IP Security VPN Monitoring

Last Updated: August 7, 2012

The IP Security VPN Monitoring feature provides the following Virtual Private Network (VPN) session monitoring enhancements to troubleshoot and monitor the end-user interface:

- A per-IKE peer description
- A summary listing of crypto session status
- Syslog notification for crypto session up or down status
- A single command (clear crypto session) that clears both IKE and IPSec security associations

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About IPSec VPN Monitoring

Background Crypto Sessions

A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (for control traffic) and at least two IPSec security associations (for data traffic, one per direction). During rekeying, or because of simultaneous setup requests from both sides, the same session may temporarily have duplicate IKE security associations (SAs), duplicate IPSec SAs, or both.

Per-IKE Peer Description

The Per-IKE Peer Description function allows you to enter a description of your choosing for an IKE peer. (Before Cisco IOS Release 12.3(4)T, you could use only the IP address or fully qualified domain name [FQDN] to identify the peer; there was no way to configure a description string.) The unique peer description, which can include up to 80 characters, can be used whenever you are referencing that particular IKE peer. To add the peer description, use the description command.

The primary application of this description field is for monitoring purposes (for example, when using show commands or for logging [syslog messages]). The description field is purely informational (for example, it cannot act as a substitute for the peer address or FQDN when defining crypto maps).

Note: IKE peers that "sit" behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.

Summary Listing of Crypto Session Status

You can get a list of all the active VPN sessions by entering the show crypto session command. The listing includes the following:

Multiple IKE or IPSec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session. You can also use the show crypto session detail variant of this command to obtain more detailed information about the sessions.

Syslog Notification for Crypto Session Up or Down Status

The Syslog Notification for Crypto Session Up or Down Status function provides a syslog notification every time the crypto session comes up or goes down.

The following is a sample syslog notification showing that a crypto session is up:

%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2

The following is a sample syslog notification showing that a crypto session is down:

%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2

IKE and IPSec Security Exchange Clear Command

In previous IOS versions, there was no single command to clear both IKE and IPSec connections (that is, SAs). Instead, you had to use the clear crypto isakmp command to clear IKE and the clear crypto ipsec command to clear IPSec. The new clear crypto session command allows you to clear both IKE and IPSec with a single command.

To clear a specific crypto session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address is used to specify a single tunnel to be deleted.

If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPSec SAs) that share that IP address as a local crypto endpoint (IKE local address) will be cleared. If you do not provide a parameter when you use the clear crypto session command, all IPSec SAs and IKE SAs on the router will be deleted.

How to Configure IP Security VPN Monitoring

Adding the Description of an IKE Peer

SUMMARY STEPS

1. enable
2. configure terminal
3. crypto isakmp peer {ip-address ip-address}
4. description

DETAILED STEPS

Verifying Peer Descriptions

SUMMARY STEPS

1. enable
2. show crypto isakmp peer

DETAILED STEPS

Examples

The following output example verifies that the description "connection from site A" has been added for IKE peer 10.2.2.9:

Router# show crypto isakmp peer
Peer: 10.2.2.9 Port: 500
 Description: connection from site A
 flags: PEER_POLICY

When the peer at address 10.2.2.9 connects and the session comes up, the syslog status is shown as follows:

%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn

Clearing a Crypto Session

To clear a crypto session, use the clear crypto session command from the router command line. No configuration statements are required in the configuration file to use this command.

SUMMARY STEPS

1. enable
2. clear crypto session

DETAILED STEPS

Configuration Examples for IP Security VPN Monitoring

show crypto session Command Output Examples

The following is sample output for the show crypto session command without the detail keyword:

Router# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.0.0.2/500
  IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0
        Active SAs: 2, origin: crypto map

The following is sample output using the show crypto session command and the detail keyword:

Router# show crypto session detail
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
      Desc: this is my peer at 10.1.1.3:500 Green
      Phase1_id: 10.1.1.3
  IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
          Capabilities:(none) connid:3 lifetime:22:03:24
  IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
  IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
        Active SAs: 4, origin: crypto map
        Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
        Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949

Additional References

MIBs

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for IP Security VPN Monitoring

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for IP Security VPN Monitoring

© 2012 Cisco Systems, Inc. All rights reserved.
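The %CRYPTO-5-SESSION_STATUS notifications described in the Syslog Notification for Crypto Session Up or Down Status section are what a collector would consume to detect tunnel flapping. The following parser and flap counter is an added example written for this page, not Cisco code; the timestamp and hostname prefix on the constructed sample lines is an assumption, while the message bodies follow the document's own samples, including the "Crypto tunnel is UP" variant without fvrf/ivrf fields.

```python
import re
from collections import Counter
from typing import List, Optional

# Matches the %CRYPTO-5-SESSION_STATUS message shapes shown in the document:
# "Crypto session is UP|DOWN. Peer A.B.C.D:port [fvrf=X] [ivrf=Y] Description: ... Id: ..."
# and the "Crypto tunnel is UP" variant without fvrf/ivrf. re.search() tolerates a
# timestamp and hostname prefix added by the device or the syslog collector.
SESSION_STATUS_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto (?:session|tunnel) is (?P<state>UP|DOWN)\. "
    r"Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: fvrf=(?P<fvrf>\S+))?(?: ivrf=(?P<ivrf>\S+))?"
    r" Description: (?P<description>.*?) Id: (?P<id>\S+)\s*$"
)

def parse_session_status(line: str) -> Optional[dict]:
    """Return the fields of one crypto session UP/DOWN notification, or None."""
    m = SESSION_STATUS_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()  # fvrf/ivrf stay None when the message omits them
    fields["port"] = int(fields["port"])
    return fields

def down_events_per_peer(lines: List[str]) -> Counter:
    """Count DOWN notifications per peer (ip:port) across a batch of log lines."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_session_status(line)
        if event is not None and event["state"] == "DOWN":
            counts[f"{event['peer']}:{event['port']}"] += 1
    return counts

def flapping_peers(lines: List[str], threshold: int = 3) -> List[str]:
    """Peers whose session went DOWN at least `threshold` times in the batch."""
    return sorted(p for p, n in down_events_per_peer(lines).items() if n >= threshold)

# Constructed sample log lines: the "Jan 10 ... vpn-gw1:" prefix is an assumption,
# the message bodies follow the document's own examples.
SAMPLE_LOG = [
    "Jan 10 09:16:40 vpn-gw1: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Jan 10 09:16:55 vpn-gw1: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Jan 10 09:18:03 vpn-gw1: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Jan 10 09:18:20 vpn-gw1: %CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Jan 10 09:19:31 vpn-gw1: %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "Jan 10 09:20:00 vpn-gw1: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn",
    "Jan 10 09:21:12 vpn-gw1: %SYS-5-CONFIG_I: Configured from console by console",
]
```

Running flapping_peers(SAMPLE_LOG) over the sample reports 10.6.6.1:500, which went DOWN three times in the batch; the threshold and window are tuning knobs, since a rekey-related duplicate SA described in the Background section is not itself a DOWN event.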