Solved

How to determine Cisco 2811 VPN up time

Posted on 2011-09-12
Medium Priority
6,072 Views
Last Modified: 2012-05-12
How do I determine how long a VPN Tunnel has been up for on a Cisco 2811 router?  I have gone through the sh crypto commands but cannot find how to see how long the tunnels been up.  I'm troubleshooting what I suspect as an issue with the tunnel dropping periodically causing an issue.  It does auto connect, so it is up when I hear reports of a problem, but there's an application that crashes on the other end and I suspect it's due to this.  
Question by:B1izzard
24 Comments
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36524190
if you set up a syslog, you can perfectly find out when a tunnel goes up or down
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36524194
Checking the log file (show log) should give you a principle idea ... if you have too many log entries, increase the log size ("logging buffered 65536") or send the logs to a syslog server ... no other "show" commands that would list the age of connection I'm aware of ...
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36524197
Also, you could enable snmp traps to an NMS for more instant notification when a tunnel goes down ...
 
LVL 17

Expert Comment

by:rochey2009
ID: 36526314
Hi,

show crypto session detail

will show you the tunnel uptime.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36527157
rochey2009: if you're talking about the "lifetime" field on either your command or "show crypto isa sa detail":

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 93.189.x.x port 500 fvrf: (none) ivrf: MINE
      Phase1_id: 93.189.x.x
      Desc: (none)
  IKE SA: local 195.8.x.x/500 remote 93.189.x.x/500 Active
          Capabilities:D connid:13 lifetime:02:31:26

you're wrong ... that's the remaining maximum time for that SA before the key is switched ... do the show command twice in a row, and you'll see it is counting down ...
 

Author Comment

by:B1izzard
ID: 36527488
Syslog is already setup.  I would prefer to not have to weed through logging to try to reconstruct how long it's been up.  I was hoping there was an easy way to find out this information from the console.   Perhaps SNMP makes sense if no other alternative exists.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36527517
If you have the logs, and know the approximate time of the app crash, it should be rather easy to grep the area of the logs to find whether the VPN session had been down at that time or not. Of course if you had an NMS with a constant up-to-date state information on the tunnels, it would be a whole lot easier ;)
Anyway, have you checked into why the VPN is giving you problems to start off with? Are you running Cisco on the remote site too? Some boxes may disconnect VPN sessions if they run into a timeout due to low usage. Maybe looking at the logs at the time when it actually disconnects can help you not only pinpoint the app crash to the missing VPN, but rather find the reason WHY it is missing ... which appears to be even more important ;)
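The log-grepping approach Garry Glendown describes above can be automated. The following is an added example, not code from the thread or from Cisco: it parses constructed syslog lines (modeled on the IOS %CRYPTO-5-SESSION_STATUS up/down notification that `crypto logging session` produces; the exact spacing varies by release) into tunnel events, then answers the two questions the author actually has: was the tunnel down at the moment the application crashed, and how long had the current session been up at that moment. The router name, peer address and the 2011 log year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the thread). The up/down messages are modeled
# on the IOS "%CRYPTO-5-SESSION_STATUS" notification; spacing around "." and "Peer" varies
# between IOS releases, so EVENT_RE is deliberately tolerant about it.
SYSLOG_LINES = [
    "Sep 12 05:58:31 rtr01 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Sep 12 06:00:00 rtr01 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 203.0.113.10:500       Id: 203.0.113.10",
    "Sep 12 09:15:10 rtr01 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 203.0.113.10:500       Id: 203.0.113.10",
    "Sep 12 09:15:30 rtr01 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up",
    "Sep 12 09:15:42 rtr01 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 203.0.113.10:500       Id: 203.0.113.10",
    "Sep 12 13:40:05 rtr01 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 203.0.113.10:500       Id: 203.0.113.10",
    "Sep 12 13:41:00 rtr01 %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 203.0.113.10:500       Id: 203.0.113.10",
]

LOG_YEAR = 2011  # assumption: BSD-style syslog timestamps carry no year
TIME_FMT = "%Y-%m-%d %H:%M:%S"

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+.*?"
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*Peer (?P<peer>[0-9.]+):\d+"
)


def _dt(text):
    return datetime.strptime(text, TIME_FMT)


def parse_events(lines, year=LOG_YEAR):
    """Extract (timestamp, state, peer) tuples for tunnel up/down events, oldest first."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["state"], m["peer"]))
    events.sort(key=lambda e: e[0])
    return events


def state_at(events, when, peer):
    """'UP' or 'DOWN' as of `when` ("YYYY-MM-DD HH:MM:SS"); None if the log has no earlier event."""
    t = _dt(when)
    state = None
    for ts, st, p in events:
        if p == peer and ts <= t:
            state = st
    return state


def uptime_at(events, when, peer):
    """Seconds the tunnel to `peer` has been continuously UP at `when`; None if DOWN or unknown."""
    t = _dt(when)
    state, since = None, None
    for ts, st, p in events:
        if p != peer or ts > t:
            continue
        if st == "UP" and state != "UP":
            since = ts  # start of the current UP stretch
        state = st
    if state != "UP":
        return None
    return int((t - since).total_seconds())


def down_intervals(events, peer):
    """(down_at, up_again) string pairs; up_again is None if still down at the end of the log."""
    out, down_at = [], None
    for ts, st, p in events:
        if p != peer:
            continue
        if st == "DOWN" and down_at is None:
            down_at = ts
        elif st == "UP" and down_at is not None:
            out.append((down_at.strftime(TIME_FMT), ts.strftime(TIME_FMT)))
            down_at = None
    if down_at is not None:
        out.append((down_at.strftime(TIME_FMT), None))
    return out


if __name__ == "__main__":
    ev = parse_events(SYSLOG_LINES)
    peer = "203.0.113.10"
    for crash in ("2011-09-12 09:15:20", "2011-09-12 11:00:00"):
        print(crash, "tunnel", state_at(ev, crash, peer), "uptime_s", uptime_at(ev, crash, peer))
    print(down_intervals(ev, peer))
```

Feed it the real syslog export and the crash timestamps from the application host; if every crash lands inside a `down_intervals` window the correlation the author suspects is confirmed, and the DOWN lines themselves (and whatever IKE or DPD messages precede them) point at the cause.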
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 36527610
The key lifetime is the best you will get. In essence it is the  life of the VPN tunnel. When the key expires the VPN tunnel is brought down and a new exchange takes place. Default is 24 hours.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36527644
When the key expires, either due to time of life or amount of data transferred, the tunnel should not be dropped, at least not noticeably for any application apart from a short delay ... (though I guess a couple of UDP or ICMP packets might get dropped in that short interval). If your app uses TCP, it should handle anything that might occur ...
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528021
No, I wasn't talking about "show crypto isa sa detail".

The command I was talking about is:

show crypto session detail
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36528079
... which also only gives the remaining lifetime, as I stated above ...
 
LVL 3

Expert Comment

by:sameer_dubey
ID: 36528080
From CISCO-ENHANCED-IPSEC-FLOW-MIB, I guess monitoring ceipSecTunActiveTime object should get what you want?

If this MIB is not supported by your router, try similar objects from  CISCO-IPSEC-FLOW-MONITOR-MIB.
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528611
It shows as Uptime:

show crypto session detail
    Crypto session current status
     
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
     
    Interface: Tunnel0
    Session status: DOWN-NEGOTIATING
    Peer: 144.232.148.30 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IKE SA: local 64.81.93.114/500 remote 144.232.148.30/500 Inactive
              Capabilities:(none) connid:0 lifetime:0
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 92510 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 150997 drop 0 life (KB/Sec) 0/0
     
    Interface: Tunnel1
    Uptime: 19:21:39
    Session status: UP-ACTIVE
    Peer: 65.60.116.66 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 65.60.116.66
          Desc: (none)
      IKE SA: local 64.81.93.114/500 remote 65.60.116.66/500 Active
              Capabilities:D connid:1003 lifetime:04:38:19
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 54405 drop 0 life (KB/Sec) 4440500/3216
            Outbound: #pkts enc'ed 56689 drop 0 life (KB/Sec) 4440486/3216
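The output above contains two timers that the thread shows are easy to confuse: "Uptime" counts up from session establishment, while the IKE "lifetime" counts down to the next rekey. The following is an added example (not code from the thread or from Cisco) that parses a constructed copy of that output into one record per interface and compares two captures taken a minute apart, so the direction of each counter is visible rather than guessed. The second capture is built by editing the first; the field names are this example's own.

```python
import re

# Constructed copy of the "show crypto session detail" output quoted above: one
# crypto-map tunnel still negotiating and one active session.
SHOW_OUTPUT = """\
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Tunnel0
Session status: DOWN-NEGOTIATING
Peer: 144.232.148.30 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKE SA: local 64.81.93.114/500 remote 144.232.148.30/500 Inactive
          Capabilities:(none) connid:0 lifetime:0
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 92510 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 150997 drop 0 life (KB/Sec) 0/0

Interface: Tunnel1
Uptime: 19:21:39
Session status: UP-ACTIVE
Peer: 65.60.116.66 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 65.60.116.66
      Desc: (none)
  IKE SA: local 64.81.93.114/500 remote 65.60.116.66/500 Active
          Capabilities:D connid:1003 lifetime:04:38:19
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 54405 drop 0 life (KB/Sec) 4440500/3216
        Outbound: #pkts enc'ed 56689 drop 0 life (KB/Sec) 4440486/3216
"""

PATTERNS = {
    "interface": re.compile(r"^Interface: (\S+)"),
    "uptime": re.compile(r"^Uptime: (\S+)"),
    "status": re.compile(r"^Session status: (\S+)"),
    "peer": re.compile(r"^Peer: (\S+) port (\d+)"),
    "ike": re.compile(r"^IKE SA: local (\S+) remote (\S+) (Active|Inactive)"),
    "lifetime": re.compile(r"lifetime:(\S+)"),
    "sas": re.compile(r"^Active SAs: (\d+)"),
    "inbound": re.compile(r"^Inbound:\s+#pkts dec'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)"),
    "outbound": re.compile(r"^Outbound:\s+#pkts enc'ed (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)"),
}


def hms_to_seconds(text):
    """'HH:MM:SS' -> seconds; the bare '0' shown for an inactive SA -> 0."""
    secs = 0
    for part in text.split(":"):
        secs = secs * 60 + int(part)
    return secs


def parse_sessions(text):
    """One dict per 'Interface:' block. uptime_s is None when the field is absent (session down
    or an IOS release that does not print it); ike_lifetime_remaining_s is the countdown to rekey."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PATTERNS["interface"].match(line)
        if m:
            cur = {"interface": m.group(1), "uptime_s": None, "status": None, "peer": None,
                   "ike_state": None, "ike_lifetime_remaining_s": None, "active_sas": 0,
                   "in_pkts": 0, "out_pkts": 0, "ipsec_life_kb": 0, "ipsec_life_s": 0}
            sessions.append(cur)
            continue
        if cur is None:
            continue  # legend lines before the first Interface block
        if m := PATTERNS["uptime"].match(line):
            cur["uptime_s"] = hms_to_seconds(m.group(1))
        elif m := PATTERNS["status"].match(line):
            cur["status"] = m.group(1)
        elif m := PATTERNS["peer"].match(line):
            cur["peer"] = m.group(1)
        elif m := PATTERNS["ike"].match(line):
            cur["ike_state"] = m.group(3)
        elif m := PATTERNS["lifetime"].search(line):
            cur["ike_lifetime_remaining_s"] = hms_to_seconds(m.group(1))
        elif m := PATTERNS["sas"].match(line):
            cur["active_sas"] = int(m.group(1))
        elif m := PATTERNS["inbound"].match(line):
            cur["in_pkts"], cur["ipsec_life_kb"], cur["ipsec_life_s"] = int(m.group(1)), int(m.group(3)), int(m.group(4))
        elif m := PATTERNS["outbound"].match(line):
            cur["out_pkts"] = int(m.group(1))
    return sessions


def compare_snapshots(older, newer):
    """Per-interface change between two captures. A healthy active session shows uptime rising
    and IKE lifetime falling by roughly the same number of seconds; sessions without an Uptime
    field are skipped because nothing there measures age."""
    by_if = {s["interface"]: s for s in older}
    deltas = {}
    for s in newer:
        o = by_if.get(s["interface"])
        if o is None or s["uptime_s"] is None or o["uptime_s"] is None:
            continue
        deltas[s["interface"]] = {
            "uptime_delta_s": s["uptime_s"] - o["uptime_s"],
            "lifetime_delta_s": s["ike_lifetime_remaining_s"] - o["ike_lifetime_remaining_s"],
        }
    return deltas


if __name__ == "__main__":
    first = parse_sessions(SHOW_OUTPUT)
    # Constructed second capture, as if taken 60 seconds later.
    later = parse_sessions(SHOW_OUTPUT.replace("Uptime: 19:21:39", "Uptime: 19:22:39")
                                      .replace("lifetime:04:38:19", "lifetime:04:37:19"))
    for s in first:
        print(s["interface"], s["status"], "uptime_s", s["uptime_s"], "rekey_in_s", s["ike_lifetime_remaining_s"])
    print(compare_snapshots(first, later))
```

On a release that lacks the Uptime field (as the author's 12.4(3c) box does), `uptime_s` stays None for every session and the parser makes that explicit instead of silently reporting the rekey countdown as an age, which is exactly the mix-up discussed above.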
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528623
show crypto session brief or show crypto session detail

brief    (Optional) Provides brief information about the session, such as the peer IP address, interface, username, group name/phase1 ID, length of session uptime, and current session status (up/down).

detail   (Optional) Provides more detailed information about the session, such as the capability of the Internet Key Exchange (IKE) security association (SA), connection ID, remaining lifetime of the IKE SA, inbound or outbound encrypted or decrypted packet number of the IP security (IPsec) flow, dropped packet number, and kilobyte-per-second lifetime of the IPsec SA.
 
LVL 17

Expert Comment

by:rochey2009
ID: 36528633
from cisco:

"show crypto session detail" has another field, uptime, which signifies the time elapsed since the first IPsec session was created.
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36528659
True, the "brief" option seems to show the uptime indeed, which I couldn't test/find, as all the boxes I have available do not have that option (couldn't find from which version IOS it's available) - but as you quote yourself for the "detail" option, the time shown is the "remaining lifetime" ...

So, yes, "show crypto session brief" is what B1izzard is looking for ...
 
LVL 17

Accepted Solution

by:rochey2009
rochey2009 earned 700 total points
ID: 36528741
show crypto session brief, came with version 12.4(11)T
 
LVL 17

Assisted Solution

by:Marius Gunnerud
Marius Gunnerud earned 600 total points
ID: 36529199
The show crypto session brief command will only show the session uptime, that is to say how long traffic has been actively crossing the VPN. If there is no activity across the VPN for a while the session will be dropped and that counter will be set to zero again. To me it sounded like you wanted an uptime from when it was first configured? That you will not be able to find.

But as mentioned the show crypto session brief will show the uptime of the current session since traffic was last initiated.
 

Author Comment

by:B1izzard
ID: 36531093
I only have the following, but no 'brief'.  We're on 12.4(3c):
2811#sh crypto session ?
  detail   detailed output
  fvrf     Front-door VRF
  groups   show all connected groups usage
  ivrf     Inside VRF
  local    Show crypto sessions for a local crypto endpoint
  remote   Show crypto sessions for a remote IKE peer
  summary  show groups and their members
  |        Output modifiers
  <cr>
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 700 total points
ID: 36531115
See above, you'd need a 12.4T train, or higher (not sure if 15.x is available for the aged 2600) ... so I reckon you're back to syslog after all ...
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 36531119
(or SNMP)
 
LVL 17

Expert Comment

by:rochey2009
ID: 36532253
What's at the other end of the tunnel?
 

Author Comment

by:B1izzard
ID: 36539828
I believe it's a Cisco Concentrator, but I have no visibility into that network.  
 

Author Closing Comment

by:B1izzard
ID: 37133633
Thanks.