ONTAP 9.12.1 commands

  • security ipsec show-ipsecsa

    Show IPsec SA Information

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The security ipsec show-ipsecsa command displays information about IPsec Security Associations (SA).

    Running the command with the -node parameter displays information relevant to IPsec SAs at the specified node.

    Running this command with the -vserver parameter displays information relevant to IPsec SAs associated with the specified vserver.

    Running this command with the -policy-name parameter displays information relevant to IPsec SAs created using the specified security policy.

    You can specify additional parameters to display only information matching those parameters. For example, to display only the IPsec SAs for a certain local address, run the command with the -local-address parameter.

    Parameters

    { [-fields <fieldname>,…]

    If you specify the -fields <fieldname>,… parameter, the command displays only the specified fields. Note that key fields are always displayed.

    | [-instance ] }

    If you specify the -instance parameter, the command displays all fields of matching IPsec SAs.

    -node <nodename> - Node

    This required parameter specifies from which node the IPsec SA information will be collected and displayed.

    [-vserver <vserver name>] - Vserver Name

    Use this parameter to display the IPsec SAs associated with the specified Vserver.

    [-policy-name <text>] - Policy Name

    Use this parameter to display the IPsec SAs created based on the specified security policy.

    [-local-address <text>] - Local Address

    Use this parameter to display the IPsec SAs with the specified local endpoint IP address.

    [-remote-address <text>] - Remote Address

    Use this parameter to display the IPsec SAs with the specified remote endpoint IP address.

    [-inbound-spi <text>] - Inbound SPI

    Use this parameter to display the IPsec SA having the specified inbound Security Parameter Index (SPI).

    [-outbound-spi <text>] - Outbound SPI

    Use this parameter to display the IPsec SA having the specified outbound SPI.

    [-action <IPsec Action Type>] - IPsec Action

    Use this parameter to display IPsec SAs with the specified security action type, such as ESP_TRA for ESP transport mode protection, BYPASS to bypass IPsec, or DISCARD.

    [-state <text>] - IPsec SA State

    Use this parameter to display only the IPsec SAs that are in the specified state.

    [-cipher-suite <Cipher Suite Type>] - Cipher Suite

    Use this parameter to display the IPsec SAs that use the specified cipher-suite.

    [-ib-bytes <integer>] - Inbound Bytes Processed

    Use this parameter to display the IPsec SAs matching the processed inbound bytes. Note that ib-bytes keeps changing as inbound packets are processed.

    [-ib-pkts <integer>] - Inbound Pkts Processed

    Use this parameter to display the IPsec SAs matching the processed inbound packets. Note that ib-pkts keeps changing as inbound packets are processed.

    [-ob-bytes <integer>] - Outbound Bytes Processed

    Use this parameter to display the IPsec SAs matching the processed outbound bytes. Note that ob-bytes keeps changing as outbound packets are processed.

    [-ob-pkts <integer>] - Outbound Pkts Processed

    Use this parameter to display the IPsec SAs matching the processed outbound packets. Note that ob-pkts keeps changing as outbound packets are processed.

    [-lifetime <integer>] - IPsec SA Lifetime Seconds

    Use this parameter to display the IPsec SAs matching the remaining lifetime. Note that lifetime keeps changing for the duration of the security association.

    Examples

    This example displays all IPsec SAs for node cluster1-node1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1
                Policy  Local           Remote          Inbound  Outbound
    Vserver     Name    Address         Address         SPI      SPI      State
    ----------- ------- --------------- --------------- -------- -------- ---------
    vs1         Policy1
                        192.186.10.1    192.186.10.2    c68de9db c84f913b INSTALLED
    vs2         Policy2
                        192.186.20.1    192.186.20.2    cbc01493 c6ee7424 INSTALLED
    2 entries were displayed.

    This example displays selected fields of all IPsec SAs for node cluster1-node1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields local-address,remote-address,inbound-spi,outbound-spi
    node           vserver policy-name local-address  remote-address inbound-spi outbound-spi
    -------------- ------- ----------- -------------- -------------- ----------- ------------
    cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    c84f913b
    cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    c6ee7424
    2 entries were displayed.

    This example displays selected fields of all IPsec SAs associated with node cluster1-node1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields ib-bytes,ib-pkts,ob-bytes,ob-pkts
    node           vserver policy-name local-address  remote-address inbound-spi ib-bytes ib-pkts ob-bytes ob-pkts
    -------------- ------- ----------- -------------- -------------- ----------- -------- ------- -------- -------
    cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    4704     56      6720     56
    cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    20434    115     23082    120
    2 entries were displayed.

    This example displays instance view (all fields) for all IPsec SAs associated with node cluster1-node1, vserver vs1 and created using policy Policy1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance
                             Node: cluster1-node1
                 Vserver Name: vs1
                  Policy Name: Policy1
                  Inbound SPI: c68de9db
                 Outbound SPI: c84f913b
                Local Address: 192.168.10.1
               Remote Address: 192.168.10.2
                 IPsec Action: ESP_TRA
               IPsec SA State: INSTALLED
                 Cipher Suite: SUITEB_GCM256
      Inbound Bytes Processed: 4704
       Inbound Pkts Processed: 56
     Outbound Bytes Processed: 6720
      Outbound Pkts Processed: 56
    IPsec SA Lifetime Seconds: 1800
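
A defender-side check built on the -fields table layout shown above, as an added example that is not part of the original ONTAP documentation: it slices columns at the dashed ruler and flags SAs whose action, state or cipher suite differs from what is expected. The sample table, the function names and the single-suite allowlist are assumptions made for the example.

```python
import re

# Constructed sample modelled on the page's -fields examples; the action, state
# and cipher-suite values are illustrative, not captured output.
SAMPLE = """\
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields action,state,cipher-suite
node           vserver policy-name local-address  remote-address inbound-spi action  state     cipher-suite
-------------- ------- ----------- -------------- -------------- ----------- ------- --------- -------------
cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    ESP_TRA INSTALLED SUITEB_GCM256
cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    ESP_TRA INSTALLED SUITE_AESCBC
2 entries were displayed.
"""
# Assumption: site policy accepts only the suite shown on the page.
ALLOWED_SUITES = frozenset({"SUITEB_GCM256"})


def parse_fields_table(text):
    """Parse `-fields` output into dicts, slicing columns at the dashed ruler."""
    lines = text.splitlines()
    # The ruler is the first line consisting only of dash runs and spaces.
    ruler = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+( +-+)*", l.strip()))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))
    cut = lambda line: [line[a:b].strip() for a, b in bounds]
    names, rows = cut(lines[ruler - 1]), []
    for line in lines[ruler + 1:]:
        if not line.strip() or line.rstrip().endswith("displayed."):
            break  # blank line or the "N entries were displayed." trailer
        rows.append(dict(zip(names, cut(line))))
    return rows


def audit_sa(sa, allowed_suites=ALLOWED_SUITES):
    """Return findings for one SA record; an empty list means nothing to flag."""
    checks = [
        ("action", sa.get("action") == "ESP_TRA", "is not ESP transport protection"),
        ("state", sa.get("state") == "INSTALLED", "is not INSTALLED"),
        ("cipher-suite", sa.get("cipher-suite") in allowed_suites, "is not in the allowlist"),
    ]
    return [f"{k} {sa.get(k)!r} {why}" for k, ok, why in checks if not ok]


def audit_output(text, allowed_suites=ALLOWED_SUITES):
    """Return {(vserver, policy-name, inbound-spi): findings} for flagged SAs."""
    audited = ((sa, audit_sa(sa, allowed_suites)) for sa in parse_fields_table(text))
    return {(sa["vserver"], sa["policy-name"], sa["inbound-spi"]): found
            for sa, found in audited if found}
```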