The IP Security VPN Monitoring feature provides VPN session monitoring enhancements that will allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface. Session monitoring enhancements include the following:
•Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file
•Summary listing of crypto session status
•Syslog notification for crypto session up or down status
•Ability to clear both IKE and IP Security (IPsec) security associations (SAs) using one command-line interface (CLI)
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IP Security VPN Monitoring" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
•Prerequisites for IP Security VPN Monitoring
•Restrictions for IP Security VPN Monitoring
•Information About IPsec VPN Monitoring
•How to Configure IP Security VPN Monitoring
•Configuration Examples for IP Security VPN Monitoring
•Feature Information for IP Security VPN Monitoring
•You should be familiar with IPsec and encryption.
•Your router must support IPsec, and before using the IP Security VPN Monitoring feature, you must have configured IPsec on your router.
•You must be running Cisco IOS XE k8 or k9 crypto images on your router.
To troubleshoot the IPsec VPN and monitor the end-user interface, you should understand the following concepts:
•Summary Listing of Crypto Session Status
•Syslog Notification for Crypto Session Up or Down Status
•IKE and IPsec Security Exchange Clear Command
A crypto session is a set of IPsec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (for control traffic) and at least two IPsec security associations (for data traffic, one in each direction). Duplicate IKE security associations (SAs), duplicate IPsec SAs, or both may exist for the same session while a rekey is in progress or because both sides issued setup requests at the same time.
The Per-IKE Peer Description function allows you to enter a description of your choosing for an IKE peer. The unique peer description, which can include up to 80 characters, can be used whenever you are referencing that particular IKE peer. To add the peer description, use the description command.
Note IKE peers that "sit" behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.
The primary application of this description field is for monitoring purposes (for example, when using show commands or for logging [syslog messages]). The description field is purely informational (for example, it cannot act as a substitute for the peer address or FQDN when defining crypto maps).
You can get a list of all the active VPN sessions by entering the show crypto session command. The listing will include the following:
•Interface
•IKE peer description, if available
•IKE SAs that are associated with the peer by whom the IPsec SAs are created
•IPsec SAs serving the flows of a session
Multiple IKE or IPsec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPsec SAs that are serving the flows of the session.
You can also use the show crypto session detail variant of this command to obtain more detailed information about the sessions.
The Syslog Notification for Crypto Session Up or Down Status function provides syslog notification every time the crypto session comes up or goes down.
The following is a sample syslog notification showing that a crypto session is up:
%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2
The following is a sample syslog notification showing that a crypto session is down:
%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2
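As an added example (not part of the Cisco documentation), the following Python parses %CRYPTO-5-SESSION_STATUS messages in the format shown above, keeps the last known state per peer and VRF pair, and lists peers whose session went DOWN repeatedly, a simple flap check a monitoring pipeline can run over collected syslog. The sample lines are constructed from the two message variants that appear on this page (with and without the fvrf/ivrf fields).

```python
import re
from collections import defaultdict

# Message format documented above. fvrf/ivrf and Description are optional
# because the "Verifying Peer Descriptions" example omits the VRF fields.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto (?:session|tunnel) is (?P<state>UP|DOWN)\. "
    r"Peer (?P<peer>\S+?):(?P<port>\d+)"
    r"(?: fvrf=(?P<fvrf>\S+))?(?: ivrf=(?P<ivrf>\S+))?"
    r"(?: Description: (?P<desc>.*?))? Id: (?P<id>\S+)$"
)

# Constructed sample: two flaps for the 10.6.6.1 peer, one unrelated message.
SAMPLE_SYSLOG = [
    "%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2",
    "%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn",
    "%SYS-5-CONFIG_I: Configured from console by console",
]

def parse_session_status(line):
    """Return the fields of one SESSION_STATUS line, or None for other messages."""
    m = SESSION_RE.search(line.rstrip())
    return m.groupdict() if m else None

def session_key(ev):
    """Identify a session by peer address, port, and both VRFs (see the clear
    crypto session parameters); missing VRFs are reported as (none)."""
    return (ev["peer"], ev["port"], ev["fvrf"] or "(none)", ev["ivrf"] or "(none)")

def track_sessions(lines, flap_threshold=2):
    """Replay syslog lines in order. Return the current state per session and
    the sorted list of sessions that went DOWN at least flap_threshold times."""
    state, downs = {}, defaultdict(int)
    for line in lines:
        ev = parse_session_status(line)
        if ev is None:
            continue
        key = session_key(ev)
        state[key] = ev["state"]
        if ev["state"] == "DOWN":
            downs[key] += 1
    flapping = sorted(k for k, n in downs.items() if n >= flap_threshold)
    return state, flapping
```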
The clear crypto session command allows you to clear both IKE and IPsec with a single command. To clear a specific crypto session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address will be used to specify a single tunnel to be deleted.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPsec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be cleared. If you do not provide a parameter when you use the clear crypto session command, all IPsec SAs and IKE SAs that are in the router will be deleted.
See the following sections for configuration tasks for this feature. Each task in the list is identified as either required or optional.
•Adding the Description of an IKE Peer (optional)
•Verifying Peer Descriptions (optional)
•Clearing a Crypto Session (optional)
To add the description of an IKE peer to an IPsec VPN session, perform the following steps.
1. enable
2. configure terminal
3. crypto isakmp peer {ip-address ip-address}
4. description
To verify peer descriptions, use the show crypto isakmp peer command.
1. enable
2. show crypto isakmp peer
The following output example verifies that the description "connection from site A" has been added for IKE peer 10.2.2.9:
Router# show crypto isakmp peer
Peer: 10.2.2.9 Port: 500
Description: connection from site A
flags: PEER_POLICY
When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn
To clear a crypto session, use the clear crypto session command from the router command line. No configuration statements are required in the configuration file to use this command.
1. enable
2. clear crypto session
This section provides the following configuration example:
•show crypto session Command Output: Examples
The following is sample output from the show crypto session command without the detail keyword:
Router# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.0.0.2/500
IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0
Active SAs: 2, origin: crypto map
The following is sample output using the show crypto session command and the detail keyword:
Router# show crypto session detail
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
Desc: this is my peer at 10.1.1.3:500 Green
Phase1_id: 10.1.1.3
IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
Capabilities:(none) connid:3 lifetime:22:03:24
IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949
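As an added example (not part of the Cisco documentation), the following Python turns the show crypto session detail output shown above into structured records and applies two illustrative health checks: an UP-ACTIVE session whose flow has no active IPsec SAs, and any flow whose counters show dropped packets. The input is the page's own sample output, with the Phase1_id and Capabilities lines omitted because the parser ignores them; the health rules are this example's choice, not something the command itself reports.

```python
# Sample input: the "show crypto session detail" output shown above (Phase1_id and Capabilities lines omitted).
SAMPLE_DETAIL = """\
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
Desc: this is my peer at 10.1.1.3:500 Green
IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
Active SAs: 4, origin: crypto map
Inbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949
"""

def parse_show_crypto_session(text):
    """Parse 'show crypto session [detail]' output into a list of session dicts."""
    sessions, cur, flow = [], None, None
    for line in text.splitlines():
        key, _, val = map(str.strip, line.partition(":"))  # split on the first colon only
        if key == "Interface":
            cur = {"interface": val, "ike_sas": [], "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif key in ("Session status", "Peer", "Desc"):
            cur[key.lower().replace(" ", "_")] = val
        elif key == "IKE SA":
            cur["ike_sas"].append(val.split()[-1])  # SA state, e.g. Active
        elif key == "IPSEC FLOW":
            flow = {"flow": val, "active_sas": 0, "drops": 0}
            cur["flows"].append(flow)
        elif key == "Active SAs" and flow is not None:
            flow["active_sas"] = int(val.split(",")[0])
        elif key in ("Inbound", "Outbound") and flow is not None:
            flow["drops"] += int(val.split("drop ")[1].split()[0])
    return sessions

def health_findings(sessions):
    """Flag UP-ACTIVE sessions whose flow has no active IPsec SAs, and flows with dropped packets."""
    out = []
    for s in sessions:
        for f in s["flows"]:
            if s.get("session_status") == "UP-ACTIVE" and f["active_sas"] == 0:
                out.append((s["interface"], f["flow"], "no active IPsec SAs"))
            if f["drops"]:
                out.append((s["interface"], f["flow"], f"{f['drops']} dropped packets"))
    return out
```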
The following sections provide references related to IP Security VPN Monitoring.
Related Topic | Document Title
---|---
IP security, encryption, and IKE | Configuring Internet Key Exchange for IPsec VPNs
Security commands |

Standard | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —

RFC | Title
---|---
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.