ASA crypto ipsec counters

CCM-SCP
Level 1

Hello,

On Cisco platforms other than ASA, it is possible when using the 'show crypto ipsec sa peer x.x.x.x' command to see all encaps/decaps packet counters since the counters were last cleared, even for tunnels that are not currently active.

I had found this very useful in the past when a client wanted to know how much traffic they were sending over the VPN for a period of time.  With the ASA, however, I cannot seem to find any way to display this output, as the same command only displays statistics for tunnels that are currently active. (Version 8.3(2))

Is there any other way to display these statistics on the ASA, or maybe to see when the last time a VPN peer was up?

Thank you,

CM

Accepted Solutions

You won't be able to get this from "show" commands on the ASA.

You could possibly send the ASA log to a syslog server for a week and leave a "debug crypto ikev1" running, and then extract out all the peer addresses that get talked to.

You could also grab the "show crypto ipsec sa" a couple of times a day for a week, and then note all the formed connects.

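One way to work through the periodic captures suggested above, as an added example that is not part of this thread: save each "show crypto ipsec sa" output to a file over the audit window, then merge the captures to see which configured peers ever had an SA up and what the encaps/decaps counters reached. The two captures and the configured-peer list below are constructed; the parser keys only on the "current_peer:" and "#pkts encaps/decaps" lines of the ASA output.

```python
import re

# Constructed sample: two "show crypto ipsec sa" captures taken on different
# days. Field names follow ASA output; the addresses are made up.
SNAPSHOTS = [
    """interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
      current_peer: 198.51.100.7
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
""",
    """    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1
      current_peer: 198.51.100.7
      #pkts encaps: 4100, #pkts encrypt: 4100, #pkts digest: 4100
      #pkts decaps: 3900, #pkts decrypt: 3900, #pkts verify: 3900
      current_peer: 198.51.100.23
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
""",
]
# Peers listed in the crypto map configuration (constructed list).
CONFIGURED_PEERS = ["198.51.100.7", "198.51.100.23", "198.51.100.99"]

PEER_RE = re.compile(r"current_peer:\s*(\d+\.\d+\.\d+\.\d+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_snapshot(text):
    """Return {peer: (encaps, decaps)} summed over all SAs to that peer in one capture."""
    result, peer = {}, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer = m.group(1)
            result.setdefault(peer, [0, 0])
        elif peer and (m := ENCAPS_RE.search(line)):
            result[peer][0] += int(m.group(1))
        elif peer and (m := DECAPS_RE.search(line)):
            result[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in result.items()}


def audit_peers(configured, snapshots):
    """Merge captures: (captures with an SA up, max encaps, max decaps) per peer.
    Counters restart when an SA rekeys, so the maxima are a lower bound."""
    seen = {}
    for snap in snapshots:
        for peer, (enc, dec) in parse_snapshot(snap).items():
            hits, best_enc, best_dec = seen.get(peer, (0, 0, 0))
            seen[peer] = (hits + 1, max(best_enc, enc), max(best_dec, dec))
    unused = sorted(set(configured) - set(seen))  # never seen with an SA up
    return seen, unused
```

A peer that never appears in any capture is only a candidate for removal; a tunnel that is up briefly between captures is still missed, which is why the syslog route is the more complete check.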

4 Replies

Philip D'Ath
VIP Alumni

The command is the same on an ASA as on an IOS router.

Hi Philip, thank you for the response.

Yes, the syntax of the command is identical, but it's the output from the ASA that is different.  On IOS devices, the output details every peer IP that is configured on the router... even if the tunnel is not in an Active state.  So, I would be able to see all encaps/decaps traffic for each configured crypto map entry.

The ASA is only providing output for the tunnels that are currently Active.

Perhaps I should give reasoning for my question, because there could be another way to find out what I need.  I am about to migrate to a newer ASA platform from the existing ASA, and I have been tasked with figuring out which configured peers are no longer being used.  Some of these peers have been on the device for several years & the config hasn't been cleaned up. 

My methodology was to clear the SA counters, then wait a couple of weeks and check to see which SAs had been utilized by issuing the command in question.  However, since the ASA is only showing me the statistics from the tunnels that are currently up at that specific time, I have no way of seeing if a tunnel that is currently down might have been used over that 2 week period.

I'm sure that there is another way of figuring this out, either through CLI or ASDM, but my experience with ASA is limited and I am learning this as I go.

Any help would be greatly appreciated, and thank you again for your time!

Regards,

CM


Thank you Philip... I was afraid this would be the case :(

At any rate, I will do the periodic "show crypto IPsec sa" you suggested & try to nail it down best I can.

Thank you very much for your input!!!!

CM
