CSR-1000V#sh crypto ikev2 sa detailed IPv4 Crypto IKEv2 SA Tunnel-id Local Remote fvrf/ivrf Status 1 /4500 /62274 none/none READY Encr: AES-CBC, keysize: 256, PRF: SHA384, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: AnyConnect-EAP Life/Active Time: 86400/8 sec CE id: 1041, Session-id: 30 Status Description: Negotiation done Local spi: E68DD1AEC7CE6DD0 Remote spi: 60CEB6FD802A8EE8 Local id: cn=idcvpn.xxxx.com Remote id: idcvpn.xxxx.com Remote EAP id: t850879 Local req msg id: 0 Remote req msg id: 6 Local next msg id: 0 Remote next msg id: 6 Local req queued: 0 Remote req queued: 6 Local window: 5 Remote window: 1 DPD configured for 60 seconds, retry 2 Fragmentation not configured. Dynamic Route Update: disabled Extended Authentication not configured. NAT-T is detected outside Cisco Trust Security SGT is disabled Assigned host addr: 100.65.100.6 Initiator of SA : No IPv6 Crypto IKEv2 SA CSR-1000V#sh crypto ips sa detail interface: Virtual-Access2 Crypto map tag: Virtual-Access2-head-0, local addr protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (100.65.100.6/255.255.255.255/0/0) current_peer port 62274 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #pkts no sa (send) 0, #pkts invalid sa (rcv) 0 #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0 #pkts invalid prot (recv) 0, #pkts verify failed: 0 #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0 #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0 ##pkts replay failed (rcv): 0 #pkts tagged (send): 0, #pkts untagged (rcv): 0 #pkts not tagged (send): 0, #pkts not untagged (rcv): 0 #pkts internal err (send): 0, #pkts internal err (recv) 0 local crypto endpt.: , remote crypto endpt.: plaintext mtu 9154, path mtu 9216, ip mtu 9216, ip mtu idb GigabitEthernet2.10 current outbound spi: 0x77ECB633(2012001843) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x61BB0748(1639647048) transform: esp-gcm 256 , in use settings ={Tunnel UDP-Encaps, } conn id: 2055, flow_id: CSR:55, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access2-head-0 sa timing: remaining key lifetime (k/sec): (4608000/3584) IV size: 8 bytes replay detection support: Y Status: ACTIVE(ACTIVE) inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x77ECB633(2012001843) transform: esp-gcm 256 , in use settings ={Tunnel UDP-Encaps, } conn id: 2056, flow_id: CSR:56, sibling_flags FFFFFFFF80000048, crypto map: Virtual-Access2-head-0 sa timing: remaining key lifetime (k/sec): (4608000/3584) IV size: 8 bytes replay detection support: Y Status: ACTIVE(ACTIVE) outbound ah sas: outbound pcp sas: CSR-1000V#show cry se detail Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, T - cTCP encapsulation X - IKE Extended Authentication, F - IKE Fragmentation R - IKE Auto Reconnect, U - IKE Dynamic Route Update S - SIP VPN Interface: Virtual-Access2 Profile: FlexVPN-Anyconnect-Profile Uptime: 00:00:29 Session status: UP-ACTIVE Peer: port 62274 fvrf: (none) ivrf: (none) Desc: Anyconnect EAP Profil Phase1_id: idcvpn.xxxx.com Session ID: 55 IKEv2 SA: local /4500 remote /62274 Active Capabilities:DN connid:1 lifetime:23:59:31 IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 100.65.100.6 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4608000/3571 Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3571