Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ADSM stats versus "sho ipsec SA summary"

Ok- I am confused and I hate it when that happens!

When I look at our ASA CLI with a "sho ipsec SA summary" I get this:

Current IPSec SA's:

IPSec : 54

IPSec over UDP : 702

IPSec over NAT-T : 64

IPSec over TCP : 908

IPSec VPN LB : 0

Total : 1728

However, at this same exact moment in time, the ADSM reports 862 IPSec sessions

What am I missing here? why are these numbers so different? Seems like the total number of IPSec sessions should be the sum of the TCP, UDP and NAT-T sessions..

Thanks to anyone who can sort this out!


New Member

Re: ADSM stats versus "sho ipsec SA summary"

Use show failover command to troubleshoot your issues. The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics. The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The "xerr" and "rerr" values do not indicate errors in failover, but rather the number of packet transmit or receive errors.

New Member

Re: ADSM stats versus "sho ipsec SA summary"

M.singer - I think you replied to the wrong case.

Your comments have nothing to do with the question I raised.


Hall of Fame Super Silver

Re: ADSM stats versus "sho ipsec SA summary"


I believe that I have an explanation that comes pretty close. In the figures that are in your original post the total number of IPSec SAs is 1728. When you consider that an IPSec SA is unidirectional there are 2 SAs for each IPSec session. So divide the number of SAs (1728) by 2 and you get 864.

Given the difficulty of truly executing 2 commands at the exact same instant I believe that it is reasonable that 2 sessions may have stopped (or 2 sessions started) between execution of the first command and execution of the second command which would explain the 864 from one command and 862 from the other.



New Member

Re: ADSM stats versus "sho ipsec SA summary"

Thanks Rick - I'll buy that explaination.

That makes perfect sense, and I agree that with so many sessions my two reports could be off by one or two.

I really appreciate your response-- I do like to understand what it is I am looking at.

Thanks again-Lynne