Site to Site VPN on IOS router and logging granularity

Ruterford
Level 1

Hi All,

I used to deal with ASA based IPSEC VPN Site2Site mostly and now I have a couple of IOS based routers to configure.

My problem is that I don't get much logging on why tunnel got down and why it got up, like I had on the ASA.

Currently I have only "crypto logging session"

but it only says

"May  3 11:50:36.151: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer xxxxxxx:500       Id: xxxxxxxx"

and no reason why it got down.

Is there any option to enable this stuff to be more informative on that?

Thanks!


Ruterford
Level 1

No logging on router?

olpeleri
Cisco Employee

Hello,

Unfortunately, it's something IOS does not do at this stage. Only ISAKMP debugs would tell what has happened [killed by DPD or simply rekey failure].

Cheers,

Olpeleri,

thanks for the clarification.

Should I keep debug crypto isakmp sa forever?

Can you provide some typical debug lines?

Is it normal to keep debugs always up on a production router?

Thanks

The only reactive place where we keep information is in the flowmib

R100#sh crypto mib ike flowmib failure
vrf Global
  Index:                       1
  Reason:                      Operator request
  Failure time since reset:    00:04:12
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6

R100#sh crypto mib ipsec flowmib failure
vrf Global
  Index:                       1
  Reason:                      Operation request
  Failure time since reset:    00:04:11
  Src address:                 10.10.10.254
  Destination address:         10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Src address:                 10.10.10.254
  Destination address:         10.10.10.6
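As an added example, not code from this thread or from Cisco: a small Python parser that turns the flowmib failure output quoted above into structured records and extracts the peer address from a SESSION_STATUS syslog line, so the "Reason" field can be looked up for the peer the syslog message names. The sample output below is constructed from the IKE flowmib text in this thread; the helper names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on "show crypto mib ike flowmib failure" as quoted in the thread.
SAMPLE_IKE_FLOWMIB = """vrf Global
  Index:                       1
  Reason:                      Operator request
  Failure time since reset:    00:04:12
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6
"""

# Indented "Key:   value" lines; the "vrf Global" header has no indent and is skipped.
FIELD = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z ]*?):\s+(?P<val>\S.*?)\s*$")

def parse_flowmib_failures(text: str) -> List[Dict[str, str]]:
    """One dict per 'Index:' block; keys are lower-cased with whitespace collapsed."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key = re.sub(r"\s+", " ", m.group("key")).lower()
        if key == "index":                     # a new failure entry starts here
            current = {"index": m.group("val")}
            records.append(current)
        elif current is not None:
            current[key] = m.group("val")
    return records

def reasons_for_peer(records: List[Dict[str, str]], peer_ip: str) -> List[str]:
    """Failure reasons against a peer; IKE entries use 'Remote Address', IPsec ones 'Destination address'."""
    return [r["reason"] for r in records
            if r.get("remote address", r.get("destination address")) == peer_ip]

def peer_from_syslog(line: str) -> Optional[str]:
    """Pull the peer IP out of a %CRYPTO-5-SESSION_STATUS line ('Peer a.b.c.d:500')."""
    m = re.search(r"Peer (\S+):\d+", line)
    return m.group(1) if m else None
```

The same parser handles the IPsec flowmib output, since it follows the same "Index:" block layout.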

Alex Pfeil
Level 7

If you type show crypto isakmp sa and the connection says idle, that means it's good. Keeping a debug on is not a good idea. There may not always be traffic flowing to another site, and the VPN will negotiate the tunnel as necessary. Somebody please correct me if I'm wrong.

Thanks Alex

Sent from Cisco Technical Support iPhone App
