How can I detect how long the IPSEC tunnel has been up on the router?

yuhuiyao
Level 1

How can I detect how long the IPSEC tunnel has been up on the router? Is there any similar command such as "show vpn-sessiondb l2l" on the router?

Thanks,

John Blakley
VIP Alumni

You can do:

sh crypt session detail

HTH,

John

Thanks. Do you mean lifetime? It does not seem to be accurate. I had an ISP issue last night, about 10 hours and 45 minutes ago, and EIGRP provides accurate information about the outage. However, I cannot get the same information from show crypto session detail. See below:

Interface: Tunnel1000
Uptime: 1w2d
Session status: UP-ACTIVE
Peer: 38.96.183.104 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.20.104
      Desc: (none)
  IKE SA: local 192.168.10.104/4500 remote 38.96.183.104/4500 Active
          Capabilities:N connid:1031 lifetime:07:24:02
  IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.104
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 333824 drop 0 life (KB/Sec) 4585091/2335
        Outbound: #pkts enc'ed 337190 drop 93 life (KB/Sec) 4585139/2335

Interface: Tunnel115
Uptime: 1w6d
Session status: UP-ACTIVE
Peer: 38.96.183.222 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.255.104
      Desc: (none)
  IKE SA: local 192.168.10.104/4500 remote 38.96.183.222/4500 Active
          Capabilities:N connid:1032 lifetime:14:35:51
  IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.222
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 257754 drop 0 life (KB/Sec) 4456450/749
        Outbound: #pkts enc'ed 263821 drop 37 life (KB/Sec) 4456536/749

hsc-dr-rtr-01# show ip ei nei
IP-EIGRP neighbors for process 3
H   Address          Interface   Hold   Uptime     SRTT   RTO    Q     Seq
                                 (sec)             (ms)          Cnt   Num
4   172.20.255.218   Tu115       11     10:45:06   76     1320   0     209
3   172.20.250.1     Tu1000      13     10:45:06   178    1320   0     15843

It does look like you have a discrepancy, but I'm not sure whether it's the tunnel that went down or the EIGRP process had a glitch. If your GRE tunnels went down, they would show here. According to this they've been up for 1w2d and 1w6d respectively. (Uptime)

HTH,

John

Since EIGRP sends hello messages quite frequently and will drop a neighbor when it misses 3 hello messages, EIGRP is pretty good at detecting failures on a link. Once the IPSec session gets established, it may not send much traffic at some times. If the outage happened at a time when there was not much to go through the IPSec, I believe that it is quite possible for the crypto session to be maintained over the outage, and I am guessing that this is what happened in this instance.

HTH

Rick
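
Added example, not part of any reply in this thread: a Python script that parses the two outputs posted above and reports, per tunnel, how much older the crypto session uptime is than the EIGRP adjacency, which is the discrepancy discussed in the replies. The function names and the 60-second slack are assumptions, and the sample text is trimmed from the output in the thread.

```python
import re

# Trimmed from the output posted in the thread: only the lines the parser reads.
CRYPTO = """\
Interface: Tunnel1000
Uptime: 1w2d
Interface: Tunnel115
Uptime: 1w6d
"""
EIGRP = """\
4 172.20.255.218 Tu115 11 10:45:06 76 1320 0 209
3 172.20.250.1 Tu1000 13 10:45:06 178 1320 0 15843
"""
UNIT = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ios_uptime_seconds(text):
    """Convert an uptime string such as 10:45:06, 1d03h or 1w2d to seconds."""
    if ":" in text:
        h, m, s = (int(x) for x in text.split(":"))
        return h * 3600 + m * 60 + s
    parts = re.findall(r"(\d+)([ywdhms])", text)
    if not parts:
        raise ValueError(f"unrecognised uptime: {text!r}")
    return sum(int(n) * UNIT[u] for n, u in parts)

def short_name(ifname):
    """Map Tunnel115 and Tu115 to one key; the two commands abbreviate differently."""
    m = re.fullmatch(r"(?:Tunnel|Tu)(\d+)", ifname)
    return f"Tu{m.group(1)}" if m else ifname

def crypto_uptimes(output):
    result, current = {}, None
    for line in output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Interface":
            current = short_name(value.strip())
        elif key == "Uptime" and current:
            result[current] = ios_uptime_seconds(value.strip())
    return result

def eigrp_uptimes(output):
    rows = (line.split() for line in output.splitlines())
    return {short_name(f[2]): ios_uptime_seconds(f[4]) for f in rows
            if len(f) >= 5 and f[0].isdigit() and f[3].isdigit()}

def stale_sessions(crypto, eigrp, slack=60):
    """Tunnels whose crypto session outlives the adjacency by more than slack seconds."""
    c, e = crypto_uptimes(crypto), eigrp_uptimes(eigrp)
    return {t: c[t] - e[t] for t in c if t in e and c[t] - e[t] > slack}
```

A large gap means the routing adjacency reset while the crypto session stayed up, so the session Uptime on its own does not show when the path was last interrupted.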
