show vpn

The show vpn commands display information about the configured and runtime VPN parameters.

show vpn {statistics [verbose] | config [VPN number] | runtime [VPN number] | users [verbose] [orphans] [group=name | user=name] | partners [verbose] [orphans]}


Syntax Description

config [VPN number]

Displays the VPN configuration parameters for all interfaces. VPN number only displays information about the VPN port specified.


Note   If STEP configuration parameters have been set in the device, then you may issue either the show step config or the show vpn config command in order to display the STEP configuration. STEP is Cisco Systems' older, proprietary tunnel establishment protocol. STEP parameters are not recommended for new configurations, but if they have already been set in the device, they are supported.

users [verbose] [orphans] [group=name | user=name]

Displays information about currently active client connections.

  • verbose displays all available information for the connections.

  • orphans displays information about any orphaned connections. An orphaned connection is one that is taking up system resources, but that is dead. A connection might be orphaned because of a communications error or system error.

  • group=name only displays connections for users assigned to this group.

  • user=name only displays connections by the specified user.

partners [verbose] [orphans]

Displays information about currently active LAN-to-LAN tunnels.

  • verbose displays all available information about the connections.

  • orphans displays information about any orphan connections. An orphaned connection is one that is taking up system resources, but that is dead. A connection might be orphaned because of a communications error or system error.

statistics [verbose]

Displays VPN statistics. verbose displays additional statistics.

runtime [VPN number]

Displays the VPN parameters that are currently running in the device. VPN number only displays information about the VPN port specified.

Usage Guidelines

The following sections describe the display contents for each command.

show vpn config Display

The show vpn config display includes the following information. For modular models, the display includes a section for each module slot.


Note   Columns other than Iface and Tunnel Partner are only used for interfaces that currently have an active connection.

Iface

This is the name of the interface described, such as VPN 1 through the maximum number of connections. For LAN-to-LAN VPN, this is the name of the VPN tunnel connection described.

Tunnel Partner or Client

This is the IP address of the client computer, which is typically an address assigned by an Internet Service Provider. For LAN-to-LAN VPN connections, this is the statically assigned IP address of the tunnel partner.

BindTo Port

This is the port to which the client has connected. For LAN-to-LAN VPN, this is the port to which the tunnel partner has connected. The BindTo Port determines the IP address to which the client or the tunnel partner connects.

Auth

On indicates that each packet is digitally signed to prevent false or modified packets from entering the devices at either end of the tunnel.

Encrypt

This shows whether or not the tunnel session is encrypted.

User

Shows the name of the user connected to this tunnel.

show vpn users Display

The show vpn users display includes the following information. For modular models, the display includes a section for each module slot.

Port Number

The VPN port number to which the client is connected. You can use this port number with the reset vpn number command.

User

The name of the VPN user.

Group

The VPN group name.

Client Address

The IP address of the client computer, which is typically an address assigned by an Internet Service Provider.

Local Address

The tunnel IP address assigned to the user for routing on the destination network.

Connect Time

How long the user has been connected.

The verbose mode also includes the following information:

Auth/Encrypt

Shows the authentication protocol (for example, MD5 or SHA) and the encryption protocol (for example, 3DES or DES).

Port

The UDP port for the connection.

IPX

The IPX network number assigned to the user.

User Auth

The method of authentication, for example, shared key or cert.

Start

The start time and date of the user session.

Managed

The time the connection was last managed by the concentrator.

State

The state of the connection. For example, rmnt_init means the connection is being initialized, while rmnt_maintenance means the connection is being maintained.

show vpn partners Display

The show vpn partners display includes the following information. For modular models, the display includes a section for each module slot.

Port Number

The VPN port number to which the peer is connected. You can use this port number with the reset vpn number command.

Partner Address

The tunnel peer's IP address.

Partner Port

The UDP port for the connection.

Default Partner

Indicates Yes if the tunnel peer is connected to this concentrator's Tunnel Partner Default section instead of a specific Tunnel Partner section.

Bindto Address

The IP address used as the local endpoint of the tunnel.

Connect Time

How long the partners have been connected.

The verbose mode also includes the following information:

Auth/Encrypt

Shows the authentication protocol (for example, MD5 or SHA) and the encryption protocol (for example, 3DES or DES).

User Auth

The method of authentication, for example, shared key or cert.

Access

  • Static indicates that the tunnel is a standard IPSec tunnel using compatibility settings. A compatibility tunnel allows traffic to and from only one network. In this case, the display includes:

    • Local IP network

    • Peer IP network

  • Dynamic indicates that the tunnel is a VPN 5000-proprietary IPSec tunnel, which allows dynamic routing protocols, and therefore access to the entire LAN on both sides.

Start

The start time and date of the user session.

Managed

The time the connection was last managed by the concentrator.

State

The state of the connection. For example, rmnt_init means the connection is being initialized, while rmnt_maintenance means the connection is being maintained.

show vpn statistics Display

The show vpn statistics display includes the following information for Users, Partners, and the Total for both. For modular models, the display includes a section for each module slot.

Current Active

The current active connections.

In Negot

The currently negotiating connections.

High Water

The highest number of concurrent active connections since the last reboot.

Running Total

The total number of successful connections since the last reboot.

Tunnel Starts

The number of tunnel starts.

Tunnel OK

The number of tunnels for which there were no errors.

Tunnel Error

The number of tunnels with errors.

For verbose mode, the display includes ISAKMP negotiation statistics, and the following active connection statistics:

Wrapped

The total number of packets encapsulated. For the VPN 5000 concentrator, this is the number of packets sent to the client computer. For LAN-to-LAN VPN, this is the number of packets sent to the tunnel partner.

Unwrapped

The total number of packets de-encapsulated. For the VPN 5000 concentrator, this is the number of packets received by the VPN 5000 concentrator from the client computer. For LAN-to-LAN VPN, this is the number of packets received by the local device from the tunnel partner.

BadEncap

The number of packets found with bad encapsulation. This error is very unusual and probably indicates a version mismatch or perhaps deliberate misuse.

BadAuth

The number of packets where authentication failed. This usually indicates that the shared authentication secret is incorrect on one end of the tunnel.

BadEncrypt

The number of packets where encryption failed. This usually indicates that the shared encryption secret is incorrect on one end of the tunnel.

rx IP

The number of IP packets received.

rx IPX

The number of IPX packets received.

rx Apple

The number of AppleTalk packets received.

rx Other

The number of other packets received.

rx Err

The number of packets with errors received. This error is very unusual and probably indicates a version mismatch or perhaps deliberate misuse.

tx IP

The number of IP packets transmitted.

tx IPX

The number of IPX packets transmitted.

tx Apple

The number of AppleTalk packets transmitted.

tx Other

The number of other packets transmitted.

tx Err

The number of packets which could not be transmitted as IPSec packets. This error is very unusual and probably indicates a bad VPN configuration or possibly a problem with the device software.

IKE rekey

Reserved for future use.

Examples

The following sections show an example for each command.

show vpn users Example

The following example displays are for the show vpn users command:

> show vpn users
 
I/F  User            Group           Client          Local           Connect
                                     Address         Address         Time
----------------------------------------------------------------------------
61   marin           bikes           10.16.0.3       10.16.224.1     00:21:23:29
62   dynastar        skis            10.38.16.18     10.16.240.2     00:21:22:45
63   tua             skis            10.38.16.18     10.16.240.4     00:21:13:12
64   mercian         bikes           10.38.16.18     10.16.224.3     00:17:25:29
 
IOP slot 1:
 
I/F  User            Group           Client          Local           Connect
                                     Address         Address         Time
----------------------------------------------------------------------------
61   dynastar        skis            10.38.16.18     10.16.240.1     00:21:22:45
62   tua             skis            10.38.16.18     10.16.240.3     00:21:13:13
63   mercian         bikes           10.38.16.18     10.16.224.2     00:17:25:30
64   mercian         bikes           10.38.16.18     10.16.224.4     00:17:25:29
 
 
> show vpn users verbose group = bikes
 
I/F  User            Group           Client          Local           Connect
                                     Address         Address         Time
----------------------------------------------------------------------------
61   marin           bikes           10.16.0.3       10.16.224.1     00:21:20:51
     Auth/Encrypt:SHAe/DES Port:32769  Ipx:0      User Auth: Shared Key
     Start:5/16/2000-13:38:44 Managed:5/17/2000-10:58:44 State:imnt_maintenance
 
64   mercian         bikes           10.38.16.18     10.16.224.3     00:17:22:51
     Auth/Encrypt:SHAe/DES Port:1110   Ipx:0      User Auth: Shared Key
     Start:5/16/2000-17:36:44 Managed:5/17/2000-10:56:44 State:imnt_maintenance
 
 
IOP slot 1:
 
I/F  User            Group           Client          Local           Connect
                                     Address         Address         Time
----------------------------------------------------------------------------
63   mercian         bikes           10.38.16.18     10.16.224.2     00:17:22:52
     Auth/Encrypt:SHAe/DES Port:1109   Ipx:0      User Auth: Shared Key
     Start:5/16/2000-17:36:43 Managed:5/17/2000-10:56:43 State:imnt_maintenance
 
64   mercian         bikes           10.38.16.18     10.16.224.4     00:17:22:51
     Auth/Encrypt:SHAe/DES Port:1111   Ipx:0      User Auth: Shared Key
     Start:5/16/2000-17:36:44 Managed:5/17/2000-10:56:44 State:imnt_maintenance
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
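The users display above is a fixed-width table followed, in verbose mode, by two continuation lines per session. The following parser is an added example for this page, not Cisco code: it turns captured show vpn users verbose output into session records and reports two things a defender usually wants from it, sessions still negotiating single DES and accounts holding more than one concurrent session (the example shows one user on several ports). The sample output is constructed in the format documented above (the 3DES entry and the second group were added for illustration), and the label "main" for the first, unlabelled section is an assumption.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the "show vpn users verbose" layout documented on this
# page; names, addresses and timers are illustrative, not captured data.
SAMPLE_USERS_VERBOSE = """\
> show vpn users verbose

I/F  User            Group           Client          Local           Connect
                                     Address         Address         Time
----------------------------------------------------------------------------
61   marin           bikes           10.16.0.3       10.16.224.1     00:21:20:51
     Auth/Encrypt:SHAe/DES Port:32769  Ipx:0      User Auth: Shared Key
     Start:5/16/2000-13:38:44 Managed:5/17/2000-10:58:44 State:imnt_maintenance

62   dynastar        skis            10.38.16.18     10.16.240.2     00:21:22:45
     Auth/Encrypt:SHAe/3DES Port:1108   Ipx:0      User Auth: Shared Key
     Start:5/16/2000-13:40:01 Managed:5/17/2000-10:58:40 State:imnt_maintenance

64   mercian         bikes           10.38.16.18     10.16.224.3     00:17:22:51
     Auth/Encrypt:SHAe/3DES Port:1110   Ipx:0      User Auth: Shared Key
     Start:5/16/2000-17:36:44 Managed:5/17/2000-10:56:44 State:imnt_maintenance

IOP slot 1:

I/F  User            Group           Client          Local           Connect
                                     Address         Address         Time
----------------------------------------------------------------------------
63   mercian         bikes           10.38.16.18     10.16.224.2     00:17:22:52
     Auth/Encrypt:SHAe/DES Port:1109   Ipx:0      User Auth: Shared Key
     Start:5/16/2000-17:36:43 Managed:5/17/2000-10:56:43 State:imnt_maintenance
"""

# A session row: port, user, group, client address, local address, connect time.
ROW_RE = re.compile(
    r"^(?P<port>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<client>\d+\.\d+\.\d+\.\d+)\s+(?P<local>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<connect>[\d:]+)\s*$"
)
SLOT_RE = re.compile(r"^IOP slot (\d+):")
AUTH_RE = re.compile(
    r"Auth/Encrypt:\s*(?P<auth>[^/\s]+)/(?P<enc>\S+)\s+Port:\s*(?P<udp>\d+)\s+"
    r"Ipx:\s*(?P<ipx>\S+)\s+User Auth:\s*(?P<uauth>.*?)\s*$"
)
STATE_RE = re.compile(r"Start:(?P<start>\S+)\s+Managed:(?P<managed>\S+)\s+State:(?P<state>\S+)")

@dataclass
class Session:
    slot: str
    port: int
    user: str
    group: str
    client: str
    local: str
    connect: str
    auth: str = ""
    enc: str = ""
    udp_port: int = 0
    user_auth: str = ""
    state: str = ""

def parse_users(text):
    """Parse show vpn users [verbose] output into Session records."""
    sessions = []
    slot = "main"      # assumption: the first, unlabelled section is the main processor
    current = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot, current = f"IOP{m.group(1)}", None
            continue
        m = ROW_RE.match(line)
        if m:
            current = Session(slot, int(m["port"]), m["user"], m["group"],
                              m["client"], m["local"], m["connect"])
            sessions.append(current)
            continue
        if current is None:      # header, ruler or prompt line
            continue
        m = AUTH_RE.search(line)  # first verbose continuation line
        if m:
            current.auth, current.enc = m["auth"], m["enc"]
            current.udp_port, current.user_auth = int(m["udp"]), m["uauth"]
            continue
        m = STATE_RE.search(line)  # second verbose continuation line
        if m:
            current.state = m["state"]
    return sessions

# Reviewer's choice, not a setting on the concentrator: single DES is the
# weakest cipher the page lists and is flagged wherever it was negotiated.
WEAK_CIPHERS = {"DES"}

def review(sessions):
    """Return findings: weak ciphers and users with several concurrent sessions."""
    findings = []
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s.user].append(s)
        if s.enc in WEAK_CIPHERS:
            findings.append(f"port {s.port} ({s.slot}): user {s.user} negotiated {s.auth}/{s.enc}")
    for user, ss in per_user.items():
        if len(ss) > 1:
            ports = ", ".join(f"{s.slot}:{s.port}" for s in ss)
            findings.append(f"user {user} has {len(ss)} concurrent sessions ({ports})")
    return findings

def summarize(sessions):
    """Active sessions per VPN group."""
    return dict(Counter(s.group for s in sessions))

if __name__ == "__main__":
    found = parse_users(SAMPLE_USERS_VERBOSE)
    print(summarize(found))
    for line in review(found):
        print(line)
```

The port number in each finding is the one the page says can be handed to reset vpn number, so the output maps directly onto the operator's next step.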

show vpn partners Example

The following example displays are for the show vpn partners command:

> show vpn partners
 
I/F  Partner         Partner  Default  Bindto          Connect
     Address         Port     Partner  Address         Time
--------------------------------------------------------------
59   10.16.0.2       500      Yes      10.16.0.4       00:20:58:47
60   10.16.0.2       500      Yes      10.16.0.4       00:20:58:47
 
IOP slot 1:
 
I/F  Partner         Partner  Default  Bindto          Connect
     Address         Port     Partner  Address         Time
--------------------------------------------------------------
59   10.16.0.2       500      Yes      10.16.0.4       00:20:58:48
60   10.16.0.2       500      Yes      10.16.0.4       00:20:58:48
 
 
> show vpn partners verbose
 
I/F  Partner         Partner  Default  Bindto          Connect
     Address         Port     Partner  Address         Time
--------------------------------------------------------------
59   10.16.0.2       500      Yes      10.16.0.4       00:20:59:19
     Auth/Encrypt: SHAe/DES  User Auth: Shared Key
     Access: Dynamic 
     Start:5/16/2000-14:04:38 Managed:5/17/2000-11:03:38 State:rmnt_maintenance
 
60   10.16.0.2       500      Yes      10.16.0.4       00:20:59:19
     Auth/Encrypt: SHAe/DES  User Auth: Shared Key
     Access: Dynamic 
     Start:5/16/2000-14:04:38 Managed:5/17/2000-11:03:38 State:rmnt_maintenance
 
 
IOP slot 1:
 
I/F  Partner         Partner  Default  Bindto          Connect
     Address         Port     Partner  Address         Time
--------------------------------------------------------------
59   10.16.0.2       500      Yes      10.16.0.4       00:20:59:19
     Auth/Encrypt: SHAe/DES  User Auth: Shared Key
     Access: Dynamic 
     Start:5/16/2000-14:04:37 Managed:5/17/2000-11:03:37 State:rmnt_maintenance
 
60   10.16.0.2       500      Yes      10.16.0.4       00:20:59:19
     Auth/Encrypt: SHAe/DES  User Auth: Shared Key
     Access: Dynamic 
     Start:5/16/2000-14:04:37 Managed:5/17/2000-11:03:37 State:rmnt_maintenance
 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

show vpn statistics Example

The following example displays are for the show vpn statistics command:

CRC IPC> show vpn statistics
          Current  In       High     Running  Script   Script   Script  
          Active   Negot    Water    Total    Starts   OK       Error   
          --------------------------------------------------------------
Users     4        0        4        4        4        0        0        
Partners  2        0        2        6        6        4        0        
Total     6        0        6        10       10       4        0        
 
IOP slot 1:
          Current  In       High     Running  Script   Script   Script  
          Active   Negot    Water    Total    Starts   OK       Error   
          --------------------------------------------------------------
Users     4        0        4        4        4        0        0        
Partners  2        0        2        6        6        4        0        
Total     6        0        6        10       10       4        0        
 
> show vpn stats verbose
          Current  In       High     Running  Script   Script   Script  
          Active   Negot    Water    Total    Starts   OK       Error   
          --------------------------------------------------------------
Users     0        0        0        0        0        0        0        
Partners  2        0        2        2        2        0        0        
Total     2        0        2        2        2        0        0        
 
Stats             VPN1:0      VPN1:1
Wrapped                0           0
Unwrapped           1392        1392
BadEncap               0           0
BadAuth                0           0
BadEncrypt             0           0
rx IP               1392        1392
rx IPX                 0           0
rx Other               0           0
tx IP                  0           0
tx IPX                 0           0
tx Other               0           0
IKE rekey              0           0
 
Input VPN pkts dropped due to no SA: 2
 
Input VPN pkts dropped due to no free queue entries: 0
 
ISAKMP Negotiation stats
Admin packets in        2794
Fastswitch packets in   2018
No cookie found         0
Can't insert cookie     0
Inserted cookie         4
Forwarded to RP         0
Forwarded to IOP        0
Bad UDP checksum        0
Not fastswitched        0
Bad negotiation packet  0
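The Usage Guidelines above give a meaning to each error counter in the verbose statistics display (BadEncap and rx Err point at a version mismatch or deliberate misuse, BadAuth and BadEncrypt at a wrong shared secret on one end, tx Err at a bad configuration or software problem). The following is an added example for this page, not Cisco code: it parses captured show vpn stats verbose output into counters and reports every counter whose non-zero value the page flags, using the page's own interpretation as the finding text. The sample output is constructed in the layout shown above, with a few counters deliberately set non-zero; note that the summary columns the guidelines call Tunnel Starts/OK/Error are labelled Script in the example output, so the code names them by position.

```python
import re

# Constructed sample in the "show vpn stats verbose" layout documented on this
# page; the counters are illustrative (BadAuth, Script Error, the no-SA drop
# counter and Bad negotiation packet were set non-zero on purpose).
SAMPLE_STATS_VERBOSE = """\
> show vpn stats verbose
          Current  In       High     Running  Script   Script   Script
          Active   Negot    Water    Total    Starts   OK       Error
          --------------------------------------------------------------
Users     1        0        1        3        3        2        1
Partners  2        0        2        2        2        0        0
Total     3        0        3        5        5        2        1

Stats             VPN1:0      VPN1:1
Wrapped              810           0
Unwrapped           1392        1392
BadEncap               0           0
BadAuth                0           3
BadEncrypt             0           0
rx IP               1392        1389
rx IPX                 0           0
rx Other               0           0
rx Err                 0           0
tx IP                810           0
tx IPX                 0           0
tx Other               0           0
tx Err                 0           0
IKE rekey              0           0

Input VPN pkts dropped due to no SA: 2

Input VPN pkts dropped due to no free queue entries: 0

ISAKMP Negotiation stats
Admin packets in        2794
Fastswitch packets in   2018
No cookie found         0
Can't insert cookie     0
Inserted cookie         4
Forwarded to RP         0
Forwarded to IOP        0
Bad UDP checksum        0
Not fastswitched        0
Bad negotiation packet  1
"""

# A label (which may contain spaces) followed by one or more integer columns.
COUNTER_RE = re.compile(r"^(?P<name>[^\d]+?):?\s+(?P<vals>\d+(?:\s+\d+)*)\s*$")
STATS_HDR_RE = re.compile(r"^Stats\s+(?P<cols>.+?)\s*$")

def parse_stats(text):
    """Return (per-port column names, {row label: [int, ...]}).

    Row labels are unique across the display's sections, so one dict holds the
    summary table, the per-port table, the drop lines and the ISAKMP counters."""
    columns, counters = [], {}
    for line in text.splitlines():
        m = STATS_HDR_RE.match(line)
        if m:
            columns = m["cols"].split()   # e.g. ["VPN1:0", "VPN1:1"]
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[m["name"].strip().rstrip(":")] = [int(v) for v in m["vals"].split()]
    return columns, counters

# Per-port counters the page flags, with the interpretation it gives them.
PER_PORT_ALERTS = {
    "BadEncap":   "bad encapsulation: version mismatch or possibly deliberate misuse",
    "BadAuth":    "authentication failed: shared authentication secret likely wrong on one end",
    "BadEncrypt": "encryption failed: shared encryption secret likely wrong on one end",
    "rx Err":     "receive errors: version mismatch or possibly deliberate misuse",
    "tx Err":     "could not be sent as IPSec: bad VPN configuration or software problem",
}
# Summary columns by position, named as in the Usage Guidelines.
SUMMARY_COLS = ["Current Active", "In Negot", "High Water", "Running Total",
                "Tunnel Starts", "Tunnel OK", "Tunnel Error"]
# ISAKMP counters whose label itself denotes an error.
ISAKMP_ALERTS = ["Bad UDP checksum", "Bad negotiation packet"]

def review_stats(columns, counters):
    """Return one finding per flagged counter that is non-zero."""
    findings = []
    for name, why in PER_PORT_ALERTS.items():
        for col, val in zip(columns, counters.get(name, [])):
            if val:
                findings.append(f"{col} {name}={val}: {why}")
    err_idx = SUMMARY_COLS.index("Tunnel Error")
    for row in ("Users", "Partners"):
        vals = counters.get(row, [])
        if len(vals) > err_idx and vals[err_idx]:
            findings.append(f"{row}: {vals[err_idx]} tunnel(s) with errors since last reboot")
    for name in ISAKMP_ALERTS:
        if counters.get(name, [0])[0]:
            findings.append(f"ISAKMP {name}={counters[name][0]}")
    for name, vals in counters.items():
        if name.startswith("Input VPN pkts dropped") and vals[0]:
            findings.append(f"{name}={vals[0]}")
    return findings

if __name__ == "__main__":
    cols, ctrs = parse_stats(SAMPLE_STATS_VERBOSE)
    for line in review_stats(cols, ctrs):
        print(line)
```

Because BadAuth and BadEncrypt are cumulative since the last reboot, a useful monitor keeps the previous snapshot and reports the delta; a counter that keeps climbing on one port while the peer's configuration has not changed is the case the page describes as worth investigating.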

show vpn runtime Example

The following is the output from a show vpn runtime command:

Iface  Tunnel                BindTo   Auth  Encrypt User
       Partner               Port
VPN0  192.168.22.33         Ether0   On    None    Harold
VPN1  10.123.234.98         Ether0   On    Fixed   Maude
VPN2  Waiting for Client Connection
VPN3  Waiting for Client Connection
VPN4  Waiting for Client Connection
VPN5  Waiting for Client Connection
VPN6  Waiting for Client Connection
VPN7  Waiting for Client Connection

show vpn config Example

The following is the output from the show vpn config command:

Iface  Client
VPN0  192.168.22.33            
VPN1  10.123.234.98           
VPN2  Waiting for Client Connection
VPN3  Waiting for Client Connection
VPN4  Waiting for Client Connection
VPN5  Waiting for Client Connection
VPN6  Waiting for Client Connection
VPN7  Waiting for Client Connection

Related Commands

Command Description

configure VPN Group

Configures the VPN group parameters

edit config VPN Users

Creates a user list for VPN authentication


Posted: Wed Sep 27 11:51:33 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.