Monitoring Remote Access VPN Services
A remote access service (RAS) VPN secures connections for remote users, such as mobile users or telecommuters. RAS VPN monitoring provides all of the most important indicators of cluster, concentrator, and user session performance at a glance.
Performance Monitor also enables you to determine quickly whether RAS VPN problems exist and where they exist. You can then apply this knowledge and use your network management tools to reduce or eliminate problems for your network and users.
Optionally, you can log out one RAS user at a time.
Tip
To troubleshoot common problems with RAS VPN services, see the Troubleshooting appendix.
The following topics explain the RAS VPN monitoring features:
• Understanding RAS Virtual Clusters
• Understanding Easy VPN
• Working in the RAS Clusters Table
• Working in the Table of RAS Devices
• Working with RAS Device Details
• Working with RAS Users
Understanding RAS Virtual Clusters
Note
• References in the Performance Monitor GUI and documentation to load balancing services pertain only to the web server load-balancing capabilities of content switching services modules. This Performance Monitor release does not monitor the load balancing of concentrators or appliances that you have combined in virtual clusters.
• Although PIX OS and Easy VPN both support the use of RAS VPNs, neither technology supports the use of virtual clusters.
RAS VPNs enable remote users to participate in private networks through a shared public infrastructure, connecting through dial-up, ISDN, DSL, cable, or other technologies.
Performance Monitor monitors RAS VPN services that originate on several different kinds of devices, but special considerations apply to Cisco VPN 3000 Series concentrators and ASA 5520 or 5550 appliances because you can monitor them singly or when they are combined in a virtual cluster for load-balancing. In a virtual cluster, a collection of concentrators or a collection of appliances can function as a single entity.
The cluster is known to the outside client space by one IP address. The virtual IP address must be a routable address—meaning a valid address to which another device can send packets. Otherwise, inbound packets do not reach the cluster.
This virtual IP address is not tied to a specific device in the VPN cluster. It is serviced by the virtual cluster master. A virtual cluster master concentrator maintains the load information from all secondary concentrators or appliances in a specific cluster. Each secondary concentrator sends KeepAlive load information messages to the master.
• The VPN 3000 series includes six different concentrator models. To learn about their uses and capabilities, which can help you to assess whether the concentrators that you monitor are operating correctly, see http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/index.html.
• To learn about ASA 5520 and 5550 appliance uses and capabilities, see http://www.cisco.com/en/US/products/ps6120/index.html.
Understanding Easy VPN
Cisco Easy VPN, a software enhancement for several kinds of Cisco devices, greatly simplifies VPN deployment for remote offices and teleworkers. Easy VPN centralizes VPN management across many devices, thus reducing the complexity of VPN deployments. Easy VPN implementations require that you use both a Cisco Easy VPN Server and the Cisco Easy VPN Remote feature in your supported devices.
Supported routers, appliances, firewalls, and concentrators act like remote VPN clients when you use Easy VPN. As such, these devices can receive security policies from an Easy VPN server, which minimizes the VPN configuration requirements at remote locations in your organization.
In addition, a device enabled with Cisco Easy VPN Server can terminate VPN tunnels initiated by mobile remote workers who run Cisco VPN client software on their PCs.
Performance Monitor represents all Easy VPN sessions as if they are RAS VPN sessions, even though an Easy VPN server allows supported routers, appliances, firewalls, and concentrators to act as VPN head-end devices in either site-to-site or remote-access VPNs.
To learn about Easy VPN, see: http://www.cisco.com/en/US/products/sw/secursw/ps5299/index.html.
Note
• Easy VPN does not support the use of RAS clusters.
• Performance Monitor does not display Easy VPN session usernames, and does not associate usernames with specific Easy VPN sessions.
• The User Session Report feature in Performance Monitor does not support Easy VPN.
Working in the RAS Clusters Table
Performance Monitor provides a high-level overview that shows all of your remote access clusters. Use this overview to isolate user data and concentrator data, and display subsets of available cluster statistics.
Caution 
Performance Monitor updates its record of cluster membership automatically once each day. If you add or delete VPN concentrators in a cluster or if you move a concentrator from one cluster to another, you must select Devices > Importing Devices, then click Revalidate. Otherwise, displayed information is wrong for the relevant cluster until the next automatic update.
Procedure
Step 1
Select Monitor > Remote Access VPN > Clusters.
Performance Monitor averages its measurements of VPN concentrator health and performance to arrive at the high-level statistics it displays for the clusters in your network.
Step 2
Complete the optional tasks that meet your requirements (Table 5-1).
The refreshed display shows the result of any optional task that you complete.
Note
Easy VPN does not support the use of RAS clusters.
Table 5-1 Optional Tasks in the Remote Access Clusters Page
Note: Table 3-3 on page 3-9 describes additional optional tasks.
| Optional Task | Procedure | Additional Information |
|---|---|---|
| Find a device. | Enter the concentrator DNS name (if known) in the Find Device text box. If the DNS name is unknown, enter the concentrator IP address. Click Find. The possible outcomes are: • Success—The Remote Access Device Graphs page displays information about the specified concentrator. • Failure—A system message tells you that your query failed. | Table 5-3 describes elements in the Remote Access Device Graphs page. |
| Open a new browser and display the Packets Dropped graph for a specific RAS cluster. | Click a hyperlinked entry in the Packet Drop % column. | — |
| Open a new browser and display the Throughput (kbps) graph for a specific RAS cluster. | Click a hyperlinked entry in the Throughput (kbps) column. | — |
| Open a new browser and display the Bandwidth % graph for a specific RAS cluster. | Click a hyperlinked entry in the Bandwidth Usage % column. | — |
Working in the Table of RAS Devices
Performance Monitor provides a high-level overview that shows all of the validated Cisco VPN 3000 Series concentrators that are providing RAS VPN services in any cluster in your network. Use this overview to:
• Isolate data that describe VPN concentrator usage and activity, concentrator failures, and concentrator cryptographic activity.
• View tables and graphs that summarize the condition of any VPN concentrator.
Procedure
Step 1
Select Monitor > Remote Access VPN > Devices.
The Remote Access Devices page displays usage and activity statistics for the concentrators in all of your RAS clusters.
Note
Easy VPN does not support the use of RAS clusters.
Step 2
Complete the optional tasks that meet your requirements (Table 5-2).
The refreshed display shows the result of any optional task that you complete.
Table 5-2 Optional Tasks in the Remote Access Devices Page
Note: Table 3-3 on page 3-9 describes additional optional tasks.
| Optional Task | Procedure |
|---|---|
| Display only the concentrators in a single cluster. | Select a cluster name from the Select Cluster list. The refreshed page lists only the concentrators in the specified cluster. |
| Display charts and graphs that summarize the condition of a single VPN concentrator. | Click the DNS name or IP address of a concentrator in the Device column. The Remote Access Device Graphs page displays graphs that describe the condition of the specified concentrator. |
| Open a new window and display a graph of dropped packets for one concentrator. | Click the relevant entry in the Packet Drop % column. |
| Open a new window and display a throughput graph for one concentrator. | Click the relevant entry in the Throughput (kbps) column. |
| Open a new window and display a graph of bandwidth usage for one concentrator. | Click the relevant entry in the Bandwidth Usage % column. |
Working with RAS Device Details
See the following topics to learn how to isolate and monitor information that describes the status of any validated VPN concentrator:
• Viewing Detail Graphs for a RAS Device
• Monitoring RAS Device Usage and Activity
• Monitoring RAS Device Failures
• Monitoring RAS Device Crypto Activity
• Viewing RAS Device Crypto Accelerator Card Data
• Viewing the Remote Access Interfaces Table
Viewing Detail Graphs for a RAS Device
You can isolate information about a validated Cisco VPN 3000 Series concentrator in your network and display detail graphs that describe its health and performance.
Procedure
Step 1
Select Monitor > Remote Access VPN > Device Details.
By default, the Remote Access Device Graphs page displays graphs that describe the health and performance of the device with the numerically lowest IP address (Table 5-3).
Step 2
(Optional) To display equivalent graphs for a different concentrator, select the relevant IP address from the Select Device list.
Table 3-3 on page 3-9 describes optional tasks that recur throughout the GUI.
Table 5-3 describes the different line graphs that summarize trends of RAS service conditions.
Note
A known problem might interfere with your ability to interpret a graph that uses two vertical (Y) axes. The first Y axis always begins at zero, but the second Y axis begins at the lowest value for the specified time range—even when that value is greater than zero. Thus, the two Y axes might not be directly comparable.
Table 5-3 Types of RAS Graphs
| Graph Type | Description |
|---|---|
| Bandwidth Utilization | Illustrates percentages of device bandwidth capacity used on the public interface: • The vertical axis shows the average percentage of bandwidth capacity used in a specific polling cycle. • The horizontal axis shows the time of day for the polling cycle. |
| CPU Usage | Illustrates used percentages of device CPU capacity: • The vertical axis shows the average percentage of CPU capacity used in a specific polling cycle. • The horizontal axis shows time of day for the polling cycle. |
| Inbound Connect Failures | Illustrates the trend of inbound connection failures over time: • The vertical axis shows the average number of failures in a specific polling cycle. • The horizontal axis shows time of day for the polling cycle. |
| Throughput vs. Session | Displays a line graph that helps you compare throughput trends to the trend of the number of VPN sessions over time: • Because it shows two kinds of information, it has two vertical axes: – The vertical axis on the left (orange) shows the average throughput in a specific polling cycle, in bytes. – The vertical axis on the right (blue) shows the average number of sessions in a specific polling cycle. • The horizontal axis shows the time of day at which Performance Monitor calculated the trends in each vertical axis. |
| IKE Phase 1 Connection Failures | Illustrates the percentage of failures in Phase-1 (IKE) connections: • The vertical axis shows the average percentage of failed connections in a specific polling cycle. • The horizontal axis shows time of day for the polling cycle. |
| IPSec Phase 2 Connection Failures | Illustrates the percentage of failures in Phase-2 (IPSec) connections: • The vertical axis shows the average percentage of failed connections in a specific polling cycle. • The horizontal axis shows time of day for the polling cycle. |
Monitoring RAS Device Usage and Activity
You can monitor your validated VPN concentrators from a table of usage and activity statistics.
Procedure
Step 1
Select Monitor > Remote Access VPN > Devices.
The Remote Access Devices page displays a table of concentrator usage and activity statistics. All measured values on the page are computed as deltas (meaning they indicate the scope of difference from one polling cycle to the next)—except for the whole number count of current users.
Note
If you or one of your colleagues logs out a RAS user, the whole number count of current users might differ the next time the display is refreshed.
Step 2
Complete the optional tasks that meet your requirements (Table 5-4).
The refreshed display shows the result of any optional task that you complete.
Table 5-4 Optional Tasks in the Remote Access Devices Page
Note: Table 3-3 on page 3-9 describes additional optional tasks.
| Optional Task | Procedure |
|---|---|
| Display detailed graphs for one concentrator. | In the Device column, click the relevant concentrator IP address or DNS name. |
| Display a graph of dropped packets for one concentrator. | Click the relevant entry in the Packet Drop % column. |
| Display a throughput graph for one concentrator. | Click the relevant entry in the Throughput (kbps) column. |
| Display a graph of bandwidth usage for one concentrator. | Click the relevant entry in the Bandwidth Usage % column. |
Monitoring RAS Device Failures
You can display and work from a table that describes the operational failures of your validated VPN concentrators.
Procedure
Step 1
Select Monitor > Remote Access VPN > Devices > Failures.
All measured values on the Remote Access Failures page are computed as deltas.
Step 2
(Optional) To display detailed statistics for one VPN concentrator, click the relevant IP address or DNS name in the Device column. See Working with RAS Device Details.
Table 3-3 on page 3-9 describes optional tasks that recur throughout the GUI.
Monitoring RAS Device Crypto Activity
Performance Monitor enables you to display and work from a high-level table of cryptographic activity data for validated VPN concentrators.
Note
Displayed results do not include the VPN 3005 Concentrator or the VPN 3015 Concentrator. These devices use software encryption instead of scalable encryption processor (SEP) cards.
Procedure
Step 1
Select Monitor > Remote Access VPN > Devices > Cryptos.
All measured values on the Remote Access Cryptos page are computed as deltas, except for the whole number count of SEP cards.
Step 2
(Optional) To display detailed statistics for one VPN concentrator, click the relevant IP address or DNS name in the Device column. See Working with RAS Device Details.
Table 3-3 on page 3-9 describes optional tasks that recur throughout the GUI.
Viewing RAS Device Crypto Accelerator Card Data
Performance Monitor enables you to display and work from a table of cryptographic accelerator card data for one validated VPN concentrator.
Note
Displayed results do not include the VPN 3005 Concentrator or the VPN 3015 Concentrator. These devices use software encryption instead of SEP cards.
Procedure
Step 1
Select Monitor > Remote Access VPN > Device Details > Crypto Status.
All measured values on the Remote Access Cryptos page are computed as deltas.
Step 2
(Optional) To display equivalent data for a different concentrator, select the relevant IP address from the Select Device list.
Table 3-3 on page 3-9 describes optional tasks that recur throughout the GUI.
Viewing the Remote Access Interfaces Table
Performance Monitor enables you to display and work from a table of interface status data for one validated VPN concentrator.
Procedure
Step 1
Select Monitor > Remote Access VPN > Device Details > Interfaces.
The Remote Access Interfaces page displays information about the public interface and the private interface. A public (outside) interface uses public IP addresses and connects to outside networks. A private (inside) interface uses private IP addresses and is hidden from outside networks.
All measured values on the Remote Access Interfaces page are computed as deltas.
Step 2
(Optional) To display equivalent data for a different concentrator, select the relevant IP address from the Select Device list.
Table 3-3 on page 3-9 describes optional tasks that recur throughout the GUI.
Working with RAS Users
The following topics describe the features with which you monitor RAS users.
• Viewing RAS User Details
• Identifying the Top 10 Users of a RAS Device
• Identifying the Top 10 Users of a RAS Cluster
Viewing RAS User Details
You can isolate and display detailed information for a single current RAS VPN user. Optionally, you can log out the user you find.
Note
Finding a user session might take longer than 1 minute if the relevant VPN concentrator has many active sessions.
Tip
You can also display reports that:
• Rank the top 10 RAS VPN users over a range of time that you specify, according to a trending type that you select. See Viewing RAS VPN Top 10 User Reports, page 10-8.
• Describe the VPN sessions of one or more RAS VPN users over a range of time that you specify. See Viewing RAS VPN User Session Reports, page 10-8.
Before You Begin
The user logout feature is available to you only if:
• Your CiscoWorks user role is System Administrator or Network Administrator. See User Permissions, page 3-2.
• The VPN 3000 Concentrator Series Manager is enabled on the relevant VPN concentrator, and Performance Monitor has a record of the correct authentication credentials for that concentrator.
Procedure
Step 1
Select Monitor > Remote Access VPN > User Lookup.
Step 2
Enter the user IP address or username in the Find User text box.
Step 3
(Optional) In the Search In area, select either the Device or the Cluster option, then select an IP address.
Step 4
Click Go.
The possible outcomes are:
• Success—The page refreshes and displays the relevant user details if your query matches a recognized user.
• Failure—A system message informs you that your query failed.
Step 5
(Optional) To end the user session, click Logout.
The page refreshes and the possible outcomes are:
• Success—The specified user is logged out and his or her IP address no longer appears in any GUI table that describes active RAS sessions. A system message tells you, "The user <username> was logged out successfully."
• Failure—A system message tells you that an error occurred.
Table 3-3 on page 3-9 describes optional tasks that recur throughout the GUI.
Identifying the Top 10 Users of a RAS Device
Performance Monitor can rank the top 10 users who are connected to all validated VPN concentrators or to the validated concentrators in one cluster. The ranking values are determined by throughput, connection duration, or total traffic per user.
Note
Performance Monitor ranks the top 10 users on each VPN concentrator. It then ranks only those users against one another when it calculates the top 10 users overall. A user who ranks outside the top 10 for a specific concentrator is excluded from the overall ranking even when the top users for a different concentrator have lower throughput or bandwidth requirements than the excluded user. The top 10 ranking is therefore approximate.
Before You Begin
The user logout feature is available to you only if:
• Your CiscoWorks user role is System Administrator or Network Administrator. See User Permissions, page 3-2.
• The VPN 3000 Concentrator Series Manager is enabled on the relevant VPN concentrator, and Performance Monitor has a record of the correct authentication credentials for that concentrator.
Procedure
Step 1
Select Monitor > Remote Access VPN > Device Details > Top 10 Device Users.
All measured values on the Top 10 Device Users page are whole numbers, rather than deltas.
Step 2
Complete the optional tasks that meet your requirements (Table 5-5).
The refreshed display shows the result of any optional task that you complete.
Table 5-5 Optional Tasks in the Top 10 Device Users Page
Note: Table 3-3 on page 3-9 describes additional optional tasks.
| Optional Task | Procedure | Additional Information |
|---|---|---|
| Change the ranking criterion for the calculation of top users. | Select an option from the Compute Using list. | Options are as follows: • Throughput—Ranks users according to their throughput, measured in kbps. • Connect Duration—Ranks users according to the duration of their current session (in days, hours, minutes, and seconds). • Total Traffic—Ranks users according to the sum of their inbound and outbound packets. |
| Display equivalent data for the users of a different concentrator. | Select an IP address from the Select Device list. | — |
| Disconnect one user. | Click the radio button in the same row as the user whose session you plan to end, then click Logout. The page refreshes and the possible outcomes are: • Success—The specified user is logged out and his or her IP address no longer appears in any GUI table that describes active RAS sessions. • Failure—A system message tells you that an error occurred. | Ending a user session might take longer than 1 minute if the relevant VPN concentrator has many active sessions. The user logout feature is available to you only if: • Your CiscoWorks user role is System Administrator or Network Administrator. See User Permissions, page 3-2. • The VPN 3000 Concentrator Series Manager is enabled on the relevant VPN concentrator, and Performance Monitor has a record of the correct authentication credentials for that concentrator. |
Identifying the Top 10 Users of a RAS Cluster
You can rank all users that are connected to a cluster, or rank users across all clusters, excluding any Easy VPN users.
You can also log out one user at a time, excluding any Easy VPN users.
Before You Begin
The user logout feature is available to you only if:
• Your CiscoWorks user role is System Administrator or Network Administrator. See User Permissions, page 3-2.
• The VPN 3000 Concentrator Series Manager is enabled on the relevant VPN concentrator, and Performance Monitor has a record of the correct authentication credentials for that concentrator.
Procedure
Step 1
Select Monitor > Remote Access VPN > Top 10 Cluster Users.
All measured values on the Top 10 Cluster Users page are whole numbers, rather than deltas.
Step 2
Complete the optional tasks that meet your requirements (Table 5-6).
The refreshed display shows the result of any optional task that you complete.
Table 5-6 Optional Tasks in the Top 10 Cluster Users Page
Note: Table 3-3 on page 3-9 describes additional optional tasks.
| Optional Task | Procedure | Additional Information |
|---|---|---|
| Restrict the top 10 ranking to the users of one cluster only or select a different cluster. | Select a cluster from the Select Cluster list. | — |
| Open the Details of the Group Policy window. | Click the group name. | The group name is hyperlinked if the user session is associated with a router that is configured as an Easy VPN server. In this case, you can click the link to open the Details of the Group Policy window. Note: The group name is never hyperlinked if the user session is associated with the Easy VPN server on a PIX firewall or a VPN 3000 concentrator. |
| Change the ranking criterion for the calculation of top users. | Select an option from the Compute Using list. | Options are: • Throughput—Ranks users according to their throughput, measured in kbps. • Connect Duration—Ranks users according to the duration of their current session (in days, hours, minutes, and seconds). • Total Traffic—Ranks users according to the sum of their inbound and outbound packets. |
| Disconnect one user. | Click the radio button in the same row as the user whose session you plan to end, then click Logout. The page refreshes and the possible outcomes are: • Success—The specified user is logged out and his or her IP address no longer appears in any GUI table that describes active RAS sessions. • Failure—A system message tells you that an error occurred. | Ending a user session might take longer than 1 minute if the relevant VPN concentrator has many active sessions. The user logout feature is available to you only if: • Your CiscoWorks user role is System Administrator or Network Administrator. See User Permissions, page 3-2. • The VPN 3000 Concentrator Series Manager is enabled on the relevant VPN concentrator, and Performance Monitor has a record of the correct authentication credentials for that concentrator. |