12-15-2013 09:13 PM
Hi.
Is there any way to show connect by Easy VPN users?
12-15-2013 10:28 PM
Yeah, type this command:
sh cry ipse sa
This command shows you all the details: destination IP and username as well.
Example
asa# sh cry ipse sa
interface: outside
Crypto map tag: Outside_dyn_map, seq num: 10, local addr: x.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.50.3.0/255.255.255.255/0/0)
current_peer: x.x.x.x, username: User1 <--------------------------here is user name
dynamic allocated peer ip: 10.50.253.10
You can also see the peer:
sh cry isa sa
12-15-2013 11:21 PM
Thanks, but it doesn't contain the user in my output:
#show crypto ipsec sa interface gigabitEthernet 0/0 detail
interface: GigabitEthernet0/0
Crypto map tag: clientmap, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.11.52/255.255.255.255/0/0)
current_peer x.x.x.x port 8202
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 329, #pkts decrypt: 329, #pkts verify: 329
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x14ACEAD4(346876628)
inbound esp sas:
spi: 0x7940C6C7(2034288327)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3078, flow_id: NETGX:78, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4493592/3469)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x14ACEAD4(346876628)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3006, flow_id: NETGX:6, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4493672/3469)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
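Added example, not part of any post in this thread: a Python parser for "show crypto ipsec sa" text in the two formats posted above, reporting which entries carry a username field and which do not. The sample text is constructed from the thread's outputs with documentation addresses substituted for x.x.x.x, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the two outputs posted in this thread
# (documentation addresses substituted for x.x.x.x; not real device data).
ASA_SAMPLE = """\
interface: outside
    Crypto map tag: Outside_dyn_map, seq num: 10, local addr: 192.0.2.1
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.50.3.0/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: User1
      dynamic allocated peer ip: 10.50.253.10
"""
IOS_SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: clientmap, local addr 192.0.2.1
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.11.52/255.255.255.255/0/0)
   current_peer 198.51.100.9 port 8202
"""

REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
# The colon and the ", username: ..." part are optional, so both formats match.
PEER = re.compile(r"current_peer:?\s+([\d.]+)(?:,\s*username:\s*(\S+))?")
ASSIGNED = re.compile(r"dynamic allocated peer ip:\s*([\d.]+)")

def parse_ipsec_sa(text):
    """Return one dict per SA entry; username is None when the line has none."""
    entries, remote = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := REMOTE.search(line):
            remote = m.group(1)
        elif m := PEER.match(line):
            entries.append({"peer": m.group(1), "username": m.group(2),
                            "remote_ident": remote, "assigned_ip": None})
        elif (m := ASSIGNED.match(line)) and entries:
            entries[-1]["assigned_ip"] = m.group(1)
    return entries

def sessions_without_username(entries):
    """Entries whose output carried no username, as in the router output."""
    return [e for e in entries if e["username"] is None]

if __name__ == "__main__":
    for entry in parse_ipsec_sa(ASA_SAMPLE) + parse_ipsec_sa(IOS_SAMPLE):
        print(entry)
```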
12-16-2013 10:28 AM
I am not seeing this command on my 5510 ASA
asa# show crypto ipsec sa ?
assigned-address Show IPsec SAs for an assigned address
detail Show IPsec SA detail
entry Show IPsec SAs by entry
identity Show IPsec SAs by flow
map Show IPsec SAs by map
peer Show IPsec SAs for a peer
spi Show IPsec SAs for an SPI
summary Show IPsec SAs summary by types
user Show IPsec SAs for a user
| Output modifiers
12-16-2013 10:31 AM
If you are using a router, then try these commands:
•show crypto engine connections active: Shows the encrypted and decrypted packets.
•show crypto ipsec sa: Shows the phase 2 IPSec security associations for the hub.
•show crypto ipsec client ezvpn: Shows the phase 2 IPSec security associations for the EzVPN client.
•show crypto isakmp sa: Shows the phase 1 ISAKMP security associations.
12-16-2013 10:33 AM
Verification Command List:
12-17-2013 12:00 PM
Yes, I use a router. I will check it tomorrow and will answer.
Thank you)
12-18-2013 07:43 AM
I checked these commands. None of them showed me the name of the client.
12-18-2013 09:50 AM
Here you go. Finally, I have found that command.
sh crypto session
You can see all the details.
12-19-2013 10:45 AM
Yes, but even with the key "detailed" we don't see the user name:
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: x.x.x.x port 65393 fvrf: (none) ivrf: (none)
Phase1_id: vpnclient (the group name)
Desc: (none)
IKE SA: local x.x.x.x/4500 remote x.x.x.x/65393 Active
Capabilities:CXN connid:672 lifetime:23:59:21
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.11.56
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 41 drop 0 life (KB/Sec) 4478264/3568
Outbound: #pkts enc'ed 41 drop 0 life (KB/Sec) 4478262/3568