02-08-2011 05:43 AM
I'm having an issue with one of the ipsec vpn tunnels in my hub and spoke network. I'd like to log the tunnel information on the remote router, when it goes down, comes back up, anything really that could provide information as to why the tunnel drops but their data circuit isn't taking hits.
Thanks in advance.
02-08-2011 07:56 AM
You can utilize a few different tools to try and diagnose a transient tunnel drop further. You may want to start with a simple ICMP IP SLA monitor which pings the remote crypto peer every X number of seconds. The monitor can be configured to log an SLA ok/failure event to syslog so that you can correlate a tunnel flap to an IP connectivity issue between the peers. If the IP path looks stable, you will then want to enable "deb cry isa" and "deb cry ipsec" on both hub and spoke and then log the data to syslog or an extended buffer. Make sure that the time is correctly configured on both devices so that the resulting data can be properly correlated. On the hub router where you may have more than one tunnel, you can configure a debug condition using the "deb cry condition peer" command. This will enable a filter for the crypto debugs so that only messages related to the specific peer will be captured.
Todd
02-08-2011 08:02 AM
Outstanding, I'm setting that up now. I have the debugs you mentioned running on the remote 1841, and the asa/hub.
02-08-2011 08:06 AM
Are these routers or ASA/PIX firewalls?
02-08-2011 08:10 AM
I just edited the previous post with that info, the remote site is an 1841, the hub is an ASA5510.
02-08-2011 08:22 AM
Below is a sample IP SLA configuration that you can add to the 1841. The SLA monitor command syntax may differ from one IOS rev to the next, so use this as a guide. The debug levels on the ASA are somewhat subjective. A level of 255 will give you all possible output but could slow down a busy ASA. I would say start with a level of 128 to see if you can trap enough details to isolate where the communication breakdown is occurring. On the router side, you don't set a debug level. It is always preferred to send the debug data to a syslog server, but you can always log the debugs locally to the router's buffer.
IP SLA w/ logging:
! Send SLA reaction events (timeouts, threshold crossings) to syslog
ip sla monitor logging traps
! Operation 1: ICMP echo to the crypto peer every 5 seconds (1.1.1.1 is a placeholder for the hub's peer address)
ip sla monitor 1
 type echo protocol ipIcmpEcho 1.1.1.1
 frequency 5
! React to echo timeouts; trapOnly raises the log/trap event without any other action
ip sla monitor reaction-configuration 1 timeout-enable threshold-falling 5000 action-type trapOnly
! Start the operation now and keep it running indefinitely
ip sla monitor schedule 1 life forever start-time now
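Once both the SLA reaction events and the crypto session messages are landing in the same syslog (with synchronized clocks, as noted above), the correlation step can be scripted rather than done by eye. The script below is an added example and is not part of this thread; it assumes IOS-style timestamped syslog lines using the %RTT-3-IPSLATHRESHOLD and %CRYPTO-5-SESSION_STATUS message formats, and the sample log lines are constructed for illustration. For each tunnel DOWN event it reports whether an SLA timeout preceded it within a short window (pointing at the IP path) and how long the tunnel stayed down.

```python
"""Correlate IP SLA reachability events with crypto tunnel state changes.

Added example, not from the original thread. Assumes IOS-style syslog
timestamps and the %RTT-3-IPSLATHRESHOLD / %CRYPTO-5-SESSION_STATUS
message formats; the log lines below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (one SLA timeout precedes the first DOWN, none precedes the second)
SAMPLE_LOG = """\
Feb  8 08:30:00.101: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 1.1.1.1:500 Id: 1.1.1.1
Feb  8 09:12:05.220: %RTT-3-IPSLATHRESHOLD: IP SLAs(1): Threshold Occurred for timeout
Feb  8 09:12:07.431: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 1.1.1.1:500 Id: 1.1.1.1
Feb  8 09:12:41.005: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 1.1.1.1:500 Id: 1.1.1.1
Feb  8 10:45:12.900: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 1.1.1.1:500 Id: 1.1.1.1
Feb  8 10:45:30.118: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 1.1.1.1:500 Id: 1.1.1.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<msg>%[A-Z0-9_-]+-\d-[A-Z_]+: .*)$"
)
SLA_RE = re.compile(
    r"%RTT-3-IPSLATHRESHOLD: IP SLAs\((?P<op>\d+)\): Threshold Occurred for (?P<reason>\w+)"
)
TUN_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\. Peer (?P<peer>[\d.]+):\d+"
)


def parse_timestamp(text):
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_events(log_text):
    """Return a time-ordered list of SLA and tunnel events found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a timestamped IOS message; skip
        ts = parse_timestamp(m.group("ts"))
        msg = m.group("msg")
        sla = SLA_RE.search(msg)
        if sla:
            events.append({"time": ts, "kind": "sla_" + sla.group("reason"), "peer": None})
            continue
        tun = TUN_RE.search(msg)
        if tun:
            events.append({"time": ts, "kind": "tunnel_" + tun.group("state").lower(),
                           "peer": tun.group("peer")})
    return sorted(events, key=lambda e: e["time"])


def correlate(events, window=timedelta(seconds=30)):
    """For each tunnel DOWN, say whether an SLA timeout preceded it within `window`
    and how long the tunnel stayed down (until the next UP for the same peer)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["kind"] != "tunnel_down":
            continue
        ip_path_failed = any(
            e["kind"] == "sla_timeout" and timedelta(0) <= ev["time"] - e["time"] <= window
            for e in events[:i]
        )
        downtime = None
        for later in events[i + 1:]:
            if later["kind"] == "tunnel_up" and later["peer"] == ev["peer"]:
                downtime = round((later["time"] - ev["time"]).total_seconds(), 3)
                break
        findings.append({
            "peer": ev["peer"],
            "down_at": ev["time"].strftime("%b %d %H:%M:%S.%f")[:-3],
            "ip_path_failed": ip_path_failed,
            "downtime_s": downtime,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        cause = "SLA timeout preceded drop (IP path)" if f["ip_path_failed"] else "IP path looked fine (look at crypto debugs)"
        print(f"{f['down_at']} peer {f['peer']}: down {f['downtime_s']}s; {cause}")
```

Drops flagged with ip_path_failed are the ones the SLA monitor explains on its own; the remaining ones are where the "deb cry isa" / "deb cry ipsec" output from the same time window is worth reading, since the peers were reachable when the tunnel went down.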
02-08-2011 09:27 AM
ip sla in place.