ip sec tunnel status

gavin han
Level 1

Hi,

How do I check IPsec or GRE tunnel status? If there isn't any data going through the tunnel, then the tunnel won't show up in "sh crypto ipsec peer sa" (QM_IDLE status), so the tunnel would be down if there isn't any data.

Is there any way to validate the tunnel to make sure whether the tunnel is really functional or will be in use?

7 Replies

Leo Laohoo
Hall of Fame

"sh crypto engine connection active" - Encrypt and decrypt counter should be incrementing

"sh crypto ipsec sa" - status should be ACTIVE

Leo

With all due respect - your answer is quite right if there has been traffic that traverses the tunnel. But the question that Gavin raises is about the situation in which there has not been traffic through the tunnel. If there has not been traffic for long enough for the IPsec timer to expire, then there will not be an ipsec sa or active connections.

Gavin

In the case where there has been no traffic over the tunnel, I believe that there is no way to determine whether the tunnel is functional or not. The solution is to make sure that there is traffic going through the tunnel on a regular basis. One solution would be to enable GRE tunnel keepalives, which are supported in recent versions of IOS. Or another possibility - I believe that if you enable ISAKMP Dead Peer Detection, the keepalive traffic that it generates would solve this. I have not used that approach and so cannot say for sure that it works. My personal favorite solution for this is to run a routing protocol such as EIGRP or OSPF over the tunnel. The routing protocol keepalive messages will keep the tunnel active (so Leo's suggestions would work), and it has the added benefit that if the routing protocol neighbor goes down we get another warning that the tunnel is not working.

HTH

Rick

gerald.suiza
Level 1

Wouldn't generating interesting traffic using ICMP bring the tunnel up, and thus you can verify it works... just a thought...

Gerald

It is an interesting suggestion. And at some level it probably works. But my understanding of the original post is that they are looking for a more general approach. I think that they are looking for something that will determine, in general, whether a tunnel is up or not. I believe that if they want a case-by-case check (let's ping that particular tunnel) it may work (depending on whether ping is configured as interesting traffic or not). But I do not believe that this really satisfies their real requirements.

HTH

Rick

Hi Gavin,

#sh cry isa peers
Will give you all the active tunnel peers. If some peer is not there, then you can consider that it is not working or down, or there is some problem with it...

#sh cry isa sa
Will give you all the tunnel states, statuses and connection IDs. A completely working tunnel should be in QM_IDLE state and ACTIVE status.

Hope this helps you...

Regards,
Naidu.
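The two commands above give a snapshot of ISAKMP state per peer, and with 40 tunnels it is tedious to read that table by eye and compare it against the configured peer list. The script below is an added example (not code from the thread or from Cisco) that parses a constructed sample of "show crypto isakmp sa" output, keys each SA row by both its src and dst address (the peer is dst when this router initiated and src when it responded), and classifies every configured peer as healthy (QM_IDLE and ACTIVE), degraded (present but in some other state) or missing (no SA at all, which, as Rick pointed out, can also just mean no traffic recently). The sample output, the 192.0.2.1 local address and the peer list are all constructed for illustration.

```python
import re

# Constructed sample of IOS "show crypto isakmp sa" output; not captured from a real device.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.1    QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.2    MM_NO_STATE       1002 ACTIVE (deleted)
192.0.2.1       198.51.100.3    QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Peers the configuration says should exist (constructed list; 198.51.100.4 has no SA at all).
CONFIGURED_PEERS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]

# One SA row: dst, src, state, conn-id, status (status may carry a suffix such as "(deleted)").
ROW_RE = re.compile(
    r"^(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<conn_id>\d+)\s+"
    r"(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and section lines do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify_peers(text, configured_peers):
    """Map each configured peer to 'healthy', 'degraded' or 'missing'."""
    by_address = {}
    for row in parse_isakmp_sa(text):
        # Key on both ends: which column holds the peer depends on who initiated the SA.
        for addr in (row["src"], row["dst"]):
            by_address.setdefault(addr, []).append(row)

    result = {}
    for peer in configured_peers:
        rows = by_address.get(peer)
        if not rows:
            result[peer] = "missing"
        elif any(r["state"] == "QM_IDLE" and r["status"] == "ACTIVE" for r in rows):
            result[peer] = "healthy"
        else:
            result[peer] = "degraded"
    return result


if __name__ == "__main__":
    for peer, verdict in classify_peers(SAMPLE_ISAKMP_SA, CONFIGURED_PEERS).items():
        print(f"{peer:<16} {verdict}")
```

In practice the text would come from the device via SSH or from a collector; "missing" is a prompt to look further (keepalives, DPD, a routing protocol as suggested above), not proof that the tunnel is broken.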

Thanks everyone...

Here is what I'm trying to do:

I've got a lot of IPsec and GRE tunnels defined (about 40 tunnels) and I'm performing a clean-up.

So I need to find out which tunnels I should keep and which ones I should get rid of.

There might be some tunnels that haven't been used for quite a long time, but users may still use them after some time.

So is there a way to classify which ones I should get rid of and which I should keep?

Hi

Is that all? Well, that is easy!

Start with setting up a syslog and log all VPN information from the router/firewall.

After a week/month/suitable time just take all the logfiles and do a grep on the different peer ip addresses.

If it's not there (in the logs) it has not been used and you can safely retract it from the configuration.

If you have trouble deciding, or feel that you are not confident but still really want to shut the tunnel, add a rule in the inbound access-list of the interfaces that permits, but logs, the IP addresses that were in that tunnel.

Now if someone tries to send traffic that would engage the tunnel they will hit the access-list and the next time you do a grep that will be logged.

If the peer tries to raise it from afar, then you will also see that in the logs.

Just save the tunnel config and keys that you remove and you can have it up and running in no time if need be.

I do not know what type of system you are running the tunnels from, but if it is an ASA and you have forgotten/lost the keys you can try

more system:running-config

Good luck

HTH
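The procedure above (syslog for a suitable period, then grep for each configured peer address) has one trap worth showing: a plain substring grep for 198.51.100.1 also matches 198.51.100.10, so a retired peer can look "active" because of a neighbour's traffic. The script below is an added example (not code from the thread) that does the comparison with whole-address matching over a constructed syslog sample, counts log lines per configured peer, and lists the peers with zero hits as removal candidates; the naive substring count is kept alongside so the difference is visible. Hostnames, addresses, the TUNNEL-AUDIT access-list name and the log lines themselves are constructed for illustration.

```python
import re
from collections import Counter

# Constructed syslog sample; the device name, addresses and messages are made up.
SAMPLE_SYSLOG = """\
Mar  3 10:01:12 rtr1 245: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 198.51.100.1:500 Id: 198.51.100.1
Mar  3 10:01:13 rtr1 246: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Mar  4 02:15:44 rtr1 301: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 198.51.100.1:500 Id: 198.51.100.1
Mar  5 09:30:00 rtr1 355: %SEC-6-IPACCESSLOGP: list TUNNEL-AUDIT permitted udp 198.51.100.10(500) -> 192.0.2.1(500), 1 packet
Mar  6 11:00:00 rtr1 402: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 198.51.100.3:500 Id: 198.51.100.3
"""

# Peer addresses taken from the tunnel configuration (constructed list).
CONFIGURED_PEERS = ["198.51.100.1", "198.51.100.10", "198.51.100.3", "198.51.100.7"]

# A dotted quad that is not preceded or followed by another digit or dot,
# so 198.51.100.1 does not match inside 198.51.100.10.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def ips_in_line(line):
    """All whole IPv4 addresses on one log line."""
    return set(IP_RE.findall(line))


def peer_activity(log_text, configured_peers):
    """Number of log lines in which each configured peer appears as a whole address."""
    wanted = set(configured_peers)
    counts = Counter()
    for line in log_text.splitlines():
        for ip in ips_in_line(line) & wanted:
            counts[ip] += 1          # one hit per line even if the address repeats
    return {peer: counts.get(peer, 0) for peer in configured_peers}


def naive_substring_hits(log_text, peer):
    """What a plain grep for the address would count; over-counts on prefix collisions."""
    return sum(1 for line in log_text.splitlines() if peer in line)


def removal_candidates(log_text, configured_peers):
    """Configured peers that never appear in the logs for the observed period."""
    activity = peer_activity(log_text, configured_peers)
    return sorted(peer for peer, hits in activity.items() if hits == 0)


if __name__ == "__main__":
    for peer, hits in peer_activity(SAMPLE_SYSLOG, CONFIGURED_PEERS).items():
        print(f"{peer:<16} whole-address hits={hits}  naive grep hits={naive_substring_hits(SAMPLE_SYSLOG, peer)}")
    print("candidates for removal:", removal_candidates(SAMPLE_SYSLOG, CONFIGURED_PEERS))
```

Feed it the concatenated log files for the whole observation window; the "log" keyword on the audit access-list entry is what produces the %SEC-6-IPACCESSLOGP lines, so a peer that only shows up there is one that tried to bring the tunnel up after you thought it was idle.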