07-14-2008 08:18 AM - edited 02-21-2020 03:49 PM
Is there a way to verify from Cisco router syslogs that an IPSec tunnel is being successfully established with another Cisco router / peer? I've been looking at the System Message manuals (SEC, Crypto events) and only see stuff that would indicate problems - I would like to be able to check syslogs to validate that a tunnel came up without issue, or if a tunnel drops, etc., but I'm not sure what these messages look like.
thanks
-randy
07-14-2008 09:02 AM
Randy, try:
show crypto isakmp sa; the output should provide the built tunnels between peers.
See this link for more crypto cli commands and output example information.
http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_r1g.html#wp1074075
HTH
Jorge
07-14-2008 09:31 AM
Hi Jorge - thanks for the quick reply - the situation here is that this is a managed router (I do not have access to the console). The only visibility I have is the syslog data that's generated by the router and sent to me. Does the router create a log entry when a tunnel is built, or when keys are exchanged, or for any other operational (normal) IPSec events?
thanks
-randy
07-14-2008 10:24 AM
Randy, I understand now!
What I would do in this case is a couple of things, but this still needs some minor configuration on the router. It depends on the managed router provider, but you should be able to let the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you; after all, you are paying for services even though it is a router managed by the provider.
On the router they would configure a secondary logging server.
i.e.
Say your syslog server is 20.20.20.20:
router(config)#logging 20.20.20.20
router(config)#logging trap informational
The above "informational" is facility #6 out of the 7 levels of facility, 0 being emergencies, 1 alerts, 2 critical, and so on. I believe with this facility # you will see tunnel info on the syslog.
Additionally, on the access-lists pertaining to the L2L IPsec tunnel, add the keyword log at the end of each of its access-list entries. With the keyword log the router will send traps pertaining to the access-list to your syslog, thus showing you whether the connection is established or not.
Rgds
-Jorge
07-14-2008 10:31 AM
thanks Jorge - much appreciated....
-randy
07-14-2008 11:18 AM
Randy, you are welcome, thanks for rating.
Check these two links as well, good info.
Router Syslog events information
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html
Access Control List Logging
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
Rgds
Jorge
07-14-2008 03:41 PM
Personally, I don't think you want to log every IPSec-related Access Control Entry match, as has been recommended to you.
You might want to consider the following command:
router(config)#crypto logging session
Sample syslog message:
13770: router-A: Jul 14 19:23:17.831 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer aaa.bbb.ccc.ddd:500 Id: router-B.domain.com
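As an added example (not from this thread, and not Cisco's code), a small Python parser that replays %CRYPTO-5-SESSION_STATUS lines in the format quoted above, keeps the last reported state per peer, and checks whether a given `logging trap` level would forward them to the syslog server. The sample log lines, peer addresses and host names are constructed.

```python
import re
from typing import Dict, List, Optional

# Cisco IOS severity levels: "logging trap <level>" forwards that level and lower numbers.
SEVERITY_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                   "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# The standard IOS message tag: %FACILITY-SEVERITY-MNEMONIC: body
TAG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<body>.*)$")
# Body in the shape quoted in the thread: "Crypto tunnel is DOWN. Peer a.b.c.d:500 Id: name"
SESSION_RE = re.compile(
    r"Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*Peer (?P<peer>\S+?):(?P<port>\d+)\s+Id:\s*(?P<id>\S+)")


def parse_session_event(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a CRYPTO-5-SESSION_STATUS line, or None for any other line."""
    tag = TAG_RE.search(line)
    if not tag or tag.group("facility") != "CRYPTO" or tag.group("mnemonic") != "SESSION_STATUS":
        return None
    body = SESSION_RE.search(tag.group("body"))
    if not body:
        return None  # right tag, but the body is not in the expected shape
    return {"severity": int(tag.group("severity")), "state": body.group("state"),
            "peer": body.group("peer"), "port": int(body.group("port")), "peer_id": body.group("id")}


def forwarded_at(trap_level: str, severity: int) -> bool:
    """True if 'logging trap <trap_level>' would export a message of this severity."""
    return severity <= SEVERITY_LEVELS[trap_level]


def tunnel_states(lines: List[str]) -> Dict[str, str]:
    """Replay the log in order and return the last reported state per peer (ip:port)."""
    states: Dict[str, str] = {}
    for line in lines:
        ev = parse_session_event(line)
        if ev:
            states[f"{ev['peer']}:{ev['port']}"] = str(ev["state"])
    return states


# Constructed sample lines in the format quoted in the thread (not real router output).
SAMPLE_LOG = [
    "13768: router-A: Jul 14 19:20:02.110 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 192.0.2.10:500 Id: router-B.example.com",
    "13769: router-A: Jul 14 19:21:40.004 EDT: %SYS-5-CONFIG_I: Configured from console by vty0 (203.0.113.5)",
    "13770: router-A: Jul 14 19:23:17.831 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.0.2.10:500 Id: router-B.example.com",
    "13771: router-A: Jul 14 19:23:50.212 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 198.51.100.7:500 Id: router-C.example.com",
]
```

Because the message is severity 5, `logging trap notifications` is enough to export it; `logging trap warnings` or lower would silently drop it.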