How can I detect how long the IPSEC tunnel has been up on the router?

Apr 17th, 2009

How can I detect how long the IPSEC tunnel has been up on the router? Is there any similar command such as "show vpn-sessiondb l2l" on the router?


Thanks,



John Blakley Fri, 04/17/2009 - 05:28

You can do:


sh crypt session detail


HTH,

John

yuhuiyao Fri, 04/17/2009 - 05:39

Thanks. Do you mean lifetime? It does not seem to be accurate. I had an ISP issue last night, about 10 hours and 45 minutes ago, and EIGRP provides accurate information about the outage. However, I cannot get the same information from show crypto session detail. See below:



Interface: Tunnel1000
Uptime: 1w2d
Session status: UP-ACTIVE
Peer: 38.96.183.104 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.20.104
Desc: (none)
IKE SA: local 192.168.10.104/4500 remote 38.96.183.104/4500 Active
Capabilities:N connid:1031 lifetime:07:24:02
IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.104
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 333824 drop 0 life (KB/Sec) 4585091/2335
Outbound: #pkts enc'ed 337190 drop 93 life (KB/Sec) 4585139/2335

Interface: Tunnel115
Uptime: 1w6d
Session status: UP-ACTIVE
Peer: 38.96.183.222 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.255.104
Desc: (none)
IKE SA: local 192.168.10.104/4500 remote 38.96.183.222/4500 Active
Capabilities:N connid:1032 lifetime:14:35:51
IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.222
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 257754 drop 0 life (KB/Sec) 4456450/749
Outbound: #pkts enc'ed 263821 drop 37 life (KB/Sec) 4456536/749

hsc-dr-rtr-01# show ip ei nei
IP-EIGRP neighbors for process 3
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
4   172.20.255.218   Tu115       11    10:45:06  76     1320  0    209
3   172.20.250.1     Tu1000      13    10:45:06  178    1320  0    15843


John Blakley Fri, 04/17/2009 - 05:44

It does look like you have a discrepancy, but I'm not sure whether it's the tunnel that went down or the EIGRP process had a glitch. If your GRE tunnels went down, they would show here. According to this they've been up for 1w2d and 1w6d respectively. (Uptime)


HTH,

John

Richard Burts Fri, 04/17/2009 - 09:43

Since EIGRP sends hello messages quite frequently and will drop a neighbor when it misses 3 hello messages, EIGRP is pretty good at detecting failures on a link. Once the IPSec session gets established it may not send much traffic at some times. If the outage happened at a time when there was not much to go through the IPSec I believe that it is quite possible for the crypto session to be maintained over the outage and I am guessing that this is what happened in this instance.


HTH


Rick
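
Added example (not part of any post in this thread): a Python script that parses the two command outputs posted above and reports tunnels whose crypto session uptime exceeds the EIGRP neighbor uptime, which is the situation Rick describes. The function names, the 300-second slack and the Tu-to-Tunnel name mapping are assumptions; the sample text is constructed from the thread's output.

```python
import re

# Constructed sample, trimmed from the outputs posted in this thread.
CRYPTO = """\
Interface: Tunnel1000
Uptime: 1w2d
Session status: UP-ACTIVE
Interface: Tunnel115
Uptime: 1w6d
Session status: UP-ACTIVE
"""
EIGRP = """\
4 172.20.255.218 Tu115 11 10:45:06 76 1320 0 209
3 172.20.250.1 Tu1000 13 10:45:06 178 1320 0 15843
"""
UNIT = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ios_uptime_seconds(text):
    """Convert IOS uptime strings such as '10:45:06', '1w2d' or '2d03h' to seconds."""
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", text)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    parts = re.findall(r"(\d+)([ywdhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised uptime: {text!r}")
    return sum(int(n) * UNIT[u] for n, u in parts)

def crypto_uptimes(output):
    """Map interface name -> crypto session uptime in seconds."""
    pairs = re.findall(r"^Interface:\s*(\S+)\s+Uptime:\s*(\S+)", output, re.M)
    return {intf: ios_uptime_seconds(up) for intf, up in pairs}

def eigrp_uptimes(output):
    """Map interface name -> EIGRP neighbor uptime in seconds (assumed Tu -> Tunnel)."""
    result = {}
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].isdigit():  # neighbor rows start with the handle number
            intf = re.sub(r"^Tu(?=\d)", "Tunnel", f[2])
            result[intf] = ios_uptime_seconds(f[4])
    return result

def outlived_adjacency(crypto, eigrp, slack=300):
    """Tunnels whose crypto session is older than the adjacency by more than slack seconds."""
    c, e = crypto_uptimes(crypto), eigrp_uptimes(eigrp)
    return {i: c[i] - e[i] for i in c if i in e and c[i] - e[i] > slack}
```

A non-empty result from `outlived_adjacency` means the crypto session uptime is not a reliable record of the last path outage for those tunnels.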
