02-03-2011 07:06 PM - edited 03-04-2019 11:18 AM
Hi,
How to check IPsec or GRE tunnel status? If there isn't any data going through the tunnel, then the tunnel won't show up in "sh crypto ipsec peer sa" (QM_IDLE status), so the tunnel would be down if there isn't any data.
Is there any way to validate the tunnel to make sure whether the tunnel is really functional or will be in use?
02-03-2011 07:18 PM
"sh crypto engine connection active" - Encrypt and decrypt counter should be incrementing
"sh crypto ipsec sa" - status should be ACTIVE
02-03-2011 09:21 PM
Leo
With all due respect - your answer is quite right if there has been traffic that traverses the tunnel. But the question that Gavin raises is about the situation in which there has not been traffic through the tunnel. If there has not been traffic long enough for the IPSec timer to expire, then there will not be an ipsec sa or connections active.
Gavin
In the case where there has been no traffic over the tunnel, I believe that there is no way to determine whether the tunnel is functional or not. The solution is to make sure that there is traffic going through the tunnel on a regular basis. One solution would be to enable GRE tunnel keepalives, which are supported in recent versions of IOS. Or another possibility - I believe that if you enable ISAKMP Dead Peer Detection, the keepalive traffic that it generates would solve this. I have not used that approach and so cannot say for sure that it works. My personal favorite solution for this is to run a routing protocol such as EIGRP or OSPF over the tunnel. The routing protocol keepalive messages will keep the tunnel active (so Leo's suggestions would work) and have the added benefit that if the routing protocol neighbor goes down we get another warning that the tunnel is not working.
HTH
Rick
02-03-2011 10:00 PM
Wouldn't generating interesting traffic using ICMP bring the tunnel up, and thus you can verify it works... just a thought...
02-03-2011 10:36 PM
Gerald
It is an interesting suggestion. And at some level it probably works. But my understanding of the original post is that they are looking for a more general approach. I think that they are looking for something that will determine, in general, whether a tunnel is up or not. I believe that if they want a case-by-case check (let's ping that particular tunnel) it may work (depending on whether ping is configured as interesting traffic or not). But I do not believe that this really satisfies their real requirements.
HTH
Rick
02-03-2011 11:15 PM
Hi Gavin,
#sh cry isa peers
Will give you all the active tunnel peers. If some peer is not there, then you can consider that it is not working, down, or has some problem...
#sh cry isa sa
Will give you all the tunnel states, statuses and connection IDs. A complete working tunnel should be in QM_IDLE state and ACTIVE status.
Hope this helps you...
Regards,
Naidu.
02-04-2011 04:11 AM
Thanks everyone...
Here is what I'm trying to do:
I've a lot of IPsec and GRE tunnels defined (about 40 tunnels) - and I'm performing a clean-up.
So I need to find out which tunnels I should keep and which ones I should get rid of.
There might be some tunnels that haven't been used for quite a long time, but users may still use them after some time.
So is there a way to classify which ones I should get rid of and which I should keep?
02-04-2011 05:13 AM
Hi
Is that all? Well, that is easy!
Start with setting up a syslog server and log all VPN information from the router/firewall.
After a week/month/suitable time, just take all the log files and do a grep on the different peer IP addresses.
If it's not there (in the logs), it has not been used and you can safely retract it from the configuration.
If you have trouble deciding or feel that you are not confident, but still you really want to shut the tunnel, add a rule in the inbound access-list of the interfaces that permits, but logs, the IP addresses that were in that tunnel.
Now if someone tries to send traffic that would engage the tunnel, they will hit the access-list, and the next time you do a grep that will be logged.
If the peer tries to raise the tunnel from afar, then you will also see that in the logs.
Just save the tunnel config and keys that you remove, and you can have it up and running in no time if need be.
I do not know what type of system you are running tunnels from, but if it is an ASA and you have forgotten/lost the keys you can try
more system:running-config
Good luck
HTH
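The log-audit approach above (grep the collected syslog for each peer, plus a logging ACL for the protected hosts), written out as a small script. This is an added example, not code from the thread or from Cisco; the syslog lines, addresses and tunnel names are constructed, and the message format is only loosely modelled on IOS and is an assumption.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the thread); the crypto/ACL message
# text is an assumption, only the IP addresses and timestamps matter here.
SAMPLE_LOGS = """\
Feb  3 2011 19:05:11: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 198.51.100.7:500
Feb  3 2011 19:06:40: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 198.51.100.7:500
Feb 10 2011 08:12:02: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 203.0.113.22:500
Feb 12 2011 23:41:55: %SEC-6-IPACCESSLOGP: list TUNNEL-AUDIT permitted tcp 10.9.8.7(4431) -> 10.1.2.3(443), 1 packet
"""

# Constructed inventory: every address that identifies a tunnel, either the
# crypto peer itself or a protected host behind it (caught by the logging ACL).
ADDRESS_TO_TUNNEL = {
    "198.51.100.7": "Tunnel10",
    "203.0.113.22": "Tunnel11",
    "192.0.2.99": "Tunnel12",   # peer never negotiates in the logs...
    "10.1.2.3": "Tunnel12",     # ...but its protected host hits the audit ACL
    "192.0.2.45": "Tunnel13",   # no peer or host activity at all
}

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
STAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})")

def parse_timestamp(line):
    m = STAMP.match(line)
    if not m:
        return None
    return datetime.strptime(re.sub(r"\s+", " ", m.group(1)), "%b %d %Y %H:%M:%S")

def tunnel_activity(log_text, address_map):
    """Count log hits and the last-seen time for every tunnel in address_map."""
    report = {name: {"hits": 0, "last_seen": None} for name in set(address_map.values())}
    for line in log_text.splitlines():
        stamp = parse_timestamp(line)
        # A tunnel is credited once per line even if several of its addresses appear.
        for name in {address_map[ip] for ip in IPV4.findall(line) if ip in address_map}:
            entry = report[name]
            entry["hits"] += 1
            if stamp and (entry["last_seen"] is None or stamp > entry["last_seen"]):
                entry["last_seen"] = stamp
    return report

def unused_tunnels(report):
    """Tunnels with no hits in the whole period: removal candidates (keep their config and keys)."""
    return sorted(name for name, entry in report.items() if entry["hits"] == 0)
```

Run `unused_tunnels(tunnel_activity(SAMPLE_LOGS, ADDRESS_TO_TUNNEL))` on the real collected syslog and inventory; the `last_seen` field shows which "unused" tunnels were merely quiet near the end of the collection window.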