Displays configuration information about current IP security (IPsec) security associations (SAs).

show ipsec sa
show ipsec sa address { ip-address | ipv6-address } [ detail ]
show ipsec sa detail
show ipsec sa identity address { ip-address | ipv6-address }
show ipsec sa identity dn dn-name
show ipsec sa identity email email-address
show ipsec sa identity fqdn fqdn-name
show ipsec sa identity key-id key-id
show ipsec sa interface tunnel-port [ detail ]
show ipsec sa ipv4
show ipsec sa ipv6
show ipsec sa peer { ip-address | ipv6-address } [ detail ]
ip-address
Specifies the IPv4 address of the SA.
ipv6-address
Specifies the IPv6 address of the SA.
detail
Specifies detailed information.
identity
Specifies the remote identity of the SA.
dn dn-name
Specifies a Distinguished Name (DN).
email email-address
Specifies an email address.
fqdn fqdn-name
Specifies a fully qualified domain name (FQDN).
key-id key-id
Specifies a key ID.
interface tunnel-port
Specifies a tunnel port number.
ipv4
Specifies the IPv4 IPsec SA database.
ipv6
Specifies the IPv6 IPsec SA database.
peer
Specifies the peer address of the SA.

User EXEC mode

This command may be entered in all configuration modes.

When the detail option is omitted, only the basic SA information is displayed.

The show ipsec sa command display the following information (when the detail option is specified).

Output field Description
interface The IPsec tunnel interface ID.
Local address The source address of the IPsec SA.
Remote address The destination address of the IPsec SA.
Inner VRF The base VRF of the IPsec tunnel interface.
Local Identity The total traffic selector.
Remote Identity The received traffic selector.
DF-bit The "Don't fragment" bit that indicates if fragmentation is enabled or disabled.
Profile-name The name of the IPsec profile that is used by this IPsec SA.
DH group The Diffie-Hellman group that is used by this IPsec SA.
Direction The direction of the IPsec SA. Possible values are INBOUND or OUTBOUND.
Mode The encapsulation type.
Protocol The transform type.
ICV size The integrity check value (ICV) size.
lifetime(sec) The rekey time for this IPsec SA.
Anti-replay service The anti-replay service configuration. Possible values are Enable or Disable.
ESN The Extended Sequence Number (ESN) configuration. Possible values are Enable or Disable.
Status The state of the IPsec SA.
Worry Metric The rekey time for the IKEv2 SA.

The following example displays basic information about the IPsec SA database.


device# show ipsec sa

IPSEC Security Association Database is empty.
SPDID(vrf:if) Dir Encap SPI        Destination   AuthAlg  EncryptAlg
IPSEC Security Association Database(child SA pair:4)
0:tnl 18    OUT IPSEC_ 0x00007935 10.18.3.4      Null     aes-gcm-256
0:tnl 18    IN  IPSEC_ 0x0000b278 10.18.3.5      Null     aes-gcm-256
0:tnl 22    OUT IPSEC_ 0x000064b2 10.22.3.4      Null     aes-gcm-256
0:tnl 22    IN  IPSEC_ 0x00008dea 10.22.3.5      Null     aes-gcm-256
0:tnl 19    OUT IPSEC_ 0x00006018 10.19.3.4      Null     aes-gcm-256
0:tnl 19    IN  IPSEC_ 0x000062df 10.19.3.5      Null     aes-gcm-256
0:tnl 20    OUT IPSEC_ 0x0000de58 10.20.3.4      Null     aes-gcm-256
0:tnl 20    IN  IPSEC_ 0x0000acff 10.20.3.5      Null     aes-gcm-256  

The following example displays detailed information for an IPsec SA by specifying the local IP address of the SA.


device# show ipsec sa address 10.19.3.4 detail

IPSEC Security Association Database(child SA pair:0)
    interface           : tnl 19
    Local address: 10.3.3.4/500, Remote address: 10.19.3.5/500
    Inner VRF           : vrf1
     Local Identity (addr/mask/prot/port): address(0.0.0.0/0/0/0)
     Remote Identity(addr/mask/prot/port): address(0.0.0.0/0/0/0)
    DF-bit              : clear
    Profile-name        : 19
    DH group            : none
    Direction           : outbound, SPI: 0x6018
    Mode                : tunnel,
    Protocol            : IPSEC_ESP , Encryption : aes-gcm-256 , Authentication : Null
    ICV size            : 16 bytes
    lifetime(sec)       : Expiring in 243 secs
    Anti-replay service : Disable
    ESN                 : Disable
    Status              : ACTIVE
    Worry Metric        :0 

The following example displays IPsec SA information, including information about IPv6 connections.

device# show ipsec sa

IPSEC Security Association Database(child SA pair:7)

SPDID(vrf:if) Dir   Encap        SPI    Destination       AuthAlg   EncryptAlg   
  0:tnl 8     OUT IPSEC_ESP  0x000056c1 2220::1           NULL      aes-gcm-256
  0:tnl 8     IN  IPSEC_ESP  0x00004b95 5002::2           NULL      aes-gcm-256
  0:tnl 7     OUT IPSEC_ESP  0x00001489 1110::1           NULL      aes-gcm-256
  0:tnl 7     IN  IPSEC_ESP  0x000000a3 5002::2           NULL      aes-gcm-256
  0:tnl 1     OUT IPSEC_ESP  0x0000e1c1 1000::1           NULL      aes-gcm-256
  0:tnl 1     IN  IPSEC_ESP  0x00007eb2 1004::2           NULL      aes-gcm-256
  0:tnl 4     OUT IPSEC_ESP  0x00001044 120.1.1.          NULL      aes-gcm-256
  0:tnl 4     IN  IPSEC_ESP  0x00009dd5 110.1.1.1         NULL      aes-gcm-256
  0:tnl 11    OUT IPSEC_ESP  0x00000682 1000::1           NULL      aes-gcm-256
  0:tnl 11    IN  IPSEC_ESP  0x00001c49 1003::2           NULL      aes-gcm-256
  0:tnl 9     OUT IPSEC_ESP  0x0000f369 3330::1           NULL      aes-gcm-256
  0:tnl 9     IN  IPSEC_ESP  0x00005f22 5002::2           NULL      aes-gcm-256
  0:tnl 3     OUT IPSEC_ESP  0x0000f948 100.1.1.1         NULL      aes-gcm-256
  0:tnl 3     IN  IPSEC_ESP  0x000043dc 104.1.1.2         NULL      aes-gcm-256
      
Release version Command history
08.0.50 This command was introduced.
08.0.70 Support was added for IPv6.