Administer Sessions
Administration | Administer Sessions
This screen shows comprehensive statistics for all active sessions on the VPN Concentrator. You can also click the name of a session to see detailed parameters and statistics for that session. See Administration | Administer Sessions | Detail.
Figure 2-1 Administration | Administer Sessions Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Group — Choose a group from the menu to monitor statistics for that group only. The default is --All-- which displays statistics for all groups.
• Logout All — These active labels let you log out all active sessions of a given tunnel type at once:
  – PPTP User = PPTP remote-access users
  – L2TP User = L2TP remote-access users
  – IPSec User = IPSec remote-access users
  – L2TP/IPSec User = L2TP over IPSec users
  – IPSec/UDP User = IPSec through UDP users
  – IPSec/TCP User = IPSec through TCP users
  – IPSec/LAN-to-LAN = IPSec LAN-to-LAN
  – E-Mail = WebVPN E-Mail
  – WebVPN = SSL over VPN
  To log out the sessions, click the appropriate label. The Manager displays a prompt to confirm the action.
  Figure 2-2 Logout All Sessions Confirmation Prompt
  Caution: This action immediately terminates all sessions of the given tunnel type. There is no user warning or undo.
  The Manager refreshes the screen after it terminates the sessions.
• NAC — These labels let you act on all active NAC sessions at once.
  – Revalidate All = Update posture validation for all hosts. The existing ACL based on previous posture validation remains in force during the revalidation process.
  – Reinitialize All = Perform new posture validation for all hosts, purging the existing EAP association. The Default ACL remains in effect until posture validation is complete.
Session Summary Table
This table shows summary totals for LAN-to-LAN, remote access, and management sessions.
A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one tunnel = one session. One IPSec LAN-to-LAN tunnel, however, counts as a single session even though it carries many host-to-host connections through the tunnel.
Table Elements
• Active LAN-to-LAN Sessions — The number of IPSec LAN-to-LAN sessions that are currently active.
• Active Remote Access Sessions — The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions that are currently active.
• Active Management Sessions — The number of administrator management sessions that are currently active.
• Total Active Sessions — The total number of sessions of all types that are currently active.
• Peak Concurrent Sessions — The highest number of sessions of all types that were concurrently active since the VPN Concentrator was last booted or reset.
• Concurrent Sessions Limit — The maximum number of concurrently active sessions permitted on this VPN Concentrator. This number is model-dependent, for example: model 3060 = 5000 sessions.
• Total Cumulative Sessions — The total cumulative number of sessions of all types since the VPN Concentrator was last booted or reset.
NAC Session Summary Table
This table shows summary totals for network admission control (NAC) sessions.
The VPN Concentrator works with other components of Cisco NAC architecture, including the Cisco Trust Agent (CTA) and the Cisco Secure Access Control Servers (ACS). The VPN Concentrator functions as a NAC authenticator and an ACS client.
Table Elements
• Accepted — The number of host sessions that successfully completed NAC posture validation. Each host revalidation also increments this counter.
• Rejected — The number of host sessions whose posture credentials were rejected by the ACS server. This typically indicates an ACS error.
• Exempted — The number of host sessions that matched the configured NAC Exception List, and were therefore exempt from posture validation.
• Non-responsive — The number of host sessions that did not respond to posture validation requests, and were therefore connected as "clientless hosts."
• Hold-off — The number of host sessions placed in hold-off state. Hold-off is a transitory state before an attempt is made to re-establish an EAPoUDP session with a host.
• N/A — The number of sessions for which NAC is disabled based on the VPN Concentrator's configuration.
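As an added example, not part of the Cisco documentation, the following Python models how the Session Summary and NAC Session Summary counters above are derived from the per-session rows, how the Duration column follows from Login Time, and which rows an administrator would review first. The session rows, the year, and the management protocol names other than Console are assumptions.

```python
from collections import Counter
from datetime import datetime

# Tunnel types as labelled on the Administer Sessions screen.
LAN_TO_LAN = {"IPSec/LAN-to-LAN"}
REMOTE_ACCESS = {"PPTP", "L2TP", "IPSec", "L2TP/IPSec", "IPSec/UDP", "IPSec/TCP"}
# Console comes from the page; the other management protocol names are assumed.
MANAGEMENT = {"Console", "HTTP", "HTTPS", "Telnet", "SSH"}
NAC_RESULTS = ("Accepted", "Rejected", "Exempted", "Non-responsive", "Hold-off", "N/A")

# Constructed sample rows, as if read off the three session tables.
SAMPLE_SESSIONS = [
    {"name": "branch-east", "protocol": "IPSec/LAN-to-LAN", "nac": "N/A", "encryption": "3DES-168"},
    {"name": "alice", "protocol": "IPSec/UDP", "nac": "Accepted", "encryption": "AES-128"},
    {"name": "bob", "protocol": "PPTP", "nac": "Non-responsive", "encryption": "None"},
    {"name": "carol", "protocol": "L2TP/IPSec", "nac": "Rejected", "encryption": "3DES-168"},
    {"name": "admin", "protocol": "HTTPS", "nac": "N/A", "encryption": "AES-128"},
    {"name": "admin", "protocol": "Console", "nac": "N/A", "encryption": "None"},
]

def session_summary(sessions, limit):
    """Session Summary counters for one refresh; a LAN-to-LAN tunnel is one session."""
    by_proto = Counter(s["protocol"] for s in sessions)
    l2l = sum(n for p, n in by_proto.items() if p in LAN_TO_LAN)
    ra = sum(n for p, n in by_proto.items() if p in REMOTE_ACCESS)
    mgmt = sum(n for p, n in by_proto.items() if p in MANAGEMENT)
    total = l2l + ra + mgmt
    return {"lan_to_lan": l2l, "remote_access": ra, "management": mgmt,
            "total": total, "limit": limit, "headroom": limit - total}

def nac_summary(sessions):
    """NAC Session Summary: one counter per posture validation outcome."""
    counts = Counter(s["nac"] for s in sessions)
    return {result: counts.get(result, 0) for result in NAC_RESULTS}

def duration(login_time, refresh_time, year=2005):
    """Duration column (HH:MM:SS) from Login Time and the last refresh, both in the
    screen's MMM DD HH:MM:SS 24-hour form; the year is assumed since the screen omits it."""
    fmt = "%Y %b %d %H:%M:%S"
    login = datetime.strptime(f"{year} {login_time}", fmt)
    refresh = datetime.strptime(f"{year} {refresh_time}", fmt)
    if refresh < login:  # the refresh fell after a year boundary
        refresh = refresh.replace(year=year + 1)
    hours, rem = divmod(int((refresh - login).total_seconds()), 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"

def sessions_to_review(sessions):
    """Rows worth attention: posture rejected by ACS, hosts admitted as clientless
    (Non-responsive), or remote-access tunnels carrying no encryption."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["nac"] in ("Rejected", "Non-responsive"):
            reasons.append(f"NAC {s['nac']}")
        if s["protocol"] in REMOTE_ACCESS and s["encryption"] == "None":
            reasons.append("no encryption")
        if reasons:
            flagged.append((s["name"], reasons))
    return flagged
```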
LAN-to-LAN Sessions Table
This table shows parameters and statistics for all active IPSec LAN-to-LAN sessions, sorted alphanumerically by connection name. Each session here identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within the tunnel.
Table Elements
• [ Remote Access Sessions | Management Sessions ] — Click these active links to go to the other session tables on this Manager screen.
• Connection Name — The name of the IPSec LAN-to-LAN connection. To display detailed parameters and statistics for this connection, click this name. See the Administration | Administer Sessions | Detail screen.
• IP Address — The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this LAN-to-LAN connection.
• Protocol, Encryption, Login Time, Duration, Bytes TX, Bytes RX, Actions — See Table 2-1 for definitions of these parameters.
Remote Access Sessions Table
This table shows parameters and statistics for all active remote-access sessions. Each session is a single-user connection from a remote client to the VPN Concentrator. Remote-access sessions include PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions.
Click a column header in this table to sort the table entries in ascending alphanumeric order, using that column as the sort key field.
Table Elements
• [ LAN-to-LAN Sessions | Management Sessions ] — Click these active links to go to the other session tables on this Manager screen.
• Username — The username or login name for the session. The field shows Authenticating... if the remote-access client is still negotiating authentication. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate.
  To display detailed parameters and statistics for this session, click this name. See the Administration | Administer Sessions | Detail screen.
• Assigned IP Address / Public IP Address — For the indicated user, this column shows the Assigned IP Address and the Public IP Address stacked in that order.
  – The top address, called the Assigned IP Address, is the private IP address assigned to the remote client for this session. This is also known as the "inner" or "virtual" IP address, and it lets the client appear to be a host on the private network.
    Note: If the remote client is a VPN 3002 using network extension mode, this field shows the network address of the private interface of the 3002. Therefore, you cannot ping the address.
  – The bottom address is the Public IP Address of the client for this remote-access session. This is also known as the "outer" IP address. It is typically assigned to the client by the ISP, and it lets the client function as a host on the public network.
• Group — The group name of the client for this remote-access session. Clicking the column head for Group sorts the table entries in ascending alphanumeric order and also sorts the usernames within each group in ascending alphanumeric order.
• Client Type — The client type of connected clients, and, when available, the associated operating system, sorted by username. For example:
  Client Type — Operating System
  VPN 3000 Hardware Client — VPN3002
  Windows NT client — Windows NT 4.0, Windows 2000, and Windows XP
  Windows 98 client — Windows 98
  Windows 2000 client — Windows 2000
• Version — The software version number (for example, rel. 3.6,_int 50) for connected clients, sorted by username.
• NAC Result — The results of NAC posture validation. Possible values are Unknown, Accepted, Rejected, Exempted, Non-responsive, Hold-off, and N/A. See the "NAC Session Summary Table" section. When "Unknown" is shown in the NAC Result column, it indicates that posture validation is in progress for that host.
  In addition, links are available here to revalidate or reinitialize individual sessions. These function as described for Revalidate All and Reinitialize All, respectively, above.
• Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx, Actions — See Table 2-1 for definitions of these parameters.
Management Sessions Table
This table shows parameters and statistics for all active administrator management sessions on the VPN Concentrator.
Table Elements
• [ LAN-to-LAN Sessions | Remote Access Sessions ] — Click these active links to go to the other session tables on this Manager screen.
• Administrator — The administrator username or login name for the session.
  The lock icon indicates the administrator who has the configuration lock, that is, the person who has the right to make changes to the active system configuration. See the explanation of Configuration locked by that follows.
• IP Address — The IP address of the manager workstation that is accessing the system. Local indicates a direct connection through the Console port on the system.
• Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx, Actions — See Table 2-1 for definitions of these parameters.
Table 2-1 Parameter definitions for Administration | Administer Sessions Screen
Protocol — The protocol this session is using. Console indicates a direct connection through the Console port on the system.
Encryption — The data encryption algorithm this session is using, if any.
Login Time — The date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.
Duration — The elapsed time (HH:MM:SS) between the session login time and the last screen refresh.
Bytes Tx — The total number of bytes transmitted to the remote peer or client by the VPN Concentrator.
Bytes Rx — The total number of bytes received from the remote peer or client by the VPN Concentrator.
Actions / Logout / Ping — To log out a specific session, click Logout. The screen refreshes and shows the new session statistics.
  Caution: Clicking Logout terminates a session without warning! There is no undo.
  To test the network connection to a session, click Ping. The VPN Concentrator sends an ICMP Ping message to the session IP address. See the Administration | Ping screen for details and results.
• Configuration locked by — The administrator (IP address or Console) who has the right to make changes to the active system configuration.
  The administrator who first makes a change to the active (running) configuration locks it. That administrator holds the lock until logout, or until the Session Idle Timeout period expires (see the Administration | Access Rights | Access Settings screen). For example, an administrator who is only viewing and refreshing statistics on a Monitoring screen for longer than the timeout period loses the lock, because refreshing a Monitoring screen does not count as configuration activity.
Administer Sessions | Detail
These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol. There are unique screens for:
• IPSec LAN-to-LAN (IPSec/LAN-to-LAN)
• IPSec remote access (IPSec User)
• IPSec through UDP (IPSec/UDP)
• IPSec through TCP (IPSec/TCP)
• L2TP
• L2TP over IPSec (L2TP/IPSec)
• PPTP
The Manager displays the appropriate screen when you click a highlighted connection name or username on the Administration | Administer Sessions screen. Figure 2-3 shows an example of one kind of detail screen. Depending on the type of connection you select, your detail screen might look somewhat different from the example shown, but each session detail screen shows three tables: summary data, bandwidth statistics, and detail data. The summary data echoes the session data from the Administration | Administer Sessions screen. The Bandwidth Statistics table shows the effect of bandwidth policing on the session. The session detail table shows all the relevant parameters for each session and subsession.
See Table 2-2 for definitions of the possible session detail parameters, in alphabetical order.
Figure 2-3 Example Administration | Administer Sessions | Detail Screen
Administer Sessions | Detail Parameters
This table lists definitions of the possible session detail parameters.
The parameters EAPoUDP Session Age, Hold-off Time Remaining, Posture Token, Redirect URL, Revalidation Time Interval, Status Query Time Interval, and Time Until Next Revalidation display only if NAC is configured.
Table 2-2 Parameter Definitions for Administration | Administer Sessions | Detail Screens
Assigned IP Address — The private IP address assigned to the remote client for this session. This is also known as the "inner" or "virtual" IP address, and it lets the client appear to be a host on the private network.
Authentication Mode — The protocol or mode used to authenticate this session.
Bytes Rx / Received — The total number of bytes received from the remote peer or client by the VPN Concentrator.
Bytes Tx / Transmitted — The total number of bytes transmitted to the remote peer or client by the VPN Concentrator.
Compression — The data compression algorithm this session is using. LZS is the data compression algorithm used by IPComp. MPPC uses LZ.
Connection Name — The name of the IPSec LAN-to-LAN connection.
Diffie-Hellman Group — The algorithm and key size used to generate IPSec SA encryption keys.
Duration — The elapsed time (HH:MM:SS) between the session login time and the last screen refresh.
Dynamic Filter — RADIUS user filter applied to this session.
Dynamic Rules — The rules that make up the dynamic filter. For the syntax of these rules, see Monitoring | Dynamic Filters.
EAPoUDP Session Age — Amount of time, in seconds, that the EAP over UDP session has been up.
Encapsulation Mode — The mode for applying IPSec ESP (Encapsulation Security Payload protocol) encryption and authentication, in other words, what part of the original IP packet has ESP applied.
Encryption / Encryption Algorithm — The data encryption algorithm this session is using, if any.
Hashing Algorithm — The algorithm used to create a hash of the packet, which is used for IPSec data authentication.
Hold-off Time Remaining — The number of seconds remaining before the VPN Concentrator removes the host's NAC session from the Hold-off state and retries posture validation.
Idle Time — The elapsed time (HH:MM:SS) between the last communication activity on this session and the last screen refresh.
IKE Negotiation Mode — The IKE (IPSec Phase 1) mode for exchanging key information and setting up SAs: Aggressive or Main.
IKE Sessions — The total number of IKE (IPSec Phase 1) sessions; usually 1. These sessions establish the tunnel for IPSec traffic.
Interface — The interface this session is using.
IP Address — The IP address of the remote peer VPN Concentrator or other secure gateway that initiated the IPSec LAN-to-LAN connection.
IPSec Sessions — The total number of IPSec (Phase 2) sessions, which are data traffic sessions through the tunnel. Each IPSec remote-access session might have two IPSec sessions: one showing the tunnel endpoints, and one showing the private networks reachable through the tunnel.
L2TP Sessions — The total number of user sessions through this L2TP or L2TP / IPSec tunnel; usually 1.
Local Address — The IP address (and wildcard mask) of the destination host (or network) for this session.
Login Time — The date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.
Perfect Forward Secrecy Group — The Diffie-Hellman algorithm and key size used to generate IPSec SA encryption keys using Perfect Forward Secrecy.
PFS Group — The Perfect Forward Secrecy group: 1, 2, 3, 4, or 7.
Posture Token — State of the host as determined by the ACS server during posture validation. Although these are configurable on ACS, typical ACS posture token values are Healthy, Checkup, Quarantine, Infected, and Unknown.
PPTP Sessions — The total number of user sessions through this PPTP tunnel; usually 1.
Protocol — The tunneling protocol that this session is using.
Public IP Address — The public IP address of the client for this remote-access session. This is also known as the "outer" IP address. It is typically assigned to the client by the ISP, and it lets the client function as a host on the public network.
Redirect URL — The optional URL to which the Concentrator redirects hosts' HTTP sessions. ACS sets this parameter. The Concentrator obtains the redirect URL from ACS as a result of posture validation or clientless authentication.
Rekey Data Interval — The lifetime in kilobytes of the IPSec (IKE) SA encryption keys.
Rekey Time Interval — The lifetime in seconds of the IPSec (IKE) SA encryption keys.
Remote Address — The IP address (and wildcard mask) of the remote peer (or network) that initiated this session.
Revalidation Time Interval — The number of seconds between revalidation processes. You configure this on the Configuration | User Management | Group | NAC tab. ACS may override this configuration.
SEP — The Scalable Encryption Module that is handling cryptographic processing for this session.
Session ID — An identifier for session components (subsessions) on this screen. With IPSec, there is one identifier for each SA.
Status Query Time Interval — The number of seconds between NAC status queries. You configure this on the Configuration | User Management | Group | NAC tab. ACS may override this configuration.
Time Until Next Revalidation — The number of seconds remaining until revalidation takes place.
Traffic Rate (bytes) — The effect of bandwidth management on this session's traffic rate.
  • Conformed = The current rate of session traffic (as set by the bandwidth management policy).
  • Throttled = The rate at which packets are being throttled to maintain the conformed rate.
Traffic Volume (kbps) — The effect of bandwidth management on this session's traffic volume.
  • Conformed = The number of bytes of session traffic (as set by the bandwidth management policy).
  • Throttled = The number of bytes being throttled to maintain the conformed rate.
  Note: The Bandwidth Management Traffic Volume byte counters include the outer IP tunnel header and MAC layer and therefore show larger totals than those shown for user statistics.
UDP Port — The UDP port number used in an IPSec through NAT connection.
Username — The username or login name for the session. If the client is using a digital certificate for authentication, the field shows the Subject CN or Subject OU from the certificate.