Cisco Support Community

New Member

Site to Site VPN on IOS router and logging granularity

Hi All,

I used to deal with ASA based IPSEC VPN Site2Site mostly and now I have a couple of IOS based routers to configure.

My problem is that I don't get much logging on why tunnel got down and why it got up, like I had on the ASA.

Currently I have only "crypto logging session"

but it only says

"May  3 11:50:36.151: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer xxxxxxx:500       Id: xxxxxxxx"

and no reason why it got down.

Is there any option to enable this stuff to be more informative on that?

Thanks!

5 REPLIES
New Member

Site to Site VPN on IOS router and logging granularity

No logging on router?

Cisco Employee

Site to Site VPN on IOS router and logging granularity

Hello,

Unfortunately, it's something IOS does not do at this stage. Only ISAKMP debugs would tell what has happened [killed by DPD or simply rekey failure].

Cheers,

New Member

Site to Site VPN on IOS router and logging granularity

Olpeleri,

thanks for the clarification.

Should I keep debug crypto isakmp sa forever?

Can you provide some typical debug lines?

Is it normal to keep debugs always up on a production router ?

Thanks

Cisco Employee

Re: Site to Site VPN on IOS router and logging granularity

The only reactive place where we keep information is in the flowmib

R100#sh crypto mib ike flowmib failure
vrf Global
  Index:                       1
  Reason:                      Operator request
  Failure time since reset:    00:04:12
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6

R100#sh crypto mib ipsec flowmib failure
vrf Global
  Index:                       1
  Reason:                      Operation request
  Failure time since reset:    00:04:11
  Src address:                 10.10.10.254
  Destination address:         10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Src address:                 10.10.10.254
  Destination address:         10.10.10.6
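Since the flow MIB failure tables are the only place IOS records why a tunnel went down without running debugs, a monitoring box can poll those show commands and parse them into records that can be counted and alerted on. The following is an added example, not code from the thread or from Cisco: a small parser for the "show crypto mib ike flowmib failure" and "show crypto mib ipsec flowmib failure" output shapes shown above, plus a helper that tallies failures per peer and reason. The sample text is constructed to mirror the output in the reply; key names such as local_value and failure_seconds_since_reset are this example's own normalisation, and new_since assumes the Index values grow between two polls, which is an assumption, not documented IOS behaviour.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample text mirroring the "show crypto mib ike flowmib failure"
# output quoted in the reply above (same two entries, whitespace trimmed).
IKE_FAILURE_OUTPUT = """\
vrf Global

  Index:                       1
  Reason:                      Operator request
  Failure time since reset:    00:04:12
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Local type:                  ID_IPV4_ADDR
  Local Address:               10.10.10.254
  Local  value:                10.10.10.254
  Remote type:                 ID_IPV4_ADDR
  Remote Address:              10.10.10.6
  Remote Value:                10.10.10.6
"""

# Constructed sample for the IPsec table; the parser is generic, so the
# different field names ("Src address", "Destination address") need no special case.
IPSEC_FAILURE_OUTPUT = """\
vrf Global
  Index:                       1
  Reason:                      Operation request
  Failure time since reset:    00:04:11
  Src address:                 10.10.10.254
  Destination address:         10.10.10.6
  Index:                       2
  Reason:                      Peer delete request
  Failure time since reset:    00:05:52
  Src address:                 10.10.10.254
  Destination address:         10.10.10.6
"""

# "Key:   value" lines; the key is letters and spaces only, so the colons
# inside a time value such as 00:04:12 never confuse the split.
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")
VRF_RE = re.compile(r"^\s*vrf\s+(\S+)\s*$")


def _norm_key(key: str) -> str:
    # "Local  value" -> "local_value", "Failure time since reset" -> "failure_time_since_reset"
    return "_".join(key.lower().split())


def hms_to_seconds(value: str) -> int:
    """Convert the HH:MM:SS 'Failure time since reset' field to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s


def parse_flowmib_failures(text: str) -> List[Dict[str, object]]:
    """Turn one flowmib failure table into a list of dicts, one per Index entry."""
    records: List[Dict[str, object]] = []
    vrf: Optional[str] = None
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1)          # every following entry belongs to this VRF
            continue
        m = KV_RE.match(line)
        if not m:
            continue                  # blank lines, prompts, anything unexpected
        key, value = _norm_key(m.group(1)), m.group(2)
        if key == "index":
            current = {"vrf": vrf, "index": int(value)}
            records.append(current)
            continue
        if current is None:
            continue                  # stray field before the first Index: line
        current[key] = value
        if key == "failure_time_since_reset":
            current["failure_seconds_since_reset"] = hms_to_seconds(value)
    return records


def failure_reasons(records: List[Dict[str, object]], peer_key: str = "remote_address") -> Counter:
    """Count failures per (peer, reason); a poller can alert when one peer's count climbs."""
    return Counter((r.get(peer_key), r.get("reason")) for r in records)


def new_since(records: List[Dict[str, object]], last_index: int) -> List[Dict[str, object]]:
    """Entries not yet seen by a previous poll (assumes Index grows between polls)."""
    return [r for r in records if int(r["index"]) > last_index]


if __name__ == "__main__":
    ike = parse_flowmib_failures(IKE_FAILURE_OUTPUT)
    for (peer, reason), n in failure_reasons(ike).items():
        print(f"IKE peer {peer}: {reason} x{n}")
    for r in new_since(ike, last_index=1):
        print("new entry:", r["index"], r["reason"], r["failure_seconds_since_reset"], "s since reset")
```

In practice the text would come from a scheduled "show" over SSH or from the same data via SNMP; the point of parsing it is that "Peer delete request" versus "Operator request" is exactly the reason the syslog message in the original question never gives, so counting those reasons per peer is a cheap substitute for leaving ISAKMP debugs running.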

New Member

Re: Site to Site VPN on IOS router and logging granularity

If you type show crypto isakmp sa and the connection says idle, that means it's good. Keeping a debug on is not a good idea. There may not always be traffic flowing to another site and the VPN will negotiate the tunnel as necessary. Somebody please correct me if I'm wrong.

Thanks Alex

Sent from Cisco Technical Support iPhone App
