logging for cisco 1811

mmitgroup · ‎04-06-2010

Hi all,

My office is using cisco1811 and has a site to site vpn to another regional office.

How do i run logging or is there anything i can do on my cisco 1811 to verify that the vpn connection to my regional office is fine?

Thks in advance.

Jennifer Halim · ‎04-06-2010

You can check the output of the following command:

-- show crypto isa sa --> if the status is QM_IDLE, that means Phase 1 is UP.

-- show crypto ipsec sa --> if you see the encrypted and decrypted counters are increasing, that means the VPN tunnel is up and passing traffic.

Hope that helps.

mmitgroup · ‎04-06-2010

hi halijenn,

Below is the output after i run "show crypto ipsec sa"

How can i troubleshoot on the 63 and 399 errors detected?

interface: FastEthernet0
Crypto map tag: local addr x.x.x.x

   protected vrf: (none)
   local ident (addr/mask/prot/port): (x.x.x.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (x.0.0.0/255.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1802458, #pkts encrypt: 1802458, #pkts digest: 1802458
    #pkts decaps: 2028301, #pkts decrypt: 2028301, #pkts verify: 2028301
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 63, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x27BBB83(41663363)

     inbound esp sas:
      spi: 0xEE759D4D(4000685389)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 37, flow_id: Motorola SEC 2.0:37, crypto map:
        sa timing: remaining key lifetime (k/sec): (4410520/21809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x27BBB83(41663363)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 40, flow_id: Motorola SEC 2.0:40, crypto map: x
        sa timing: remaining key lifetime (k/sec): (4410636/21780)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

outbound ah sas:

outbound pcp sas:

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (x.x.x.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (x.0.0.0/255.0.0.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 80663318, #pkts encrypt: 80663318, #pkts digest: 80663318
    #pkts decaps: 81484352, #pkts decrypt: 81484352, #pkts verify: 81484352
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 399, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x26DF483(40760451)

     inbound esp sas:
      spi: 0x5A54B1D(94718749)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 33, flow_id: Motorola SEC 2.0:33, crypto map:
        sa timing: remaining key lifetime (k/sec): (4176383/21742)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x26DF483(40760451)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 36, flow_id: Motorola SEC 2.0:36, crypto map:
        sa timing: remaining key lifetime (k/sec): (4437132/21737)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

outbound ah sas:

outbound pcp sas:

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Jennifer Halim · ‎04-07-2010

That is very small percentage of errors compared to the number of packets that have been encrypted and decrypted.

Are you seeing any specific problem with traffic going through the VPN tunnel?

mciszek · ‎04-06-2010

wenbin,

You could setup a syslog server on a windows box and run Kiwi syslog to do the logging.

Kiwi which is now part of SolarWinds a company that has a bunch of tools for doing monitoring of just about any network device.

You could use something like Quick Ping Monitor which will allow you to setup a ping monitor of a device on the remote end.

You might want to write your own script to do the pings and check the status and send the alerts using blat when the vpn goes down.

Hope this helps,

Mike

tsasbrink_2 · ‎04-07-2010

Hi,

I have seen those kind of errors before, In my case they came from a mask difference in the sa with Checkpoint R65.

Checkpoint does not need an exact matching mask but the ios box does. This ment only being able to initiate a tunnel for only some traffic in one direction.

So you might wat to check the confiured SA or received sa's for differences.