04-17-2009 04:54 AM - edited 03-11-2019 08:20 AM
How can I detect how long the IPSEC tunnel has been up on the router? Is there any similar command such as "show vpn-sessiondb l2l" on the router?
Thanks,
04-17-2009 05:28 AM
You can do:
sh crypt session detail
HTH,
John
04-17-2009 05:39 AM
Thanks. Do you mean lifetime? It does not seem to be accurate. I had an ISP issue last night, about 10 hours and 45 minutes ago, and EIGRP provides the accurate information about the outage. However, I cannot get the same information from show crypto session detail. See below:
Interface: Tunnel1000
Uptime: 1w2d
Session status: UP-ACTIVE
Peer: 38.96.183.104 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.20.104
Desc: (none)
IKE SA: local 192.168.10.104/4500 remote 38.96.183.104/4500 Active
Capabilities:N connid:1031 lifetime:07:24:02
IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.104
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 333824 drop 0 life (KB/Sec) 4585091/2335
Outbound: #pkts enc'ed 337190 drop 93 life (KB/Sec) 4585139/2335
Interface: Tunnel115
Uptime: 1w6d
Session status: UP-ACTIVE
Peer: 38.96.183.222 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.255.104
Desc: (none)
IKE SA: local 192.168.10.104/4500 remote 38.96.183.222/4500 Active
Capabilities:N connid:1032 lifetime:14:35:51
IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.222
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 257754 drop 0 life (KB/Sec) 4456450/749
Outbound: #pkts enc'ed 263821 drop 37 life (KB/Sec) 4456536/749
hsc-dr-rtr-01# show ip ei nei
IP-EIGRP neighbors for process 3
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
4 172.20.255.218 Tu115 11 10:45:06 76 1320 0 209
3 172.20.250.1 Tu1000 13 10:45:06 178 1320 0 15843
04-17-2009 05:44 AM
It does look like you have a discrepancy, but I'm not sure whether it's the tunnel that went down or the EIGRP process had a glitch. If your GRE tunnels went down, they would show here. According to this they've been up for 1w2d and 1w6d respectively. (Uptime)
HTH,
John
04-17-2009 09:43 AM
Since EIGRP sends hello messages quite frequently and will drop a neighbor when it misses 3 hello messages, EIGRP is pretty good at detecting failures on a link. Once the IPSec session gets established it may not send much traffic at some times. If the outage happened at a time when there was not much to go through the IPSec I believe that it is quite possible for the crypto session to be maintained over the outage and I am guessing that this is what happened in this instance.
HTH
Rick
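An added example, not part of any post in this thread: a Python script that compares the Uptime field of show crypto session detail with the EIGRP neighbor uptime for each tunnel and reports tunnels whose adjacency reset while the crypto session stayed up. The function names, the 300-second slack and the 365-day year are assumptions; the sample lines are trimmed from the output quoted earlier in the thread.

```python
import re

# Sample input: lines trimmed from the router output quoted in the thread.
CRYPTO = """\
Interface: Tunnel1000
Uptime: 1w2d
Session status: UP-ACTIVE
Interface: Tunnel115
Uptime: 1w6d
Session status: UP-ACTIVE
"""
EIGRP = """\
H Address Interface Hold Uptime SRTT RTO Q Seq
4 172.20.255.218 Tu115 11 10:45:06 76 1320 0 209
3 172.20.250.1 Tu1000 13 10:45:06 178 1320 0 15843
"""
UNITS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600}  # year length assumed

def ios_seconds(text):
    """Convert an IOS uptime such as '10:45:06', '1d02h' or '1w2d' to seconds."""
    if ":" in text:
        h, m, s = (int(x) for x in text.split(":"))
        return h * 3600 + m * 60 + s
    parts = re.findall(r"(\d+)([ywdh])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised uptime: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def crypto_uptimes(output):
    """Map interface name -> crypto session uptime in seconds."""
    result, iface = {}, None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Interface":
            iface = value.strip()
        elif key.strip() == "Uptime" and iface:
            result[iface] = ios_seconds(value.strip())
    return result

def eigrp_uptimes(output):
    """Map interface name -> EIGRP neighbor uptime (one neighbor per tunnel assumed)."""
    result = {}
    for f in (line.split() for line in output.splitlines()):
        # Neighbor rows: H, address, interface, hold, uptime, SRTT, RTO, Q count, seq
        if len(f) == 9 and f[0].isdigit() and f[2].startswith("Tu"):
            result[re.sub(r"^Tu(?:nnel)?", "Tunnel", f[2])] = ios_seconds(f[4])
    return result

def mismatches(crypto_out, eigrp_out, slack=300):
    """Tunnels whose routing adjacency is younger than the crypto session by more than slack."""
    crypto, eigrp = crypto_uptimes(crypto_out), eigrp_uptimes(eigrp_out)
    return {i: (crypto[i], eigrp[i]) for i in crypto
            if i in eigrp and crypto[i] - eigrp[i] > slack}
```

A non-empty result from mismatches(CRYPTO, EIGRP) means the routing adjacency dropped at some point while the crypto session counter kept running, which is the situation described in the replies above.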