monitor vpn connection

victorchen
Level 1

Hi,

I would like to ask what the difference is between IPSec Active tunnels and IKE Active tunnels when we monitor the VPN connection.

Thanks, Victor

7 Replies

smahbub
Level 6

IKE tunnels are Phase I tunnels, which are formed so that the IPSec tunnel (Phase II) can form securely.

Hi There,

I want to know about the tools/utilities to monitor VPN.

Thanks

Irshad

Using Cisco PDM

Hi,

I tried using PDM.

It's not giving me any data... only showing a green line in the middle of the graph...

Secondly, how can I monitor and see the historic data using PDM?

Please help me, it's urgent...

Thanks

debug crypto isakmp

and

debug crypto ipsec

are probably two of the best commands for watching what is going on.

debug crypto isakmp shows the phase 1 negotiation setup so you will only see command output when a tunnel is built.

debug crypto ipsec shows the connection state when interesting traffic traverses the tunnel.

There are various forms of 'show isakmp' and 'show crypto' but these commands only show you what is already in your running configuration. Their best use is troubleshooting configuration problems.

In PDM, you can either use the built-in CLI in the Tools menu or you can click the Monitoring icon, then from the left column, expand VPN statistics, click IPSec VPNs, then choose the VPN you want to view and click "View Details..."

Hope this helps.

Please rate this post.

Doug.

Doug,

Thanks for your kind reply.

I really agree that the commands you have told me about help during troubleshooting and monitoring.

Let me tell you what I want.

I'm using MRTG for monitoring the bandwidth.

The limitation in MRTG is that it shows only the physical/logical interfaces, and that is how we monitor.

In my scenario I am using a PIX where I have created certain VPNs.

On the outside interface I have defined one IP which is used for all the VPNs. All are IPSec and use a crypto map.

When I run MRTG it shows the traffic that is going from the outside interface as a whole.

I want to monitor per-VPN bandwidth utilization.

What are all the options that I can try to achieve this without any investment in the first go?

PLEASE SUGGEST...

Thanks

Irshad,

Your question really comes down to whether VPN traffic can be monitored via SNMP. I do not know the answer to that question. Beyond that, I don't think it matters what monitors that traffic. At that point it is a question of your company's SLAs and economics. (MRTG, CiscoWorks, etc.)

I can tell you that PDM (3.0(2)) will monitor and graph the number of connections up to 5 days back but not the traffic on the connection. Even if it could, there is the question of exactly what is being encrypted over the wire. Is it the whole packet or just the payload? (Rhetorical) This is made more difficult to gauge if you have Perfect Forward Secrecy enabled.

You may consider trying to monitor any VPN traffic from the far end if you have static VPN tunnels. I cannot remember if MRTG can filter on IP address but if it can, that could get you close. We have a spoke/hub setup as well and if I were needing that info, that is probably the way I would go about it.

Hope this helps.

Doug.