  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6262

How to determine Cisco 2811 VPN up time

How do I determine how long a VPN tunnel has been up on a Cisco 2811 router?  I have gone through the sh crypto commands but cannot find how to see how long the tunnel's been up.  I'm troubleshooting what I suspect is an issue with the tunnel dropping periodically, causing an issue.  It does auto-connect, so it is up when I hear reports of a problem, but there's an application that crashes on the other end and I suspect it's due to this.
Asked by: B1izzard
3 Solutions
 
warddhooghe commented:
if you set up a syslog, you can perfectly find out when a tunnel goes up or down
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Checking the log file (show log) should give you a principle idea ... if you have too many log entries, increase the log size ("logging buffered 65536") or send the logs to a syslog server ... no other "show" commands that would list the age of connection I'm aware of ...
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
Also, you could enable snmp traps to an NMS for more instant notification when a tunnel goes down ...
0
 
rochey2009 commented:
Hi,

show crypto session detail

will show you the tunnel uptime.
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
rochey2009: if you're talking about the "lifetime" field on either your command or "show crypto isa sa detail":

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 93.189.x.x port 500 fvrf: (none) ivrf: MINE
      Phase1_id: 93.189.x.x
      Desc: (none)
  IKE SA: local 195.8.x.x/500 remote 93.189.x.x/500 Active
          Capabilities:D connid:13 lifetime:02:31:26

you're wrong ... that's the remaining maximum time for that SA before the key is switched ... do the show command twice in a row, and you'll see it is counting down ...
0
 
B1izzard (Author) commented:
Syslog is already setup.  I would prefer to not have to weed through logging to try to reconstruct how long it's been up.  I was hoping there was an easy way to find out this information from the console.   Perhaps SNMP makes sense if no other alternative exists.
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
If you have the logs, and know the approximate time of the app crash, it should be rather easy to grep the area of the logs to find whether the VPN session had been down at that time or not. Of course if you had an NMS with a constant up-to-date state information on the tunnels, it would be a whole lot easier ;)
Anyway, have you checked into why the VPN is giving you problems to start off with? Are you running Cisco on the remote site too? Some boxes may disconnect VPN sessions if they run into a timeout due to low usage. Maybe looking at the logs at the time when it actually disconnects can help you not only pinpoint the app crash to the missing VPN, but rather find the reason WHY it is missing ... which appears to be even more important ;)
0
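One way to do the log reconstruction Garry describes, as an added example that is not part of this thread: a small Python script that pulls the %CRYPTO-5-SESSION_STATUS up/down transitions out of a copy of the router log (show log buffer or syslog server) and answers "was the tunnel up at the time of the crash, and for how long", plus a list of every flap and its outage length. The log lines are constructed, not taken from the asker's router, and use a documentation address for the peer. The script assumes the IOS side has `crypto logging session` enabled so that those messages are produced, and that the message text matches the format in the regex (check it against your own `show log` output); the year is supplied separately because IOS timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample of an IOS log buffer (not from the asker's router).
# Lines of interest are the %CRYPTO-5-SESSION_STATUS messages emitted when
# "crypto logging session" is configured; unrelated messages are ignored.
SAMPLE_LOG = """\
000041: Jan 12 03:02:11.421: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 198.51.100.7:500 Id: 198.51.100.7
000057: Jan 12 08:15:23.100: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN . Peer 198.51.100.7:500 Id: 198.51.100.7
000058: Jan 12 08:15:41.907: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 198.51.100.7:500 Id: 198.51.100.7
000063: Jan 12 14:40:02.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

LINE_RE = re.compile(
    r"^(?:\d+: )?"                                    # optional "service sequence-numbers" prefix
    r"\*?"                                            # "*" when the router clock is not authoritative
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?:\.\d{3})?(?: [A-Za-z]+)?: "                  # optional msec and timezone name
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN) ?\. "
    r"Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):\d+"     # IPv4 peers only
)

def parse_ts(ts, year):
    """IOS log timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def parse_events(text, year):
    """Return [(datetime, peer, 'UP'|'DOWN'), ...] sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"], year), m["peer"], m["state"]))
    events.sort()
    return events

def state_at(events, peer, when):
    """(state, since): the last transition for `peer` at or before `when`.
    Before the first logged transition the state is unknown, not 'UP'."""
    state, since = "UNKNOWN", None
    for ts, p, st in events:
        if p == peer and ts <= when:
            state, since = st, ts
    return state, since

def uptime_at(events, peer, when):
    """Seconds the tunnel has been continuously UP at `when`; None if down or unknown."""
    state, since = state_at(events, peer, when)
    if state != "UP":
        return None
    return int((when - since).total_seconds())

def flaps(events, peer):
    """Each DOWN->UP pair for `peer` as (down_ts, up_ts, outage_seconds)."""
    out, down = [], None
    for ts, p, st in events:
        if p != peer:
            continue
        if st == "DOWN":
            down = ts
        elif down is not None:
            out.append((down, ts, int((ts - down).total_seconds())))
            down = None
    return out

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG, 2012)
    crash = parse_ts("Jan 12 10:00:00", 2012)   # time the application was reported crashed
    print(state_at(evs, "198.51.100.7", crash), uptime_at(evs, "198.51.100.7", crash))
    print(flaps(evs, "198.51.100.7"))
```

Point this at the whole retained log rather than a grep around the crash time: the flap list tells you whether the drops line up with the IKE lifetime (a rekey problem), with idle periods (an idle timeout on the far end), or with nothing obvious, which is the "why" Garry is asking about.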
 
Marius Gunnerud (Senior Systems Engineer) commented:
The key lifetime is the best you will get. In essence it is the  life of the VPN tunnel. When the key expires the VPN tunnel is brought down and a new exchange takes place. Default is 24 hours.
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
When the key expires, either due to time of life or amount of data transferred, the tunnel should not be dropped, at least not noticeably for any application apart from a short delay ... (though I guess a couple of UDP or ICMP packets might get dropped in that short interval). If your app uses TCP, it should handle anything that might occur ...
0
 
rochey2009 commented:
No, I wasn't talking about "show crypto isa sa detail".

The command I was talking about is:

show crypto session detail
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
... which also only gives the remaining lifetime, as I stated above ...
0
 
sameer_dubey commented:
From CISCO-ENHANCED-IPSEC-FLOW-MIB, I guess monitoring ceipSecTunActiveTime object should get what you want?

If this MIB is not supported by your router, try similar objects from  CISCO-IPSEC-FLOW-MONITOR-MIB.
0
 
rochey2009 commented:
It shows as Uptime:

show crypto session detail
    Crypto session current status
     
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
     
    Interface: Tunnel0
    Session status: DOWN-NEGOTIATING
    Peer: 144.232.148.30 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IKE SA: local 64.81.93.114/500 remote 144.232.148.30/500 Inactive
              Capabilities:(none) connid:0 lifetime:0
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 92510 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 150997 drop 0 life (KB/Sec) 0/0
     
    Interface: Tunnel1
    Uptime: 19:21:39
    Session status: UP-ACTIVE
    Peer: 65.60.116.66 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 65.60.116.66
          Desc: (none)
      IKE SA: local 64.81.93.114/500 remote 65.60.116.66/500 Active
              Capabilities:D connid:1003 lifetime:04:38:19
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 54405 drop 0 life (KB/Sec) 4440500/3216
            Outbound: #pkts enc'ed 56689 drop 0 life (KB/Sec) 4440486/3216
0
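As an added example illustrating the Uptime versus lifetime distinction argued above (this is not code from the thread or from Cisco): a parser for the `show crypto session detail` output posted here that pulls out Uptime, Session status, peer, IKE SA lifetime and active SA count per interface, and a comparison of two snapshots taken a few minutes apart. The second snapshot is constructed from the first by advancing the timers five minutes, so it shows what Garry suggests checking by running the command twice: Uptime climbs while lifetime counts down. Only the hh:mm:ss timer form seen in the posted output is parsed; other forms are reported as unknown rather than guessed.

```python
import re

# Two constructed snapshots modelled on the "show crypto session detail" output
# posted in this thread; SNAP_B is the same router five minutes later.
SNAP_A = """\
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Tunnel0
Session status: DOWN-NEGOTIATING
Peer: 144.232.148.30 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKE SA: local 64.81.93.114/500 remote 144.232.148.30/500 Inactive
          Capabilities:(none) connid:0 lifetime:0
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 92510 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 150997 drop 0 life (KB/Sec) 0/0

Interface: Tunnel1
Uptime: 19:21:39
Session status: UP-ACTIVE
Peer: 65.60.116.66 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 65.60.116.66
      Desc: (none)
  IKE SA: local 64.81.93.114/500 remote 65.60.116.66/500 Active
          Capabilities:D connid:1003 lifetime:04:38:19
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 54405 drop 0 life (KB/Sec) 4440500/3216
        Outbound: #pkts enc'ed 56689 drop 0 life (KB/Sec) 4440486/3216
"""
# Five minutes on: Uptime has grown, the IKE and IPsec lifetimes have shrunk.
SNAP_B = (SNAP_A.replace("Uptime: 19:21:39", "Uptime: 19:26:39")
                .replace("lifetime:04:38:19", "lifetime:04:33:19")
                .replace("/3216", "/2916"))

def hms_to_seconds(value):
    """'HH:MM:SS' -> seconds; '0' (no SA) -> 0; any other form -> None."""
    value = value.strip()
    if value == "0":
        return 0
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def parse_crypto_sessions(text):
    """Split the command output into one dict per 'Interface:' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "uptime_s": None,
                   "status": None, "peer": None, "ike_lifetime_s": None,
                   "active_sas": None}
            sessions.append(cur)
        elif cur is None:          # header lines before the first block
            continue
        elif line.startswith("Uptime:"):
            cur["uptime_s"] = hms_to_seconds(line.split(":", 1)[1])
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif "lifetime:" in line:  # the Capabilities line of the IKE SA
            cur["ike_lifetime_s"] = hms_to_seconds(line.rsplit("lifetime:", 1)[1])
        elif line.startswith("Active SAs:"):
            cur["active_sas"] = int(re.search(r"Active SAs: (\d+)", line).group(1))
    return sessions

def compare_snapshots(before, after):
    """Pair sessions by interface and report how each timer moved between two
    runs: a real uptime grows, a remaining lifetime shrinks."""
    by_if = {s["interface"]: s for s in after}
    report = {}
    for s in before:
        t = by_if.get(s["interface"])
        if t is None:
            continue
        def delta(key):
            return None if None in (s[key], t[key]) else t[key] - s[key]
        report[s["interface"]] = {"status": t["status"],
                                  "uptime_delta": delta("uptime_s"),
                                  "lifetime_delta": delta("ike_lifetime_s")}
    return report

if __name__ == "__main__":
    for name, rep in compare_snapshots(parse_crypto_sessions(SNAP_A),
                                       parse_crypto_sessions(SNAP_B)).items():
        print(name, rep)
```

A positive uptime_delta equal to the wall-clock gap between the two runs is the Uptime field; a negative lifetime_delta of the same size is the IKE SA timer Garry describes, which resets at every rekey and so says nothing about how long the session has existed.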
 
rochey2009 commented:
show crypto session brief or show crypto session detail

brief
    (Optional) Provides brief information about the session, such as the peer IP address, interface, username, group name/phase1 ID, length of session uptime, and current session status (up/down).

detail
    (Optional) Provides more detailed information about the session, such as the capability of the Internet Key Exchange (IKE) security association (SA), connection ID, remaining lifetime of the IKE SA, inbound or outbound encrypted or decrypted packet number of the IP security (IPsec) flow, dropped packet number, and kilobyte-per-second lifetime of the IPsec SA.
0
 
rochey2009 commented:
from cisco:

"show crypto session detail" has another field, uptime, which signifies the time elapsed since the first IPsec session was created.
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
True, the "brief" option seems to show the uptime indeed, which I couldn't test/find, as all the boxes I have available do not have that option (couldn't find from which version IOS it's available) - but as you quote yourself for the "detail" option, the time shown is the "remaining lifetime" ...

So, yes, "show crypto session brief" is what B1izzard is looking for ...
0
 
rochey2009 commented:
show crypto session brief, came with version 12.4(11)T
0
 
Marius Gunnerud (Senior Systems Engineer) commented:
The show crypto session brief command will only show the session uptime. That is to say, how long traffic has been actively crossing the VPN. If there is no activity across the VPN for a while the session will be dropped and that counter will be set to zero again. To me it sounded like you wanted an uptime from when it was first configured? That you will not be able to find.

But as mentioned the show crypto session brief will show the uptime of the current session since traffic was last initiated.
0
 
B1izzard (Author) commented:
I only have the following, but no 'brief'.  We're on 12.4(3c):
2811#sh crypto session ?
  detail   detailed output
  fvrf     Front-door VRF
  groups   show all connected groups usage
  ivrf     Inside VRF
  local    Show crypto sessions for a local crypto endpoint
  remote   Show crypto sessions for a remote IKE peer
  summary  show groups and their members
  |        Output modifiers
  <cr>
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
See above, you'd need a 12.4T train, or higher (not sure if 15.x is available for the aged 2600) ... so I reckon you're back to syslog after all ...
0
 
Garry Glendown (Consulting and Network/Security Specialist) commented:
(or SNMP)
0
 
rochey2009 commented:
What's at the other end of the tunnel?
0
 
B1izzard (Author) commented:
I believe it's a Cisco Concentrator, but I have no visibility into that network.  
0
 
B1izzard (Author) commented:
Thanks.
0
