User Guide for Cisco Performance Monitor 3.2
Monitoring Site-to-Site VPN Services

Table Of Contents

Monitoring Site-to-Site VPN Services

Understanding DMVPN

Working in the Site-to-Site Devices Table

Working with Site-to-Site Devices

Displaying and Interpreting Device or Module Detail Graphs

Monitoring Site-to-Site Device Usage and Activity

Monitoring Site-to-Site Device Failures

Monitoring Site-to-Site Device Crypto Activity

Working with Site-to-Site Device Details

Displaying and Interpreting Site-to-Site Device Detail Graphs

Displaying the Site-to-Site Device Interfaces Table

Working with Site-to-Site Tunnels

Displaying the Site-to-Site Device Tunnels Table

Finding a Site-to-Site VPN Tunnel


Monitoring Site-to-Site VPN Services


Site-to-site VPN monitoring provides all the most important indicators of device and tunnel performance at a glance. Performance Monitor also enables you to determine quickly whether site-to-site problems exist and where they exist. You can then apply this knowledge and use your network management tools to reduce or eliminate problems for your network and users.

Site-to-site VPNs permit connections between:

An organization's headquarters, remote offices, and branch offices.

An organization's intranet and its trusted partners, suppliers, customers, or communities of interest.

Performance Monitor monitors site-to-site VPN services in:

Cisco IOS VPN routers.

Cisco Catalyst 6500 series switches in which one or more supported services modules are installed.

Cisco VPN 3000 Series concentrators.

Adaptive Security Appliances.

PIX Security Appliances (also known as PIX firewalls).


Note Performance Monitor represents all Easy VPN sessions as if they are RAS VPN sessions, even though an Easy VPN server allows supported routers, appliances, firewalls, and concentrators to act as VPN head-end devices in either site-to-site or remote-access VPNs. See Understanding Easy VPN, page 5-2.



Tip To troubleshoot common problems with site-to-site VPN services, see the Troubleshooting appendix.


The following topics explain the site-to-site VPN monitoring features:

Understanding DMVPN

Working in the Site-to-Site Devices Table

Working with Site-to-Site Devices

Working with Site-to-Site Device Details

Working with Site-to-Site Tunnels

Understanding DMVPN

The Dynamic Multipoint VPN (DMVPN) feature on Cisco IOS routers provides a simple and scalable way to create large and small IPsec VPNs by combining GRE tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). In NHRP, the hub maintains a database of the public IP addresses of all spokes. Spokes in a DMVPN network register their public IP addresses with the hub each time they boot. A source spoke queries the NHRP database on the hub to obtain the public IP address of a destination spoke. A multipoint GRE tunnel interface enables a single GRE tunnel to support multiple IPsec tunnels, which reduces configuration complexity.

DMVPN supports two configurations, hub-to-spoke and spoke-to-spoke.

The benefits of a hub-to-spoke deployment include:

Simplified and smaller configurations for hub and spoke.

Zero-touch provisioning for adding new spokes to the VPN.

Support for dynamically addressed spokes.

Support for multicast traffic from hub to spokes.

The benefits of a spoke-to-spoke deployment include all of the benefits of a hub-and-spoke deployment, plus:

Direct dynamic spoke-to-spoke tunnels.

Support for participation by smaller spokes in the virtual full mesh.

In addition, the Performance Monitor GUI enables you to select a third option, spoke-to-hub. Spoke-to-hub is not actually a configuration that you can deploy. Instead, it is a convenience in Performance Monitor that enables you to select a spoke and quickly identify its associated hub.

In Performance Monitor, DMVPN usage is represented in the Tunnels page, where any displayed results are constrained by your selections from the Select Tunnel Type list. See Displaying the Site-to-Site Device Tunnels Table.


Note You might receive a flood of email messages about your DMVPN spoke-to-spoke tunnels if you do all of the following:

Configure DMVPN to use a full mesh topology that supports spoke-to-spoke sessions.

Configure a threshold for site-to-site VPN tunnel down events.

Schedule automatic email notification for those events.

Spoke-to-spoke tunnels are dynamic and short-lived by design, so they generate many tunnel down events. If this email flood affects you, we recommend that you either disable email notification or configure Performance Monitor to monitor hubs only.
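To make the distinction behind this note concrete, here is an added example (not Performance Monitor code, and not how the product implements its notifications) that tags tunnel down events as hub-to-spoke, spoke-to-hub or spoke-to-spoke from a set of known hub addresses, suppresses the spoke-to-spoke events the way the hubs-only recommendation would, and applies a per-cycle threshold to the rest. It also answers the "spoke-to-hub" question the GUI option exists for: which hub a given spoke registered with. The hub addresses, the spoke-to-hub registrations standing in for the hub's NHRP cache, the event records and the threshold value are all constructed for the example.

```python
"""DMVPN tunnel-down event triage.

Added example (not Performance Monitor code). Classifies tunnel-down
events by whether either endpoint is a DMVPN hub, suppresses
notifications for dynamic spoke-to-spoke tunnels, and applies a
per-cycle threshold to the remaining events. Hub addresses, spoke
registrations and the event records are constructed sample data.
"""
from collections import Counter

# Constructed NHRP-style registrations: spoke public address -> hub address.
# A real deployment would take these from the hub's NHRP cache.
REGISTRATIONS = {
    "203.0.113.11": "198.51.100.1",
    "203.0.113.12": "198.51.100.1",
    "203.0.113.21": "198.51.100.2",
}
HUBS = frozenset(REGISTRATIONS.values())

# Constructed tunnel-down events for one polling cycle: (local, remote).
EVENTS = [
    ("203.0.113.11", "203.0.113.12"),  # spoke-to-spoke, expected churn
    ("203.0.113.12", "203.0.113.11"),  # same tunnel, seen from the other side
    ("203.0.113.11", "203.0.113.21"),  # spoke-to-spoke across two hubs
    ("203.0.113.11", "198.51.100.1"),  # spoke-to-hub: persistent tunnel
    ("198.51.100.1", "203.0.113.12"),  # hub-to-spoke
    ("203.0.113.11", "198.51.100.1"),  # repeat spoke-to-hub in the same cycle
]


def tunnel_key(a, b):
    """Unordered endpoint pair, so both sides of one tunnel count as one."""
    return tuple(sorted((a, b)))


def classify(local, remote, hubs=HUBS):
    """Return the tunnel role from the local device's point of view."""
    l_hub, r_hub = local in hubs, remote in hubs
    if l_hub and r_hub:
        return "hub-to-hub"
    if l_hub:
        return "hub-to-spoke"
    if r_hub:
        return "spoke-to-hub"
    return "spoke-to-spoke"


def hub_for_spoke(spoke, registrations=REGISTRATIONS):
    """The GUI's 'spoke-to-hub' convenience: which hub does this spoke use?"""
    return registrations.get(spoke)


def triage(events, hubs=HUBS, threshold=2, hubs_only=True):
    """Count tunnel-down events per tunnel and decide what to notify on.

    hubs_only=True mirrors the guide's advice to monitor hubs only: events on
    spoke-to-spoke tunnels are suppressed instead of emailed. An alert fires
    when a tunnel's down count in this cycle reaches the threshold.
    """
    counts = Counter()
    suppressed = 0
    for local, remote in events:
        role = classify(local, remote, hubs)
        if hubs_only and role == "spoke-to-spoke":
            suppressed += 1
            continue
        counts[tunnel_key(local, remote)] += 1
    alerts = sorted(k for k, n in counts.items() if n >= threshold)
    return {"alerts": alerts, "suppressed": suppressed, "counts": dict(counts)}


if __name__ == "__main__":
    result = triage(EVENTS)
    print("hub for 203.0.113.21:", hub_for_spoke("203.0.113.21"))
    print("suppressed spoke-to-spoke events:", result["suppressed"])
    for key in result["alerts"]:
        print("ALERT: tunnel down count reached threshold:", key)
```

With hubs_only=True the three spoke-to-spoke events are dropped and only the spoke-to-hub tunnel that went down twice in the cycle reaches the threshold; with hubs_only=False the spoke-to-spoke tunnel between 203.0.113.11 and 203.0.113.12 alerts as well, which is the flood the note warns about, scaled up to a full mesh.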


DMVPN and Easy VPN Comparison

Table 6-1 describes major differences between DMVPN and Easy VPN. To learn more about Easy VPN and how it is represented in Performance Monitor, see Understanding Easy VPN, page 5-2.

Table 6-1 Comparison of DMVPN and Easy VPN

Service/Feature Name                       | DMVPN                                                              | Easy VPN
-------------------------------------------|--------------------------------------------------------------------|----------------------------
Support for multicast traffic              | Yes.                                                               |
Spoke-to-spoke communication               | Yes.                                                               |
Support for GRE/Quality of Service         | Yes.                                                               |
Support for routing protocols              | Yes.                                                               |
Support for certificates                   | Yes.                                                               |
Stateful failover                          | Depends on routing protocol for recovery.                          | Yes.
Scalability per hub                        | Because of routing protocols, DMVPN hubs support fewer spokes per hub. | Supports many spokes per hub.
Identical configuration for all spokes     |                                                                    | Yes.
Cross-platform support                     |                                                                    | Yes.
Support for software or hardware clients   | Hardware client only.                                              | Yes.
Always up tunnel to hub                    | Yes.                                                               | Not required.

Working in the Site-to-Site Devices Table

Performance Monitor provides a high-level overview that shows all of your site-to-site devices or just the devices in one device group. You can use this overview to:

Isolate descriptions of device usage and activity, device failures, and device crypto activity.

Display charts and graphs that summarize the condition of any device or module that provides site-to-site VPN services.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Devices.

All measured values on the Site-to-Site Devices page are computed as deltas (the change from one polling cycle to the next), except for the whole numbers that:

Count active Phase-2 tunnels.

Show the percentage of CPU capacity used.

Show the percentage of memory capacity used.

Step 2 Complete the optional tasks that meet your requirements (Table 6-2).

The refreshed display shows the result of any optional task that you complete.


Table 6-2 Optional Tasks in the Site-to-Site Devices Page 

Optional Task
Procedure

Note Table 3-3 on page 3-9 describes additional optional tasks.

Display only the devices in one user-defined device group, or display all devices.

Note Some of your monitored devices might not belong to any user-defined device groups.

Select a group name from the Select Group list. The refreshed page lists only the devices in the specified group. The default is to display all devices.

Display charts and graphs that summarize the overall condition of one device or module.

Click the relevant DNS name or IP address in the Device column.

Display a throughput graph for one device or module.

Click a hyperlinked entry in the Throughput (Bps) column.

Display a graph of dropped packets for one device or module.

Click a hyperlinked entry in the Packets Drop % column.


Working with Site-to-Site Devices

The following topics explain how you can monitor the status of individual devices and modules that provide site-to-site VPN services.

Displaying and Interpreting Device or Module Detail Graphs

Monitoring Site-to-Site Device Usage and Activity

Monitoring Site-to-Site Device Failures

Monitoring Site-to-Site Device Crypto Activity

Displaying and Interpreting Device or Module Detail Graphs

You can display and work from detailed graphs that describe any validated site-to-site endpoint device or module in your network.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Device Details.

The Site-to-Site Device Graphs page displays graphs that describe the health and performance of the device or module that you select (Table 6-3).

Step 2 (Optional) To view equivalent graphs for a different device or module, select the relevant IP address in the Select Device list.

Table 3-3 on page 3-9 describes other optional tasks that recur throughout the GUI.



Note A known problem might interfere with your ability to interpret a graph that uses two vertical (Y) axes. The first Y axis always begins at zero, but the second Y axis begins at the lowest value for the specified time range—even when that value is greater than zero. Thus, the two Y axes might not be directly comparable.


Table 6-3 Types of Site-to-Site Graphs 

Graph Type
Description

CPU Usage

Illustrates used percentages of device CPU capacity:

The vertical axis shows the average percentage of CPU capacity used in a specific polling cycle.

The horizontal axis shows time of day for the polling cycle.

Memory Usage

Illustrates used percentages of device memory capacity:

The vertical axis shows the average percentage of memory capacity used in a specific polling cycle.

The horizontal axis shows time of day for the polling cycle.

Packet Drops

Illustrates the percentage of dropped packets in site-to-site VPN tunnels:

The vertical axis shows the average percentage of dropped packets in a specific polling cycle.

The horizontal axis shows time of day for the polling cycle.

Throughput vs. No. of Tunnels

Displays a line graph that helps you compare throughput trends to the trend of the number of tunnels in use over time:

Because it shows two kinds of information, it has two vertical axes.

The vertical axis on the left (orange) shows the average throughput in bytes in a specific polling cycle.

The vertical axis on the right (blue) shows the average number of tunnels in a specific polling cycle.

The horizontal axis shows the time of day at which Performance Monitor calculated the trends in each vertical axis.

Inbound Connection Failure

Illustrates the trend of inbound connection failures over time:

The vertical axis shows the average number of failures in a specific polling cycle.

The horizontal axis shows time of day.

Outbound Connection Failure

Illustrates the trend of outbound connection failures over time:

The vertical axis shows the average number of failures in a specific polling cycle.

The horizontal axis shows time of day.


Monitoring Site-to-Site Device Usage and Activity

You can display and work from a table of usage and activity statistics for any of the validated site-to-site devices or service modules in your network.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Devices.

The Site-to-Site Devices table displays usage and activity statistics for all of your site-to-site devices and service modules.

Step 2 Complete the optional tasks that meet your requirements (Table 6-4).

The refreshed display shows the result of any optional task that you complete.


Table 6-4 Optional Tasks in the Site-to-Site Devices Page 

Optional Task
Procedure

Note Table 3-3 on page 3-9 describes additional optional tasks.

Open an Event Browser that displays only the critical errors (P1 or P2) for a specific device or service module.

Click the relevant alert icon in the Alert column.

Note The Alert column is empty for a device or module without any critical errors.

Display charts and graphs that summarize the overall condition of one device or service module.

Click the relevant DNS name or IP address in the Device column.

Display a throughput graph for one device or service module.

Click a hyperlinked entry in the Throughput (Kbps) column.

Display a graph of dropped packets for one device or service module.

Click a hyperlinked entry in the Packet Drop % column.


Monitoring Site-to-Site Device Failures

You can display and work from a table that describes the operational failures of validated site-to-site devices and service modules.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Failures.

All measured values on the Site-to-Site Failures page are computed as deltas.

Step 2 (Optional) To display charts and graphs that summarize the overall condition of one device or service module in the Failures table, click the relevant DNS name or IP address in the Device column.

Table 3-3 on page 3-9 describes other optional tasks that recur throughout the GUI.


Monitoring Site-to-Site Device Crypto Activity

You can display and work from a table of cryptographic activity on any validated site-to-site device.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Cryptos.

The Site-to-Site Cryptos page describes the encryption and decryption activities of your VPN routers and IPSec VPN service modules. All measured values on the Site-to-Site Cryptos page are computed as deltas.

Step 2 Complete the optional tasks that meet your requirements (Table 6-5).

The refreshed display shows the result of any optional task that you complete.


Table 6-5 Optional Tasks in the Site-to-Site Cryptos Page 

Optional Task
Procedure

Note Table 3-3 on page 3-9 describes additional optional tasks.

Open an Event Browser that displays only the critical errors (P1 or P2) for a specific device.

Click the relevant alert icon in the Alert column.

Note The Alert column is empty for a device without any critical errors.

Display charts and graphs that summarize the overall condition of one device.

Click the relevant DNS name or IP address in the Device column.


Working with Site-to-Site Device Details

Performance Monitor enables you to display and work from detailed presentations of essential site-to-site VPN device information. See these topics for additional information:

Displaying and Interpreting Site-to-Site Device Detail Graphs

Displaying the Site-to-Site Device Interfaces Table

Displaying the Site-to-Site Device Tunnels Table

Displaying and Interpreting Site-to-Site Device Detail Graphs

You can display a graphical representation of the status of any validated device in any of your site-to-site VPNs.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Device Details.

By default, Performance Monitor displays graphs that describe the health and performance of the monitored device with the numerically lowest IP address (Table 6-6).

Step 2 (Optional) To display equivalent information for a different device, select the relevant IP address from the Select Device list.

Table 3-3 on page 3-9 describes additional optional tasks.



Note A known problem might interfere with your ability to interpret a graph that uses two vertical (Y) axes. The first Y axis always begins at zero, but the second Y axis begins at the lowest value for the specified time range — even when that value is greater than zero. Thus, the two Y axes might not be directly comparable.


Table 6-6 Types of Site-to-Site Device Graphs 

Graph Type
Description

CPU Usage

Illustrates the used percentage of device CPU capacity:

The vertical axis shows the average percentage of CPU capacity used in a specific polling cycle.

The horizontal axis shows the time of day for the polling cycle.

Memory Usage

Illustrates the used percentage of device memory capacity:

The vertical axis shows the average percentage of memory capacity used in a specific polling cycle.

The horizontal axis shows the time of day for the polling cycle.

Packet Drops

Illustrates the percentage of dropped packets in site-to-site VPN tunnels:

The vertical axis shows the average percentage of dropped packets in a specific polling cycle.

The horizontal axis shows time of day for the polling cycle.

Throughput vs. No. Tunnels

Displays a line graph that helps you compare throughput trends to the trend of the number of tunnels over time:

Because it shows two kinds of information, it has two vertical axes:

The vertical axis on the left (orange) shows the average throughput for a specific polling cycle, in bytes per second.

The vertical axis on the right (blue) shows the average number of tunnels in a specific polling cycle.

The horizontal axis shows the time of day at which Performance Monitor calculated the trends in each vertical axis.

Inbound Connection Failures

Illustrates the trend of inbound connection failures over time:

The vertical axis shows the average number of failures in a specific polling cycle.

The horizontal axis shows the time of day for the polling cycle.

Outbound Connection Failures

Illustrates the trend of outbound connection failures over time:

The vertical axis shows the average number of failures in a specific polling cycle.

The horizontal axis shows the time of day for the polling cycle.


Displaying the Site-to-Site Device Interfaces Table

You can display and work from a table of site-to-site device interface performance and activity statistics.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Device Details > Interfaces.

The Site-to-Site Interfaces page describes device interfaces that are either bound to a crypto map or that are of Internet Assigned Numbers Authority (IANA) interface type 131 (tunnel).

All measured values on the Site-to-Site Interfaces page are computed as deltas.

Step 2 (Optional) To view equivalent data for a different device, select the relevant IP address from the Select Device list.

Table 3-3 on page 3-9 describes other optional tasks that recur throughout the GUI.
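As an added example (not Performance Monitor code), the following script applies the two rules stated in Step 1 to constructed SNMP-style poll data: it keeps only interfaces whose ifType is 131 or whose name is in a constructed set of crypto-map-bound interfaces, and it turns cumulative Counter32 octet counters into per-cycle deltas, which is what the delta values on this page and on the Site-to-Site Devices page are (CPU %, memory % and the active Phase-2 tunnel count are gauges and pass through unchanged). The poll records, the 300-second interval and the sysUpTime reset check are assumptions made for the example, not statements from the guide about how Performance Monitor polls.

```python
"""Per-cycle deltas for site-to-site VPN interfaces from SNMP-style polls.

Added example (not Performance Monitor code). Selects the interfaces the
guide says the Interfaces page shows (IANA ifType 131 = tunnel, or bound
to a crypto map), turns cumulative Counter32 octet counters into per-cycle
deltas with wrap handling, and passes gauges (CPU %, memory %, active
Phase-2 tunnels) through unchanged. Both polls are constructed sample data.
"""

IFTYPE_TUNNEL = 131          # IANA ifType for tunnel interfaces
COUNTER32_MOD = 1 << 32      # Counter32 wraps at 2**32

# Constructed: interface names bound to a crypto map (from the device config).
CRYPTO_MAP_BOUND = {"GigabitEthernet0/0"}

# Constructed: two consecutive polls 300 s apart. sysUpTime is in 1/100 s ticks.
POLL_T0 = {
    "sysUpTime": 500_000,
    "gauges": {"cpu_pct": 12, "mem_pct": 41, "active_p2_tunnels": 7},
    "ifTable": [
        {"ifIndex": 1, "ifDescr": "GigabitEthernet0/0", "ifType": 6,
         "ifInOctets": 4_294_900_000, "ifOutOctets": 1_000_000},
        {"ifIndex": 2, "ifDescr": "GigabitEthernet0/1", "ifType": 6,
         "ifInOctets": 5_000, "ifOutOctets": 6_000},
        {"ifIndex": 5, "ifDescr": "Tunnel0", "ifType": IFTYPE_TUNNEL,
         "ifInOctets": 10_000, "ifOutOctets": 20_000},
    ],
}
POLL_T1 = {
    "sysUpTime": 530_000,
    "gauges": {"cpu_pct": 18, "mem_pct": 42, "active_p2_tunnels": 9},
    "ifTable": [
        {"ifIndex": 1, "ifDescr": "GigabitEthernet0/0", "ifType": 6,
         "ifInOctets": 200_000, "ifOutOctets": 1_500_000},   # ifInOctets wrapped
        {"ifIndex": 2, "ifDescr": "GigabitEthernet0/1", "ifType": 6,
         "ifInOctets": 9_000, "ifOutOctets": 6_500},
        {"ifIndex": 5, "ifDescr": "Tunnel0", "ifType": IFTYPE_TUNNEL,
         "ifInOctets": 40_000, "ifOutOctets": 50_000},
    ],
}


def is_site_to_site_interface(row, crypto_map_bound=CRYPTO_MAP_BOUND):
    """Selection rule from the guide: tunnel ifType, or bound to a crypto map."""
    return row["ifType"] == IFTYPE_TUNNEL or row["ifDescr"] in crypto_map_bound


def counter_delta(prev, cur, modulus=COUNTER32_MOD):
    """Difference between two samples of a monotonically increasing counter,
    assuming at most one wrap happened between the two polls."""
    return (cur - prev) % modulus


def cycle_deltas(prev_poll, cur_poll, crypto_map_bound=CRYPTO_MAP_BOUND):
    """Return per-interface byte deltas and throughput for one polling cycle.

    If sysUpTime went backwards the device restarted and its counters were
    reset, so the cycle is reported as unusable rather than as a huge delta.
    """
    if cur_poll["sysUpTime"] < prev_poll["sysUpTime"]:
        return {"valid": False, "reason": "counter reset (sysUpTime decreased)",
                "gauges": dict(cur_poll["gauges"]), "interfaces": {}}
    interval_s = (cur_poll["sysUpTime"] - prev_poll["sysUpTime"]) / 100.0
    prev_rows = {r["ifIndex"]: r for r in prev_poll["ifTable"]}
    interfaces = {}
    for row in cur_poll["ifTable"]:
        if not is_site_to_site_interface(row, crypto_map_bound):
            continue
        prev = prev_rows.get(row["ifIndex"])
        if prev is None:
            continue   # interface appeared this cycle; no baseline yet
        d_in = counter_delta(prev["ifInOctets"], row["ifInOctets"])
        d_out = counter_delta(prev["ifOutOctets"], row["ifOutOctets"])
        interfaces[row["ifDescr"]] = {
            "in_bytes": d_in,
            "out_bytes": d_out,
            "throughput_bps": (d_in + d_out) / interval_s,   # bytes per second
        }
    return {"valid": True, "interval_s": interval_s,
            "gauges": dict(cur_poll["gauges"]), "interfaces": interfaces}


if __name__ == "__main__":
    result = cycle_deltas(POLL_T0, POLL_T1)
    print("gauges (not deltas):", result["gauges"])
    for name, stats in result["interfaces"].items():
        print(f"{name}: in={stats['in_bytes']} out={stats['out_bytes']} "
              f"Bps={stats['throughput_bps']:.1f}")
```

The wrap handling is not academic: at 1 Gbit/s a 32-bit octet counter wraps in roughly 34 seconds, so a raw cur minus prev between two polls can go negative or, if two wraps fit in one interval, silently under-report; where the device supports them, poll the 64-bit ifHCInOctets and ifHCOutOctets instead. GigabitEthernet0/1 is left out of the result because it is neither a tunnel interface nor crypto-map bound.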


Working with Site-to-Site Tunnels

The following topics describe ways to work with tunnels in site-to-site VPNs.

Displaying the Site-to-Site Device Tunnels Table

Finding a Site-to-Site VPN Tunnel

Displaying the Site-to-Site Device Tunnels Table

Performance Monitor enables you to display and work from a table of VPN tunnels on all of your validated site-to-site devices, or display the tunnels on one device.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Device Details > Tunnels.

By default, the Tunnels page describes tunnels on all of your validated site-to-site devices. The displayed values are whole numbers, computed since tunnel inception.

Step 2 (Optional) To display tunnels on one device, select the relevant IP address from the Select Device list.

The refreshed page displays only the tunnels on the specified device.

Table 3-3 on page 3-9 describes other optional tasks that recur throughout the GUI.


Finding a Site-to-Site VPN Tunnel

You can locate, isolate, and display the properties of a single tunnel.

Procedure


Step 1 Select Monitor > Site-to-Site VPN > Tunnel Lookup.

The Site-to-Site Tunnel Lookup page appears.

Step 2 To identify one tunnel, enter:

The IP address of the endpoint device interface at which one end of the tunnel terminates.

The IP address of the endpoint device interface at which the opposite end of the same tunnel terminates.

Step 3 Click Go.

The possible outcomes are:

Success—The refreshed page displays details for the specified tunnel.

Failure—A system message tells you that your query failed.

Table 3-3 on page 3-9 describes other optional tasks that recur throughout the GUI.