User Guide for CiscoView Device Manager for the Cisco IPSec VPN Acceleration Services Module (CVDM-VPNSM)
Viewing Statistics

VPN Module Statistics


CVDM-VPNSM allows you to view information about the crypto connections and security associations (SAs) that are currently active on the device.

An SA is a set of security parameters used by a tunnel for authentication and encryption. Key management tunnels use one SA for both directions of traffic; data management tunnels use at least one SA for each direction of traffic. Each endpoint assigns a unique identifier, called a security parameter index (SPI), to each SA.

A set of SAs is needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports Encapsulating Security Protocol (ESP) between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and SPI.
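The two rules above (an SA is identified by destination address, security protocol, and SPI; a protected pipe needs one SA per direction per protocol) can be checked mechanically against a list of SAs. The following Python code is an added example, not part of CVDM-VPNSM or the original guide; the `SA` record, the `audit_sas` function, the addresses, and the SPI values are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class SA(NamedTuple):
    src: str    # endpoint sending traffic under this SA
    dst: str    # destination (IPSec endpoint) address
    proto: str  # security protocol: "AH" or "ESP"
    spi: int    # security parameter index


def audit_sas(sas):
    """Return (duplicates, one_way) for an iterable of SA records.

    duplicates: (dst, proto, spi) triples shared by more than one SA,
                which breaks the uniqueness rule.
    one_way:    (src, dst, proto) flows with no SA in the reverse
                direction for the same protocol.
    """
    by_key = defaultdict(list)
    flows = set()
    for sa in sas:
        by_key[(sa.dst, sa.proto, sa.spi)].append(sa)
        flows.add((sa.src, sa.dst, sa.proto))
    duplicates = sorted(k for k, v in by_key.items() if len(v) > 1)
    one_way = sorted(f for f in flows if (f[1], f[0], f[2]) not in flows)
    return duplicates, one_way


# Constructed sample data (documentation address ranges, made-up SPIs).
SAMPLE = [
    SA("192.0.2.1", "198.51.100.7", "ESP", 0x1A2B3C4D),  # ESP, one direction
    SA("198.51.100.7", "192.0.2.1", "ESP", 0x5E6F7081),  # ESP, return direction
    # Same destination and SPI but a different protocol: a distinct SA, not a clash.
    SA("192.0.2.1", "198.51.100.7", "AH", 0x1A2B3C4D),   # AH has no return SA
    SA("192.0.2.1", "203.0.113.9", "ESP", 0x0000BEEF),   # no return SA
    SA("192.0.2.50", "203.0.113.9", "ESP", 0x0000BEEF),  # same triple as the line above
]

if __name__ == "__main__":
    dups, one_way = audit_sas(SAMPLE)
    for dst, proto, spi in dups:
        print(f"duplicate SA key: dst={dst} proto={proto} spi=0x{spi:08X}")
    for src, dst, proto in one_way:
        print(f"no reverse {proto} SA for {src} -> {dst}")
```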

This chapter contains the following topics:

Statistics Main Page

Viewing Connection Information

Viewing Security Association Information

Statistics Main Page

To access the Statistics main page, click Setup at the top of the window and then click Statistics (see Figure 7-1).

Figure 7-1 Statistics Main Page

Viewing Connection Information

To access the Connections overview page, click Setup at the top of the window, click Statistics from the left-most pane, and then click Connections from the selector.

The following table describes the information provided on this page.

| GUI Element | Description |
|---|---|
| Active Connection pane | Displays information about the crypto engine connections that are active on the device. The information is the result of the show crypto engine connection active CLI command. |
| ID column | Identifier of an active connection. |
| Interface VLAN column | Identifier of the interface VLAN associated with an active connection. |
| IP Address column | IP address of the associated interface VLAN. |
| State column | Current state of an active connection. |
| Algorithm column | Encryption algorithm used by an active connection. |
| Encrypt column | Indicates which packets are encrypted. |
| Decrypt column | Indicates which packets are decrypted. |
| Connection Per Group pane | Displays the crypto engine connection groups that are active on the device. The information is the result of the show crypto session groups CLI command. |
| Group Name column | Name of a connection group. |
| Number of Connections column | Number of connections in a group. |


Viewing Security Association Information

To access the SA overview page, click Setup at the top of the window, click Statistics from the left-most pane, and then click SAs from the selector.

Note the following regarding SAs:

IP Security (IPSec) SAs are unidirectional and are unique in each security protocol.

An Internet Key Exchange (IKE) SA is used by IKE only, and unlike the IPSec SA, it is bidirectional.

IKE negotiates and establishes SAs on behalf of IPSec.

A user can also establish IPSec SAs manually.

The following table describes the information provided on this page.

| GUI Element | Description |
|---|---|
| IPSec SAs pane | Displays information about the SAs configured on the device. The information is the result of the show crypto ipsec sa CLI command. |
| Interface VLAN column | Name/identifier of the interface VLAN associated with an SA. |
| Local IP Address column | IP address of the associated interface VLAN. |
| Peer Address column | IP address of the end point for an SA. |
| Crypto Map column | Name of the crypto map associated with an SA. |
| Pkts. Encrypted column | Indicates which packets are encrypted. |
| Pkts. Decrypted column | Indicates which packets are decrypted. |
| Outbound SPI column | Outbound security parameters index (SPI) for the SA. The SPI is a number that, together with a destination IP address and security protocol, uniquely identifies a particular security association. When using IKE to establish the security associations, the SPI for each security association is a pseudo-randomly derived number. Without IKE, the SPI is manually specified for each security association. |
| ISAKMP SAs pane | Displays information about the IKE SAs configured on the device. The information is the result of the show isakmp sa CLI command. |
| Destination column | IP address of an SA's destination. |
| Source column | IP address of an SA's source. |
| State column | Current state of an SA. |
| Connection ID column | Identifier of the connection associated with an SA. |
| Slot column | Slot number of the VPN module handling an SA. |