Solved

How to determine Cisco 2811 VPN up time

Posted on 2011-09-12
Last Modified: 2012-05-12
How do I determine how long a VPN tunnel has been up for on a Cisco 2811 router? I have gone through the sh crypto commands but cannot find how to see how long the tunnel's been up. I'm troubleshooting what I suspect is an issue with the tunnel dropping periodically, causing an issue. It does auto-connect, so it is up when I hear reports of a problem, but there's an application that crashes on the other end and I suspect it's due to this.
Question by:B1izzard
24 Comments
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36524190
If you set up a syslog, you can perfectly find out when a tunnel goes up or down.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36524194
Checking the log file (show log) should give you a principle idea ... if you have too many log entries, increase the log size ("logging buffered 65536") or send the logs to a syslog server ... no other "show" commands that would list the age of a connection I'm aware of ...
 
LVL 17

Expert Comment

by:Garry-G
ID: 36524197
Also, you could enable snmp traps to an NMS for more instant notification when a tunnel goes down ...
 
LVL 17

Expert Comment

by:rochey2009
ID: 36526314
Hi,

show crypto session detail

will show you the tunnel uptime.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36527157
rochey2009: if you're talking about the "lifetime" field on either your command or "show crypto isa sa detail":

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 93.189.x.x port 500 fvrf: (none) ivrf: MINE
      Phase1_id: 93.189.x.x
      Desc: (none)
  IKE SA: local 195.8.x.x/500 remote 93.189.x.x/500 Active
          Capabilities:D connid:13 lifetime:02:31:26


you're wrong ... that's the remaining maximum time for that SA before the key is switched ... do the show command twice in a row, and you'll see it is counting down ...
 

Author Comment

by:B1izzard
ID: 36527488
Syslog is already set up. I would prefer to not have to weed through logging to try to reconstruct how long it's been up. I was hoping there was an easy way to find out this information from the console. Perhaps SNMP makes sense if no other alternative exists.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36527517
If you have the logs, and know the approximate time of the app crash, it should be rather easy to grep the area of the logs to find whether the VPN session had been down at that time or not. Of course if you had an NMS with a constant up-to-date state information on the tunnels, it would be a whole lot easier ;)
Anyway, have you checked into why the VPN is giving you problems to start off with? Are you running Cisco on the remote site too? Some boxes may disconnect VPN sessions if they run into a timeout due to low usage. Maybe looking at the logs at the time when it actually disconnects can help you not only pinpoint the app crash to the missing VPN, but rather find the reason WHY it is missing ... which appears to be even more important ;)
 
LVL 17

Expert Comment

by:MAG03
ID: 36527610
The key lifetime is the best you will get. In essence it is the life of the VPN tunnel. When the key expires the VPN tunnel is brought down and a new exchange takes place. Default is 24 hours.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36527644
When the key expires, either due to time of life or amount of data transferred, the tunnel should not be dropped, at least not noticeably for any application apart from a short delay ... (though I guess a couple of UDP or ICMP packets might get dropped in that short interval). If your app uses TCP, it should handle anything that might occur ...
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528021
No, I wasn't talking about "show crypto isa sa detail".

The command I was talking about is:

show crypto session detail
 
LVL 17

Expert Comment

by:Garry-G
ID: 36528079
... which also only gives the remaining lifetime, as I stated above ...
 
LVL 3

Expert Comment

by:sameer_dubey
ID: 36528080
From CISCO-ENHANCED-IPSEC-FLOW-MIB, I guess monitoring ceipSecTunActiveTime object should get what you want?

If this MIB is not supported by your router, try similar objects from CISCO-IPSEC-FLOW-MONITOR-MIB.
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528611
It shows as Uptime:

show crypto session detail
    Crypto session current status
     
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
     
    Interface: Tunnel0
    Session status: DOWN-NEGOTIATING
    Peer: 144.232.148.30 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IKE SA: local 64.81.93.114/500 remote 144.232.148.30/500 Inactive
              Capabilities:(none) connid:0 lifetime:0
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 92510 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 150997 drop 0 life (KB/Sec) 0/0
     
    Interface: Tunnel1
    Uptime: 19:21:39
    Session status: UP-ACTIVE
    Peer: 65.60.116.66 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 65.60.116.66
          Desc: (none)
      IKE SA: local 64.81.93.114/500 remote 65.60.116.66/500 Active
              Capabilities:D connid:1003 lifetime:04:38:19
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 54405 drop 0 life (KB/Sec) 4440500/3216
            Outbound: #pkts enc'ed 56689 drop 0 life (KB/Sec) 4440486/3216
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528623
show crypto session brief or show crypto session detail

brief
(Optional) Provides brief information about the session, such as the peer IP address, interface, username, group name/phase1 ID, length of session uptime, and current session status (up/down).

detail
(Optional) Provides more detailed information about the session, such as the capability of the Internet Key Exchange (IKE) security association (SA), connection ID, remaining lifetime of the IKE SA, inbound or outbound encrypted or decrypted packet number of the IP security (IPsec) flow, dropped packet number, and kilobyte-per-second lifetime of the IPsec SA.
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528633
from cisco:

"show crypto session detail" has another field, uptime, which signifies the time elapsed since the first IPsec session was created.
 
LVL 17

Expert Comment

by:Garry-G
ID: 36528659
True, the "brief" option seems to show the uptime indeed, which I couldn't test/find, as all the boxes I have available do not have that option (couldn't find from which version IOS it's available) - but as you quote yourself for the "detail" option, the time shown is the "remaining lifetime" ...

So, yes, "show crypto session brief" is what B1izzard is looking for ...
 
LVL 17

Accepted Solution

by:rochey2009
rochey2009 earned 175 total points
ID: 36528741
show crypto session brief, came with version 12.4(11)T
 
LVL 17

Assisted Solution

by:MAG03
MAG03 earned 150 total points
ID: 36529199
The show crypto session brief command will only show the session uptime, that is to say how long traffic has been actively crossing the VPN. If there is no activity across the VPN for a while the session will be dropped and that counter will be set to zero again. To me it sounded like you wanted an uptime from when it was first configured? That you will not be able to find.

But as mentioned the show crypto session brief will show the uptime of the current session since traffic was last initiated.
 

Author Comment

by:B1izzard
ID: 36531093
I only have the following, but no 'brief'.  We're on 12.4(3c):
2811#sh crypto session ?
  detail   detailed output
  fvrf     Front-door VRF
  groups   show all connected groups usage
  ivrf     Inside VRF
  local    Show crypto sessions for a local crypto endpoint
  remote   Show crypto sessions for a remote IKE peer
  summary  show groups and their members
  |        Output modifiers
  <cr>
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 175 total points
ID: 36531115
See above, you'd need a 12.4T train, or higher (not sure if 15.x is available for the aged 2600) ... so I reckon you're back to syslog after all ...
 
LVL 17

Expert Comment

by:Garry-G
ID: 36531119
(or SNMP)
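Since the thread ends up recommending syslog for an IOS release without "show crypto session brief", here is an added example (not from the thread or from Cisco) that reconstructs tunnel uptime and outages from the log instead of reading it by hand. It assumes the log server stores IOS "%CRYPTO-5-SESSION_STATUS" lines in the format shown in the constructed sample; the exact message wording and the LINE_RE pattern are assumptions to adapt to your own logs.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the thread). The wording is assumed to match
# what IOS logs with "crypto logging session"; adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
Sep 12 08:15:02 router1 101: Sep 12 08:15:01: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 198.51.100.7:500 Id: 198.51.100.7
Sep 12 09:00:00 router1 102: Sep 12 08:59:59: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 203.0.113.9:500 Id: 203.0.113.9
Sep 12 14:02:10 router1 103: Sep 12 14:02:09: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 198.51.100.7:500 Id: 198.51.100.7
Sep 12 14:02:40 router1 104: Sep 12 14:02:39: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 198.51.100.7:500 Id: 198.51.100.7
"""

# Capture the router's own timestamp (after the sequence number), not the server's receive time.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ \d+: (?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d): "
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\. "
    r"Peer (?P<peer>\d+\.\d+\.\d+\.\d+):\d+"
)

def parse_events(text, year=2011):  # syslog lines carry no year; caller supplies it
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["peer"], m["state"]))
    return sorted(events)

def state_at(events, peer, when):
    """Last known (state, since) for peer at time 'when', or (None, None)."""
    state, since = None, None
    for ts, p, s in events:
        if p == peer and ts <= when:
            state, since = s, ts
    return state, since

def uptime(events, peer, now):
    """Seconds since the last UP transition, or None if the tunnel is DOWN."""
    state, since = state_at(events, peer, now)
    return (now - since).total_seconds() if state == "UP" else None

def outages(events, peer):
    """(down_at, up_at) pairs for peer; up_at is None if it has not come back."""
    out = []
    for ts, p, s in events:
        if p != peer:
            continue
        if s == "DOWN":
            out.append((ts, None))
        elif out and out[-1][1] is None:
            out[-1] = (out[-1][0], ts)
    return out
```

Feed state_at() the time of the application crash to see whether the tunnel was down at that moment, and outages() gives every drop and its duration without scrolling through the buffer.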
 
LVL 17

Expert Comment

by:rochey2009
ID: 36532253
What's at the other end of the tunnel?
 

Author Comment

by:B1izzard
ID: 36539828
I believe it's a Cisco Concentrator, but I have no visibility into that network.  
 

Author Closing Comment

by:B1izzard
ID: 37133633
Thanks.