Statistics
Monitoring | Statistics
This section of the Manager shows statistics for traffic and activity on the VPN Concentrator since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, and the ARP table.
Figure 18-1 Monitoring | Statistics Screen
Statistics include:
• Accounting: total requests, responses, timeouts, etc.
• Address Pools: configured pools, allocated and available addresses.
• Administrative AAA: requests, accepts, rejects, challenges, timeouts, etc.
• Authentication: total requests, accepts, rejects, challenges, timeouts, etc.
• Authorization: total requests, accepts, rejects, challenges, timeouts, etc.
• Bandwidth Management: volume and rate of traffic managed by bandwidth policies.
• Compression: pre and post-compression byte totals for IPComp and MPPC.
• DHCP: leased addresses, duration, server addresses, etc.
• DNS: total requests, responses, timeouts, etc.
• Events: total events sorted by class, number, and count.
• Filtering: total inbound and outbound filtered traffic by interface.
• HTTP: total data traffic and connection statistics.
• IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc.
• L2TP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
• Load Balancing: device role; device load; and cluster peers' sessions, IP addresses, priority, etc.
• NAT: Network Address Translation session data.
• PPTP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
• SSH: total and active sessions, bytes and packets sent and received, etc.
• SSL: total sessions, encrypted vs. unencrypted traffic, etc.
• Telnet: total sessions, and current session inbound and outbound traffic.
• VRRP: total advertisements, Master router roles, errors, etc.
• MIB-II: interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, ARP table, Ethernet, and SNMP.
Accounting
This screen shows statistics for RADIUS user accounting activity on the VPN Concentrator since it was last booted or reset.
To configure the VPN Concentrator to communicate with RADIUS accounting servers, see the Configuration | System | Servers | Accounting screens.
Figure 18-2 Monitoring | Statistics | Accounting Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Server IP Address: Port — The IP address of the configured RADIUS user accounting server, and the port number that the VPN Concentrator is using to access the server. Each configured accounting server is a row in this table. The well-known port number for RADIUS accounting is 1646.
• Group — The group on which the server is configured.
• Requests — The number of accounting request packets sent to this RADIUS accounting server. This number does not include retransmissions.
• Retransmissions — The number of accounting request packets retransmitted to this RADIUS accounting server.
• Responses — The number of accounting response packets received from this RADIUS accounting server.
• Malformed Responses — The number of malformed accounting response packets received from this RADIUS accounting server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.
• Bad Authenticators — The number of accounting response packets received from this server that contained invalid authenticators.
• Pending Requests — The number of accounting request packets sent to this RADIUS accounting server that have not yet timed out or received a response.
• Timeouts — The number of accounting timeouts to this RADIUS server. After a timeout the system may retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.
• Unknown Type — The number of RADIUS packets of unknown type received from this server on the accounting port.
Address Pools
This screen shows statistics for address pool activity on the VPN Concentrator since it was last booted or reset. This data appears if the VPN Concentrator is configured to assign IP addresses to clients from an internal address pool.
To configure address pools, see the Configuration | System | Address Management screens and the Configuration | User Management | Groups | Address Pools screen.
Figure 18-3 Monitoring | Statistics | Address Pools Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Group — The names of configured groups. Click on a group name to display details of held IP addresses for that group.
• IP Address Range: Start / End — The starting and ending IP addresses in the configured address pool.
• Total Addresses — The total number of IP addresses in this configured pool.
• Available Addresses — The number of IP addresses available (unassigned) in this pool.
• Allocated Addresses — The number of IP addresses currently assigned from this pool.
• Held — The number of IP addresses currently in a "held" state (either subject to IP re-use delay or externally-in-use) from this pool. Click on the group name to display details for the held IP addresses.
• Max Allocated Addresses — The maximum number of IP addresses assigned from this pool at any one time.
Address Pools | Detail
This screen shows statistics for held IP addresses in the address pools for the selected group on the VPN Concentrator.
To configure address pools, see the Configuration | System | Address Management screens.
Figure 18-4 Monitoring | Statistics | Address Pools | Detail Screen
Screen Elements
• IP Address Range — The starting and ending IP addresses in the configured address pool.
• IP Address — The specific held IP address.
• Time Left (seconds) — The amount of time remaining until the IP address is released.
• Reason — Why the IP address is being held:
  – Reuse Delay: The address is held for a time period that is configured globally in the IP Reuse Delay field on the Configuration | System | Address Management | Assignment screen. This applies to internally-assigned IP addresses (assigned by the VPN Concentrator).
  – Externally In Use: The address is held for 30 minutes. If the VPN Concentrator tries to assign an IP address from the address pool, and an ARP request reveals that the address is taken, the IP address is considered externally-in-use. After the hold period, the VPN Concentrator may again attempt to assign this address.
Administrative AAA
If you have configured a TACACS+ server, this screen shows statistics for communications between the VPN Concentrator and the TACACS+ server since the VPN Concentrator was last booted or reset.
Figure 18-5 Monitoring | Statistics | Administrative AAA Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• IP Address — The IP address of the TACACS+ server.
• Requests — The number of requests for authentication, information, or authorization from the VPN Concentrator to the TACACS+ server.
• Accepts — The number of successful authentications.
• Rejects — The number of rejected authentications.
• Challenge — This field is not used.
• Pending Requests — The number of requests that have not yet been answered.
• Timeouts — The number of times the VPN Concentrator timed out waiting for a request.
Authentication
This screen shows statistics for user authentication activity on the VPN Concentrator since it was last booted or reset.
Note: Not all fields apply to all types of authentication servers.
To configure the VPN Concentrator to communicate with authentication servers, see the Configuration | System | Servers | Authentication screens.
Figure 18-6 Monitoring | Statistics | Authentication Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Server IP Address:Port — The IP address of the configured authentication server, and the port number that the VPN Concentrator is using to access the server. Each configured authentication server is a row in this table. Internal identifies the internal VPN Concentrator authentication server.
  When the authentication server is an SDI 5.0 server, this field becomes a link. Click the link to view the Monitoring | Statistics | Authentication | Replicas screen, which displays a list of replicas, and data about them (see the next section).
  The default, or well-known, port numbers identify an authentication server type:
  – 139 = NT Domain
  – 389 = LDAP
  – 1645 = RADIUS
  – 5500 = SDI
• Group — The group on which the server is configured.
• Requests — The total number of authentication request packets sent to this server. This number does not include retransmissions.
• Retransmissions — The number of authentication request packets retransmitted to this server.
• Accepts — The number of authentication acceptance packets received from this server.
• Rejects — The number of authentication rejection packets received from this server.
• Challenges — The number of authentication challenge packets received from this server.
• Malformed Responses — The number of malformed authentication response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.
• Bad Authenticators — The number of bad authentication response packets received from this server. Bad authenticators contain invalid authenticators or signature attributes.
• Pending Requests — The number of authentication request packets destined for this server that have not yet timed out or received a response.
• Timeouts — The number of authentication timeouts to this server. After a timeout the system might retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.
• Unknown Type — The number of authentication packets of unknown type received from this server.
Authentication | Replicas
This screen shows statistics for SDI 5.0 user authentication activity on the VPN Concentrator since it was last booted or reset.
Figure 18-7 Monitoring | Statistics | Authentication | Replicas Screen
Screen Elements
• Server IP Address:Port — The IP address of the configured SDI authentication server, and the port number that the VPN Concentrator is using to access the server.
  The default, or well-known, port number for an SDI 5.0 authentication server is 5500.
• Group — The group on which the server is configured.
• Retransmissions — The number of authentication request packets retransmitted to this server.
• Accepts — The number of authentication acceptance packets received from this server.
• Rejects — The number of authentication rejection packets received from this server.
• Timeouts — The number of authentication timeouts to this server. After a timeout the system might retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.
• BadCodeSent — The number of bad code packets received from this server. Bad code packets indicate invalid SecurID token code.
• BadPinSent — The number of bad pin packets received from this server. Bad pin packets indicate invalid user identification.
Authorization
This screen shows statistics for user authorization activity on the VPN Concentrator since it was last booted or reset.
To configure the VPN Concentrator to communicate with authorization servers, see the Configuration | System | Servers | Authorization screens.
Figure 18-8 Monitoring | Statistics | Authorization Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Server IP Address:Port — The IP address of the configured authorization server, and the port number that the VPN Concentrator is using to access the server. Each configured authorization server is a row in this table. Internal identifies the internal VPN Concentrator authorization server.
  The default, or well-known, port numbers identify an authorization server type:
  – 389 = LDAP
  – 1645 = RADIUS
• Group — The group on which the server is configured.
• Requests — The total number of authorization request packets sent to this server. This number does not include retransmissions.
• Retransmissions — The number of authorization request packets retransmitted to this server.
• Accepts — The number of authorization acceptance packets received from this server.
• Rejects — The number of authorization rejection packets received from this server.
• Challenges — The number of authorization challenge packets received from this server.
• Malformed Responses — The number of malformed authorization response packets received from this server. Malformed packets include packets with an invalid length. Bad authorizations are not included in this number.
• Bad Authenticators — The number of bad authorization response packets received from this server. Bad authenticators contain invalid authenticators or signature attributes.
• Pending Requests — The number of authorization request packets destined for this server that have not yet timed out or received a response.
• Timeouts — The number of authorization timeouts to this server. After a timeout the system might retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.
• Unknown Type — The number of authorization packets of unknown type received from this server.
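For RADIUS servers, the separation the Accounting, Authentication, and Authorization screens make between Malformed Responses, Bad Authenticators, and Unknown Type corresponds to the length and Response Authenticator checks defined in RFC 2865 and RFC 2866. The following Python is an added example, not Cisco code: the order of the checks, the function names, and the sample packets are assumptions, and the signature attribute mentioned under Bad Authenticators is not checked.

```python
import hashlib
import hmac
import struct
from collections import Counter

# RADIUS response codes (RFC 2865 / RFC 2866) mapped to the counter names
# shown on the statistics screens. The mapping is this example's assumption.
CODE_TO_COUNTER = {
    2: "Accepts",      # Access-Accept
    3: "Rejects",      # Access-Reject
    11: "Challenges",  # Access-Challenge
    5: "Responses",    # Accounting-Response
}
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_LEN = 4096    # maximum RADIUS packet length (RFC 2865)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code, ident, attrs, request_auth, secret):
    """Build a server response; used only to construct sample packets."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def attributes_well_formed(attrs):
    """Every attribute is type(1) + length(1) + value and must fit exactly."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return False
        alen = attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        pos += alen
    return True


def classify_response(datagram, request_auth, secret):
    """Return the name of the counter a received datagram would increment.

    request_auth is the 16-byte Request Authenticator of the pending request
    this response answers (identifier matching is left out for brevity).
    """
    if len(datagram) < HEADER_LEN:
        return "Malformed Responses"
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or length > MAX_LEN or length > len(datagram):
        return "Malformed Responses"          # invalid length
    packet = datagram[:length]                # octets past Length are padding
    attrs = packet[HEADER_LEN:]
    if not attributes_well_formed(attrs):
        return "Malformed Responses"
    if code not in CODE_TO_COUNTER:
        return "Unknown Type"
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return "Bad Authenticators"           # wrong secret or altered packet
    return CODE_TO_COUNTER[code]


def demo_counts():
    """Classify a set of constructed sample datagrams and tally the counters."""
    secret = b"constructed-shared-secret"     # constructed sample value
    request_auth = bytes(range(16))           # constructed sample value
    reply = bytes([18, 4]) + b"ok"            # Reply-Message attribute "ok"
    good_accept = build_response(2, 1, reply, request_auth, secret)
    samples = [
        good_accept,
        build_response(3, 2, reply, request_auth, secret),
        build_response(11, 3, reply, request_auth, secret),
        build_response(5, 4, b"", request_auth, secret),
        build_response(2, 5, reply, request_auth, b"wrong-secret"),
        good_accept[:-1],   # Length field claims more octets than arrived
        good_accept[:10],   # shorter than the fixed header
        build_response(99, 6, b"", request_auth, secret),  # unassigned code
    ]
    return Counter(classify_response(s, request_auth, secret) for s in samples)


if __name__ == "__main__":
    for name, count in sorted(demo_counts().items()):
        print(f"{name}: {count}")
```

A Bad Authenticators count that keeps rising for one server usually points to a shared-secret mismatch or to responses that did not originate from that server, which is why it is tracked separately from length errors.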
Bandwidth Management
This screen shows details of the effects of bandwidth management policies on each tunnel. Only tunnels on which bandwidth management policies are enabled appear on this screen.
Figure 18-9 Monitoring | Statistics | Bandwidth Management Screen
Screen Elements
• Group — Choose a group from this menu to show bandwidth statistics for users in that group only. The default value is --All--, which displays bandwidth statistics for users in all groups.
• User Name — The user name identifying a tunnel using a bandwidth management policy.
• Traffic Rate (kbps) Conformed — The current rate of session traffic (as set by the bandwidth management policy).
• Traffic Rate (kbps) Throttled — The rate at which packets are being throttled to maintain the conformed rate.
• Traffic Volume (bytes) Conformed — The number of bytes of session traffic (as set by the bandwidth management policy).
• Traffic Volume (bytes) Throttled — The number of bytes being throttled to maintain the conformed rate.
Compression
If you have enabled data compression, this screen shows statistics for data compression on the VPN Concentrator since it was last booted or reset.
Figure 18-10 Monitoring | Statistics | Compression Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• IPSec Using IPComp — This section shows statistics for IPSec data compression using the IPComp compression protocol.
  Note: The following IPComp statistics measure the results of compression on all incoming and outgoing data, including data not intended for compression and data that is not compressible.
• (IPSec) Outbound Pre-Compression — The total number of bytes of all outbound data before compression.
• (IPSec) Outbound Post-Compression — The total number of bytes of all outbound data after compression.
• (IPSec Outbound) Ratio — The ratio of Outbound Pre-Compression to Outbound Post-Compression.
• (IPSec) Inbound Pre-Decompression — The total number of bytes of all incoming data before any of it is decompressed.
• (IPSec) Inbound Post-Decompression — The total number of bytes of all incoming data after decompression.
• (IPSec Inbound) Ratio — The ratio of Inbound Post-Decompression to Inbound Pre-Decompression.
• L2TP/PPTP Using MPPC — This table shows statistics for L2TP and PPTP data compression using the MPPC compression protocol. These MPPC statistics use the following distinctions. (See Figure 18-11.) All data transmitted can be divided into two groups: data intended for compression (A) and data that is not intended for compression (B). Of the data intended for compression, some of it actually compresses (A1) and some does not (A2). (The compression process would actually cause certain data to expand, so this data is left uncompressed.)
Figure 18-11 Distinctions Used for Data Compression Statistics
• (L2TP) Resets Received — The total number of reset requests received from the remote peer.
• (L2TP) Resets Sent — The total number of reset requests sent to the remote peer.
• (L2TP) Outbound Pre-Compression — The total number of bytes of outbound data intended for compression ("A" in Figure 18-11).
• (L2TP) Outbound Post-Compression — The total number of bytes of outbound data actually compressed ("A1" in Figure 18-11).
• (L2TP) Outbound Not Compressed — The total number of bytes of data intended for compression that were not compressed. The compression process would actually cause certain data to expand, so this data is left uncompressed ("A2" in Figure 18-11).
• (L2TP Outbound) Compression Ratio — The ratio of Outbound Pre-Compression to (Outbound Post-Compression + Outbound Not Compressed).
• (L2TP Outbound) Not Compressed Ratio — The ratio of Outbound Pre-Compression to Outbound Not Compressed.
• (L2TP) Inbound Pre-Decompression — The total number of bytes of incoming data intended for decompression ("A" in Figure 18-11).
• (L2TP) Inbound Post-Decompression — The total number of bytes of incoming data actually decompressed ("A1" in Figure 18-11).
• (L2TP) Inbound Not Compressed — The total number of bytes of inbound data that were not compressed ("A2" in Figure 18-11).
• (L2TP Inbound) Compression Ratio — The ratio of (Inbound Post-Decompression + Inbound Not Compressed) to Inbound Pre-Decompression.
• (L2TP Inbound) Not Compressed Ratio — The ratio of Inbound Pre-Decompression to Inbound Not Compressed.
DHCP
This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) activity on the VPN Concentrator since it was last booted or reset. Each row of the table shows data for each session using an IP address via DHCP.
To identify DHCP servers to the VPN Concentrator, see Configuration | System | Servers | DHCP. To configure system-wide DHCP functions within the VPN Concentrator, see Configuration | System | IP Routing | DHCP. To use DHCP to assign addresses to clients, see the Configuration | System | Address Management | Assignment screen.
Figure 18-12 Monitoring | Statistics | DHCP Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Leased IP Address — The IP address leased from the DHCP server by the remote client.
• Lease Duration — The duration of the current IP address lease, shown as HH:MM:SS.
• Time Used — The total length of time that this session has had an active IP address lease, shown as HH:MM:SS.
• Time Left — The time remaining until the current IP address lease expires, shown as HH:MM:SS.
• DHCP Server Address — The IP address of the DHCP server that leased this IP address.
DNS
This screen shows statistics for DNS (Domain Name System) activity on the VPN Concentrator since it was last booted or reset.
To configure the VPN Concentrator to communicate with DNS servers, see the Configuration | System | Servers | DNS screen.
Figure 18-13 Monitoring | Statistics | DNS Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Requests — The total number of DNS queries the VPN Concentrator made since it was last booted or reset. This number equals the sum of the numbers in the four cells below.
• Responses — The number of DNS queries that were successfully resolved.
• Timeouts — The number of DNS queries that failed because there was no response from the server.
• Server Unreachable — The number of DNS queries that failed because the address of the server is not reachable according to the VPN Concentrator's routing table.
• Other Failures — The number of DNS queries that failed for an unspecified reason.
Events
This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset.
To configure event handling, see the Configuration | System | Events screens.
Figure 18-14 Monitoring | Statistics | Events Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Event Class — Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN Concentrator. For a description of event classes, see VPN 3000 Series Concentrator Reference Volume 1: Configuration.
• Event Number — Event number is a Cisco-assigned reference number that denotes a specific event within the event class. For example, CONFIG event number 2 is "Reading configuration file." This reference number assists Cisco support personnel if they need to examine event statistics.
• Count of Events — The number of times that specific event has occurred on the VPN Concentrator since it was last booted or reset.
Filtering
This screen shows statistics for filtering of traffic that has passed through the interfaces on the VPN Concentrator since it was last booted or reset.
To configure filters, see the Configuration | Policy Management | Traffic Management screens. To apply filters to interfaces, see the Configuration | Interfaces screens. To apply filters to users and groups, see the Configuration | User Management screens.
Figure 18-15 Monitoring | Statistics | Filtering Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Interface — The VPN Concentrator network interface through which the filtered traffic has passed.
  – 1 = Ethernet 1 (Private) interface.
  – 2 = Ethernet 2 (Public) interface.
  – 3 = Ethernet 3 (External) interface.
• Inbound Packets Pre-Filter — The total number of inbound packets received on this interface.
• Inbound Packets Filtered — The number of inbound packets that have been filtered and dropped on this interface.
• Inbound Packets Post Filter — The number of inbound packets that have been filtered and forwarded on this interface. This number equals Inbound Packets Pre-Filter minus Inbound Packets Filtered.
• Outbound Packets Pre-Filter — The total number of outbound packets received on this interface.
• Outbound Packets Filtered — The number of outbound packets that have been filtered and dropped on this interface.
• Outbound Packets Post Filter — The number of outbound packets that have been filtered and forwarded on this interface. This number equals Outbound Packets Pre-Filter minus Outbound Packets Filtered.
HTTP
This screen shows statistics for HTTP activity on the VPN Concentrator since it was last booted or reset.
To configure system-wide HTTP server parameters, see the Configuration | System | Management Protocols | HTTP screen.
Figure 18-16 Monitoring | Statistics | HTTP Screen
Screen Elements
• Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
• Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
• Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
• Octets Sent/Received — The total number of HTTP octets (bytes) sent or received since the VPN Concentrator was last booted or reset.
• Packets Sent/Received — The total number of HTTP packets sent or received since the VPN Concentrator was last booted or reset.
• Packets Sent Sockets/Sessions — The number of HTTP sessions on the VPN Concentrator.
• Active — The number of currently active HTTP connections on the VPN Concentrator.
• Peak — The maximum number of HTTP connections that were simultaneously active on the VPN Concentrator since it was last booted or reset.
• Total — The total number of HTTP connections on the VPN Concentrator since it was last booted or reset.
HTTP Sessions
This section provides information about HTTP sessions on the VPN Concentrator since it was last booted or reset.
• Login Name — The name of the administrative user for the HTTP session.
• IP Address — The IP address of the HTTP session.
• Login Time — The time when the HTTP session began.
• Encryption — The encryption method used in the HTTP session.
• Octets Sent/Received — Number of octets sent or received during the HTTP session.
• Packets Sent/Received — Number of packets sent or received during the HTTP session.
• Sockets Active — The number of currently active sockets for the HTTP session.
• Sockets Peak — The maximum number of sockets simultaneously active during the HTTP session.
• Sockets Total — The total number of sockets active during the HTTP session.
• Max Connections — The maximum number of concurrent HTTP connections for the VPN Concentrator since it was last rebooted or reset.
IPSec
This screen shows statistics for IPSec activity—including current IPSec tunnels—on the VPN Concentrator since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB.
The Monitoring | Sessions | Detail screens also show IPSec data.
To configure system-wide IPSec parameters and LAN-to-LAN connections, see the Configuration | System | Tunneling Protocols | IPSec screens. To configure IPSec parameters for users and groups, see Configuration | User Management. To configure IPSec parameters and SAs on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management.
Figure 18-17 Monitoring | Statistics | IPSec Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
IKE (Phase 1) Statistics
This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations.
•
Active Tunnels — The number of currently active IKE control tunnels, both for LAN-to-LAN connections and remote access.
•
Total Tunnels — The cumulative total of all currently and previously active IKE control tunnels, both for LAN-to-LAN connections and remote access.
•
Received Bytes — The cumulative total of bytes (octets) received by all currently and previously active IKE tunnels.
•
Sent Bytes — The cumulative total of bytes (octets) sent by all currently and previously active IKE tunnels.
•
Received Packets — The cumulative total of packets received by all currently and previously active IKE tunnels.
•
Sent Packets — The cumulative total of packets sent by all currently and previously active IKE tunnels.
•
Received Packets Dropped — The cumulative total of packets that were dropped during receive processing by all currently and previously active IKE tunnels. If there is a problem with the content of a packet (such as hash failure, parsing error, or encryption failure) received in Phase 1 or the negotiation of Phase 2, the system drops the packet. This number should be zero or very small; if not, check for misconfiguration.
•
Sent Packets Dropped — The cumulative total of packets that were dropped during send processing by all currently and previously active IKE tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
•
Received Notifies — The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status, for example: error packets, keepalive packets, etc.
•
Sent Notifies — The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See comments for Received Notifies.
•
Received Phase-2 Exchanges — The cumulative total of IPSec Phase-2 exchanges received by all currently and previously active IKE tunnels, in other words, the total of Phase-2 negotiations received that were initiated by a remote peer. A complete exchange consists of three packets.
•
Sent Phase-2 Exchanges — The cumulative total of IPSec Phase-2 exchanges that were sent by all currently and previously active IKE tunnels, in other words, the total of Phase-2 negotiations initiated by this VPN Concentrator.
•
Invalid Phase-2 Exchanges Received — The cumulative total of IPSec Phase-2 exchanges that were received, found to be invalid because of protocol errors, and dropped, by all currently and previously active IKE tunnels. In other words, the total of Phase-2 negotiations that were initiated by a remote peer but that this VPN Concentrator dropped because of protocol errors.
•
Invalid Phase-2 Exchanges Sent — The cumulative total of IPSec Phase-2 exchanges that were sent and were found to be invalid, by all currently and previously active IKE tunnels.
•
Rejected Received Phase-2 Exchanges — The cumulative total of IPSec Phase-2 exchanges that were initiated by a remote peer, received, and rejected by all currently and previously active IKE tunnels. Rejected exchanges indicate policy-related failures, such as configuration problems.
•
Rejected Sent Phase-2 Exchanges — The cumulative total of IPSec Phase-2 exchanges that were initiated by this VPN Concentrator, sent, and rejected, by all currently and previously active IKE tunnels. See the previous comment.
•
Phase-2 SA Delete Requests Received — The cumulative total of requests to delete IPSec Phase-2 Security Associations received by all currently and previously active IKE tunnels.
•
Phase-2 SA Delete Requests Sent — The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels.
•
Initiated Tunnels — The cumulative total of IKE tunnels that this VPN Concentrator initiated. The VPN Concentrator initiates tunnels only for LAN-to-LAN connections.
•
Failed Initiated Tunnels — The cumulative total of IKE tunnels that this VPN Concentrator initiated and that failed to activate.
•
Failed Remote Tunnels — The cumulative total of IKE tunnels that remote peers initiated and that failed to activate.
•
Authentication Failures — The cumulative total of authentication attempts that failed, by all currently and previously active IKE tunnels. Authentication failures indicate problems with preshared keys, digital certificates, or user-level authentication.
•
Decryption Failures — The cumulative total of decryptions that failed, by all currently and previously active IKE tunnels. This number should be at or near zero; if not, check for misconfiguration or SEP module problems.
•
Hash Validation Failures — The cumulative total of hash validations that failed, by all currently and previously active IKE tunnels. Hash validation failures usually indicate misconfiguration or mismatched preshared keys or digital certificates.
•
System Capability Failures — The cumulative total of system capacity failures that occurred during processing of all currently and previously active IKE tunnels. These failures indicate that the system has run out of memory, or that the tunnel count exceeds the system maximum.
•
No-SA Failures — The cumulative total of nonexistent-Security Association failures that occurred during processing of all currently and previously active IKE tunnels. These failures occur when the system receives a packet for which it has no Security Association, and might indicate synchronization problems.
IPSec (Phase 2) Statistics
This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel.
•
Active Tunnels — The number of currently active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.
•
Total Tunnels — The cumulative total of all currently and previously active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.
•
Received Bytes — The cumulative total of bytes (octets) received by all currently and previously active IPSec Phase-2 tunnels, before decompression. In other words, total bytes of IPSec-only data received by the IPSec subsystem, before decompressing the IPSec payload.
•
Sent Bytes — The cumulative total of bytes (octets) sent by all currently and previously active IPSec Phase-2 tunnels, after compression. In other words, total bytes of IPSec-only data sent by the IPSec subsystem, after compressing the IPSec payload.
•
Received Packets — The cumulative total of packets received by all currently and previously active IPSec Phase-2 tunnels.
•
Sent Packets — The cumulative total of packets sent by all currently and previously active IPSec Phase-2 tunnels.
•
Received Packets Dropped — The cumulative total of packets dropped during receive processing by all currently and previously active IPSec Phase-2 tunnels, excluding packets dropped due to anti-replay processing. If there is a problem with the content of a packet, the system drops the packet. This number should be zero or very small; if not, check for misconfiguration.
•
Received Packets Dropped (Anti-Replay) — The cumulative total of packets dropped during receive processing due to anti-replay errors, by all currently and previously active IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate or out of bounds, there might be a faulty network or a security breach, and the system drops the packet.
•
Sent Packets Dropped — The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.
•
Inbound Authentications — The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.
•
Failed Inbound Authentications — The cumulative total of inbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. Failed authentications could indicate corrupted packets or a potential security attack ("man in the middle").
•
Outbound Authentications — The cumulative total of outbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.
•
Failed Outbound Authentications — The cumulative total of outbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.
•
Decryptions — The cumulative total of inbound decryptions performed by all currently and previously active IPSec Phase-2 tunnels.
•
Failed Decryptions — The cumulative total of inbound decryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check for misconfiguration or SEP module problems.
•
Encryptions — The cumulative total of outbound encryptions performed by all currently and previously active IPSec Phase-2 tunnels.
•
Failed Encryptions — The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check for IPSec subsystem or SEP module problems.
•
System Capability Failures — The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory or some other critical resource; check the event log.
•
No-SA Failures — The cumulative total of nonexistent-Security Association failures which occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures occur when the system receives an IPSec packet for which it has no Security Association, and might indicate synchronization problems.
•
Protocol Use Failures — The cumulative total of protocol use failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate errors parsing IPSec packets.
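The anti-replay and inbound-authentication counters above can be related with a sliding-window check of the kind the IPSec RFCs describe. The following is an added Python sketch, not the VPN Concentrator's own code; the 64-packet window, the class and counter names, and the sample traffic are assumptions. It shows that a packet failing authentication is counted separately and never advances the window.

```python
"""Sliding-window anti-replay check for inbound IPSec sequence numbers.

Added illustration: window size and all names are assumptions, not values
taken from the VPN Concentrator.
"""
from dataclasses import dataclass, field

WINDOW_SIZE = 64  # assumed; the IPSec RFCs require a window of at least 32


@dataclass
class ReplayWindow:
    """Per-SA receive state: highest sequence seen plus a bitmap of recent ones."""
    size: int = WINDOW_SIZE
    highest: int = 0   # highest authenticated sequence number so far
    bitmap: int = 0    # bit i set => sequence (highest - i) was already accepted
    counters: dict = field(default_factory=lambda: {
        "accepted": 0,
        "dropped_anti_replay": 0,   # cf. Received Packets Dropped (Anti-Replay)
        "failed_inbound_auth": 0,   # cf. Failed Inbound Authentications
    })

    def _is_replay(self, seq: int) -> bool:
        if seq == 0:
            return True                      # sequence numbers start at 1
        if seq > self.highest:
            return False                     # ahead of the window: candidate
        offset = self.highest - seq
        if offset >= self.size:
            return True                      # out of bounds: older than the window
        return bool((self.bitmap >> offset) & 1)   # duplicate inside the window

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1              # everything previously seen fell out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, seq: int, icv_ok: bool) -> str:
        """Return the verdict for one inbound packet and update the counters."""
        if self._is_replay(seq):
            self.counters["dropped_anti_replay"] += 1
            return "drop:replay"
        if not icv_ok:
            # The window moves only after the integrity check succeeds, so a
            # forged packet with a huge sequence number cannot slide it.
            self.counters["failed_inbound_auth"] += 1
            return "drop:auth"
        self._mark(seq)
        self.counters["accepted"] += 1
        return "accept"


def replay_demo():
    # Constructed traffic: (sequence number, did the packet authenticate?)
    packets = [
        (1, True), (2, True), (4, True), (3, True),  # reordering is accepted
        (4, True),      # duplicate of an accepted packet
        (200, False),   # fails authentication; must not move the window
        (100, True),    # legitimate jump forward
        (36, True),     # 100 - 36 = 64, just outside the 64-packet window
        (37, True),     # offset 63, oldest slot still inside the window
        (100, True),    # duplicate of the highest sequence number
    ]
    window = ReplayWindow()
    verdicts = [window.receive(seq, ok) for seq, ok in packets]
    return verdicts, window.counters


if __name__ == "__main__":
    for verdict in replay_demo()[0]:
        print(verdict)
```
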
L2TP
This screen shows statistics for L2TP activity on the VPN Concentrator since it was last booted or reset, and for current L2TP sessions.
The Monitoring | Sessions | Detail screens also show L2TP data.
To configure system-wide L2TP parameters, see the Configuration | System | Tunneling Protocols | L2TP screen. To configure L2TP parameters for users and groups, see Configuration | User Management. To configure L2TP on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management.
Figure 18-18 Monitoring | Statistics | L2TP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Total Tunnels — The total number of L2TP tunnels successfully established since the VPN Concentrator was last booted or reset.
•
Active Tunnels — The number of L2TP tunnels that are currently active.
•
Maximum Tunnels — The maximum number of L2TP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.
•
Failed Tunnels — The number of L2TP tunnels that failed to become established since the VPN Concentrator was last booted or reset.
•
Total Sessions — The total number of user sessions successfully established through L2TP tunnels since the VPN Concentrator was last booted or reset.
•
Active Sessions — The number of user sessions that are currently active through L2TP tunnels. The L2TP Sessions table shows statistics for these sessions.
•
Maximum Sessions — The maximum number of user sessions that have been simultaneously active through L2TP tunnels on the VPN Concentrator since it was last booted or reset.
•
Failed Sessions — The number of sessions that failed to become established through L2TP tunnels since the VPN Concentrator was last booted or reset.
•
Rx Octets Control / Data — The number of L2TP control / data channel octets (bytes) received by the VPN Concentrator since it was last booted or reset.
•
Rx Packets Control / Data — The number of L2TP control / data channel packets received by the VPN Concentrator since it was last booted or reset.
•
Rx Discards Control / Data — The number of L2TP control / data channel packets received and discarded by the VPN Concentrator since it was last booted or reset.
•
Tx Octets Control / Data — The number of L2TP control/data channel octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.
•
Tx Packets Control / Data — The number of L2TP control/data channel packets transmitted by the VPN Concentrator since it was last booted or reset.
L2TP Sessions
This table shows statistics for active L2TP sessions on the VPN Concentrator. Each active session is a row.
•
Remote IP — The IP address of the remote host that established the L2TP tunnel for this session, in other words, the tunnel endpoint IP address. The Monitoring | Sessions screen shows the IP address assigned to the client using the tunnel.
•
Username — The username for the session within an L2TP tunnel. This is typically the login name of the remote user.
•
Serial — The serial number of the session within an L2TP tunnel. If there are multiple sessions using a tunnel, each session has a unique serial number.
•
Receive Octets — The total number of L2TP data octets (bytes) received by this session.
•
Receive Packets — The total number of L2TP data packets received by this session.
•
Receive Discards — The total number of L2TP data packets received and discarded by this session.
•
Receive ZLB — The total number of L2TP Zero Length Body acknowledgement data packets received by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
•
Transmit Octets — The total number of L2TP data octets (bytes) transmitted by this session.
•
Transmit Packets — The total number of L2TP data packets transmitted by this session.
•
Transmit ZLB — The total number of L2TP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
Load Balancing
This screen shows statistics for load balancing on the VPN Concentrator since it was last booted or reset.
Figure 18-19 Monitoring | Statistics | Load Balancing Screen
Screen Elements
•
Refresh — Click to update the screen and its data. The date and time indicate the last update.
•
Enabled? — Indicates whether load balancing has been enabled on this VPN Concentrator.
•
Role — The role of this VPN Concentrator within the virtual cluster. It is either a virtual cluster master or a secondary device.
•
Load — The percentage of the cluster's total session load that this VPN Concentrator is carrying.
•
Number of Peers — The number of other VPN Concentrators in the virtual cluster.
Peers
The peers chart shows configuration details and session statistics of the other VPN Concentrators in the virtual cluster.
•
Private IP Address — The private IP address of the peer.
•
Public IP Address — The public IP address of the peer.
•
Mapped IP Address — The NAT address of the peer, if it has one.
•
Role — The role of the peer within the virtual cluster. It is either a virtual cluster master or a secondary device.
•
Device Type — The VPN Concentrator model (such as 3005 or 3030) of the peer.
•
Load — The percentage of the cluster's total session load that the peer is carrying. You can view this information only from the virtual cluster master device. If you are viewing this field from a secondary device, its value is N/A.
•
Sessions — The number of currently active sessions on the peer. You can view this information only from the virtual cluster master device. If you are viewing this field from a secondary device, its value is N/A.
•
Priority — The likelihood that this peer will become the master at power-up or if the current master fails. For more information on priorities, see the Configuration | System | Load Balancing section.
•
Duration — The length of time this device has been connected to the virtual cluster.
NAT
This screen shows statistics for NAT (Network Address Translation) activity on the VPN Concentrator since it was last booted or reset.
Figure 18-20 Monitoring | Statistics | NAT Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Packets In/Out — The total of NAT packets inbound and outbound since the last time the VPN Concentrator was rebooted or reset.
•
Translations Active — The number of currently active NAT sessions.
•
Translations Peak — The maximum number of NAT sessions that were simultaneously active on the VPN Concentrator since it was last booted or reset.
•
Translations Total — The total number of NAT sessions on the VPN Concentrator since it was last booted or reset.
NAT Sessions
The NAT Sessions table provides detailed information about active NAT sessions on the VPN Concentrator.
•
Source IP Address/Port — The source IP address and port for the NAT session.
•
Destination IP Address/Port — The destination IP address and port for the NAT session.
•
Translated IP Address/Port — The translated IP address and port for the NAT session. The VPN Concentrator uses this port number to keep track of which devices initiate data transfer; by keeping this record, the VPN Concentrator is able to correctly route responses.
•
Direction — The direction, inbound or outbound, of the data transferred for the NAT session.
•
Age — The number of half seconds remaining until the NAT session times out.
•
Type — The type of packets for the NAT session. The possible types are:
–
TCP NAT session
–
UDP NAT session
–
FTP session
–
TFTP session
–
NetBIOS over TCP Proxy
–
NetBIOS over UDP Proxy
–
NetBIOS Datagram Service
•
Translated Bytes/Packets — The total number of translated bytes and packets for the NAT session.
PPTP
This screen shows statistics for PPTP activity on the VPN Concentrator since it was last booted or reset, and for current PPTP sessions.
The Monitoring | Sessions | Detail screens also show PPTP data.
To configure system-wide PPTP parameters, see the Configuration | System | Tunneling Protocols | PPTP screen. To configure PPTP parameters for users and groups, see Configuration | User Management. To configure PPTP on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management.
Figure 18-21 Monitoring | Statistics | PPTP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Total Tunnels — The total number of PPTP tunnels created since the VPN Concentrator was last booted or reset, including those tunnels that failed to be established.
•
Active Tunnels — The number of PPTP tunnels that are currently active.
•
Maximum Tunnels — The maximum number of PPTP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.
•
Total Sessions — The total number of user sessions through PPTP tunnels since the VPN Concentrator was last booted or reset.
•
Active Sessions — The number of user sessions that are currently active through PPTP tunnels. The PPTP Sessions table shows statistics for these sessions.
•
Maximum Sessions — The maximum number of user sessions that have been simultaneously active through PPTP tunnels on the VPN Concentrator since it was last booted or reset.
•
Rx Octets Control / Data — The number of PPTP control/data octets (bytes) received by the VPN Concentrator since it was last booted or reset.
•
Rx Packets Control / Data — The number of PPTP control/data packets received by the VPN Concentrator since it was last booted or reset.
•
Rx Discards Control / Data — The number of PPTP control/data packets received and discarded by the VPN Concentrator since it was last booted or reset.
•
Tx Octets Control / Data — The number of PPTP control/data octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.
•
Tx Packets Control / Data — The number of PPTP control/data packets transmitted by the VPN Concentrator since it was last booted or reset.
PPTP Sessions
This table shows statistics for active PPTP sessions on the VPN Concentrator. Each active session is a row.
•
Peer IP — The IP address of the peer host that established the PPTP tunnel for this session, in other words, the tunnel endpoint IP address. The Monitoring | Sessions screen shows the IP address assigned to the client using the tunnel.
•
Username — The username for the session within a PPTP tunnel. This is typically the login name of the remote user.
•
Receive Octets — The total number of PPTP data octets (bytes) received by this session.
•
Receive Packets — The total number of PPTP data packets received by this session.
•
Receive Discards — The total number of PPTP data packets received and discarded by this session.
•
Receive ZLB — The total number of PPTP Zero Length Body acknowledgement data packets received by this session. ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
•
Transmit Octets — The total number of PPTP data octets (bytes) transmitted by this session.
•
Transmit Packets — The total number of PPTP data packets transmitted by this session.
•
Transmit ZLB — The total number of PPTP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
•
ACK Timeouts — The total number of acknowledgement timeouts seen on PPTP data packets for this session. When the system times out waiting for a data packet on which to piggyback an acknowledgement, it sends a ZLB instead. Therefore, this should equal the Transmit ZLB number.
•
Flow — The state of packet flow control for this PPTP session:
–
Local = The local buffer is full. Packet flow for the local end of the session is OFF because the number of outstanding unacknowledged packets received from the peer is equal to the local window size.
–
Peer = The peer buffer is full. Packet flow for the peer end of the session is OFF because the number of outstanding unacknowledged packets sent to the peer is equal to the peer's window size.
–
Both = Both buffers are full. Packet flow for both ends of the session is OFF because the number of outstanding unacknowledged packets is equal to the window size on both ends.
–
None = Neither end of the session has a full buffer. Packet flow for the session is ON. This is the normal operating state.
SSH
This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN Concentrator since it was last booted or reset.
To configure SSH, see Configuration | System | Management Protocols | SSH.
Figure 18-22 Monitoring | Statistics | SSH Screen
Screen Elements
•
Octets Sent / Received — The total number of SSH octets (bytes) sent / received since the VPN Concentrator was last booted or reset.
•
Packets Sent / Received — The total number of SSH packets sent / received since the VPN Concentrator was last booted or reset.
•
Total Sessions — The total number of SSH sessions since the VPN Concentrator was last booted or reset.
•
Active Sessions — The number of currently active SSH sessions.
•
Max Sessions — The maximum number of simultaneously active SSH sessions.
SSL
This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN Concentrator since it was last booted or reset. To configure SSL, see Configuration | System | Management Protocols | SSL.
Figure 18-23 Monitoring | Statistics | SSL Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Unencrypted Inbound Octets — The number of octets (bytes) of inbound traffic output by the decryption engine.
•
Encrypted Inbound Octets — The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number includes negotiation traffic.
•
Unencrypted Outbound Octets — The number of unencrypted outbound octets (bytes) sent to the encryption engine.
•
Encrypted Outbound Octets — The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes negotiation traffic.
•
Total Sessions — The total number of SSL sessions.
•
Active Sessions — The number of currently active SSL sessions.
•
Max Active Sessions — The maximum number of SSL sessions simultaneously active at any one time.
Telnet
This screen shows statistics for Telnet activity on the VPN Concentrator since it was last booted or reset, and for current Telnet sessions.
To configure the VPN Concentrator's Telnet server, see the Configuration | System | Management Protocols | Telnet screen.
Figure 18-24 Monitoring | Statistics | Telnet Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Active Sessions — The number of active Telnet sessions. The Telnet Sessions table shows statistics for these sessions.
•
Attempted Sessions — The total number of attempts to establish Telnet sessions on the VPN Concentrator since it was last booted or reset.
•
Successful Sessions — The total number of Telnet sessions successfully established on the VPN Concentrator since it was last booted or reset.
Telnet Sessions
This table shows statistics for active Telnet sessions on the VPN Concentrator. Each active session is a row.
•
Client IP Address:Port — The IP address and TCP source port number of this session's remote Telnet client.
•
Inbound Octets Total — The total number of Telnet octets (bytes) received by this session.
•
Inbound Octets Command — The number of octets (bytes) containing Telnet commands or options, received by this session.
•
Inbound Octets Discarded — The number of Telnet octets (bytes) received and dropped during input processing by this session.
•
Outbound Octets Total — The total number of Telnet octets (bytes) transmitted by this session.
•
Outbound Octets Dropped — The number of outbound Telnet octets dropped during output processing by this session.
VRRP
This screen shows status and statistics for VRRP (Virtual Router Redundancy Protocol) activity on the VPN Concentrator since it was last booted or reset.
To configure VRRP, see the Configuration | System | IP Routing | Redundancy screen.
Figure 18-25 Monitoring | Statistics | VRRP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Checksum Errors — The total number of VRRP packets received with an invalid VRRP checksum value.
•
Version Errors — The total number of VRRP packets received with an unknown or unsupported version number. The VPN Concentrator supports VRRP version 2 as defined in RFC 2338.
•
VRID Errors — The total number of VRRP packets received with an invalid VRRP Group ID number.
•
VRID — The identification number that uniquely identifies the group of virtual routers to which this VPN Concentrator belongs. Not Configured = VRRP has not been configured or enabled.
Virtual Routers
This table shows statistics for the virtual router on each configured VRRP interface on this VPN Concentrator.
•
Interface: 1 (Private), 2 (Public), 3 (External) — The Ethernet interface configured for VRRP.
•
Status — The status of the VRRP router in this VPN Concentrator:
–
Master = VRRP is enabled and the router is functioning as the Master router.
–
Backup = VRRP is enabled and the router is functioning as a Backup router, monitoring the status of the Master router.
–
Init = VRRP has been configured but is disabled. The router is waiting to be enabled (initialized).
•
Became Master — The total number of times that this VPN Concentrator has become a VRRP Master router after having a different role. This number should be the same in all columns.
•
Advertisements Received — The total number of VRRP advertisements received by this interface.
•
Advertisement Interval Errors — The total number of VRRP advertisement packets received by this interface, in which the advertisement interval differs from the interval configured on this VPN Concentrator.
•
Authentication Failures — The total number of VRRP packets received by this interface that do not pass the authentication check.
•
Time-to-Live Errors — The total number of VRRP packets received by this interface with IP TTL (Time-To-Live) not equal to 255. All VRRP packets must have TTL = 255.
•
Priority 0 Packets Received — The total number of VRRP packets received by this interface with a priority of 0. Priority 0 packets indicate that the current Master router has stopped participating in VRRP.
•
Priority 0 Packets Sent — The total number of VRRP packets sent by this interface with a priority of 0. Priority 0 packets indicate that the current Master router has stopped participating in VRRP.
•
Invalid Type Received — The number of VRRP packets received by this interface with an invalid value in the Type field. For VRRP version 2, the only valid Type value is 1, which indicates an advertisement packet.
•
Address List Errors — The total number of packets received for which the address list does not match the list configured on this VPN Concentrator.
•
Invalid Authentication Errors — The total number of packets received by this interface with an unknown authentication type.
•
Mismatch Authentication Errors — The total number of packets received by this interface with an authentication type that differs from the configured authentication type.
•
Packet Length Errors — The total number of packets received by this interface with a packet length less than the length of the VRRP header.
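Each counter in the Virtual Routers table corresponds to one receive-side check on a VRRP version 2 advertisement, so a nonzero value tells you which check a packet failed. The following added example (not code from the VPN Concentrator or from this guide) classifies constructed packets under the counter names used on this screen. The field layout follows RFC 2338; the order of checks, the `LocalConfig` settings, and every sample value are assumptions of the example.

```python
import hmac
import struct
from collections import Counter
from dataclasses import dataclass

HEADER_LEN, AUTH_LEN = 8, 8      # fixed VRRPv2 fields; Authentication Data field
KNOWN_AUTH_TYPES = {0, 1, 2}     # RFC 2338: none, simple text password, IP AH


@dataclass(frozen=True)
class LocalConfig:
    """Hypothetical local VRRP settings; every value is constructed."""
    vrid: int = 1
    auth_type: int = 1
    password: bytes = b"example1"
    adver_int: int = 1
    addresses: tuple = ("192.0.2.1",)


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid=1, priority=100, auth_type=1, adver_int=1,
                 addresses=("192.0.2.1",), password=b"example1",
                 version=2, ptype=1) -> bytes:
    """Build a constructed VRRPv2 message so the example runs offline."""
    addrs = b"".join(bytes(int(o) for o in a.split(".")) for a in addresses)
    auth = password.ljust(AUTH_LEN, b"\x00")[:AUTH_LEN]
    head = struct.pack("!BBBBBBH", (version << 4) | ptype, vrid, priority,
                       len(addresses), auth_type, adver_int, 0)
    csum = inet_checksum(head + addrs + auth)
    return head[:6] + struct.pack("!H", csum) + addrs + auth


def classify(ttl: int, payload: bytes, cfg: LocalConfig) -> list:
    """Return the counter name(s) from the page that one packet would bump."""
    if ttl != 255:                       # page: all VRRP packets must have TTL = 255
        return ["Time-to-Live Errors"]
    if len(payload) < HEADER_LEN:
        return ["Packet Length Errors"]
    ver_type, vrid, prio, count, auth_type, adver_int = struct.unpack(
        "!BBBBBB", payload[:6])
    if ver_type >> 4 != 2:               # page: only VRRP version 2 is supported
        return ["Version Errors"]
    if ver_type & 0x0F != 1:             # page: Type 1 is the only valid value
        return ["Invalid Type Received"]
    addr_end = HEADER_LEN + 4 * count
    if len(payload) < addr_end + AUTH_LEN:   # assumption: truncation is a length error
        return ["Packet Length Errors"]
    if inet_checksum(payload) != 0:      # a valid message sums to zero
        return ["Checksum Errors"]
    if vrid != cfg.vrid:
        return ["VRID Errors"]
    if auth_type not in KNOWN_AUTH_TYPES:
        return ["Invalid Authentication Errors"]
    if auth_type != cfg.auth_type:
        return ["Mismatch Authentication Errors"]
    expected = cfg.password.ljust(AUTH_LEN, b"\x00")[:AUTH_LEN]
    if auth_type == 1 and not hmac.compare_digest(
            payload[addr_end:addr_end + AUTH_LEN], expected):
        return ["Authentication Failures"]
    addrs = [".".join(map(str, payload[i:i + 4]))
             for i in range(HEADER_LEN, addr_end, 4)]
    if sorted(addrs) != sorted(cfg.addresses):
        return ["Address List Errors"]
    if adver_int != cfg.adver_int:
        return ["Advertisement Interval Errors"]
    hits = ["Advertisements Received"]
    if prio == 0:                        # page: the Master has stopped participating
        hits.append("Priority 0 Packets Received")
    return hits


def tally(packets, cfg=LocalConfig()) -> Counter:
    """Accumulate totals under the counter names used on the page."""
    counts = Counter()
    for ttl, payload in packets:
        counts.update(classify(ttl, payload, cfg))
    return counts


def constructed_capture() -> list:
    """(IP TTL, VRRP payload) pairs, all constructed for this example."""
    good = build_advert()
    corrupt = good[:2] + bytes([good[2] ^ 0xFF]) + good[3:]   # flipped priority byte
    variants = [dict(priority=0), dict(version=3), dict(ptype=2), dict(vrid=7),
                dict(auth_type=9), dict(auth_type=0), dict(password=b"guess"),
                dict(addresses=("192.0.2.99",)), dict(adver_int=3)]
    return ([(255, good), (64, good), (255, corrupt), (255, good[:4])]
            + [(255, build_advert(**v)) for v in variants])
```

Calling `tally(constructed_capture())` returns one total per counter name, which makes it easy to see that a single malformed or unauthenticated packet moves exactly one error counter.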
MIB-II
This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN Concentrator. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP), and SNMP-based network management systems can query the VPN Concentrator to gather the data.
Each subsequent screen displays the data for a standard MIB-II group of objects:
•
MIB-II | Interfaces: packets sent and received on network interfaces and VPN tunnels.
•
MIB-II | TCP/UDP: Transmission Control Protocol and User Datagram Protocol segments and datagrams sent and received, etc.
•
MIB-II | IP: Internet Protocol packets sent and received, fragmentation and reassembly data, etc.
•
MIB-II | RIP: Routing Information Protocol global route changes, bad packets and bad routes received, etc.
•
MIB-II | OSPF: Open Shortest Path First protocol LSA data, Area data, etc.
•
MIB-II | ICMP: Internet Control Message Protocol ping, timestamp, and address mask requests and replies, etc.
•
MIB-II | ARP Table: Address Resolution Protocol physical (MAC) addresses, IP addresses, and mapping types.
•
MIB-II | Ethernet: errors and collisions, MAC errors, etc.
•
MIB-II | SNMP: Simple Network Management Protocol requests, bad community strings, parsing errors, etc.
To configure and enable the VPN Concentrator's SNMP server, see the Configuration | System | Management Protocols | SNMP screen.
Figure 18-26 Monitoring | Statistics | MIB-II Screen
MIB-II | Interfaces
This screen shows statistics in MIB-II objects for VPN Concentrator interfaces since the system was last booted or reset. This screen also shows statistics for VPN tunnels as logical interfaces. RFC 2233 defines interface MIB objects.
Figure 18-27 Monitoring | Statistics | MIB-II | Interfaces Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Interface — The VPN Concentrator interface:
–
Ethernet 1 (Private) = The first, private, Ethernet interface.
–
Ethernet 2 (Public) = The second, public, Ethernet interface.
–
Ethernet 3 (External) = The third, external, Ethernet interface.
–
1000 and up = VPN tunnels, which are treated as logical interfaces.
•
Status — The operational status of this interface:
–
UP = configured and enabled, ready to pass data traffic.
–
DOWN = configured but disabled.
–
Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
–
Lower Layer Down = not operational because a lower-layer interface is down.
–
Not Present = missing hardware components.
–
Testing = in test mode; no regular data traffic can pass.
–
Unknown = not configured.
•
Unicast In — The number of unicast packets that were received by this interface. Unicast packets are those addressed to a single host.
•
Unicast Out — The number of unicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Unicast packets are those addressed to a single host.
•
Multicast In — The number of multicast packets that were received by this interface. Multicast packets are those addressed to a specific group of hosts.
•
Multicast Out — The number of multicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Multicast packets are those addressed to a specific group of hosts.
•
Broadcast In — The number of broadcast packets that were received by this interface. Broadcast packets are those addressed to all hosts on a network.
•
Broadcast Out — The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
MIB-II | TCP/UDP
This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN Concentrator since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects.
Figure 18-28 Monitoring | Statistics | MIB-II | TCP/UDP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
TCP Segments Received — The total number of segments received, including those received in error and those received on currently established connections. Segment is the official TCP name for what is often called a data packet.
•
TCP Segments Transmitted — The total number of segments sent, including those on currently established connections but excluding those containing only retransmitted bytes. Segment is the official TCP name for what is casually called a data packet.
•
TCP Segments Retransmitted — The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes. Segment is the official TCP name for what is casually called a data packet.
•
TCP Timeout Min — The minimum value permitted for TCP retransmission timeout, measured in milliseconds.
•
TCP Timeout Max — The maximum value permitted for TCP retransmission timeout, measured in milliseconds.
•
TCP Connection Limit — The limit on the total number of TCP connections that the system can support. A value of -1 means there is no limit.
•
TCP Active Opens — The number of TCP connections that went directly from an unconnected state to a connection-synchronizing state, bypassing the listening state. These connections are allowed, but they are usually in the minority.
•
TCP Passive Opens — The number of TCP connections that went from a listening state to a connection-synchronizing state. These connections are usually in the majority.
•
TCP Attempt Failures — The number of TCP connection attempts that failed. Technically this is the number of TCP connections that went to an unconnected state, plus the number that went to a listening state, from a connection-synchronizing state.
•
TCP Established Resets — The number of established TCP connections that abruptly closed, bypassing graceful termination.
•
TCP Current Established — The number of TCP connections that are currently established or are gracefully terminating.
•
UDP Datagrams Received — The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet.
•
UDP Datagrams Transmitted — The total number of UDP datagrams sent. Datagram is the official UDP name for what is casually called a data packet.
•
UDP Errored Datagrams — The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port (UDP No Port). Datagram is the official UDP name for what is casually called a data packet.
•
UDP No Port — The total number of received UDP datagrams that could not be delivered because there was no application at the destination port. Datagram is the official UDP name for what is casually called a data packet.
MIB-II | IP
This screen shows statistics in MIB-II objects for IP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines IP MIB objects.
Figure 18-29 Monitoring | Statistics | MIB-II | IP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Packets Received (Total) — The total number of IP data packets received by the VPN Concentrator, including those received with errors.
•
Packets Received (Header Errors) — The number of IP data packets received and discarded due to errors in IP headers, including bad checksums, version number mismatches, other format errors, etc.
•
Packets Received (Address Errors) — The number of IP data packets received and discarded because the IP address in the destination field was not a valid address for the VPN Concentrator. This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported classes (for example, Class E).
•
Packets Received (Unknown Protocols) — The number of IP data packets received and discarded because of an unknown or unsupported protocol.
•
Packets Received (Discarded) — The number of IP data packets received that had no problems preventing continued processing, but that were discarded (for example, for lack of buffer space). This number does not include any packets discarded while awaiting reassembly.
•
Packets Received (Delivered) — The number of IP data packets received and successfully delivered to IP user protocols (including ICMP) on the VPN Concentrator; i.e., the VPN Concentrator was the final destination.
•
Packets Forwarded — The number of IP data packets received and forwarded to destinations other than the VPN Concentrator.
•
Outbound Packets Discarded — The number of outbound IP data packets that had no problems preventing their transmission to a destination, but that were discarded (for example, for lack of buffer space).
•
Outbound Packets with No Route — The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN Concentrator could not route because all of its default routers are down.
•
Packets Transmitted (Requests) — The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission requests. This number does not include any packets counted in Packets Forwarded.
•
Fragments Needing Reassembly — The number of IP fragments received by the VPN Concentrator that needed to be reassembled.
•
Reassembly Successes — The number of IP data packets successfully reassembled.
•
Reassembly Failures — The number of failures detected by the IP reassembly algorithm (for whatever reason: timed out, errors, etc.). This number is not necessarily a count of discarded IP fragments since some algorithms can lose track of the number of fragments by combining them as they are received.
•
Fragmentation Successes — The number of IP data packets that have been successfully fragmented by the VPN Concentrator.
•
Fragmentation Failures — The number of IP data packets that have been discarded because they needed to be fragmented but could not be fragmented (for example, because the Don't Fragment flag was set).
•
Fragments Created — The number of IP data packet fragments that have been generated by the VPN Concentrator.
MIB-II | RIP
This screen shows statistics in MIB-II objects for RIP version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1724 defines RIP version 2 MIB objects.
To configure RIP on interfaces, see Configuration | Interfaces.
Figure 18-30 Monitoring | Statistics | MIB-II | RIP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Global Route Changes — The total number of route changes made to the IP route database by RIP. This number does not include changes that only refresh the age of a route.
•
Global Queries — The total number of responses sent to RIP queries from other systems.
•
Interfaces — This table shows a row of statistics for each configured interface.
•
Interface Address — The IP address configured on the interface.
•
Received Bad Packets — The number of RIP response packets received by this interface that were subsequently discarded for any reason (such as wrong version or unknown command type).
•
Received Bad Routes — The number of routes in valid RIP packets received by this interface that were ignored for any reason (such as unknown address family or invalid metric).
•
Sent Updates — The number of triggered RIP updates actually sent by this interface. This number does not include full updates sent containing new information.
MIB-II | OSPF
This screen shows statistics in MIB-II objects for OSPF version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1850 defines OSPF version 2 MIB objects.
To configure OSPF on interfaces, see Configuration | Interfaces. To configure system-wide OSPF parameters, see Configuration | System | IP Routing.
Figure 18-31 Monitoring | Statistics | MIB-II | OSPF Screen
Screen Elements
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Router ID — The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address. By convention, however, this identifier is the same as the IP address of the interface that is connected to the OSPF router network. 0.0.0.0 means no router is configured.
•
Version — The current version number of the OSPF protocol running on the VPN Concentrator.
•
External LSA Count — The number of external Link-State Advertisements (LSAs) in the link-state database. LSAs from neighboring OSPF Autonomous Systems (AS) describe the state of the AS router's interfaces and routing paths.
•
External LSA Checksum — The sum of the checksums of the external Link-State Advertisements in the link-state database. You can use this sum to determine if there has been a change in the OSPF router link-state database of the system, and to compare its database with other routers.
•
LSAs Originated — The number of new Link-State Advertisements that the system has originated. This number increments each time the OSPF router originates a new LSA.
•
New LSAs Received — The number of Link-State Advertisements received that are completely new LSAs. This number does not include newer instances of self-originated LSAs.
•
LSA Database Limit — The maximum number of external LSAs that can be stored in the link-state database. A value of -1 means there is no limit.
Designated Routers
This table shows a row of statistics for each enabled VPN Concentrator interface. When OSPF routing is enabled on an interface, that interface communicates with other OSPF routers in its area, and each area elects one OSPF router to be the Designated Router.
•
Interface Address — The IP address of the VPN Concentrator interface that communicates with its area.
•
Interface Name — The VPN Concentrator interface that communicates with its area:
–
Ethernet 1 (Private) = The first, private, Ethernet interface.
–
Ethernet 2 (Public) = The second, public, Ethernet interface.
–
Ethernet 3 (External) = The third, external, Ethernet interface.
•
Designated Router — The IP address of the Designated Router in this OSPF area.
•
Backup Designated Router — The IP address of the backup Designated Router in this OSPF area.
Neighbors
This table shows a row of statistics for each OSPF neighbor, for all areas in which the VPN Concentrator participates. A neighbor is another OSPF router in an OSPF area, and this table includes all such areas for the VPN Concentrator.
•
IP Address — The IP address of the neighboring OSPF router.
•
Router ID — The router ID of the neighboring OSPF router, which uniquely identifies it to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier. By convention, however, it is the same as the IP address of the interface that is connected to the OSPF router network.
•
State — The state of the relationship with this neighboring OSPF router:
–
Attempting = This state applies only to neighbors in an NBMA (Non-Broadcast Multi-Access) OSPF network. It indicates that the VPN Concentrator has received no recent information from this neighbor, but it is trying to establish contact by sending Hello packets at the Hello Interval.
–
Down = (Red) The VPN Concentrator has received no recent information from this neighbor. The neighbor might be out of service, or it might not have been in service long enough to establish its presence (at startup).
–
Exchange Start = The VPN Concentrator and this neighbor are in the first step of establishing an adjacency relationship.
–
Exchanging = The VPN Concentrator is describing its entire link state database by sending Database Description packets to this neighbor, to establish an adjacency relationship.
–
Full = (Green) The VPN Concentrator is in a fully adjacent relationship with this neighbor. This adjacency now appears in router LSAs and network LSAs.
–
Initializing = The VPN Concentrator has received a Hello packet from this neighbor, but it has not yet established bidirectional communication.
–
Loading = The VPN Concentrator is sending Link State Request packets to this neighbor asking for the more recent LSAs that have been discovered but not yet received in the Exchange state.
–
Two Way = The VPN Concentrator has established bidirectional communication with this neighbor, but has not established adjacency; in other words, they are not exchanging routing information.
Areas
This table shows a row of statistics for each OSPF Area.
•
Area ID — The Area ID identifies the subnet area within the OSPF Autonomous System or domain. While its format is the same as an IP address, it functions only as an identifier and not an address. 0.0.0.0 identifies a special area—the backbone—that contains all area border routers.
•
SPF Runs — The number of times that the system has calculated the intra-area route table (SPF, or Shortest Path First table) using the link-state database of this area.
•
AS Border Routers — The total number of Autonomous System border routers reachable within this area.
•
Area Border Routers — The total number of area border routers reachable within this area.
•
Area LSA Count — The total number of Link-State Advertisements in the link-state database of this area, excluding AS external LSAs.
•
Area LSA Checksum — The sum of the checksums of the Link-State Advertisements in the link-state database of this area. This sum excludes external LSAs. You can use this sum to determine if there has been a change in the link-state database of the area, and to compare its database with other routers.
External LSAs
This table shows a row for each external Link-State Advertisement in the link-state database.
•
Area ID — The Area ID identifies the Area from which the LSA was received.
•
Type — The LSA type. Each LSA type has a different format:
–
Router Link = Describes the states of the router's interfaces (LS Type 1).
–
Network Link = Describes the set of routers attached to the network (LS Type 2).
–
Summary Link = Describes routes to networks (LS Type 3).
–
AS Summary Link = Describes routes to AS boundary routers (LS Type 4).
–
AS External Link = Describes routes to destinations external to the AS (LS Type 5).
–
Multicast Link = Describes group membership for multicast OSPF routing (LS Type 6).
–
NSSA External Link = Describes routing for NSSAs: Not-So-Stubby-Areas (LS Type 7).
•
Link State ID — Either a router ID or an IP address that identifies the piece of the routing domain being described by the LSA.
•
Router ID — The identifier of the router in the Autonomous System that originated this LSA.
•
Sequence — The sequence number of this LSA. Sequence numbers are linear. They are used to detect old and duplicate LSAs. The larger the number, the more recent the LSA.
•
Age — The age of the LSA in seconds.
MIB-II | ICMP
This screen shows statistics in MIB-II objects for ICMP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines ICMP MIB objects.
Figure 18-32 Monitoring | Statistics | MIB-II | ICMP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Total Received / Transmitted — The total number of ICMP messages that the VPN Concentrator received / sent. This number includes messages counted as Errors Received / Transmitted. ICMP messages solicit and provide information about the network environment.
•
Errors Received / Transmitted — Received: the number of ICMP messages that the VPN Concentrator received but determined to have ICMP-specific errors (bad ICMP checksums, bad length, etc.). Transmitted: the number of ICMP messages that the VPN Concentrator did not send due to problems within ICMP, such as a lack of buffers.
•
Destination Unreachable Received / Transmitted — The number of ICMP Destination Unreachable messages received / sent. Destination Unreachable messages apply to many network situations, including inability to determine a route, an unusable source route specified, and the Don't Fragment flag set for a packet that must be fragmented.
•
Time Exceeded Received / Transmitted — The number of ICMP Time Exceeded messages received / sent. Time Exceeded messages indicate that the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit.
•
Parameter Problems Received / Transmitted — The number of ICMP Parameter Problem messages received / sent. Parameter Problem messages indicate a syntactic or semantic error in an IP header.
•
Source Quench Received / Transmitted — The number of ICMP Source Quench messages received / sent. Source Quench messages provide rudimentary flow control; they request a reduction in the rate of sending traffic on the network.
•
Redirects Received / Transmitted — The number of ICMP Redirect messages received / sent. Redirect messages advise that there is a better route to a particular destination.
•
Echo Requests (PINGs) Received / Transmitted — The number of ICMP Echo (request) messages received / sent. Echo messages are probably the most visible ICMP messages. They test the communication path between network entities by asking for Echo Reply response messages.
•
Echo Replies (PINGs) Received / Transmitted — The number of ICMP Echo Reply messages received / sent. Echo Reply messages are sent in response to Echo messages, to test the communication path between network entities.
•
Timestamp Requests Received / Transmitted — The number of ICMP Timestamp (request) messages received / sent. Timestamp messages measure the propagation delay between network entities by including the originating time in the message, and asking for the receipt time in a Timestamp Reply message.
•
Timestamp Replies Received / Transmitted — The number of ICMP Timestamp Reply messages received / sent. Timestamp Reply messages are sent in response to Timestamp messages, to measure propagation delay in the network.
•
Address Mask Requests Received / Transmitted — The number of ICMP Address Mask Request messages received / sent. Address Mask Request messages ask for the address (subnet) mask for the LAN to which a router connects.
•
Address Mask Replies Received / Transmitted — The number of ICMP Address Mask Reply messages received / sent. Address Mask Reply messages respond to Address Mask Request messages by supplying the address (subnet) mask for the LAN to which a router connects.
MIB-II | ARP Table
This screen shows entries in the Address Resolution Protocol mapping table since the VPN Concentrator was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table.
The entries are sorted first by Interface, then by IP Address. To speed display, the Manager might construct multiple 64-row tables. Use the scroll controls (if present) to view the entire series of tables.
You can also delete dynamic, or learned, entries in the mapping table.
Figure 18-33 Monitoring | Statistics | MIB-II | ARP Table Screen
Screen Elements
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Arp Entries — The total number of entries in the ARP table.
•
Interface — The VPN Concentrator network interface on which this mapping applies:
–
1 = Ethernet 1 (Private) interface.
–
2 = Ethernet 2 (Public) interface.
–
3 = Ethernet 3 (External) interface.
–
1000 and up = VPN tunnels, which are treated as logical interfaces.
•
Physical Address — The hardwired MAC (Medium Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address. Exceptions are:
–
00 = a virtual address for a tunnel.
–
FF.FF.FF.FF.FF.FF = a network broadcast address.
•
IP Address — The IP address that maps to the physical address.
•
Mapping Type — The type of mapping:
–
Other = none of the following.
–
Invalid = an invalid mapping.
–
Dynamic = a learned mapping.
–
Static = a static mapping on the VPN Concentrator.
•
Action / Delete — To remove a dynamic, or learned, mapping from the table, click Delete. There is no confirmation or undo. The Manager deletes the entry and refreshes the screen.
To delete an entry, you must have the administrator privilege to Modify Config under General Access Rights. See Administration | Access Rights | Administrators.
You cannot delete static mappings.
MIB-II | Ethernet
This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN Concentrator since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects.
To configure Ethernet interfaces, see Configuration | Interfaces.
Figure 18-34 Monitoring | Statistics | MIB-II | Ethernet Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Interface — The Ethernet interface to which the data in this row applies. Only configured interfaces are shown.
•
Alignment Errors — The number of frames received on this interface that are not an integral number of bytes long and do not pass the FCS (Frame Check Sequence; used for error detection) check.
•
FCS Errors — The number of frames received on this interface that are an integral number of bytes long but do not pass the FCS (Frame Check Sequence) check.
•
Carrier Sense Errors — The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface.
•
SQE Test Errors — The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface.
•
Frame Too Long Errors — The number of frames received on this interface that exceed the maximum permitted frame size.
•
Deferred Transmits — The number of frames for which the first transmission attempt on this interface is delayed because the medium is busy. This number does not include frames involved in collisions.
•
Single Collisions — The number of successfully transmitted frames on this interface for which transmission is inhibited by exactly one collision. This number is not included in the Multiple Collisions number.
•
Multiple Collisions — The number of successfully transmitted frames on this interface for which transmission is inhibited by more than one collision. This number does not include the Single Collisions number.
•
Late Collisions — The number of times that a collision is detected on this interface later than 512 bit-times into the transmission of a packet. 512 bit-times = 51.2 microseconds on a 10-Mbps system.
•
Excessive Collisions — The number of frames for which transmission on this interface failed due to excessive collisions.
•
MAC Errors: Transmit — The number of frames for which transmission on this interface failed due to an internal MAC sublayer transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive Collisions.
•
MAC Errors: Receive — The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error. This number does not include Alignment Errors, FCS Errors, or Frame Too Long Errors.
•
Speed (Mbps) — This interface's nominal bandwidth in megabits per second.
•
Duplex — The current LAN duplex transmission mode for this interface:
–
Full = Full-Duplex: transmission in both directions at the same time.
–
Half = Half-Duplex: transmission in only one direction at a time.
MIB-II | SNMP
This screen shows statistics in MIB-II objects for SNMP traffic on the VPN Concentrator since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects.
To configure the VPN Concentrator SNMP server, see Configuration | System | Management Protocols | SNMP.
Figure 18-35 Monitoring | Statistics | MIB-II | SNMP Screen
Screen Elements
•
Reset — Click to reset, or start anew, the screen contents. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.
•
Restore — Click to restore the screen contents to their actual statistical values. This icon displays only if you previously clicked the Reset icon.
•
Refresh — Click to update the screen and its data. The date and time indicate when the screen was last updated.
•
Requests Received — The total number of SNMP messages received by the VPN Concentrator.
•
Bad Version — The total number of SNMP messages received that were for an unsupported SNMP version. The VPN Concentrator supports SNMP version 2.
•
Bad Community String — The total number of SNMP messages received that used an SNMP community string the VPN Concentrator did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. For security, the VPN Concentrator does not include the usual default public community string.
•
Parsing Errors — The total number of syntax or transmission errors encountered by the VPN Concentrator when decoding received SNMP messages.
•
Silent Drops — The total number of SNMP request messages that were silently dropped because the reply exceeded the maximum allowable message size.
•
Proxy Drops — The total number of SNMP request messages that were silently dropped because the transmission of the reply message to a proxy target failed for some reason (other than a timeout).
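The following added example (not part of the original manual) turns two polls of these counters into per-interval increases and flags intervals with a burst of unrecognized community strings or unsupported versions. It handles the two cases that make raw differences misleading: a reboot, after which the counters start again from zero, and a 32-bit counter wrap. The mapping from screen fields to SNMPv2-MIB object names, the poll structure and the thresholds are assumptions.

```python
# Added example; the sample polls are constructed, not taken from a device.
COUNTER32 = 2 ** 32

# Screen field -> SNMPv2-MIB (RFC 1907) object assumed to back it.
FIELDS = {
    "Requests Received": "snmpInPkts",
    "Bad Version": "snmpInBadVersions",
    "Bad Community String": "snmpInBadCommunityNames",
    "Parsing Errors": "snmpInASNParseErrs",
    "Silent Drops": "snmpSilentDrops",
    "Proxy Drops": "snmpProxyDrops",
}

def interval_deltas(prev, curr):
    """Increase of each counter between two polls.

    A poll is {"uptime": sysUpTime in ticks, "counters": {field: value}}.
    If uptime went backwards the device rebooted and the counters restarted
    from zero, so the current value is the increase. Otherwise a smaller
    value means the 32-bit counter wrapped once.
    """
    rebooted = curr["uptime"] < prev["uptime"]
    return {
        f: curr["counters"][f] if rebooted
        else (curr["counters"][f] - prev["counters"][f]) % COUNTER32
        for f in FIELDS
    }

def findings(deltas, bad_community_min=5, rejected_share=0.5):
    """Flag intervals an administrator should look at (thresholds assumed)."""
    out = []
    if deltas["Bad Community String"] >= bad_community_min:
        out.append("bad-community-burst")
    if deltas["Bad Version"] > 0:
        out.append("unsupported-version-seen")
    rejected = sum(deltas[f] for f in
                   ("Bad Version", "Bad Community String", "Parsing Errors"))
    received = deltas["Requests Received"]
    if received and rejected / received > rejected_share:
        out.append("mostly-rejected-traffic")
    return out

def poll(uptime, *values):
    """Build a poll from values given in the order of FIELDS."""
    return {"uptime": uptime, "counters": dict(zip(FIELDS, values))}

POLL_A = poll(8_640_000, 4_294_967_290, 0, 3, 1, 0, 0)
POLL_B = poll(8_670_000, 54, 2, 43, 1, 0, 0)   # Requests Received wrapped
POLL_C = poll(6_000, 12, 0, 0, 0, 0, 0)        # after a reboot
```

Because the screen's Reset icon changes only the displayed values, increases computed from polled counters are unaffected by it.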