https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231607#M860739 <P>How can I detect how long the IPSEC tunnel has been up on the router? Is there any similiar command such as "show vpn-sessiondb l2l" on the router? </P><P></P><P>Thanks,</P><P></P><P></P> Mon, 11 Mar 2019 15:20:03 GMT yuhuiyao 2019-03-11T15:20:03Z https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231607#M860739 <P>How can I detect how long the IPSEC tunnel has been up on the router? Is there any similiar command such as "show vpn-sessiondb l2l" on the router? </P><P></P><P>Thanks,</P><P></P><P></P> Mon, 11 Mar 2019 15:20:03 GMT https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231607#M860739 yuhuiyao 2019-03-11T15:20:03Z https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231608#M860740 <HTML><HEAD></HEAD><BODY><P>You can do:</P><P></P><P>sh crypt session detail</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Fri, 17 Apr 2009 12:28:24 GMT https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231608#M860740 John Blakley 2009-04-17T12:28:24Z https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231609#M860741 <HTML><HEAD></HEAD><BODY><P>Thanks. Do you mean life time? It does not seem to be accurate. I have an ISP issue last night about 10 hour and 45 minutes ago, EIGRP provides the accurate information about the outage. However, I can not get the same information from show crypto session detail. See below:</P><P></P><P></P><P>Interface: Tunnel1000</P><P>Uptime: 1w2d</P><P>Session status: UP-ACTIVE</P><P>Peer: 38.96.183.104 port 4500 fvrf: (none) ivrf: (none)</P><P> Phase1_id: 192.168.20.104</P><P> Desc: (none)</P><P> IKE SA: local 192.168.10.104/4500 remote 38.96.183.104/4500 Active</P><P> Capabilities:N connid:1031 lifetime:07:24:02</P><P> IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.104</P><P> Active SAs: 2, origin: crypto map</P><P> Inbound: #pkts dec'ed 333824 drop 0 life (KB/Sec) 4585091/2335</P><P> Outbound: #pkts enc'ed 337190 drop 93 life (KB/Sec) 4585139/2335</P><P></P><P>Interface: Tunnel115</P><P>Uptime: 1w6d</P><P>Session status: UP-ACTIVE</P><P>Peer: 38.96.183.222 port 4500 fvrf: (none) ivrf: (none)</P><P> Phase1_id: 192.168.255.104</P><P> Desc: (none)</P><P> IKE SA: local 192.168.10.104/4500 remote 38.96.183.222/4500 Active</P><P> Capabilities:N connid:1032 lifetime:14:35:51</P><P> IPSEC FLOW: permit 47 host 192.168.10.104 host 38.96.183.222</P><P> Active SAs: 2, origin: crypto map</P><P> Inbound: #pkts dec'ed 257754 drop 0 life (KB/Sec) 4456450/749</P><P> Outbound: #pkts enc'ed 263821 drop 37 life (KB/Sec) 4456536/749</P><P></P><P>hsc-dr-rtr-01# show ip ei nei</P><P>IP-EIGRP neighbors for process 3</P><P>H Address Interface Hold Uptime SRTT RTO Q Seq</P><P> (sec) (ms) Cnt Num</P><P>4 172.20.255.218 Tu115 11 10:45:06 76 1320 0 209</P><P>3 172.20.250.1 Tu1000 13 10:45:06 178 1320 0 15843</P><P></P></BODY></HTML> Fri, 17 Apr 2009 12:39:52 GMT https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231609#M860741 yuhuiyao 2009-04-17T12:39:52Z https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231610#M860742 <HTML><HEAD></HEAD><BODY><P>It does look like you have a discrepancy, but I'm not sure it's the tunnel that went down or the eigrp process had a glitch. If your gre tunnels went down, they would show here. According to this they've been up for 1w2d and 1w6d respectively. (Uptime)</P><P></P><P>HTH,</P><P>John</P></BODY></HTML> Fri, 17 Apr 2009 12:44:49 GMT https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231610#M860742 John Blakley 2009-04-17T12:44:49Z https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231611#M860743 <HTML><HEAD></HEAD><BODY><P>Since EIGRP sends hello messages quite frequently and will drop a neighbor when it misses 3 hello messages, EIGRP is pretty good at detecting failures on a link. Once the IPSec session gets established it may not send much traffic at some times. If the outage happened at a time when there was not much to go through the IPSec I believe that it is quite possible for the crypto session to be maintained over the outage and I am guessing that this is what happened in this instance.</P><P></P><P>HTH</P><P></P><P>Rick</P></BODY></HTML> Fri, 17 Apr 2009 16:43:41 GMT https://community.cisco.com/t5/network-security/how-can-i-detect-how-long-the-ipsec-tunnel-has-been-up-on-the/m-p/1231611#M860743 Richard Burts 2009-04-17T16:43:41Z