04-06-2010 07:46 PM
Hi all,
My office is using a Cisco 1811 and has a site-to-site VPN to another regional office.
How do I run logging, or is there anything I can do on my Cisco 1811 to verify that the VPN connection to my regional office is fine?
Thanks in advance.
04-06-2010 08:14 PM
You can check the output of the following command:
-- show crypto isa sa --> if the status is QM_IDLE, that means Phase 1 is UP.
-- show crypto ipsec sa --> if you see the encrypted and decrypted counters are increasing, that means the VPN tunnel is up and passing traffic.
Hope that helps.
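The two checks above (Phase 1 in QM_IDLE, encaps/decaps counters increasing) can be scripted so the tunnel is polled rather than eyeballed. The Python below is an added example for this thread, not code from the answer above or from Cisco. It parses "show crypto isakmp sa" for a QM_IDLE entry involving the peer, parses two snapshots of "show crypto ipsec sa" taken a few seconds apart, and reports per crypto-ACL entry whether both counters moved, plus the send-error rate against packets encrypted. The sample outputs are constructed with RFC 5737 addresses, modelled on the output posted later in the thread and trimmed to the lines the checks need; the regexes assume that IOS 12.4-style layout. Capturing the real output (for example over SSH) is left to the reader.

```python
"""Tunnel health check from `show crypto isakmp sa` and two `show crypto ipsec sa`
snapshots. Added example for this thread; not code from the posts or from Cisco.
Sample outputs are constructed (RFC 5737 addresses), modelled on the poster's."""
import re
from dataclasses import dataclass

# Constructed: one Phase 1 SA to the regional-office peer, in QM_IDLE.
ISAKMP_SA_SAMPLE = """\
dst             src             state          conn-id slot status
203.0.113.2     198.51.100.1    QM_IDLE           1001    0 ACTIVE
"""


def ipsec_sa_sample(encaps, decaps, send_errors):
    """Constructed `show crypto ipsec sa`: one ACL entry with a live SA pair and
    the given counters, plus one that never negotiated an SA (spi 0x0)."""
    return f"""\
interface: FastEthernet0
    Crypto map tag: vpnmap, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
    #send errors {send_errors}, #recv errors 0
     current outbound spi: 0x27BBB83(41663363)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""


IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer (\S+) port \d+")
COUNTER_RE = {"encaps": re.compile(r"#pkts encaps: (\d+)"),
              "decaps": re.compile(r"#pkts decaps: (\d+)"),
              "send_errors": re.compile(r"#send errors (\d+)")}
SPI_RE = re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)")


@dataclass
class Flow:
    local: str          # local ident, addr/mask
    remote: str         # remote ident, addr/mask
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: int   # 0 means no Phase 2 SA for this ACL entry

    def key(self):
        return (self.local, self.remote)


def parse_ipsec_sa(text):
    """One Flow per crypto-ACL entry; entries are delimited by 'protected vrf:'."""
    flows = []
    for chunk in re.split(r"protected vrf:", text)[1:]:
        idents = {m.group(1): f"{m.group(2)}/{m.group(3)}" for m in IDENT_RE.finditer(chunk)}
        counters = {name: int(rx.search(chunk).group(1)) for name, rx in COUNTER_RE.items()}
        spi = SPI_RE.search(chunk)
        flows.append(Flow(idents["local"], idents["remote"], PEER_RE.search(chunk).group(1),
                          counters["encaps"], counters["decaps"], counters["send_errors"],
                          int(spi.group(1), 16) if spi else 0))
    return flows


def phase1_up(isakmp_text, peer):
    """True when an ISAKMP SA whose dst or src is `peer` is in QM_IDLE."""
    for line in isakmp_text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and peer in cols[:2] and cols[2] == "QM_IDLE":
            return True
    return False


def assess(before, after, isakmp_text, max_send_error_rate=0.001):
    """Verdict per flow: counters must move in both directions for 'passing'."""
    prev = {f.key(): f for f in parse_ipsec_sa(before)}
    report = {}
    for f in parse_ipsec_sa(after):
        p = prev.get(f.key())
        d_enc = f.encaps - p.encaps if p else 0
        d_dec = f.decaps - p.decaps if p else 0
        if f.outbound_spi == 0:
            state = "no-sa"            # Phase 2 never came up for this ACL entry
        elif d_enc < 0 or d_dec < 0:
            state = "counters-reset"   # e.g. `clear crypto sa` between snapshots
        elif d_enc > 0 and d_dec > 0:
            state = "passing"
        elif d_enc > 0:
            state = "tx-only"          # we encrypt, nothing decrypted: check far side/return path
        else:
            state = "idle"             # SA present, no interesting traffic in the interval
        rate = f.send_errors / f.encaps if f.encaps else 0.0
        report[f.key()] = {"state": state, "phase1": phase1_up(isakmp_text, f.peer),
                           "send_error_rate": rate, "send_errors_ok": rate <= max_send_error_rate}
    return report


if __name__ == "__main__":
    t0 = ipsec_sa_sample(1802458, 2028301, 63)
    t1 = ipsec_sa_sample(1802700, 2028500, 63)   # counters moved, errors did not
    for (local, remote), r in assess(t0, t1, ISAKMP_SA_SAMPLE).items():
        print(f"{local} -> {remote}: {r['state']}, phase1={'up' if r['phase1'] else 'down'}, "
              f"send error rate {r['send_error_rate']:.6f}")
```

An "idle" verdict only means nothing matched the crypto ACL during the interval, so generate some interesting traffic (a ping to a host in the remote subnet) between the two snapshots before treating it as a fault. The send-error threshold is an assumption for the example; in the output posted later in this thread the rate is well below it.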
04-06-2010 11:11 PM
Hi halijenn,
Below is the output after I run "show crypto ipsec sa".
How can I troubleshoot the 63 and 399 errors detected?
interface: FastEthernet0
Crypto map tag: local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (x.x.x.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.0.0.0/255.0.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1802458, #pkts encrypt: 1802458, #pkts digest: 1802458
#pkts decaps: 2028301, #pkts decrypt: 2028301, #pkts verify: 2028301
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 63, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x27BBB83(41663363)
inbound esp sas:
spi: 0xEE759D4D(4000685389)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 37, flow_id: Motorola SEC 2.0:37, crypto map:
sa timing: remaining key lifetime (k/sec): (4410520/21809)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x27BBB83(41663363)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 40, flow_id: Motorola SEC 2.0:40, crypto map: x
sa timing: remaining key lifetime (k/sec): (4410636/21780)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (x.x.x.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.0.0.0/255.0.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 80663318, #pkts encrypt: 80663318, #pkts digest: 80663318
#pkts decaps: 81484352, #pkts decrypt: 81484352, #pkts verify: 81484352
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 399, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x26DF483(40760451)
inbound esp sas:
spi: 0x5A54B1D(94718749)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 33, flow_id: Motorola SEC 2.0:33, crypto map:
sa timing: remaining key lifetime (k/sec): (4176383/21742)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x26DF483(40760451)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 36, flow_id: Motorola SEC 2.0:36, crypto map:
sa timing: remaining key lifetime (k/sec): (4437132/21737)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
04-07-2010 05:24 AM
That is a very small percentage of errors compared to the number of packets that have been encrypted and decrypted.
Are you seeing any specific problem with traffic going through the VPN tunnel?
04-06-2010 08:16 PM
wenbin,
You could setup a syslog server on a windows box and run Kiwi syslog to do the logging.
Kiwi is now part of SolarWinds, a company that has a bunch of tools for monitoring just about any network device.
You could use something like Quick Ping Monitor, which will allow you to set up a ping monitor of a device on the remote end.
You might want to write your own script to do the pings, check the status, and send the alerts using blat when the VPN goes down.
Hope this helps,
Mike
04-07-2010 12:46 AM
Hi,
I have seen those kinds of errors before. In my case they came from a mask difference in the SA with Checkpoint R65.
Checkpoint does not need an exact matching mask but the IOS box does. This meant only being able to initiate a tunnel for only some traffic in one direction.
So you might want to check the configured SA or received SAs for differences.