS 140-2 prohibits the distribution of Critical Secu rity Parameters (keys, passwords, etc.) outside of the crypto boundary (chassis). When the device crashes, due to an assert or checkheaps failure, it is possible that the stack or memory regions dumped to the console contain sensitive data. This output must be suppressed in FIPS-mode.

Examples 

sw8-5520(config)# show crashinfo console

crashinfo console enable

Related Commands

Command
Description

clear configure fips

Clears the system or module FIPS configuration information stored in NVRAM.

crashinfo console disable

Disables the reading, writing and configuration of crash write info to flash.

fips enable

Enables or disablea policy-checking to enforce FIPS compliance on the system or module.

show running-config fips

Displays the FIPS configuration that is running on the ASA.


show crypto accelerator statistics

To display the global and accelerator-specific statistics from the hardware crypto accelerator MIB, use the show crypto accelerator statistics command in global configuration or privileged EXEC mode.

show crypto accelerator statistics

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Usage Guidelines

The output statistics are defined as follows:

Accelerator 0 shows statistics for the software-based crypto engine.

Accelerator 1 shows statistics for the hardware-based crypto engine.

RSA statistics show RSA operations for 2048-bit keys, which are executed in software by default. This means that when you have a 2048-bit key, IKE/SSL VPN performs RSA operations in software during the IPsec/SSL negotiation phase. Actual IPsec/SSL traffic is still processed using hardware. This may cause high CPU if there are many simultaneous sessions starting at the same time, which may result in multiple RSA key operations and high CPU. If you run into a high CPU condition because of this, then you should use a 1024-bit key to process RSA key operations in hardware. To do so, you must reenroll the identity certificate. In releases 8.3(2) or later, you can also use the crypto engine large-mod-accel command on the 5510-5550 platforms to perform these operations in hardware.

If you are using a 2048-bit RSA key and the RSA processing is performed in software, you can use CPU profiling to determine which functions are causing high CPU usage. Generally, the bn_* and BN_* functions are math operations on the large data sets used for RSA, and are the most useful when examining CPU usage during an RSA operation in software. For example: 

@@@@@@@@@@@@@@@@@@................................ 36.50% : _bn_mul_add_words

@@@@@@@@@......................................... 19.75% : _bn_sqr_comba8

Diffie-Hellman statistics show that any crypto operation with a modulus size greater than 1024 is performed in software (for example, DH5 (Diffie-Hellman group 5 uses 1536)). If so, a 2048-bit key certificate will be processed in software, which can result in high CPU usage when a lot of sessions are running.

Note The ASA 5505 (with a Cavium CN505 processor) only supports Diffie-Hellman Groups 1 and 2 for hardware-accelerated, 768-bit and 1024-bit key generation. Diffie-Hellman Group 5 (1536-bit key generation) is performed in software.

A single crypto engine in the adaptive security appliance performs the IPsec and SSL operations. To display the versions of crypto (Cavium) microcode that are loaded into the hardware crypto accelerator at boot time, enter the show version command. For example: 

hostname(config) show version

Cisco Adaptive Security Appliance Software Version 8.0(4)8

Device Manager Version 6.1(5)

Compiled on Wed 15-Oct-09 17:27 by builders

System image file is "disk0:/interim/asa804-8-k8.bin"

Config file at boot was "startup-config"

asa up 5 days 17 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 512MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                              Boot microcode   : CN1000-MC-BOOT-2.00

                              SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                              IPsec microcode  : CNlite-MC-IPSECm-MAIN-2.05

DSA statistics show key generation in two phases. The first phase is a choice of algorithm parameters, which may be shared between different users of the system. The second phase computes private and public keys for a single user.

SSL statistics show records for the processor-intensive public key encryption algorithms involved in SSL transactions to the hardware crypto accelerator.

RNG statistics show records for a sender and receiver, which can generate the same set of random numbers automatically to use as keys.

Examples

The following example, entered in global configuration mode, shows global crypto accelerator statistics: 

hostname # show crypto accelerator statistics

Crypto Accelerator Status

-------------------------

[Capacity]

   Supports hardware crypto: True

   Supports modular hardware crypto: False

   Max accelerators: 1

   Max crypto throughput: 100 Mbps

   Max crypto connections: 750

[Global Statistics]

   Number of active accelerators: 1

   Number of non-operational accelerators: 0

   Input packets: 700

   Input bytes: 753488

   Output packets: 700

   Output error packets: 0

   Output bytes: 767496

[Accelerator 0]

   Status: Active

   Software crypto engine

   Slot: 0

   Active time: 167 seconds

   Total crypto transforms: 7

   Total dropped packets: 0

   [Input statistics]

      Input packets: 0

      Input bytes: 0

      Input hashed packets: 0

      Input hashed bytes: 0

      Decrypted packets: 0

      Decrypted bytes: 0

   [Output statistics]

      Output packets: 0

      Output bad packets: 0

      Output bytes: 0

      Output hashed packets: 0

      Output hashed bytes: 0

      Encrypted packets: 0

      Encrypted bytes: 0

   [Diffie-Hellman statistics]

      Keys generated: 0

      Secret keys derived: 0

   [RSA statistics]

      Keys generated: 0

      Signatures: 0

      Verifications: 0

      Encrypted packets: 0

      Encrypted bytes: 0

      Decrypted packets: 0

      Decrypted bytes: 0

   [DSA statistics]

      Keys generated: 0

      Signatures: 0

      Verifications: 0

   [SSL statistics]

      Outbound records: 0

      Inbound records: 0

   [RNG statistics]

      Random number requests: 98

      Random number request failures: 0

[Accelerator 1]

   Status: Active

   Encryption hardware device : Cisco ASA-55x0 on-board accelerator 

(revision 0x0)

                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2

                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

                             IPsec microcode  : CNlite-MC-IPSECm-MAIN-2.03

   Slot: 1

   Active time: 170 seconds

   Total crypto transforms: 1534

   Total dropped packets: 0

   [Input statistics]

      Input packets: 700

      Input bytes: 753544

      Input hashed packets: 700

      Input hashed bytes: 736400

      Decrypted packets: 700

      Decrypted bytes: 719944

   [Output statistics]

      Output packets: 700

      Output bad packets: 0

      Output bytes: 767552

      Output hashed packets: 700

      Output hashed bytes: 744800

      Encrypted packets: 700

      Encrypted bytes: 728352

   [Diffie-Hellman statistics]

      Keys generated: 97

      Secret keys derived: 1

   [RSA statistics]

      Keys generated: 0

      Signatures: 0

      Verifications: 0

      Encrypted packets: 0

      Encrypted bytes: 0

      Decrypted packets: 0

      Decrypted bytes: 0

   [DSA statistics]

      Keys generated: 0

      Signatures: 0

      Verifications: 0

   [SSL statistics]

      Outbound records: 0

      Inbound records: 0

   [RNG statistics]

      Random number requests: 1

      Random number request failures: 0

The following table describes what the output entries indicates.

Output  
Decription  

Capacity

This section pertains to the crypto acceleration that the ASA can support.

Supports hardware crypto

(True/False) The ASA can support hardware crypto acceleration.

Supports modular hardware crypto

(True/False) Any supported hardware crypto accelerator can be inserted as a separate plug-in card or module.

Max accelerators

The maximum number of hardware crypto accelerators that the ASA supports.

Mac crypto throughput

The maximum rated VPN throughput for the ASA.

Max crypto connections

The maximum number of supported VPN tunnels for the ASA.

Global Statistics

This section pertains to the combined hardware crypto accelerators in the ASA.

Number of active accelerators

The number of active hardware accelerators. An active hardware accelerator has been initialized and is avaialble to process crypto commands.

Number of non-operational accelerators

The number of inactive hardware accelerators. An inactive hardware accelerator has been detected, but either has not completed initialization or has failed and is no longer usable.

Input packets

The number of inbound packets processed by all hardware crypto accelerators.

Input bytes

The number of bytes of data in the processed inbound packets.

Output packets

The number of outbound packets processed by all hardware crypto accelerators.

Output error packets

The number of outbound packets processed processed by all hardware crypto accelerators in which an error has been detected.

Output bytes

The number of bytes of data in the processed outbound packets.

Accelerator 0

Each of these sections pertains to a crypto accelerator. The first one (Accelerator 0) is always the software crypto engine. Although not a hardware accelerator, the ASA uses it to perform specific crypto tasks, and its statistics appear here. Accelerators 1 and higher are always hardware crypto accelerators.

Status

The status of the accelerator, which indicates whether the accelerator is being initialized, is active, or has failed.

Software crypto engine

The type of accelerator and firmware version (if applicable).

Slot

The slot number of the accelerator (if applicable).

Active time

The length of time that the accelerator has been in the active state.

Total crypto transforms

The total number of crypto commands that were performed by the accelerator.

Total dropped packets

The total number of packets that were dropped by the accelerator because of errors.

Input statistics

This section pertains to input traffic that was processed by the accelerator. Input traffic is considered to be ciphertext that must be decrypted and/or authenticated.

Input packets

The number of input packets that have been processed by the accelerator.

Input bytes

The number of input bytes that have been processed by the accelerator

Input hashed packets

The number of packets for which the accelerator has performed hash operations.

Input hashed bytes

The number of bytes over which the accelerator has performed hash operations.

Decrypted packets

The number of packets for which the accelerator has performed symmetric decryption operations.

Decrypted bytes

The number of bytes over which the accelerator has performed symmetric decryption operations.

Output statistics

This section pertains to output traffic that has been processed by the accelerator. Input traffic is considered clear text that must be encrypted and/or hashed.

Output packets

The number of output packets that have been processed by the accelerator.

Output bad packets

The number of output packets that have been processed by the accelerator in which an error has been detected.

Output bytes

The number of output bytes that have been processed by the accelerator.

Output hashed packets

The number of packets for which the accelerator has performed outbound hash operations.

Output hashed bytes

The number of bytes over which the accelerator has performed outbound hash operations.

Encyrpted packets

The number of packets for which the accelerator has performed symmetric encryption operations.

Encyrpted bytes

The number of bytes over which the accelerator has performed symmetric encryption operations.

Diffie-Hellman statistics

This section pertains to Diffie-Hellman key exchange operations.

Keys generated

The number of Diffie-Hellman key sets that have been generated by the accelerator.

Secret keys derived

The number of Diffie-Hellman shared secrets that have been derived by the accelerator.

RSA statistics

This section pertains to RSA crypto operations.

Keys generated

The number of RSA key sets that have been generated by the accelerator.

Signatures

The number of RSA signature operations that have been performed by the accelerator.

Verifications

The number of RSA signature verifications that have been performed by the accelerator.

Encrypted packets

The number of packets for which the accelerator has performed RSA encryption operations.

Decrypted packets

The number of packets for which the accelerator has performed RSA decryption operations.

Decrypted bytes

The number of bytes of data over which the accelerator has performed RSA decryption operations.

DSA statistics

This section pertains to DSA operations. Note that DSA is not supported as of Version 8.2, so these statistics are no longer displayed.

Keys generated

The number of DSA key sets that have been generated by the accelerator.

Signatures

The number of DSA signature operations that have been performed by the accelerator.

Verifications

The number of DSA signature verifications that have been performed by the accelerator.

SSL statistics

This section pertains to SSL record processing operations.

Outbound records

The number of SSL records that have been encrypted and authenticated by the accelerator.

Inbound records

The number of SSL records that have been decrypted and authenticated by the accelerator.

RNG statistics

This section pertains to random number generation.

Random number requests

The number of requests to the accelerator for a random number.

Random number request failures

The number of randum number requests to the accelerator that did not succeed.


Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto protocol statistics

Displays the protocol-specific statistics from the crypto accelerator MIB.


show crypto ca certificates

To display the certificates associated with a specific trustpoint or to display all the certificates installed on the system, use the show crypto ca certificates command in global configuration or privileged EXEC mode.

show crypto ca certificates [trustpointname]

Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command displays all certificates installed on the ASA.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following is sample output from the show crypto ca certificates command: 

hostname(config)# show crypto ca certificates tp1

CA Certificate

Status: Available

Certificate Serial Number 2957A3FF296EF854FD0D6732FE25B45

Certificate Usage: Signature

Issuer:

CN = ms-root-sha-06-2004

OU = rootou

O = cisco

L = franklin

ST - massachusetts

C = US

EA = a@b.con

Subject: 

CN = ms-root-sha-06-2004

OU = rootou

O = cisco

L = franklin

ST = massachusetts

C = US

EA = example.com

CRL Distribution Point

ldap://w2kadvancedsrv/CertEnroll/ms-root-sha-06-2004.crl

Validity Date:

start date: 14:11:40 UTC Jun 26 2004

end date: 14:01:30 UTC Jun 4 2022

Associated Trustpoints: tp2 tp1

hostname(config)#

Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint configuration mode for a specified trustpoint.


show crypto ca crl

To display all cached CRLs or to display all CRLs cached for a specified trustpoint, use the show crypto ca crl command in global configuration or privileged EXEC mode.

show crypto ca crl [trustpool | trustpoint <trustpointname>]

Syntax Description

trustpointname

(Optional) The name of a trustpoint. If you do not specify a name, this command displays all CRLs cached on the ASA.

trustpool

tbd?


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

 

Privileged EXEC

 

Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following is sample output from the show crypto ca crl command: 

hostname(config)# show crypto ca crl tp1

CRL Issuer Name:

    cn=ms-sub1-ca-5-2004,ou=Franklin DevTest,o=Cisco

Systems,l=Franklin,st=MA,c=US,ea=user@example.com

    LastUpdate: 19:45:53 UTC Dec 24 2004

    NextUpdate: 08:05:53 UTC Jan 1 2005

    Retrieved from CRL Distribution Point:

      http://win2k-ad2.frk-ms-pki.cisco.com/CertEnroll/ms-sub1-ca-5-2004.crl

    Associated Trustpoints: tp1

hostname(config)#

Related Commands

Command
Description

crypto ca authenticate

Obtains a CA certificate for a specified trustpoint.

crypto ca crl request

Requests a CRL based on the configuration parameters of a specified trustpoint.

crypto ca enroll

Initiates the enrollment process with a CA.

crypto ca import

Imports a certificate to a specified trustpoint.

crypto ca trustpoint

Enters trustpoint configuration mode for a specified trustpoint.


show crypto ca server

To display the status of the local CA configuration on the ASA, use the show crypto ca server command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following is sample output from the show crypto ca server command: 

hostname# show crypto ca server

#Certificate Server LOCAL-CA-SERVER:

    Status: disabled

    State: disabled

    Server's configuration is unlocked (enter "no shutdown" to lock it)

    Issuer name: CN=asa1.cisco.com

    CA cert fingerprint: -Not found-

    Last certificate issued serial number: 0x0

    CA certificate expiration timer: 00:00:00 UTC Jan 1 2009

    CRL not present.

    Current primary storage dir: nvram:

hostname#

Related Commands

Command
Description

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.

debug crypto ca server

Shows debugging messages when you configure the local CA server.

show crypto ca server certificate

Displays the certificate of the local CA in base64 format.

show crypto ca server crl

Displays the lifetime of the local CA CRL.


show crypto ca server cert-db

To display all or a subset of local CA server certificates, including those issued to a specific user, use the show crypto ca server cert-db command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server cert-db [username username | allowed | enrolled | expired | on-hold]
[serial certificate-serial-number]

Syntax Description

allowed

Specifies that users who are allowed to enroll appear, regardless of the status of their certificate.

enrolled

Specifies that users with valid certificates appear.

expired

Specifies that users holding expired certificates appear.

on-hold

Specifies that users who have not yet enrolled appear.

serial certificate-serial-number

Specifies the serial number of a specific certificate that displays. The serial number must be in hexadecimal format.

username username

Specifies the certificate owner. The username may be a username or an e-mail address. For e-mail addresses, it is the e-mail address used to contact and deliver the one-time password (OTP) to the end user. An e-mail address is required to enable e-mail notifications for the end user.


Defaults

By default, if no username or certificate serial number is specified, the entire database of issued certificates appears.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The show crypto ca server cert-db command displays a list of the user certificates that are issued by the local CA server. You can display a subset of the certificate database by specifying a specific username with one or more of the optional certificate-type keywords, and/or with an optional certificate serial number.

If you specify a username without a keyword or a serial number, all of the certificates issued for that user appear. For each user, the output shows the username, e-mail address, domain name, the time period for which enrollment is allowed, and the number of times that the user has been notified with an enrollment invitation.

In addition, the following information appears in the output:

The NOTIFIED field is required to support multiple reminders. It tracks when a user needs to be notified of the OTP for enrollment and the reminder notification attempts. This field is set to 0 initially. It is incremented to 1 when the user entry is marked as being allowed to enroll. At this time, the initial OTP notification is generated.

The NOTIFY field is incremented each time a reminder is sent. Three notifications are sent before the OTP is due to expire. A notification is sent when the user is allowed to enroll, at the mid-point of the expiration, and when ¾ of the expiration time has passed. This field is used only for administrator-initiated enrollments. For automatic certificate renewals, the NOTIFYfield in the certificate database is used.

Each certificate displays the certificate serial number, the issued and expired dates, and the certificate status (Revoked/Not Revoked).

Examples

The following example requests the display of all of the certificates issued for asa by the CA server: 

hostname# show crypto ca server cert-db username asa

Username: asa

Renewal allowed until: Not Allowed

Number of times user notified: 0

PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013

Certificates Issued:

serial:   0x2

issued:   10:28:04 UTC Tue Sep 24 2013

expired:  10:28:04 UTC Thu Sep 26 2013

status:   Not Revoked

The following example requests the display of all the certificates issued by the local CA server with a serial number of 0x2:

hostname# show crypto ca server cert-db serial 2 

Username:asa

Renewal allowed until: Not Allowed

Number of times user notified: 0

PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013

Certificates Issued:

serial:   0x2

issued:   10:28:04 UTC Tue Sep 24 2013

expired:  10:28:04 UTC Thu Sep 26 2013

status:   Not Revoked

The following example requests the display of all of the certificates issued by the local CA server: 

hostname# show crypto ca server cert-db

Username: asa

Renewal allowed until: Not Allowed

Number of times user notified: 0

PKCS12 file stored until: 10:28:05 UTC Wed Sep 25 2013

Certificates Issued:

serial:   0x2

issued:   10:28:04 UTC Tue Sep 24 2013

expired:  10:28:04 UTC Thu Sep 26 2013

status:   Not Revoked

Related Commands

Command
Description

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.

crypto ca server revoke

Marks a certificate issued by the local CA server as revoked in both the certificate database and CRL.

lifetime crl

Specifies the lifetime of the CRL.


show crypto ca server certificate

To display the certificate for the local CA server in base64 format, use the show crypto ca server certificate command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server certificate

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Usage Guidelines

The show crypto ca server certificate command displays the local CA server certificate in base64 format. This display allows you to cut and paste a certificate while exporting it to other devices that need to trust the local CA server.

Examples

The following is sample output from the show crypto ca server certificate command: 

hostname# show crypto ca server certificate

The base64 encoded local CA certificate follows:

MIIXlwIBAzCCF1EGCSqGSIb3DQEHAaCCF0IEghc+MIIXOjCCFzYGCSqGSIb3DQEHBqCCFycwghcjAgEAMIIXHAYJKo
ZIhvcNAQcBMBsGCiqGSIb3DQEMAQMwDQQIjph4SxJoyTgCAQGAghbw3v4bFy+GGG2dJnB4OLphsUM+IG3SDOiDwZG9
n1SvtMieoxd7Hxknxbum06JDrujWKtHBIqkrm+td34qlNE1iGeP2YC94/NQ2z+4kS+uZzwcRhl1KEZTS1E4L0fSaC3
uMTxJq2NUHYWmoc8pi4CIeLj3h7VVMy6qbx2AC8I+q57+QG5vG5l5Hi5imwtYfaWwPEdPQxaWZPrzoG1J8BFqdPa1j
BGhAzzuSmElm3j/2dQ3Atro1G9nIsRHgV39fcBgwz4fEabHG7/Vanb+fj81d5nlOiJjDYYbP86tvbZ2yOVZR6aKFVI
0b2AfCr6PbwfC9U8Z/aF3BCyM2sN2xPJrXva94CaYrqyotZdAkSYA5KWScyEcgdqmuBeGDKOncTknfgy0XM+fG5rb3
qAXy1GkjyFI5Bm9Do6RUROoG1DSrQrKeq/hj....

hostname#

Related Commands

Command
Description

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage a local CA.

issuer-name

Specifies the subject-name DN of the certificate authority certificate.

keysize

Specifies the size of the public and private keys generated at user certificate enrollment.

lifetime

Specifies the lifetime of the CA certificate and issued certificates.

show crypto ca server

Displays the local CA configuration in ASCII text format.


show crypto ca server crl

To display the current CRL of the local CA, use the show crypto ca server crl command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server crl

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following is sample output from the show crypto ca server crl command: 

hostname# show crypto ca server crl

asa5540(config)# sh cry ca ser crl  

Certificate Revocation List:

    Issuer: cn=asa5540.frqa.cisco.com

    This Update: 07:32:27 UTC Oct 16 2006

    Next Update: 13:32:27 UTC Oct 16 2006

    Number of CRL entries: 0

    CRL size: 232 bytes

asa5540(config)#

hostname#

Related Commands

Command
Description

cdp-url

Specifies the CRL distribution point (CDP) to be included in the certificates issued by the CA.

crypto ca server

Provides access to the ca server configuration mode CLI command set, which allows you to configure and manage the local CA.

crypto ca server revoke

Marks a certificate issued by the local CA server as revoked in the certificate database and CRL.

lifetime crl

Specifies the lifetime of the CRL.

show crypto ca server

Displays the status of the CA configuration.


show crypto ca server user-db

To display users included in the local CA server user database, use the show crypto ca server user-db command in ca server configuration, global configuration, or privileged EXEC mode.

show crypto ca server user-db [ expired | allowed | on-hold | enrolled]

Syntax Description

allowed

(Optional) Specifies that users who are allowed to enroll display, regardless of the status of their certificate.

enrolled

(Optional) Specifies that users with valid certificates display.

expired

(Optional) Specifies that users holding expired certificates display.

on-hold

(Optional) Specifies that users who have not enrolled yet display.


Defaults

By default, all users in the database display if no keywords are entered.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Ca server configuration

Global configuration

Privileged EXEC


Command History

Release
Modification

8.0(2)

This command was introduced.


Examples

The following example displays currently enrolled users: 

hostname# show crypto ca server user-db enrolled

Username			DN					Certificate issued						Certificate expiration

exampleuser		cn=Example User,o=...					5/31/2009							5/31/2010

hostname#

Related Commands

Command
Description

crypto ca server user-db add

Adds a user to the CA server user database.

crypto ca server user-db allow

Allows a specific user or a subset of users in the CA server database to enroll with the local CA.

crypto ca server user-db remove

Removes a user from the CA server user database.

crypto ca server user-db write

Writes user information configured in the local CA database to storage.

show crypto ca server cert-db

Displays all certificates issued by the local CA.


show crypto ca trustpool

To display the certificates that constitute the trustpool, use the show crypto ca trustpool command in privileged EXEC mode.

show crypto ca trustpool [detail]

Syntax Description

This command has no arguments or keywords.

Defaults

This command shows an abbreviated display of all the trustpool certificates. When the "detail" option is specified, more information is included.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Usage Guidelines

The output of the show crypto ca trustpool command includes the fingerprint value of each certificate. These values are required for removal operation.

Examples 

hostname# show crypto ca trustpool

CA Certificate

Status: Available

Certificate Serial Number: 6c386c409f4ff4944154635da520ed4c

Certificate Usage: Signature

Public Key Type: RSA (2048 bits)

Signature Algorithm: SHA1 with RSA Encryption

Issuer Name: cn=bxb2008-root

dc=bdb2008

dc=mycompany

dc=com

Subject Name:

cn=bxb2008-root

dc=bxb2008

dc=cisco

dc=com

Validity Date:

start date:17:21:06 EST Jan 14 2009

end date:17:31:06 EST Jan 14 2024

CA Certificate

Status: Available

Certificate Serial Number: 58d1c756000000000059

Certificate Usage: Signature

Public Key Type: RSA (2048 bits)

Signature Algorithm: SHA1 with RSA Encryption

Issuer Name:

cn=bxb2008-root

dc=bxb2008

dc=mycompany

dc=com

Subject Name:

cn=BXB2008SUB1-CA

dc=bxb2008

dc=cisco

dc=com

OCSP AIA:

URL: http://bxb2008-1.bxb2008.mycompany.com/ocsp

CRL Distribution Points:

(1) http://bxb2008-1.bxb2008.mycompany.com/CertEnroll/bxb2008-root.crl

Validity Date:

start date:11:54:34 EST May 18 2009

end date:12:04:34 EST May 18 2011

Related Commands

Command
Description

clear crypto ca trustpool

Removes all certificates from the trustpool.

crypto ca trustpool import

Imports certificates that constitute the PKI trustpool.

crypto ca trustpool remove

Removes a single specified certificate from the trustpool.


show crypto ca trustpool policy

To display the configured trustpool policy and process any applied certificate maps to show how those impact the policy, use the show crypto ca trustpool policy command in privileged EXEC mode.

show crypto ca trustpool policy

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples 

hostname(config)# sh run cry ca cert map

crypto ca certificate map map1 1

issuer-name eq cn = mycompany manufacturing ca

issuer-name eq cn = mycompany ca

crypto ca certificate map map 2 1

issuer-name eq cn = mycompany manufacturing ca

issuer-name eq cn = mycompany ca2

ciscoasa(config)#

hostname(config)# sh run crypto ca trustpool policy

crypto ca trustpool policy

revocation-check none

match certificate map2 allow expired-certificate

match certificate map1 skip revocation-check

crl cache-time 123

ciscoasa(config)#

hostname# show crypto ca trustpool policy

800 trustpool certificates installed

Trustpool Policy

Trustpool revocation checking is disabled

CRL cache time: 123 seconds

CRL next update field: required and forced

Policy overrides:

map: map1

match:issuer-name eq cn=Mycompany Manufacturing CA

match:issuer-name eq cn=Mycompany CA

action:skip revocation-check

map: map2

match: issuer-name eq cn=mycompany Manufacturing CA

match: issuer-name eq cn=mycompany CA2

action: allowed expired certificates

hostname(config)#

Related Commands

Command
Description

crypto ca trustpool policy

Enters a submode that provides the commands that define the trustpool policy.


show crypto debug-condition

To display the currently configured filters, the unmatched states, and the error states for IPsec and ISAKMP debugging messages, use the show crypto debug-condition command in global configuration mode.

show crypto debug-condition

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

8.0(2)

This command was introduced.

9.0(1)

Support for multiple context mode was added.


Examples

The following example shows the filtering conditions: 

hostname(config)# show crypto debug-condition

Crypto conditional debug is turned ON

IKE debug context unmatched flag:  OFF

IPsec debug context unmatched flag:  ON

IKE peer IP address filters:

1.1.1.0/24   2.2.2.2

IKE user name filters:

my_user

Related Commands

Command
Description

debug crypto condition

Sets filtering conditions for IPsec and ISAKMP debugging messages.

debug crypto condition error

Shows debugging messages whether or not filtering conditions have been specified.

debug crypto condition unmatched

Shows debugging messages for IPsec and ISAKMP that do not include sufficient context information for filtering.


show crypto ikev1 sa

To display the IKEv1 runtime SA database, use the show crypto ikev1 sa command in global configuration mode or privileged EXEC mode.

show crypto ikev1 sa [detail]

Syntax Description

detail

Displays detailed output about the SA database.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

8.4(1)

This command command was introduced.

9.0(1)

Support for multiple context mode was added.


Usage Guidelines

The output from this command includes the following fields:

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active


Detail not specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400


Detail specified.

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database: 

hostname(config)# show crypto ikev1 sa detail

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

1 209.165.200.225 User  Resp  No   AM_Active  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

2 209.165.200.226 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

3 209.165.200.227 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

4 209.165.200.228 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

hostname(config)#

Related Commands

Command
Description

show crypto ikev2 sa

Displays the IKEv2 runtime SA database.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.


show crypto ikev2 sa

To display the IKEv2 runtime SA database, use the show crypto ikev2 sa command in global configuration mode or privileged EXEC mode.

show crypto ikev2 sa [detail]

Syntax Description

detail

Displays detailed output about the SA database.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

8.4(1)

This command command was introduced.

9.0(1)

Support for multiple context mode was added.


Usage Guidelines

The output from this command includes the following fields:

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active


Detail not specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400


Detail specified.

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database: 

asa(config)# show crypto ikev2 sa detail 

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role

671069399 							10.0.0.0/500 10.255.255.255/500      READY    INITIATOR

      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:20, Auth sign: PSK, Auth verify: PSK

      Life/Active Time: 86400/188 sec

      Session-id: 1

      Status Description: Negotiation done

      Local spi: 80173A0373C2D403       Remote spi: AE8AEFA1B97DBB22

      Local id: asa

      Remote id: asa1

      Local req mess id: 8              Remote req mess id: 7

      Local next mess id: 8             Remote next mess id: 7

      Local req queued: 8               Remote req queued: 7

      Local window: 1                   Remote window: 1

      DPD configured for 10 seconds, retry 2

      NAT-T is not detected  

Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535

          remote selector 0.0.0.0/0 - 255.255.255.255/65535

          ESP spi in/out: 0x242a3da5/0xe6262034  

          AH spi in/out: 0x0/0x0  

          CPI in/out: 0x0/0x0  

          Encr: AES-GCM, keysize: 128, esp_hmac: N/A

          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Related Commands

Command
Description

show crypto ikev1 sa

Displays the IKEv1 runtime SA database.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.


show crypto ipsec df-bit

To display the IPsec DF-bit policy for IPsec packets for a specified interface, use the show crypto ipsec df-bit command in global configuration mode and privileged EXEC mode.

show crypto ipsec df-bit interface

Syntax Description

interface

Specifies an interface name.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following example displays the IPsec DF-bit policy for interface named inside: 

hostname(config)# show crypto ipsec df-bit inside

df-bit inside copy

hostname(config)#

Related Commands

Command
Description

crypto ipsec df-bit

Configures the IPsec DF-bit policy for IPsec packets.

crypto ipsec fragmentation

Configures the fragmentation policy for IPsec packets.

show crypto ipsec fragmentation

Displays the fragmentation policy for IPsec packets.


show crypto ipsec fragmentation

To display the fragmentation policy for IPsec packets, use the show crypto ipsec fragmentation command in global configuration or privileged EXEC mode.

show crypto ipsec fragmentation interface

Syntax Description

interface

Specifies an interface name.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following example, entered in global configuration mode, displays the IPsec fragmentation policy for an interface named inside: 

hostname(config)# show crypto ipsec fragmentation inside

fragmentation inside before-encryption

hostname(config)#

Related Commands

Command
Description

crypto ipsec fragmentation

Configures the fragmentation policy for IPsec packets.

crypto ipsec df-bit

Configures the DF-bit policy for IPsec packets.

show crypto ipsec df-bit

Displays the DF-bit policy for a specified interface.


show crypto ipsec policy

To display IPsec secure socket API (SS API) security policy information provided by OSPFv3, use the show crypto ipsec policy command in global configuration or privileged EXEC mode. You can also use the alternate form of this command: show ipsec policy.

show crypto ipsec policy [name]

Syntax Description

name

Specifies a policy name.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following example, entered in global configuration mode, displays the crypto secure socket API installed policy information for a policy named CSSU-UTF: 

hostname(config)# show crypto ipsec policy

Crypto IPsec client security policy data

       Policy name:      CSSU-UTF

       Policy refcount:  0

       Inbound  ESP SPI:        1031 (0x407)

       Outbound ESP SPI:        1031 (0x407)

       Inbound  ESP Auth Key:   0123456789abcdef

       Outbound ESP Auth Key:   0123456789abcdef

       Inbound  ESP Cipher Key:

       Outbound ESP Cipher Key:

       Transform set:    esp-sha-hmac

Related Commands

Command
Description

show crypto ipsec fragmentation

Displays the fragmentation policy for IPsec packets.

show crypto ipsec sa

Displays a list of IPsec SA.

show crypto ipsec df-bit

Displays the DF-bit policy for a specified interface.

show crypto sockets

Displays crypto secure sockets and the socket state.


show crypto ipsec sa

To display a list of IPsec SAs, use the show crypto ipsec sa command in global configuration mode or privileged EXEC mode. You can also use the alternate form of this command: show ipsec sa.

show crypto ipsec sa [entry | identity | map map-name | peer peer-addr] [detail]

Syntax Description

detail

(Optional) Displays detailed error information on what is displayed.

entry

(Optional) Displays IPsec SAs sorted by peer address

identity

(Optional) Displays IPsec SAs for sorted by identity, not including ESPs. This is a condensed form.

map map-name

(Optional) Displays IPsec SAs for the specified crypto map.

peer peer-addr

(Optional) Displays IPsec SAs for specified peer IP addresses.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.

9.0(1)

Added support for OSPFv3, multipe context mode, Suite B algorithm in the transform and IV size portion, and ESPV3 IPsec output.


Examples

The following example, entered in global configuration mode, displays IPsec SAs that include a tunnel identified as OSPFv3. 

hostname(config)# show crypto ipsec sa

interface: outside2

    Crypto map tag: def, local addr: 10.132.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (172.20.0.21/255.255.255.255/0/0)

      current_peer: 172.20.0.21

      dynamic allocated peer ip: 10.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1145, #pkts decrypt: 1145, #pkts verify: 1145

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 2, #pre-frag failures: 1, #fragments created: 10

      #PMTUs sent: 5, #PMTUs rcvd: 2, #decapstulated frags needing reassembly: 1

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.132.0.17, remote crypto endpt.: 172.20.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={L2L, Transport, Manual key, (OSPFv3), }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 548

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={L2L, Transport, Manual key, (OSPFv3), }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 548

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: def, local addr: 10.132.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

hostname(config)#

Note Fragmentation statistics are pre-fragmentation statistics if the IPsec SA policy states that fragmentation occurs before IPsec processing. Post-fragmentation statistics appear if the SA policy states that fragmentation occurs after IPsec processing.

The following example, entered in global configuration mode, displays IPsec SAs for a crypto map named def. 

hostname(config)# show crypto ipsec sa map def

cryptomap: def

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1146, #pkts decrypt: 1146, #pkts verify: 1146

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 480

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 480

         IV size: 8 bytes

         replay detection support: Y

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73672, #pkts encrypt: 73672, #pkts digest: 73672

      #pkts decaps: 78824, #pkts decrypt: 78824, #pkts verify: 78824

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73672, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

    inbound esp sas:

      spi: 0xB32CF0BD (3006066877)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 263

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B6F6A35 (997157429)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 263

         IV size: 8 bytes

         replay detection support: Y

hostname(config)#

The following example, entered in global configuration mode, shows IPsec SAs for the keyword entry. 

hostname(config)# show crypto ipsec sa entry

peer address: 10.132.0.21

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 429

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 429

         IV size: 8 bytes

         replay detection support: Y

peer address: 10.135.1.8

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73723, #pkts encrypt: 73723, #pkts digest: 73723

      #pkts decaps: 78878, #pkts decrypt: 78878, #pkts verify: 78878

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73723, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

    inbound esp sas:

      spi: 0xB32CF0BD (3006066877)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 212

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B6F6A35 (997157429)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 212

         IV size: 8 bytes

         replay detection support: Y

hostname(config)#

The following example, entered in global configuration mode, shows IPsec SAs with the keywords entry detail. 

hostname(config)# show crypto ipsec sa entry detail

peer address: 10.132.0.21

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1148, #pkts decrypt: 1148, #pkts verify: 1148

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    inbound esp sas:

      spi: 0x1E8246FC (511854332)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 322

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDC15BF68 (3692412776)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 3, crypto-map: def

         sa timing: remaining key lifetime (sec): 322

         IV size: 8 bytes

         replay detection support: Y

peer address: 10.135.1.8

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73831, #pkts encrypt: 73831, #pkts digest: 73831

      #pkts decaps: 78989, #pkts decrypt: 78989, #pkts verify: 78989

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73831, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

    inbound esp sas:

      spi: 0xB32CF0BD (3006066877)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 104

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B6F6A35 (997157429)

         transform: esp-3des esp-md5-hmac

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 4, crypto-map: def

         sa timing: remaining key lifetime (sec): 104

         IV size: 8 bytes

         replay detection support: Y

hostname(config)#

The following example shows IPsec SAs with the keyword identity. 

hostname(config)# show crypto ipsec sa identity

interface: outside2

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73756, #pkts encrypt: 73756, #pkts digest: 73756

      #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify: 78911

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73756, #pkts comp failed: 0, #pkts decomp failed: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

The following example shows IPsec SAs with the keywords identity and detail. 

hostname(config)# show crypto ipsec sa identity detail

interface: outside2

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.132.0.21/255.255.255.255/0/0)

      current_peer: 10.132.0.21

      dynamic allocated peer ip: 90.135.1.5

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.132.0.21

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: DC15BF68

    Crypto map tag: def, local addr: 172.20.0.17

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.132.0/255.255.255.0/0/0)

      current_peer: 10.135.1.8

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 73771, #pkts encrypt: 73771, #pkts digest: 73771

      #pkts decaps: 78926, #pkts decrypt: 78926, #pkts verify: 78926

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 73771, #pkts comp failed: 0, #pkts decomp failed: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 172.20.0.17, remote crypto endpt.: 10.135.1.8

      path mtu 1500, ipsec overhead 60, media mtu 1500

      current outbound spi: 3B6F6A35

Related Commands

Command
Description

clear configure isakmp

Clears all the ISAKMP configuration.

clear configure isakmp policy

Clears all ISAKMP policy configuration.

clear isakmp sa

Clears the IKE runtime SA database.

isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config isakmp

Displays all the active ISAKMP configuration.


show crypto ipsec stats

To display a list of IPsec statistics, use the show crypto ipsec stats command in global configuration mode or privileged EXEC mode.

show crypto ipsec stats

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following example, entered in global configuration mode, displays IPsec statistics: 

hostname(config)# show crypto ipsec stats

IPsec Global Statistics

-----------------------

Active tunnels: 2

Previous tunnels: 9

Inbound

    Bytes: 4933013

    Decompressed bytes: 4933013

    Packets: 80348

    Dropped packets: 0

    Replay failures: 0

    Authentications: 80348

    Authentication failures: 0

    Decryptions: 80348

    Decryption failures: 0

    Decapsulated fragments needing reassembly: 0

Outbound

    Bytes: 4441740

    Uncompressed bytes: 4441740

    Packets: 74029

    Dropped packets: 0

    Authentications: 74029

    Authentication failures: 0

    Encryptions: 74029

    Encryption failures: 0

	Fragmentation successes: 3

		Pre-fragmentation successes:2

		Post-fragmentation successes: 1

	Fragmentation failures: 2

		Pre-fragmentation failures:1

		Post-fragmentation failures: 1

	Fragments created: 10

	PMTUs sent: 1

	PMTUs recvd: 2

Protocol failures: 0

Missing SA failures: 0

System capacity failures: 0

hostname(config)#

Related Commands

Command
Description

clear ipsec sa

Clears IPsec SAs or counters based on specified parameters.

crypto ipsec transform-set

Defines a transform set.

show ipsec sa

Displays IPsec SAs based on specified parameters.

show ipsec sa summary

Displays a summary of IPsec SAs.


Examples

The following example, issued in global configuration mode, displays ISAKMP statistics: 

hostname(config)# show crypto isakmp stats

Global IKE Statistics

Active Tunnels: 132

Previous Tunnels: 132

In Octets: 195471

In Packets: 1854

In Drop Packets: 925

In Notifys: 0

In P2 Exchanges: 132

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 119029

Out Packets: 796

Out Drop Packets: 0

Out Notifys: 264

Out P2 Exchanges: 0

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 0

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

hostname(config)#

Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.


show crypto isakmp sa

To display the IKE runtime SA database, use the show crypto isakmp sa command in global configuration mode or privileged EXEC mode.

show crypto isakmp sa [detail]

Syntax Description

detail

Displays detailed output about the SA database.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

7.0(1)

The show isakmp sa command was introduced.

7.2(1)

This command was deprecated. The show crypto isakmp sa command replaces it.

9.0(1)

Support for multiple context mode was added.


Usage Guidelines

The output from this command includes the following fields:

IKE Peer

Type

Dir

Rky

State

209.165.200.225

L2L

Init

No

MM_Active


Detail not specified.

IKE Peer

Type

Dir

Rky

State

Encrypt

Hash

Auth

Lifetime

209.165.200.225

L2L

Init

No

MM_Active

3des

md5

preshrd

86400


Detail specified.

Examples

The following example, entered in global configuration mode, displays detailed information about the SA database: 

hostname(config)# show crypto isakmp sa detail

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

1 209.165.200.225 User  Resp  No   AM_Active  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

2 209.165.200.226 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

3 209.165.200.227 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

IKE Peer	  Type  Dir   Rky  State      Encrypt Hash  Auth    Lifetime

4 209.165.200.228 User  Resp  No   AM_ACTIVE  3des    SHA   preshrd 86400

hostname(config)#

Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.


show crypto isakmp stats

To display runtime statistics, use the show crypto isakmp stats command in global configuration mode or privileged EXEC mode.

show crypto isakmp stats

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

The show isakmp stats command was introduced.

7.2(1)

The show isakmp stats command was deprecated. The show crypto isakmp stats command replaces it.


Usage Guidelines

The output from this command includes the following fields:

Global IKE Statistics

Active Tunnels

In Octets

In Packets

In Drop Packets

In Notifys

In P2 Exchanges

In P2 Exchange Invalids

In P2 Exchange Rejects

In P2 Sa Delete Requests

Out Octets

Out Packets

Out Drop Packets

Out Notifys

Out P2 Exchanges

Out P2 Exchange Invalids

Out P2 Exchange Rejects

Out P2 Sa Delete Requests

Initiator Tunnels

Initiator Fails

Responder Fails

System Capacity Fails

Auth Fails

Decrypt Fails

Hash Valid Fails

No Sa Fails

Examples

The following example, issued in global configuration mode, displays ISAKMP statistics: 

hostname(config)# show crypto isakmp stats

Global IKE Statistics

Active Tunnels: 132

Previous Tunnels: 132

In Octets: 195471

In Packets: 1854

In Drop Packets: 925

In Notifys: 0

In P2 Exchanges: 132

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 119029

Out Packets: 796

Out Drop Packets: 0

Out Notifys: 264

Out P2 Exchanges: 0

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 0

Initiator Tunnels: 0

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

hostname(config)#

Related Commands

Command
Description

clear configure crypto isakmp

Clears all the ISAKMP configuration.

clear configure crypto isakmp policy

Clears all ISAKMP policy configuration.

clear crypto isakmp sa

Clears the IKE runtime SA database.

crypto isakmp enable

Enables ISAKMP negotiation on the interface on which the IPsec peer communicates with the ASA.

show running-config crypto isakmp

Displays all the active ISAKMP configuration.


show crypto key mypubkey

To display the key name, usage, and elliptic curve size for ECDSA keys, use the show crypto key mypubkey command in global configuration mode or privileged EXEC mode.

show crypto key mypubkey dsa | rsa

Syntax Description

dsa

Specifies the key name.

rsa

Specifies the key name.


Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

The show crypto key mypubkey command was introduced.


show crypto protocol statistics

To display the protocol-specific statistics in the crypto accelerator MIB, use the show crypto protocol statistics command in global configuration or privileged EXEC mode.

show crypto protocol statistics protocol

Syntax Description

protocol

Specifies the name of the protocol for which to display statistics. Protocol choices are as follows:

ikev1—Internet Key Exchange version 1.

ipsec—IP Security Phase-2 protocols.

ssl—Secure Sockets Layer.

other—Reserved for new protocols.

all—All protocols currently supported.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following examples entered in global configuration mode, display crypto accelerator statistics for specified protocols: 

hostname # show crypto protocol statistics ikev1

[IKEv1 statistics]

   Encrypt packet requests: 39

   Encapsulate packet requests: 39

   Decrypt packet requests: 35

   Decapsulate packet requests: 35

   HMAC calculation requests: 84

   SA creation requests: 1

   SA rekey requests: 3

   SA deletion requests: 2

   Next phase key allocation requests: 2

   Random number generation requests: 0

   Failed requests: 0



hostname # show crypto protocol statistics ipsec

[IPsec statistics]

   Encrypt packet requests: 700

   Encapsulate packet requests: 700

   Decrypt packet requests: 700

   Decapsulate packet requests: 700

   HMAC calculation requests: 1400

   SA creation requests: 2

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 0

   Failed requests: 0

hostname # show crypto protocol statistics ssl 

[SSL statistics]

   Encrypt packet requests: 0

   Encapsulate packet requests: 0

   Decrypt packet requests: 0

   Decapsulate packet requests: 0

   HMAC calculation requests: 0

   SA creation requests: 0

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 0

   Failed requests: 0

hostname # show crypto protocol statistics other

[Other statistics]

   Encrypt packet requests: 0

   Encapsulate packet requests: 0

   Decrypt packet requests: 0

   Decapsulate packet requests: 0

   HMAC calculation requests: 0

   SA creation requests: 0

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 99

   Failed requests: 0

hostname # show crypto protocol statistics all 

[IKEv1 statistics]

   Encrypt packet requests: 46

   Encapsulate packet requests: 46

   Decrypt packet requests: 40

   Decapsulate packet requests: 40

   HMAC calculation requests: 91

   SA creation requests: 1

   SA rekey requests: 3

   SA deletion requests: 3

   Next phase key allocation requests: 2

   Random number generation requests: 0

   Failed requests: 0

[IKEv2 statistics]

   Encrypt packet requests: 0

   Encapsulate packet requests: 0

   Decrypt packet requests: 0

   Decapsulate packet requests: 0

   HMAC calculation requests: 0

   SA creation requests: 0

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 0

   Failed requests: 0

[IPsec statistics]

   Encrypt packet requests: 700

   Encapsulate packet requests: 700

   Decrypt packet requests: 700

   Decapsulate packet requests: 700

   HMAC calculation requests: 1400

   SA creation requests: 2

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 0

   Failed requests: 0

[SSL statistics]

   Encrypt packet requests: 0

   Encapsulate packet requests: 0

   Decrypt packet requests: 0

   Decapsulate packet requests: 0

   HMAC calculation requests: 0

   SA creation requests: 0

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 0

   Failed requests: 0

[SSH statistics are not supported]

[SRTP statistics are not supported]

[Other statistics]

   Encrypt packet requests: 0

   Encapsulate packet requests: 0

   Decrypt packet requests: 0

   Decapsulate packet requests: 0

   HMAC calculation requests: 0

   SA creation requests: 0

   SA rekey requests: 0

   SA deletion requests: 0

   Next phase key allocation requests: 0

   Random number generation requests: 99

   Failed requests: 0

hostname #

Related Commands

Command
Description

clear crypto accelerator statistics

Clears the global and accelerator-specific statistics in the crypto accelerator MIB.

clear crypto protocol statistics

Clears the protocol-specific statistics in the crypto accelerator MIB.

show crypto accelerator statistics

Displays the global and accelerator-specific statistics from the crypto accelerator MIB.


show crypto sockets

To display crypto secure socket information, use the show crypto sockets command in global configuration mode or privileged EXEC mode.

show crypto sockets

Syntax Description

This command has no keywords or variables.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Examples

The following example, entered in global configuration mode, displays crypto secure socket information: 

hostname(config)# show crypto sockets

Number of Crypto Socket connections 1

       Gi0/1  Peers: (local): 2001:1::1

                     (remote): ::

              Local Ident (addr/plen/port/prot): (2001:1::1/64/0/89)

              Remote Ident (addr/plen/port/prot): (::/0/0/89)

              IPsec Profile: "CSSU-UTF"

              Socket State: Open

              Client: "CSSU_App(UTF)" (Client State: Active)

       Crypto Sockets in Listen state:

The following table describes the fields in the show crypto sockets command output.

Field
Description

Number of Crypto Socket connections

Number of crypto sockets in the system.

Socket State

This state can be Open, which means that active IPsec security associations (SAs) exist, or it can be Closed, which means that no active IPsec SAs exist.

Client

Application name and its state.

Flags

If this field says "shared," the socket is shared with more than one tunnel interface.

Crypto Sockets in Listen state

Name of the crypto IPsec profile.


Related Commands

Command
Description

show crypto ipsec policy

Displays the crypto secure socket API installed policy information.


show csc node-count

To display the number of nodes for which the CSC SSM scanned traffic, use the show csc node-count command in privileged EXEC mode:

show csc node-count [yesterday]

Syntax Description

yesterday

(Optional) Shows the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight.


Defaults

By default, the node count displayed is the number of nodes scanned since midnight.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

A node is any distinct source IP address or the address of a device that is on a network protected by the ASA. The ASA keeps track of a daily node count and communicates this to the CSC SSM for user license enforcement.

Examples

The following is sample output of the show csc node-count command, which displays the number of nodes for which the CSC SSM has scanned traffic since midnight: 

hostname# show csc node-count

Current node count is 1

The following is sample output of the show csc node-count command, which displays the number of nodes for which the CSC SSM scanned traffic in the preceding 24-hour period, from midnight to midnight: 

hostname(config)# show csc node-count yesterday

Yesterday's node count is 2

Related Commands

csc

Sends network traffic to the CSC SSM for scanning of FTP, HTTP, POP3, and SMTP, as configured on the CSC SSM.

show running-config class-map

Shows current class map configuration.

show running-config policy-map

Shows the current policy map configuration.

show running-config service-policy

Shows the current service policy configuration.


show ctiqbe

To display information about CTIQBE sessions established across the ASA, use the show ctiqbe command in privileged EXEC mode.

show ctiqbe

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0(1)

This command was introduced.


Usage Guidelines

The show ctiqbe command displays information of CTIQBE sessions established across the ASA. Along with debug ctiqbe and show local-host, this command is used for troubleshooting CTIQBE inspection engine issues.

Note We recommend that you have the pager command configured before using the show ctiqbe command. If there are a lot of CTIQBE sessions and the pager command is not configured, it can take a while for the show ctiqbe command output to reach the end.

Examples

The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session setup across the ASA. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco Call Manager at 172.29.1.77, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds. 

hostname# | show ctiqbe

Total: 1

 | LOCAL | FOREIGN | STATE | HEARTBEAT

---------------------------------------------------------------

1 | 10.0.0.99/1117  172.29.1.77/2748 | 1 | 120

 | RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 | 1029)

 | MEDIA: Device ID 27 | Call ID 0

 | Foreign 172.29.1.99 | (1028 | 1029)

 | Local | 172.29.1.88 | (26822 | 26823)

 | ----------------------------------------------

The CTI device has already registered with the CallManager. The device internal address and RTP listening port is PATed to 172.29.1.99 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.

The line beginning with hostname# appears only if an internal CTI device has registered with an external CallManager and the CTI device address and ports are PATed to that external interface. This line does not appear if the CallManager is located on an internal interface, or if the internal CTI device address and ports are NATed to the same external interface that is used by the CallManager.

The output indicates a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone locates on the same interface as the CallManager because the ASA does not maintain a CTIQBE session record associated with the second phone and CallManager. The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.

The following is the xlate information for these CTIBQE connections: 

hostname# show xlate debug

3 in use, 3 most used

Flags: D | DNS, d | dump, I | identity, i | inside, n | no random,

 | o | outside, r | portmap, s | static

TCP PAT from inside:10.0.0.99/1117 to outside:172.29.1.99/1025 flags ri idle 0:00:22 
timeout 0:00:30

UDP PAT from inside:10.0.0.99/16908 to outside:172.29.1.99/1028 flags ri idle 0:00:00 
timeout 0:04:10

UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 
timeout 0:04:10

hostname#

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect ctiqbe

Enables CTIQBE application inspection.

service-policy

Applies a policy map to one or more interfaces.

show conn

Displays the connection state for different connection types.

timeout

Sets the maximum idle time duration for different protocols and session types.


show ctl-file

To show the contents of the CTL file used by the phone proxy, use the show ctl-file command in global configuration mode.

show ctl-file filename [parsed]

Syntax Description 

filename

Displays the phones capable of secure mode stored in the database.

parsed

(Optional) Displays detailed information from the CTL file specified.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History 

Release
Modification

8.2(1)

The command was introduced.


Usage Guidelines

When specifying the filename of the CTL file stored in Flash memory, specify the disk number, filename, and extension; for example: asa5540(config)# sh cry ca ser crl . Using the show ctl-file command is useful for debugging when configuring the phone proxy instance.

Examples

The following example shows the use of the show ctl-file command to show general information about the CTL file: 

hostname# show ctl-file disk0:/ctlfile.tlv 

Total Number of Records: 1

CTL Record Number 1

  Subject Name:

     serialNumber=JMX1215L2TX+hostname=ciscoasa

  Issuer Name:

     serialNumber=JMX1215L2TX+hostname=ciscoasa

  Function:

     cucm

  IP Address:

     192.168.52.102

  Associated Trustpoint:

     cucm_primary

The following example shows the use of the show ctl-file command to show detailed information 
about the CTL file:

hostname# show ctl-file disk0:/ctlfile.tlv parsed 

TAG 0x01: Version: Maj 1, Min 2

TAG 0x02: Header Len: Len 288

TAG 0x03: Signer ID: Len 103

TAG 0x04: Signer Name: Len 45 Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>

TAG 0x05: Cert SN: Len 4 SN: c43c9048

TAG 0x06: CA Name: Len 45 Name: <cn=_internal_myctl_SAST_0,ou=STG,o=Cisco Inc>

TAG 0x07: Signature: Len 15

TAG 0x08: Digest Alg: Len 1 Name: SHA-1

TAG 0x09: Sig Alg Info: Len 8

TAG 0x0A: Sig Alg: Len 1 Name: RSA

TAG 0x0B: Modulus: Len 1 Name: 1024

TAG 0x0C: Sig Block: Len 128 Signature: 

    521debcf b7a77ea8 94eba5f7 f3c8b0d8 3337a9fa 267ce1a7 202b2c8b 2ac980d3 

    9608f64d e7cd82df e205e5bf 74a1d9c4 fae20f90 f3d2746a e90f439e ef93fca7 

    d4925551 72daa414 2c55f249 ef7e6dc2 bcb9f9b5 39be8238 5011eecb ce37e4d1 

    866e6550 6779c3fd 25c8bab0 6e9be32c 7f79fe34 5575e3af ea039145 45ce3158 

TAG 0x0E: File Name: Len 12 Name: <CTLFile.tlv>

TAG 0x0F: Timestamp: Len 4 Timestamp: 48903cc6

 ### CTL RECORD No. 1 ###

TAG 0x01: Rcd Len: Len 731

TAG 0x03: Sub Name: Len 43 Sub Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>

TAG 0x04: Function: Len 2 Func: CCM

TAG 0x05: Cert Issuer: Len 43 Issuer Name: <serialNumber=JMX1215L2TX+hostname=ciscoasa>

TAG 0x06: Cert SN: Len 4 Cert SN: 15379048

TAG 0x07: Pub Key: Len 140 Pub Key: 

    30818902 818100ad a752b4e6 89769a49 13115e52 1209b3ef 96a179af 728c29d7 

    af7fed4e c759d0ea cebd7587 dd4f7c4c 322da86b 3a677c08 ce39ce60 2525f6d2 

    50fe87cf 2aea60a5 690ec985 10706e5a 30ad26db e6fdb243 159758ed bb487525 

    f901ef4a 658445de 29981546 3867d2d1 ce519ee4 62c7be32 51037c3c 751c0ad6 

    040bedbb 3e984502 03010001 

TAG 0x09: Cert: Len 469 X.509v3 Cert: 

    308201d1 3082013a a0030201 02020415 37904830 0d06092a 864886f7 0d010104 

    0500302d 312b3012 06035504 05130b4a 4d583132 31354c32 54583015 06092a86 

    4886f70d 01090216 08636973 636f6173 61301e17 0d303830 37333030 39343033 

    375a170d 31383037 32383039 34303337 5a302d31 2b301206 03550405 130b4a4d 

    58313231 354c3254 58301506 092a8648 86f70d01 09021608 63697363 6f617361 

    30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00ada752 

    b4e68976 9a491311 5e521209 b3ef96a1 79af728c 29d7af7f ed4ec759 d0eacebd 

    7587dd4f 7c4c322d a86b3a67 7c08ce39 ce602525 f6d250fe 87cf2aea 60a5690e 

    c9851070 6e5a30ad 26dbe6fd b2431597 58edbb48 7525f901 ef4a6584 45de2998 

    15463867 d2d1ce51 9ee462c7 be325103 7c3c751c 0ad6040b edbb3e98 45020301 

    0001300d 06092a86 4886f70d 01010405 00038181 005d82b7 ac45dbf8 bd911d4d 

    a330454a a2784a4b 5ef898b1 482e0bbf 4a86ed86 9019820b 00e80361 fd7b2518 

    9efa746c b98b1e23 fcc0793c de48de6d 6b1a4998 cd6f4e66 ba661d3a d200739a 

    ae679c7c 94f550fb a6381b94 1eae389e a9ec4b11 30ba31f3 33cd184e 25647174 

    ce00231d 102d5db3 c9c111a6 df37eb43 66f3d2d5 46

TAG 0x0A: IP Addr: Len 4 IP Addr: 192.168.52.102

Related Commands 

Command
Description

ctl-file (global)

Specifies the CTL instance to create for the phone proxy or parses the CTL file stored in Flash memory.

ctl-file (phone-proxy)

Specifies the CTL instance to use when configuring the phone proxy.

phone proxy

Configures the Phone Proxy instance.


show cts environment-data

To show the health and status of the environment data refresh operation on the ASA for Cisco TrustSec, use the show cts environment-data command in privileged EXEC mode.

show cts environment-data

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Usage Guidelines

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears: 

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears: 

This command is only permitted on the master device.

Examples

The following is sample output from the show cts environment-data command 

hostname# show cts environment-data

CTS Environment Data

====================

Status:                    Active

Last download attempt:     Successful

Environment Data Lifetime: 1200 secs

Last update time:          18:12:07 EST Feb 27 2012

Env-data expires in:       0:00:12:24 (dd:hr:mm:sec)

Env-data refreshes in:     0:00:02:24 (dd:hr:mm:sec)

Related Commands

Commands
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts pac

Shows the components on the PAC.


show cts environment-data sg-table

To show the resident security group table on the ASA for Cisco TrustSec, use the show cts environment-data sg-table command in privileged EXEC mode.

show cts environment-data sg-table

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Usage Guidelines

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears: 

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears: 

This command is only permitted on the master device.

Examples

The following is sample output from the show cts environment-data sg-table command 

hostname# show cts environment-data sg-table

Security Group Table:

Valid until: 18:32:07 EST Feb 27 2012

Showing 9 of 9 entries

SG Name                          SG Tag     Type

-------                          ------     -------------

ANY                               65535     unicast

ExampleSG1                            2     unicast

ExampleSG13                          14     unicast

ExampleSG14                          15     unicast

ExampleSG15                          16     unicast

ExampleSG16                          17     unicast

ExampleSG17                          18     unicast

ExampleSG18                          19     unicast

Unknown                               0     unicast

Related Commands

Commands
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts pac

Shows the components on the PAC.


show cts pac

To show the components of the Protected Access Credential (PAC) on the ASA for Cisco TrustSec, use the show cts pac command in privileged EXEC mode.

show cts pac

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

9.0(1)

This command was introduced.


Usage Guidelines

The show cts pac command displays PAC information, including the expiration time. The expiration time is important because the ASA cannot retrieve security group table updates after the PAC lifetime lapses. The administrator must request and install a new PAC before the old one expires to maintain synchronization with the security group table on the Identity Services Engine.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears: 

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears: 

This command is only permitted on the master device.

Examples

The following is sample output from the show cts pac command 

hostname# show cts pac

PAC-Info:

    Valid until: Jul 28 2012 08:03:23

    AID:         6499578bc0240a3d8bd6591127ab270c

    I-ID:        BrianASA36

    A-ID-Info:   Identity Services Engine

    PAC-type:    Cisco Trustsec

  PAC-Opaque:

    000200b000030001000400106499578bc0240a3d8bd6591127ab270c00060094000301

    00d75a3f2293ff3b1310803b9967540ff7000000134e2d2deb00093a803d227383e2b9

    7db59ed2eeac4e469fcb1eeb0ac2dd84e76e13342a4c2f1081c06d493e192616d43611

    8ff93d2af9b9135bb95127e8b9989db36cf1667b4fe6c284e220c11e1f7dbab91721d1

    00e9f47231078288dab83a342ce176ed2410f1249780882a147cc087942f52238fc9b4

    09100e1758

Related Commands

Commands
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.


show cts sgt-map

To show the IP address-security group table manager entries in the control path, use the show cts sgt-map command in privileged EXEC mode.

show cts sgt-map [sgt sgt] [address ipv4 | address ipv6 [/prefix] | ipv4 | ipv6] [name] [brief | detail]

Syntax Description 

address ipv4/ipv6 /prefix

Shows only IP address-security group table mapping for the specific IPv4 or IPv6 address or subnet.

brief

Shows the IP address-security group table mapping summary.

detail

Shows the IP address-security group table mapping.

ipv4

Shows the IPv4 address-security group table mapping. By default, only the IPv4 address-security group table mapping is displayed.

ipv6

Shows the IPv6 address-security group table mapping.

name

Shows IP address-security group table mapping with the matched security group name.

sgt sgt

Shows only IP address-security group table mapping with the matched security group table.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History 

Release
Modification

9.01)

The command was introduced.


Usage Guidelines

This command displays the IP address-security group table manager entries in the control path.

Examples

The following is sample output from the show cts sgt-map ipv6 command: 

hostname# show cts sgt-map ipv6

Active IP-SGT Bindings Information

IP Address                              SGT     Source

============================================================

3330::1                                 17      SXP

FE80::A8BB:CCFF:FE00:110                17      SXP

IP-SGT Active Bindings Summary

============================================

Total number of SXP    bindings = 2

Total number of active   bindings = 2

The following is sample output from the show cts sgt-map ipv6 detail command: 

hostname# show cts sgt-map ipv6 detail

Active IP-SGT Bindings Information

IP Address                 Security Group                          Source

=========================================================================

3330::1                     2345                                    SXP

1280::A8BB:CCFF:FE00:110    Security Tech Business Unit(12345)      SXP

IP-SGT Active Bindings Summary

===================================

Total number of SXP bindings    = 2

Total number of active bindings = 2

The following is sample output from the show cts sgt-map ipv6 brief command: 

hostname# show cts sgt-map ipv6 brief

Active IP-SGT Bindings Information

IP-SGT Active Bindings Summary

====================================

Total number of SXP bindings    = 2

Total number of active bindings = 2

The following is sample output from the show cts sgt-map address command: 

hostname# show cts sgt-map address 10.10.10.5 mask 255.255.255.255

Active IP-SGT Bindings Information

IP Address              SGT     Source

============================================================

10.10.10.5              1234    SXP

IP-SGT Active Bindings Summary

============================================

Total number of SXP    bindings = 1

Total number of active   bindings = 1

Related Commands 

Command
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.


show cts sxp connections

To show the Security eXchange Protocol (SXP) connections on the ASA, use the show cts sxp connections command in privileged EXEC mode.

show cts sxp connections [peer peer addr] [local local addr] [ipv4 | ipv6] [status {on | off | delete-hold-down | pending-on}] [mode {speaker | listener}] [brief]

Syntax Description 

brief

(Optional) Shows the SXP connection summary.

delete-hold-down

(Optional) The TCP connection was terminated (TCP is down) when it was in the ON state. Only an ASA configured in listener mode can be in this state.

ipv4

(Optional) Shows SXP connections with IPv4 addresses.

ipv6

(Optional) Shows SXP connections with IPv6 addresses.

listener

(Optional) Shows the ASA configured in listener mode.

local local addr

(Optional) Shows SXP connections with the matched local IP addresses.

mode

(Optional) Shows SXP connections with the matched mode.

off

(Optional) The TCP connection has not been initiated. The ASA retries the TCP connection only in this state.

on

(Optional) An SXP OPEN or SXP OPEN RESP message has been received. The SXP connection has been successfully established. The ASA only exchanges SXP messages in this state.

peer peer addr

(Optional) Shows SXP connections with the matched peer IP addresses.

pending-on

(Optional) An SXP OPEN message has been sent to the peer; the response from the peer is being awaited.

speaker

(Optional) Shows the ASA configured in speaker mode.

status

(Optional) Shows SXP connections with the matched status.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Provileged EXEC


Command History 

Release
Modification

9.0(1)

The command was introduced.


Usage Guidelines

The SXP states change under the following conditions:

If the SXP listener drops its SXP connection because its peer unconfigures SXP or disables SXP, then the SXP listener moves to the OFF state.

If the SXP listener drops its SXP connection because its peer crashes or has the interface shut down, then the SXP listener moves to the DELETE_HOLD_DOWN state.

The SXP speaker moves to the OFF state when either of the first two conditions occurs.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears: 

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears: 

This command is only permitted on the master device.

Examples

The following is sample output from the show cts sxp connections command: 

hostname# show cts sxp connections

SXP               : Enabled

Highest version   : 2

Default password  : Set

Default local IP  : Not Set

Reconcile period  : 120 secs

Retry open period : 10 secs

Retry open timer  : Not Running

Total number of SXP connections : 3

Total number of SXP connection shown : 3

----------------------------------------------

Peer IP           : 2.2.2.1

Local IP          : 2.2.2.2

Conn status       : On

Local mode        : Listener

Ins number        : 1

TCP conn password : Default

Delete hold down timer : Not Running

Reconciliation timer   : Not Running

Duration since last state change: 0:00:01:25 (dd:hr:mm:sec)

----------------------------------------------

Peer IP           : 3.3.3.1

Local IP          : 3.3.3.2

Conn status       : On

Local mode        : Listener

Ins number        : 2

TCP conn password : None 

Delete hold down timer : Not Running

Reconciliation timer   : Not Running

Duration since last state change: 0:01:02:20 (dd:hr:mm:sec)

----------------------------------------------

Peer IP           : 4.4.4.1

Local IP          : 4.4.4.2

Conn status       : On

Local mode        : Speaker

Ins number        : 1

TCP conn password : Set 

Delete hold down timer : Not Running

Reconciliation timer   : Not Running

Duration since last state change: 0:03:01:20 (dd:hr:mm:sec)

Related Commands 

Command
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.


show cts sxp sgt-map

To show the current IP address-security group table mapping database entries in the Security eXchange Protocol (SXP) module on the ASA for Cisco TrustSec, use the show cts sxp sgt-map command in privileged EXEC mode.

show cts sxp sgt-map [peer peer_addr] [sgt sgt] [address ipv4 | address ipv6 [/prefix] | ipv4 | ipv6] [name] [brief | detail] [status]

Syntax Description 

address ipv4/ipv6 /prefix

Shows only IP address-security group table mapping for the specific IPv4 or IPv6 address or subnet.

brief

Shows the IP address-security group table mapping summary.

detail

Shows the security group table information. If a security group name is not available, only the security group table value is displayed without the bracket.

ipv4

Shows the IP address-security group table mapping with IPv4 addresses. By default, only the IP address-security group table mapping with IPv4 addresses is displayed.

ipv6

Shows the IP address-security group table mapping with IPv6 addresses.

name

Shows IP address-security group table mapping with the matched security group name.

peer peer addr

Shows only IP address-security group table mapping with the matched peer IP address.

sgt sgt

Shows only IP address-security group table mapping with the matched security group table.

status

Shows active or inactive mapped entries.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History 

Release
Modification

9.01)

The command was introduced.


Usage Guidelines

This command displays the active IP address-security group table mapped entries consolidated from SXP.

This command is not supported on a standby device in a failover configuration. If you enter this command on a standby device, the following error message appears: 

ERROR: This command is only permitted on the active device.

This command is only supported on the master unit in a clustering configuration. If you enter this command on a slave unit, the following error message appears: 

This command is only permitted on the master device.

Examples

The following is sample output from the show cts sxp sgt-map command: 

hostname# show cts sxp sgt-map

Total number of IP-SGT mappings : 3 

SGT        : 7

IPv4       : 2.2.2.1

Peer IP    : 2.2.2.1

Ins Num    : 1

SGT        : 7

IPv4       : 2.2.2.0

Peer IP    : 3.3.3.1

Ins Num    : 1

SGT        : 7

IPv6       : FE80::A8BB:CCFF:FE00:110                

Peer IP    : 2.2.2.1

Ins Num    : 1

The following is sample output from the show cts sxp sgt-map detail command: 

hostname# show cts sxp sgt-map detail

Total number of IP-SGT mappings : 3 

SGT        : STBU(7)

IPv4       : 2.2.2.1

Peer IP    : 2.2.2.1

Ins Num    : 1

Status     : Active

SGT        : STBU(7) 

IPv4       : 2.2.2.0

Peer IP    : 3.3.3.1

Ins Num    : 1

Status     : Inactive

SGT        : 6

IPv6       : 1234::A8BB:CCFF:FE00:110                

Peer IP    : 2.2.2.1

Ins Num    : 1

Status     : Active

The following is sample output from the show cts sxp sgt-map brief command: 

hostname# show cts sxp sgt-map brief

Total number of IP-SGT mappings : 3

SGT, IPv4: 7, 2.2.2.1

SGT, IPv4: 7, 3.3.3.0

SGT, IPv6: 7, FE80::A8BB:CCFF:FE00:110

Related Commands 

Command
Description

show running-config cts

Shows the SXP connections for the running configuration.

show cts environment

Shows the health and status of the environment data refresh operation.


show curpriv

To display the current user privileges, use the show curpriv command:

show curpriv

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration

Privileged EXEC

User EXEC


Command History

Release
Modification

7.0(1)

Modified to conform to CLI guidelines.


Usage Guidelines

The show curpriv command displays the current privilege level. Lower privilege level numbers indicate lower privilege levels.

Examples

These examples show output from the show curpriv command when a user named enable_15 is at different privilege levels. The username indicates the name that the user entered when the user logged in. P_PRIV indicates that the user has entered the enable command. P_CONF indicates that the user has entered the config terminal command. 

hostname(config)# show curpriv

Username : enable_15

Current privilege level : 15

Current Mode/s : P_PRIV P_CONF

hostname(config)# exit

hostname(config)# show curpriv

Username : enable_15

Current privilege level : 15

Current Mode/s : P_PRIV

hostname(config)# exit

hostname(config)# show curpriv

Username : enable_1

Current privilege level : 1

Current Mode/s : P_UNPR

hostname(config)#

The following example shows a known behavior. When you are in enable mode, then enter disable mode, the initial logged-in username is replaced with enable_1: 

hostname(config)# show curpriv

Username : enable_15

Current privilege level : 15

Current Mode/s : P_PRIV P_CONF

hostname(config)# exit

hostname# show curpriv

Username : enable_15

Current privilege level : 15

Current Mode/s : P_PRIV

hostname# exit

Logoff

Type help or '?' for a list of available commands.

hostname# show curpriv

Username : enable_1

Current privilege level : 1

Current Mode/s : P_UNPR

hostname#

Related Commands

Command
Description

clear configure privilege

Remove privilege command statements from the configuration.

show running-config privilege

Display privilege levels for commands.