VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring, Release 4.0 - Statistics [Cisco VPN 3000 Series Concentrators]

This section of the Manager shows statistics for traffic and activity on the VPN Concentrator since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, and the ARP table.

Figure 17-1 Monitoring | Statistics Screen

Statistics include:

Accounting: total requests, responses, timeouts, etc.
Address Pools: configured pools, allocated and available addresses.
Administrative AAA: requests, accepts, rejects, challenges, timeouts, etc.
Authentication: total requests, accepts, rejects, challenges, timeouts, etc.
Authorization: total requests, accepts, rejects, challenges, timeouts, etc.
Bandwidth Management: volume and rate of traffic managed by bandwidth policies.
Compression: pre and post-compression byte totals for IPComp and MPPC.
DHCP: leased addresses, duration, server addresses, etc.
DNS: total requests, responses, timeouts, etc.
Events: total events sorted by class, number, and count.
Filtering: total inbound and outbound filtered traffic by interface.
HTTP: total data traffic and connection statistics.
IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc.
L2TP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
Load Balancing: device role; device load; and cluster peers' sessions, IP addresses, priority, etc.
NAT: Network Address Translation session data.
PPTP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
SSH: total and active sessions, bytes and packets sent and received, etc.
SSL: total sessions, encrypted vs. unencrypted traffic, etc.
Telnet: total sessions, and current session inbound and outbound traffic.
VRRP: total advertisements, Master router roles, errors, etc.
MIB-II Stats: interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, ARP table, Ethernet, and SNMP.

Monitoring | Statistics | Accounting

This screen shows statistics for RADIUS user accounting activity on the VPN Concentrator since it was last booted or reset.

To configure the VPN Concentrator to communicate with RADIUS accounting servers, see the Configuration | System | Servers | Accounting screens.

Figure 17-2 Monitoring | Statistics | Accounting Screen

Reset

To reset, or start anew, the screen contents, click Reset. The system temporarily resets a counter for the chosen statistics without affecting the operation of the device. You can then view statistical information without affecting the actual current values of the counters or other management sessions. The function is like that of a vehicle's trip odometer, versus the regular odometer.

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Server IP Address: Port

The IP address of the configured RADIUS user accounting server, and the port number that the VPN Concentrator is using to access the server. Each configured accounting server is a row in this table. The well-known port number for RADIUS accounting is 1646.

Group

The group on which the server is configured.

Requests

The number of accounting request packets sent to this RADIUS accounting server. This number does not include retransmissions.

Retransmissions

The number of accounting request packets retransmitted to this RADIUS accounting server.

Responses

The number of accounting response packets received from this RADIUS accounting server.

Malformed Responses

The number of malformed accounting response packets received from this RADIUS accounting server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.

Bad Authenticators

The number of accounting response packets received from this server that contained invalid authenticators.

Pending Requests

The number of accounting request packets sent to this RADIUS accounting server that have not yet timed out or received a response.

Timeouts

The number of accounting timeouts to this RADIUS server. After a timeout the system may retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.

Unknown Type

The number of RADIUS packets of unknown type received from this server on the accounting port.

Monitoring | Statistics | Address Pools

This screen shows statistics for address pool activity on the VPN Concentrator since it was last booted or reset. This data appears if the VPN Concentrator is configured to assign IP addresses to clients from an internal address pool.

To configure address pools, see the Configuration | System | Address Management screens.

Figure 17-3 Monitoring | Statistics | Address Pools Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

IP Address Range: Start / End

The starting and ending IP addresses in the configured address pool. Each configured range is a row in the table.

Total Addresses

The total number of IP addresses in this configured pool.

Available Addresses

The number of IP addresses available (unassigned) in this pool.

Allocated Addresses

The number of IP addresses currently assigned from this pool.

Max Allocated Addresses

The maximum number of IP addresses assigned from this pool at any one time.

Group

The names of configured groups.

IP Address Range: Start / End

The starting and ending IP addresses in the group's address pool. Each configured range is a row in the table.

Total Addresses

The total number of IP addresses in the address pool of this group.

Available Addresses

The number of IP addresses available (unassigned) in this group's pool.

Allocated Addresses

The number of IP addresses currently assigned from this group's pool.

Max Allocated Addresses

The maximum number of IP addresses assigned from this group's pool at any one time.

Monitoring | Statistics | Administrative AAA

If you have configured a TACACS+ server, this screen shows statistics for communications between the VPN Concentrator and the TACACS+ server since the VPN Concentrator was last booted or reset.

Figure 17-4 Monitoring | Statistics | Administrative AAA Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

IP Address

The IP address of the TACACS+ server.

Requests

The number of requests for authentication, information, or authorization from the VPN Concentrator to the TACACS+ server.

Accepts

The number of successful authentications.

Rejects

The number of rejected authentications.

Challenge

This field is not used.

Pending Requests

The number of requests that have not yet been answered.

Timeouts

The number of times the VPN Concentrator timed out waiting for a request.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Monitoring | Statistics | Authentication

This screen shows statistics for user authentication activity on the VPN Concentrator since it was last booted or reset.

Note Not all fields apply to all types of authentication servers.

To configure the VPN Concentrator to communicate with authentication servers, see the Configuration | System | Servers | Authentication screens.

Figure 17-5 Monitoring | Statistics | Authentication Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Server IP Address:Port

The IP address of the configured authentication server, and the port number that the VPN Concentrator is using to access the server. Each configured authentication server is a row in this table. Internal identifies the internal VPN Concentrator authentication server.

When the authentication server is an SDI 5.0 server, this field becomes a link. Click the link to view the Monitoring | Statistics | Authentication | Replicas screen, which displays a list of replicas, and data about them (see the next section).

The default, or well-known, port numbers identify an authentication server type:

139 = NT Domain
389 = LDAP
1645 = RADIUS
5500 = SDI

Group

The group on which the server is configured.

Requests

The total number of authentication request packets sent to this server. This number does not include retransmissions.

Retransmissions

The number of authentication request packets retransmitted to this server.

Accepts

The number of authentication acceptance packets received from this server.

Rejects

The number of authentication rejection packets received from this server.

Challenges

The number of authentication challenge packets received from this server.

Malformed Responses

The number of malformed authentication response packets received from this server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.

Bad Authenticators

The number of bad authentication response packets received from this server. Bad authenticators contain invalid authenticators or signature attributes.

Pending Requests

The number of authentication request packets destined for this server that have not yet timed out or received a response.

Timeouts

The number of authentication timeouts to this server. After a timeout the system might retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.

Unknown Type

The number of authentication packets of unknown type received from this server.

Monitoring | Statistics | Authentication | Replicas

This screen shows statistics for SDI 5.0 user authentication activity on the VPN Concentrator since it was last booted or reset.

Figure 17-6 Monitoring | Statistics | Authentication | Replicas Screen

Server IP Address:Port

The IP address of the configured SDI authentication server, and the port number that the VPN Concentrator is using to access the server.

The default, or well-known, port numbers for an SDI 5.0 authentication server is 5500.

Group

The group on which the server is configured.

Retransmissions

The number of authentication request packets retransmitted to this server.

Accepts

The number of authentication acceptance packets received from this server.

Rejects

The number of authentication rejection packets received from this server.

Timeouts

BadCodeSent

The number of bad code packets received from this server. Bad code packets indicate invalid SecurID token code.

BadPinSent

The number of bad pin packets received from this server. Bad pin packets indicate invalid user identification.

Monitoring | Statistics | Authorization

This screen shows statistics for user authorization activity on the VPN Concentrator since it was last booted or reset.

To configure the VPN Concentrator to communicate with authorization servers, see the Configuration | System | Servers | Authorization screens.

Figure 17-7 Monitoring | Statistics | Authorization Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Server IP Address:Port

The IP address of the configured authorization server, and the port number that the VPN Concentrator is using to access the server. Each configured authorization server is a row in this table. Internal identifies the internal VPN Concentrator authorization server.

The default, or well-known, port numbers identify an authorization server type:

389 = LDAP
1645 = RADIUS

Group

The group on which the server is configured.

Requests

The total number of authorization request packets sent to this server. This number does not include retransmissions.

Retransmissions

The number of authorization request packets retransmitted to this server.

Accepts

The number of authorization acceptance packets received from this server.

Rejects

The number of authorization rejection packets received from this server.

Challenges

The number of authorization challenge packets received from this server.

Malformed Responses

The number of malformed authorization response packets received from this server. Malformed packets include packets with an invalid length. Bad authorizations are not included in this number.

Bad Authenticators

The number of bad authorization response packets received from this server. Bad authenticators contain invalid authenticators or signature attributes.

Pending Requests

The number of authorization request packets destined for this server that have not yet timed out or received a response.

Timeouts

The number of authorization timeouts to this server. After a timeout the system might retry the same server, send to a different server, or give up. Retrying the same server is counted as a retransmission as well as a timeout. Sending to a different server is counted as a request as well as a timeout.

Unknown Type

The number of authorization packets of unknown type received from this server.

Monitoring | Statistics | Bandwidth Management

This screen shows details of the effects of bandwidth management policies on each tunnel. Only tunnels on which bandwidth management policies are enabled appear on this screen.

Figure 17-8 Monitoring | Statistics | Bandwidth Management Screen

Group

Choose a group from the Group menu to show bandwidth statistics for users in that group only. The default value is --All--, which displays bandwidth statistics for users in all groups.

User Name

The user name identifying a tunnel using a bandwidth management policy.

Traffic Rate (kbps)

Conformed

The current rate of session traffic (as set by the bandwidth management policy).

Throttled

The rate at which packets are being throttled to maintain the conformed rate.

Traffic Volume (bytes)

Conformed

The number of bytes of session traffic (as set by the bandwidth management policy).

Throttled

The number of bytes being throttled to maintain the conformed rate.

Monitoring | Statistics | Compression

If you have enabled data compression, this screen shows statistics for data compression on the VPN Concentrator since it was last booted or reset.

Figure 17-9 Monitoring | Statistics | Compression Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

IPSec Using IPComp

This screen shows statistics for IPSec data compression using the IPComp compression protocol.

Note The following IPComp statistics measure the results of compression on all incoming and outgoing data, including data not intended for compression and data that is not compressible.

Outbound Pre-Compression

The total number of bytes of all outbound data before compression.

Outbound Post-Compression

The total number of bytes of all outbound data after compression.

Ratio

The ratio of Outbound Pre-Compression to Outbound Post-Compression.

Inbound Pre-Decompression

The total number of bytes of all incoming data before any of it is decompressed.

Inbound Post-Decompression

The total number of bytes of all incoming data after decompression.

Ratio

The ratio of Inbound Post-Decompression to Inbound Pre-Decompression.

L2TP/PPTP Using MPPC

This table shows statistics for L2TP and PPTP data compression using the MPPC compression protocol. These MPPC statistics use the following distinctions. (See Figure 17-10.) All data transmitted can be divided into two groups: data intended for compression (A) and data that is not intended for compression (B). Of the data intended for compression, some of it actually compresses (A1) and some does not (A2). (The compression process would actually cause certain data to expand, so this data is left uncompressed.)

Figure 17-10 Distinctions Used for Data Compression Statistics

Resets Received

The total number of reset requests received from the remote peer.

Resets Sent

The total number of reset requests sent to the remote peer.

Outbound Pre-Compression

The total number of bytes of outbound data intended for compression. ("A" in Figure 17-10.)

Outbound Post-Compression

The total number of bytes of outbound data actually compressed. ("A1" in Figure 17-10.)

Outbound Not Compressed

The total number of bytes of data intended for compression that were not compressed. The compression process would actually cause certain data to expand, so this data is left uncompressed. ("A2" in Figure 17-10.)

Compression Ratio

The ratio of Outbound Pre-Compression to (Outbound Post-Compression + Outbound Not Compressed).

Not Compressed Ratio

The ratio of Outbound Pre-Compressed to Outbound Not Compressed.

Inbound Pre-Decompression

The total number of bytes of incoming data intended for decompression. ("A" in Figure 17-10.)

Inbound Post-Decompression

The total number of bytes of incoming data actually decompressed. ("A1" in Figure 17-10.)

Inbound Not Compressed

The total number of uncompressed inbound data bytes of the data. ("A2" in Figure 17-10.)

Compression Ratio

The ratio of (Inbound Post-Decompression + Inbound Not Compressed) to Inbound Pre-Decompression.

Not Compressed Ratio

The ratio of Inbound Pre-Decompression to Inbound Not Compressed.

Monitoring | Statistics | DHCP

This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) activity on the VPN Concentrator since it was last booted or reset. Each row of the table shows data for each session using an IP address via DHCP.

Figure 17-11 Monitoring | Statistics | DHCP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Leased IP Address

The IP address leased from the DHCP server by the remote client.

Lease Duration

The duration of the current IP address lease, shown as HH:MM:SS.

Time Used

The total length of time that this session has had an active IP address lease, shown as HH:MM:SS.

Time Left

The time remaining until the current IP address lease expires, shown as HH:MM:SS.

DHCP Server Address

The IP address of the DHCP server that leased this IP address.

Monitoring | Statistics | DNS

This screen shows statistics for DNS (Domain Name System) activity on the VPN Concentrator since it was last booted or reset.

To configure the VPN Concentrator to communicate with DNS servers, see the Configuration | System | Servers | DNS screen.

Figure 17-12 Monitoring | Statistics | DNS Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Requests

The total number of DNS queries the VPN Concentrator made since it was last booted or reset. This number equals the sum of the numbers in the four cells below.

Responses

The number of DNS queries that were successfully resolved.

Timeouts

The number of DNS queries that failed because there was no response from the server.

Server Unreachable

The number of DNS queries that failed because the address of the server is not reachable according to the VPN Concentrator's routing table.

Other Failures

The number of DNS queries that failed for an unspecified reason.

Monitoring | Statistics | Events

This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset.

To configure event handling, see the Configuration | System | Events screens.

Figure 17-13 Monitoring | Statistics | Events Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Event Class

Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN Concentrator. For a description of event classes, see VPN 3000 Series Concentrator Reference Volume 1: Configuration.

Event Number

Event number is an Cisco-assigned reference number that denotes a specific event within the event class. For example, CONFIG event number 2 is "Reading configuration file." This reference number assists Cisco support personnel if they need to examine event statistics.

Count of Events

The number of times that specific event has occurred on the VPN Concentrator since it was last booted or reset.

Monitoring | Statistics | Filtering

This screen shows statistics for filtering of traffic that has passed through the interfaces on the VPN Concentrator since it was last booted or reset.

To configure filters, see the Configuration | Policy Management | Traffic Management screens. To apply filters to interfaces, see the Configuration | Interfaces screens. To apply filters to users and groups, see the Configuration | User Management screens.

Figure 17-14 Monitoring | Statistics | Filtering Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Interface

The VPN Concentrator network interface through which the filtered traffic has passed.

1 = Ethernet 1 (Private) interface.
2 = Ethernet 2 (Public) interface.
3 = Ethernet 3 (External) interface.

Inbound Packets Pre-Filter

The total number of inbound packets received on this interface.

Inbound Packets Filtered

The number of inbound packets that have been filtered and dropped on this interface.

Inbound Packets Post Filter

The number of inbound packets that have been filtered and forwarded on this interface. This number equals Inbound Packets Pre-Filter minus Inbound Packets Filtered.

Outbound Packets Pre-Filter

The total number of outbound packets received on this interface.

Outbound Packets Filtered

The number of outbound packets that have been filtered and dropped on this interface.

Outbound Packets Post Filter

The number of outbound packets that have been filtered and forwarded on this interface. This number equals Outbound Packets Pre-Filter minus Outbound Packets Filtered.

Monitoring | Statistics | HTTP

This screen shows statistics for HTTP activity on the VPN Concentrator since it was last booted or reset.

To configure system-wide HTTP server parameters, see the Configuration | System | Management Protocols | HTTP screen.

Figure 17-15 Monitoring | Statistics | HTTP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Octets Sent/Received

The total number of HTTP octets (bytes) sent or received since the VPN Concentrator was last booted or reset.

Packets Sent/Received

The total number of HTTP packets sent or received since the VPN Concentrator was last booted or reset.

Packets Sent Sockets/Sessions

The number of HTTP sessions on the VPN Concentrator.

Active

The number of currently active HTTP connections on the VPN Concentrator.

Peak

The maximum number of HTTP connections that were simultaneously active on the VPN Concentrator since it was last booted or reset.

Total

The total number of HTTP connections on the VPN Concentrator since it was last booted or reset.

HTTP Sessions

This section provides information about HTTP sessions on the VPN Concentrator since it was last booted or reset.

Login Name

The name of the administrative user for the HTTP session.

IP Address

The IP address of the HTTP session.

Login Time

The time when the HTTP session began.

Encryption

The encryption method used in the HTTP session.

Octets Sent/Received

Number of octets sent or received during the HTTP session.

Packets Sent/Received

Number of packets sent or received during the HTTP session.

Sockets Active

The number of currently active sockets for the HTTP session.

Sockets Peak

The maximum number of sockets simultaneously active during the HTTP session.

Sockets Total

The total number of sockets active during the HTTP session.

Max Connections

The maximum number of concurrent HTTP connections for the VPN Concentrator since it was last rebooted or reset.

Monitoring | Statistics | IPSec

This screen shows statistics for IPSec activity—including current IPSec tunnels—on the VPN Concentrator since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB.

The Monitoring | Sessions | Detail screens also show IPSec data.

To configure system-wide IPSec parameters and LAN-to-LAN connections, see the Configuration | System | Tunneling Protocols | IPSec screens. To configure IPSec parameters for users and groups, see Configuration | User Management. To configure IPSec parameters and SAs on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management.

Figure 17-16 Monitoring | Statistics | IPSec Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

IKE (Phase 1) Statistics

This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations.

Active Tunnels

The number of currently active IKE control tunnels, both for LAN-to-LAN connections and remote access.

Total Tunnels

The cumulative total of all currently and previously active IKE control tunnels, both for LAN-to-LAN connections and remote access.

Received Bytes

The cumulative total of bytes (octets) received by all currently and previously active IKE tunnels.

Sent Bytes

The cumulative total of bytes (octets) sent by all currently and previously active IKE tunnels.

Received Packets

The cumulative total of packets received by all currently and previously active IKE tunnels.

Sent Packets

The cumulative total of packets sent by all currently and previously active IKE tunnels.

Received Packets Dropped

The cumulative total of packets that were dropped during receive processing by all currently and previously active IKE tunnels. If there is a problem with the content of a packet (such as hash failure, parsing error, or encryption failure) received in Phase 1 or the negotiation of Phase 2, the system drops the packet. This number should be zero or very small; if not, check for misconfiguration.

Sent Packets Dropped

The cumulative total of packets that were dropped during send processing by all currently and previously active IKE tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.

Received Notifies

The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status, for example: error packets, keepalive packets, etc.

Sent Notifies

The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See comments for Received Notifies.

Received Phase-2 Exchanges

The cumulative total of IPSec Phase-2 exchanges received by all currently and previously active IKE tunnels, in other words, the total of Phase-2 negotiations received that were initiated by a remote peer. A complete exchange consists of three packets.

Sent Phase-2 Exchanges

The cumulative total of IPSec Phase-2 exchanges that were sent by all currently and previously active and IKE tunnels, in other words, the total of Phase-2 negotiations initiated by this VPN Concentrator.

Invalid Phase-2 Exchanges Received

The cumulative total of IPSec Phase-2 exchanges that were received, found to be invalid because of protocol errors, and dropped, by all currently and previously active IKE tunnels. In other words, the total of Phase-2 negotiations that were initiated by a remote peer but that this VPN Concentrator dropped because of protocol errors.

Invalid Phase-2 Exchanges Sent

The cumulative total of IPSec Phase-2 exchanges that were sent and were found to be invalid, by all currently and previously active IKE tunnels.

Rejected Received Phase-2 Exchanges

The cumulative total of IPSec Phase-2 exchanges that were initiated by a remote peer, received, and rejected by all currently and previously active IKE tunnels. Rejected exchanges indicate policy-related failures, such as configuration problems.

Rejected Sent Phase-2 Exchanges

The cumulative total of IPSec Phase-2 exchanges that were initiated by this VPN Concentrator, sent, and rejected, by all currently and previously active IKE tunnels. See the previous comment.

Phase-2 SA Delete Requests Received

The cumulative total of requests to delete IPSec Phase-2 Security Associations received by all currently and previously active IKE tunnels.

Phase-2 SA Delete Requests Sent

The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels.

Initiated Tunnels

The cumulative total of IKE tunnels that this VPN Concentrator initiated. The VPN Concentrator initiates tunnels only for LAN-to-LAN connections.

Failed Initiated Tunnels

The cumulative total of IKE tunnels that this VPN Concentrator initiated and that failed to activate.

Failed Remote Tunnels

The cumulative total of IKE tunnels that remote peers initiated and that failed to activate.

Authentication Failures

The cumulative total of authentication attempts that failed, by all currently and previously active IKE tunnels. Authentication failures indicate problems with preshared keys, digital certificates, or user-level authentication.

Decryption Failures

The cumulative total of decryptions that failed, by all currently and previously active IKE tunnels. This number should be at or near zero; if not, check for misconfiguration or SEP module problems.

Hash Validation Failures

The cumulative total of hash validations that failed, by all currently and previously active IKE tunnels. Hash validation failures usually indicate misconfiguration or mismatched preshared keys or digital certificates.

System Capability Failures

The cumulative total of system capacity failures that occurred during processing of all currently and previously active IKE tunnels. These failures indicate that the system has run out of memory, or that the tunnel count exceeds the system maximum.

No-SA Failures

The cumulative total of nonexistent-Security Association failures that occurred during processing of all currently and previously active IKE tunnels. These failures occur when the system receives a packet for which it has no Security Association, and might indicate synchronization problems.

IPSec (Phase 2) Statistics

This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel.

Active Tunnels

The number of currently active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.

Total Tunnels

The cumulative total of all currently and previously active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.

Received Bytes

The cumulative total of bytes (octets) received by all currently and previously active IPSec Phase-2 tunnels, before decompression. In other words, total bytes of IPSec-only data received by the IPSec subsystem, before decompressing the IPSec payload.

Sent Bytes

The cumulative total of bytes (octets) sent by all currently and previously active IPSec Phase-2 tunnels, after compression. In other words, total bytes of IPSec-only data sent by the IPSec subsystem, after compressing the IPSec payload.

Received Packets

The cumulative total of packets received by all currently and previously active IPSec Phase-2 tunnels.

Sent Packets

The cumulative total of packets sent by all currently and previously active IPSec Phase-2 tunnels.

Received Packets Dropped

The cumulative total of packets dropped during receive processing by all currently and previously active IPSec Phase-2 tunnels, excluding packets dropped due to anti-replay processing. If there is a problem with the content of a packet, the system drops the packet. This number should be zero or very small; if not, check for misconfiguration.

Received Packets Dropped (Anti-Replay)

The cumulative total of packets dropped during receive processing due to anti-replay errors, by all currently and previously active IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate or out of bounds, there might be a faulty network or a security breach, and the system drops the packet.

Sent Packets Dropped

The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.

Inbound Authentications

The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Inbound Authentications

The cumulative total of inbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. Failed authentications could indicate corrupted packets or a potential security attack ("man in the middle").

Outbound Authentications

The cumulative total of outbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Outbound Authentications

The cumulative total of outbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.

Decryptions

The cumulative total of inbound decryptions performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Decryptions

The cumulative total of inbound decryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check for misconfiguration or SEP module problems.

Encryptions

The cumulative total of outbound encryptions performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Encryptions

The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check for IPSec subsystem or SEP module problems.

System Capability Failures

The total number of system capacity failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory or some other critical resource; check the event log.

No-SA Failures

The cumulative total of nonexistent-Security Association failures which occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures occur when the system receives an IPSec packet for which it has no Security Association, and might indicate synchronization problems.

Protocol Use Failures

The cumulative total of protocol use failures that occurred during processing of all currently and previously active IPSec Phase-2 tunnels. These failures indicate errors parsing IPSec packets.

Monitoring | Statistics | L2TP

This screen shows statistics for L2TP activity on the VPN Concentrator since it was last booted or reset, and for current L2TP sessions.

The Monitoring | Sessions | Detail screens also show L2TP data.

To configure system-wide L2TP parameters, see the Configuration | System | Tunneling Protocols | L2TP screen. To configure L2TP parameters for users and groups, see Configuration | User Management. To configure L2TP on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management.

Figure 17-17 Monitoring | Statistics | L2TP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Total Tunnels

The total number of L2TP tunnels successfully established since the VPN Concentrator was last booted or reset.

Active Tunnels

The number of L2TP tunnels that are currently active.

Maximum Tunnels

The maximum number of L2TP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.

Failed Tunnels

The number of L2TP tunnels that failed to become established since the VPN Concentrator was last booted or reset.

Total Sessions

The total number of user sessions successfully established through L2TP tunnels since the VPN Concentrator was last booted or reset.

Active Sessions

The number of user sessions that are currently active through PPTP tunnels. The L2TP Sessions table shows statistics for these sessions.

Maximum Sessions

The maximum number of user sessions that have been simultaneously active through L2TP tunnels on the VPN Concentrator since it was last booted or reset.

Failed Sessions

The number of sessions that failed to become established through L2TP tunnels since the VPN Concentrator was last booted or reset.

Rx Octets Control / Data

The number of L2TP control / data channel octets (bytes) received by the VPN Concentrator since it was last booted or reset.

Rx Packets Control / Data

The number of L2TP control / data channel packets received by the VPN Concentrator since it was last booted or reset.

Rx Discards Control / Data

The number of L2TP control / data channel packets received and discarded by the VPN Concentrator since it was last booted or reset.

Tx Octets Control / Data

The number of L2TP control/data channel octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.

Tx Packets Control / Data

The number of L2TP control/data channel packets transmitted by the VPN Concentrator since it was last booted or reset.

L2TP Sessions

This table shows statistics for active L2TP sessions on the VPN Concentrator. Each active session is a row.

Remote IP

The IP address of the remote host that established the L2TP tunnel for this session, in other words, the tunnel endpoint IP address. The Monitoring | Sessions screen shows the IP address assigned to the client using the tunnel.

Username

The username for the session within an L2TP tunnel. This is typically the login name of the remote user.

Serial

The serial number of the session within an L2TP tunnel. If there are multiple sessions using a tunnel, each session has a unique serial number.

Receive Octets

The total number L2TP data octets (bytes) received by this session.

Receive Packets

The total number of L2TP data packets received by this session.

Receive Discards

The total number of L2TP data packets received and discarded by this session.

Receive ZLB

The total number of L2TP Zero Length Body acknowledgement data packets received by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.

Transmit Octets

The total number of L2TP data octets (bytes) transmitted by this session.

Transmit Packets

The total number of L2TP data packets transmitted by this session.

Transmit ZLB

The total number of L2TP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.

Monitoring | Statistics | Load Balancing

This screen shows statistics for load balancing on the VPN Concentrator since it was last booted or reset.

Figure 17-18 Monitoring | Statistics | Load Balancing Screen

Enabled?

Indicates whether load balancing has been enabled on this VPN Concentrator.

Role

The role of this VPN Concentrator within the virtual cluster. It is either a virtual cluster master or a secondary device.

Load

The percentage of the cluster's total session load that this VPN Concentrator is carrying.

Number of Peers

The number of other VPN Concentrators in the virtual cluster.

Peers

The peers chart shows configuration details and session statistics of the other VPN Concentrators in the virtual cluster.

Private IP Address

The private IP address of the peer.

Public IP Address

The public IP address of the peer.

Mapped IP Address

The NAT address of the peer, if it has one.

Role

The role of the peer within the virtual cluster. It is either a virtual cluster master or a secondary device.

Device Type

The VPN Concentrator model (such as 3005 or 3015) of the peer.

Load

The percentage of the cluster's total session load that the peer is carrying. You can view this information only from the virtual cluster master device. If you are viewing this field from a secondary device, its value is N/A.

Sessions

The number of currently active sessions on the peer. You can view this information only from the virtual cluster master device. If you are viewing this field from a secondary device, its value is N/A.

Priority

The likelihood that this peer will become the master at power-up or if the current master fails. For more information on priorities, see the Configuration | System | Load Balancing section.

Duration

The length of time this device has been connected to the virtual cluster.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Monitoring | Statistics | NAT

This screen shows statistics for NAT (Network Address Translation) activity on the VPN Concentrator since it was last booted or reset.

Figure 17-19 Monitoring | Statistics | NAT screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Packets In/Out

The total of NAT packets inbound and outbound since the last time the VPN Concentrator was rebooted or reset.

Translations Active

The number of currently active NAT sessions.

Translations Peak

The maximum number of NAT sessions that were simultaneously active on the VPN Concentrator since it was last booted or reset.

Translations Total

The total number of NAT sessions on the VPN Concentrator since it was last booted or reset.

NAT Sessions

The following sections provide detailed information about active NAT sessions on the VPN Concentrator.

Source IP Address/Port

The source IP address and port for the NAT session.

Destination IP Address/Port

The destination IP address and port for the NAT session.

Translated IP Address/Port

The translated IP address and port for the NAT session. The VPN Concentrator uses this port number to keep track of which devices initiate data transfer; by keeping this record, the VPN Concentrator is able to correctly route responses.

Direction

The direction, inbound or outbound, of the data transferred for the NAT session.

Age

The number of half seconds remaining until the NAT session times out.

Type

The type of packets for the NAT session. The possible types are:

TCP NAT session
UDP NAT session
FTP session
TFTP session
NetBIOS over TCP Proxy
NetBIOS over UDP Proxy
NetBIOS Datagram Service

Translated Bytes/Packets

The total number of translated bytes and packets for the NAT session.

Monitoring | Statistics | PPTP

This screen shows statistics for PPTP activity on the VPN Concentrator since it was last booted or reset, and for current PPTP sessions.

The Monitoring | Sessions | Detail screens also show PPTP data.

To configure system-wide PPTP parameters, see the Configuration | System | Tunneling Protocols | PPTP screen. To configure PPTP parameters for users and groups, see Configuration | User Management. To configure PPTP on rules in filters that govern data traffic, see Configuration | Policy Management | Traffic Management.

Figure 17-20 Monitoring | Statistics | PPTP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Total Tunnels

The total number of PPTP tunnels created since the VPN Concentrator was last booted or reset, including those tunnels that failed to be established.

Active Tunnels

The number of PPTP tunnels that are currently active.

Maximum Tunnels

The maximum number of PPTP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.

Total Sessions

The total number of user sessions through PPTP tunnels since the VPN Concentrator was last booted or reset.

Active Sessions

The number of user sessions that are currently active through PPTP tunnels. The PPTP Sessions table shows statistics for these sessions.

Maximum Sessions

The maximum number of user sessions that have been simultaneously active through PPTP tunnels on the VPN Concentrator since it was last booted or reset.

Rx Octets Control / Data

The number of PPTP control/data octets (bytes) received by the VPN Concentrator since it was last booted or reset.

Rx Packets Control / Data

The number of PPTP control/data packets received by the VPN Concentrator since it was last booted or reset.

Rx Discards Control / Data

The number of PPTP control/data packets received and discarded by the VPN Concentrator since it was last booted or reset.

Tx Octets Control / Data

The number of PPTP control/data octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.

Tx Packets Control / Data

The number of PPTP control/data packets transmitted by the VPN Concentrator since it was last booted or reset.

PPTP Sessions

This table shows statistics for active PPTP sessions on the VPN Concentrator. Each active session is a row.

Peer IP

The IP address of the peer host that established the PPTP tunnel for this session, in other words, the tunnel endpoint IP address. The Monitoring | Sessions screen shows the IP address assigned to the client using the tunnel.

Username

The username for the session within a PPTP tunnel. This is typically the login name of the remote user.

Receive Octets

The total number of PPTP data octets (bytes) received by this session.

Receive Packets

The total number of PPTP data packets received by this session.

Receive Discards

The total number of PPTP data packets received and discarded by this session.

Receive ZLB

The total number of PPTP Zero Length Body acknowledgement data packets received by this session. ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.

Transmit Octets

The total number of PPTP data octets (bytes) transmitted by this session.

Transmit Packets

The total number of PPTP data packets transmitted by this session.

Transmit ZLB

The total number of PPTP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.

ACK Timeouts

The total number of acknowledgement timeouts seen on PPTP data packets for this session. When the system times out waiting for a data packet on which to piggyback an acknowledgement, it sends a ZLB instead. Therefore, this number should equal the Transmit ZLB number.

Flow

The state of packet flow control for this PPTP session:

Local = The local buffer is full. Packet flow for the local end of the session is OFF because the number of outstanding unacknowledged packets received from the peer is equal to the local window size.
Peer = The peer buffer is full. Packet flow for the peer end of the session is OFF because the number of outstanding unacknowledged packets sent to the peer is equal to the peer's window size.
Both = Both buffers are full. Packet flow for both ends of the session is OFF because the number of outstanding unacknowledged packets is equal to the window size on both ends.
None = Neither end of the session has a full buffer. Packet flow for the session is ON. This is the normal operating state.

Monitoring | Statistics | SSH

This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN Concentrator since it was last booted or reset.

To configure SSH, see Configuration | System | Management Protocols | SSH.

Figure 17-21 Monitoring | Statistics | SSH Screen

Octets Sent / Received

The total number of SSH octets (bytes) sent / received since the VPN Concentrator was last booted or reset.

Packets Sent / Received

The total number of SSH packets sent / received since the VPN Concentrator was last booted or reset.

Total Sessions

The total number of SSH sessions since the VPN Concentrator was last booted or reset.

Active Sessions

The number of currently active SSH sessions.

Max Sessions

The maximum number of simultaneously active SSH sessions on the VPN Concentrator.

Monitoring | Statistics | SSL

This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN Concentrator since it was last booted or reset.

To configure SSL, see Configuration | System | Management Protocols | SSL.

Figure 17-22 Monitoring | Statistics | SSL Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Unencrypted Inbound Octets

The number of octets (bytes) of inbound traffic output by the decryption engine.

Encrypted Inbound Octets

The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number includes negotiation traffic.

Unencrypted Outbound Octets

The number of unencrypted outbound octets (bytes) sent to the encryption engine.

Encrypted Outbound Octets

The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes negotiation traffic.

Total Sessions

The total number of SSL sessions.

Active Sessions

The number of currently active SSL sessions.

Max Active Sessions

The maximum number of SSL sessions simultaneously active at any one time.

Monitoring | Statistics | Telnet

This screen shows statistics for Telnet activity on the VPN Concentrator since it was last booted or reset, and for current Telnet sessions.

To configure the VPN Concentrator's Telnet server, see the Configuration | System | Management Protocols | Telnet screen.

Figure 17-23 Monitoring | Statistics | Telnet Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Active Sessions

The number of active Telnet sessions. The Telnet Sessions table shows statistics for these sessions.

Attempted Sessions

The total number of attempts to establish Telnet sessions on the VPN Concentrator since it was last booted or reset.

Successful Sessions

The total number of Telnet sessions successfully established on the VPN Concentrator since it was last booted or reset.

Telnet Sessions

This table shows statistics for active Telnet sessions on the VPN Concentrator. Each active session is a row.

Client IP Address:Port

The IP address and TCP source port number of this session's remote Telnet client.

Inbound Octets Total

The total number of Telnet octets (bytes) received by this session.

Inbound Octets Command

The number of octets (bytes) containing Telnet commands or options, received by this session.

Inbound Octets Discarded

The number of Telnet octets (bytes) received and dropped during input processing by this session.

Outbound Octets Total

The total number of Telnet octets (bytes) transmitted by this session.

Outbound Octets Dropped

The number of outbound Telnet octets dropped during output processing by this session.

Monitoring | Statistics | VRRP

This screen shows status and statistics for VRRP (Virtual Router Redundancy Protocol) activity on the VPN Concentrator since it was last booted or reset.

To configure VRRP, see the Configuration | System | IP Routing | Redundancy screen.

Figure 17-24 Monitoring | Statistics | VRRP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Checksum Errors

The total number of VRRP packets received with an invalid VRRP checksum value.

Version Errors

The total number of VRRP packets received with an unknown or unsupported version number. The VPN Concentrator supports VRRP version 2 as defined in RFC 2338.

VRID Errors

The total number of VRRP packets received with an invalid VRRP Group ID number.

VRID

The identification number that uniquely identifies the group of virtual routers to which this VPN Concentrator belongs.

Not Configured = VRRP has not been configured or enabled.

Virtual Routers

This table shows statistics for the virtual router on each configured VRRP interface on this VPN Concentrator.

Interface: 1 (Private), 2 (Public), 3 (External)

The Ethernet interface configured for VRRP.

Status

The status of the VRRP router in this VPN Concentrator:

Master = VRRP is enabled and the router is functioning as the Master router.
Backup = VRRP is enabled and the router is functioning as a Backup router, monitoring the status of the Master router.
Init = VRRP has been configured but is disabled. The router is waiting to be enabled (initialized).

Became Master

The total number of times that this VPN Concentrator has become a VRRP Master router after having a different role. This number should be the same in all columns.

Advertisements Received

The total number of VRRP advertisements received by this interface.

Advertisement Interval Errors

The total number of VRRP advertisement packets received by this interface, in which the advertisement interval differs from the interval configured on this VPN Concentrator.

Authentication Failures

The total number of VRRP packets received by this interface that do not pass the authentication check.

Time-to-Live Errors

The total number of VRRP packets received by this interface with IP TTL (Time-To-Live) not equal to 255. All VRRP packets must have TTL = 255.

Priority 0 Packets Received

The total number of VRRP packets received by this interface with a priority of 0. Priority 0 packets indicate that the current Master router has stopped participating in VRRP.

Priority 0 Packets Sent

The total number of VRRP packets sent by this interface with a priority of 0. Priority 0 packets indicate that the current Master router has stopped participating in VRRP.

Invalid Type Received

The number of VRRP packets received by this interface with an invalid value in the Type field. For VRRP version 2, the only valid Type value is 1, which indicates an advertisement packet.

Address List Errors

The total number of packets received for which the address list does not match the list configured on this VPN Concentrator.

Invalid Authentication Errors

The total number of packets received by this interface with an unknown authentication type.

Mismatch Authentication Errors

The total number of packets received by this interface with an authentication type that differs from the configured authentication type.

Packet Length Errors

The total number of packets received by this interface with a packet length less than the length of the VRRP header.

Monitoring | Statistics | MIB-II

This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN Concentrator. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP); and SNMP-based network management systems can query the VPN Concentrator to gather the data.

Each subsequent screen displays the data for a standard MIB-II group of objects:

Interfaces: packets sent and received on network interfaces and VPN tunnels.
TCP/UDP: Transmission Control Protocol and User Datagram Protocol segments and datagrams sent and received, etc.
IP: Internet Protocol packets sent and received, fragmentation and reassembly data, etc.
RIP: Routing Information Protocol global route changes, bad packets and bad routes received, etc.
OSPF: Open Shortest Path First protocol LSA data, Area data, etc.
ICMP: Internet Control Message Protocol ping, timestamp, and address mask requests and replies, etc.
ARP Table: Address Resolution Protocol physical (MAC) addresses, IP addresses, and mapping types.
Ethernet: errors and collisions, MAC errors, etc.
SNMP: Simple Network Management Protocol requests, bad community strings, parsing errors, etc.

To configure and enable the VPN Concentrator's SNMP server, see the Configuration | System | Management Protocols | SNMP screen.

Figure 17-25 Monitoring | Statistics | MIB-II Screen

Monitoring | Statistics | MIB-II | Interfaces

This screen shows statistics in MIB-II objects for VPN Concentrator interfaces since the system was last booted or reset. This screen also shows statistics for VPN tunnels as logical interfaces. RFC 2233 defines interface MIB objects.

Figure 17-26 Monitoring | Statistics | MIB-II | Interfaces Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Interface

The VPN Concentrator interface:

Ethernet 1 (Private) = Ethernet 1 (Private) interface.
Ethernet 2 (Public) = Ethernet 2 (Public) interface.
Ethernet 3 (External) = Ethernet 3 (External) interface.
1000 and up = VPN tunnels, which are treated as logical interfaces.

Status

The operational status of this interface:

UP = configured and enabled, ready to pass data traffic.
DOWN = configured but disabled.
Testing = in test mode; no regular data traffic can pass.
Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
Not Present = missing hardware components.
Lower Layer Down = not operational because a lower-layer interface is down.
Unknown = not configured.

Unicast In

The number of unicast packets that were received by this interface. Unicast packets are those addressed to a single host.

Unicast Out

The number of unicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Unicast packets are those addressed to a single host.

Multicast In

The number of multicast packets that were received by this interface. Multicast packets are those addressed to a specific group of hosts.

Multicast Out

The number of multicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Multicast packets are those addressed to a specific group of hosts.

Broadcast In

The number of broadcast packets that were received by this interface. Broadcast packets are those addressed to all hosts on a network.

Broadcast Out

The number of broadcast packets that were routed to this interface for transmission, including those that were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.

Monitoring | Statistics | MIB-II | TCP/UDP

This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN Concentrator since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects.

Figure 17-27 Monitoring | Statistics | MIB-II | TCP/UDP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

TCP Segments Received

The total number of segments received, including those received in error and those received on currently established connections. Segment is the official TCP name for what is often called a data packet.

TCP Segments Transmitted

The total number of segments sent, including those on currently established connections but excluding those containing only retransmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Segments Retransmitted

The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Timeout Min

The minimum value permitted for TCP retransmission timeout, measured in milliseconds.

TCP Timeout Max

The maximum value permitted for TCP retransmission timeout, measured in milliseconds.

TCP Connection Limit

The limit on the total number of TCP connections that the system can support. A value of -1 means there is no limit.

TCP Active Opens

The number of TCP connections that went directly from an unconnected state to a connection-synchronizing state, bypassing the listening state. These connections are allowed, but they are usually in the minority.

TCP Passive Opens

The number of TCP connections that went from a listening state to a connection-synchronizing state. These connections are usually in the majority.

TCP Attempt Failures

The number of TCP connection attempts that failed. Technically this is the number of TCP connections that went to an unconnected state, plus the number that went to a listening state, from a connection-synchronizing state.

TCP Established Resets

The number of established TCP connections that abruptly closed, bypassing graceful termination.

TCP Current Established

The number of TCP connections that are currently established or are gracefully terminating.

UDP Datagrams Received

The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet.

UDP Datagrams Transmitted

The total number of UDP datagrams sent. Datagram is the official UDP name for what is casually called a data packet.

UDP Errored Datagrams

The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port (UDP No Port). Datagram is the official UDP name for what is casually called a data packet.

UDP No Port

The total number of received UDP datagrams that could not be delivered because there was no application at the destination port. Datagram is the official UDP name for what is casually called a data packet.

Go to top of help page.

Monitoring | Statistics | MIB-II | IP

This screen shows statistics in MIB-II objects for IP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines IP MIB objects.

Figure 17-28 Monitoring | Statistics | MIB-II | IP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Packets Received (Total)

The total number of IP data packets received by the VPN Concentrator, including those received with errors.

Packets Received (Header Errors)

The number of IP data packets received and discarded due to errors in IP headers, including bad check sums, version number mismatches, other format errors, etc.

Packets Received (Address Errors)

The number of IP data packets received and discarded because the IP address in the destination field was not a valid address for the VPN Concentrator. This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported classes (for example, Class E).

Packets Received (Unknown Protocols)

The number of IP data packets received and discarded because of an unknown or unsupported protocol.

Packets Received (Discarded)

The number of IP data packets received that had no problems preventing continued processing, but that were discarded (for example, for lack of buffer space). This number does not include any packets discarded while awaiting reassembly.

Packets Received (Delivered)

The number of IP data packets received and successfully delivered to IP user protocols (including ICMP) on the VPN Concentrator; i.e., the VPN Concentrator was the final destination.

Packets Forwarded

The number of IP data packets received and forwarded to destinations other than the VPN Concentrator.

Outbound Packets Discarded

The number of outbound IP data packets that had no problems preventing their transmission to a destination, but that were discarded (for example, for lack of buffer space).

Outbound Packets with No Route

The number of outbound IP data packets discarded because no route could be found to transmit them to their destination. This number includes any packets that the VPN Concentrator could not route because all of its default routers are down.

Packets Transmitted (Requests)

The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission requests. This number does not include any packets counted in Packets Forwarded.

Fragments Needing Reassembly

The number of IP fragments received by the VPN Concentrator that needed to be reassembled.

Reassembly Successes

The number of IP data packets successfully reassembled.

Reassembly Failures

The number of failures detected by the IP reassembly algorithm (for whatever reason: timed out, errors, etc.). This number is not necessarily a count of discarded IP fragments since some algorithms can lose track of the number of fragments by combining them as they are received.

Fragmentation Successes

The number of IP data packets that have been successfully fragmented by the VPN Concentrator.

Fragmentation Failures

The number of IP data packets that have been discarded because they needed to be fragmented but could not be fragmented (for example, because the Don't Fragment flag was set).

Fragments Created

The number of IP data packet fragments that have been generated by the VPN Concentrator.

Monitoring | Statistics | MIB-II | RIP

This screen shows statistics in MIB-II objects for RIP version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1724 defines RIP version 2 MIB objects.

To configure RIP on interfaces, see Configuration | Interfaces.

Figure 17-29 Monitoring | Statistics | MIB-II | RIP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Global Route Changes

The total number of route changes made to the IP route database by RIP. This number does not include changes that only refresh the age route of a route.

Global Queries

The total number of responses sent to RIP queries from other systems.

Interfaces

This table shows a row of statistics for each configured interface.

Interface Address

The IP address configured on the interface.

Received Bad Packets

The number of RIP response packets received by this interface that were subsequently discarded for any reason (such as wrong version or unknown command type).

Received Bad Routes

The number of routes in valid RIP packets received by this interface that were ignored for any reason (such as unknown address family or invalid metric).

Sent Updates

The number of triggered RIP updates actually sent by this interface. This number does not include full updates sent containing new information.

Monitoring | Statistics | MIB-II | OSPF

This screen shows statistics in MIB-II objects for OSPF version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1850a defines OSPF version 2 MIB objects.

To configure OSPF on interfaces, see Configuration | Interfaces. To configure system-wide OSPF parameters, see Configuration | System | IP Routing.

Figure 17-30 Monitoring | Statistics | MIB-II | OSPF Screen

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Router ID

The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address. By convention, however, this identifier is the same as the IP address of the interface that is connected to the OSPF router network. 0.0.0.0 means no router is configured.

Version

The current version number of the OSPF protocol running on the VPN Concentrator.

External LSA Count

The number of external Link-State Advertisements (LSAs) in the link-state database. LSAs from neighboring OSPF Autonomous Systems (AS) describe the state of the AS router's interfaces and routing paths.

External LSA Checksum

The sum of the check sums of the external Link-State Advertisements in the link-state database. You can use this sum to determine if there has been a change in the OSPF router link-state database of the system, and to compare its database with other routers.

LSAs Originated

The number of new Link-State Advertisements that the system has originated. This number increments each time the OSPF router originates a new LSA.

New LSAs Received

The number of Link-State Advertisements received that are completely new LSAs. This number does not include newer instances of self-originated LSAs.

LSA Database Limit

The maximum number of external LSAs that can be stored in the link-state database. A value of -1 means there is no limit.

Designated Routers

This table shows a row of statistics for each enabled VPN Concentrator interface. When OSPF routing is enabled on an interface, that interface communicates with other OSPF routers in its area, and each area elects one OSPF router to be the Designated Router.

Interface Address

The IP address of the VPN Concentrator interface that communicates with its area.

Interface Name

The VPN Concentrator interface that communicates with its area:

Ethernet 1 (Private) = Ethernet 1 (Private) interface.
Ethernet 2 (Public) = Ethernet 2 (Public) interface.
Ethernet 3 (External) = Ethernet 3 (External) interface.

Designated Router

The IP address of the Designated Router in this OSPF area.

Backup Designated Router

The IP address of the backup Designated Router in this OSPF area.

Neighbors

This table shows a row of statistics for each OSPF neighbor, for all areas in which the VPN Concentrator participates. A neighbor is another OSPF router in an OSPF area, and this table includes all such areas for the VPN Concentrator.

IP Address

The IP address of the neighboring OSPF router.

Router ID

The router ID of the neighboring OSPF router, which uniquely identifies it to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier. By convention, however, it is the same as the IP address of the interface that is connected to the OSPF router network.

State

The state of the relationship with this neighboring OSPF router:

Down = (Red) The VPN Concentrator has received no recent information from this neighbor. The neighbor might be out of service, or it might not have been in service long enough to establish its presence (at startup).
Initializing = The VPN Concentrator has received a Hello packet from this neighbor, but it has not yet established bidirectional communication.
Attempting = This state applies only to neighbors in an NBMA (Non-Broadcast Multi-Access) OSPF network. It indicates that the VPN Concentrator has received no recent information from this neighbor, but it is trying to establish contact by sending Hello packets at the Hello Interval.
Two Way = The VPN Concentrator has established bidirectional communication with this neighbor, but has not established adjacency, in other words, they are not exchanging routing information.
Exchange Start = The VPN Concentrator and this neighbor are in the first step of establishing an adjacency relationship.
Exchanging = The VPN Concentrator is describing its entire link state database by sending Database Description packets to this neighbor, to establish an adjacency relationship.
Loading = The VPN Concentrator is sending Link State Request packets to this neighbor asking for the more recent LSAs that have been discovered but not yet received in the Exchange state.
Full = (Green) The VPN Concentrator is in a fully adjacent relationship with this neighbor. This adjacency now appears in router LSAs and network LSAs.

Areas

This table shows a row of statistics for each OSPF Area.

Area ID

The Area ID identifies the subnet area within the OSPF Autonomous System or domain. While its format is the same as an IP address, it functions only as an identifier and not an address. 0.0.0.0 identifies a special area—the backbone—that contains all area border routers.

SPF Runs

The number of times that the system has calculated the intra-area route table (SPF, or Shortest Path First table) using the link-state database of this area.

AS Border Routers

The total number of Autonomous System border routers reachable within this area.

Area Border Routers

The total number of area border routers reachable within this area.

Area LSA Count

The total number of Link-State Advertisements in the link-state database of this area, excluding AS external LSAs.

Area LSA Checksum

The sum of the check sums of the Link-State Advertisements in the link-state database of this area. This sum excludes external LSAs. You can use this sum to determine if there has been a change in the link-state database of the area, and to compare its database with other routers.

External LSAs

This table shows a row for each external Link-State Advertisement in the link-state database.

Area ID

The Area ID identifies the Area from which the LSA was received.

Type

The LSA type. Each LSA type has a different format:

Router Link = Describes the states of the router's interfaces (LS Type 1).
Network Link = Describes the set of routers attached to the network (LS Type 2).
Summary Link = Describes routes to networks (LS Type 3).
AS Summary Link = Describes routes to AS boundary routers (LS Type 4).
AS External Link = Describes routes to destinations external to the AS (LS Type 5).
Multicast Link = Describes group membership for multicast OSPF routing (LS Type 6).
NSSA External Link = Describes routing for NSSAs: Not-So-Stubby-Areas (LS Type 7).

Link State ID

Either a router ID or an IP address that identifies the piece of the routing domain being described by the LSA.

Router ID

The identifier of the router in the Autonomous System that originated this LSA.

Sequence

The sequence number of this LSA. Sequence numbers are linear. They are used to detect old and duplicate LSAs. The larger the number, the more recent the LSA.

Age

The age of the LSA in seconds.

Monitoring | Statistics | MIB-II | ICMP

This screen shows statistics in MIB-II objects for ICMP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines ICMP MIB objects.

Figure 17-31 Monitoring | Statistics | MIB-II | ICMP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Total Received / Transmitted

The total number of ICMP messages that the VPN Concentrator received / sent. This number includes messages counted as Errors Received / Transmitted. ICMP messages solicit and provide information about the network environment.

Errors Received / Transmitted

The number of ICMP messages that the VPN Concentrator received but determined to have ICMP-specific errors (bad ICMP check sums, bad length, etc.).

The number of ICMP messages that the VPN Concentrator did not send due to problems within ICMP such as a lack of buffers.

Destination Unreachable Received / Transmitted

The number of ICMP Destination Unreachable messages received / sent. Destination Unreachable messages apply to many network situations, including inability to determine a route, an unusable source route specified, and the Don't Fragment flag set for a packet that must be fragmented.

Time Exceeded Received / Transmitted

The number of ICMP Time Exceeded messages received / sent. Time Exceeded messages indicate that the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit.

Parameter Problems Received / Transmitted

The number of ICMP Parameter Problem messages received / sent. Parameter Problem messages indicate a syntactic or semantic error in an IP header.

Source Quench Received / Transmitted

The number of ICMP Source Quench messages received / sent. Source Quench messages provide rudimentary flow control; they request a reduction in the rate of sending traffic on the network.

Redirects Received / Transmitted

The number of ICMP Redirect messages received / sent. Redirect messages advise that there is a better route to a particular destination.

Echo Requests (PINGs) Received / Transmitted

The number of ICMP Echo (request) messages received / sent. Echo messages are probably the most visible ICMP messages. They test the communication path between network entities by asking for Echo Reply response messages.

Echo Replies (PINGs) Received / Transmitted

The number of ICMP Echo Reply messages received / sent. Echo Reply messages are sent in response to Echo messages, to test the communication path between network entities.

Timestamp Requests Received / Transmitted

The number of ICMP Timestamp (request) messages received / sent. Timestamp messages measure the propagation delay between network entities by including the originating time in the message, and asking for the receipt time in a Timestamp Reply message.

Timestamp Replies Received / Transmitted

The number of ICMP Timestamp Reply messages received / sent. Timestamp Reply messages are sent in response to Timestamp messages, to measure propagation delay in the network.

Address Mask Requests Received / Transmitted

The number of ICMP Address Mask Request messages received / sent. Address Mask Request messages ask for the address (subnet) mask for the LAN to which a router connects.

Address Mask Replies Received / Transmitted

The number of ICMP Address Mask Reply messages received / sent. Address Mask Reply messages respond to Address Mask Request messages by supplying the address (subnet) mask for the LAN to which a router connects.

Monitoring | Statistics | MIB-II | ARP Table

This screen shows entries in the Address Resolution Protocol mapping table since the VPN Concentrator was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table.

The entries are sorted first by Interface, then by IP Address. To speed display, the Manager might construct multiple 64-row tables. Use the scroll controls (if present) to view the entire series of tables.

You can also delete dynamic, or learned, entries in the mapping table.

Figure 17-32 Monitoring | Statistics | MIB-II | ARP Table Screen

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Arp Entries

The total number of entries in the ARP table.

Interface

The VPN Concentrator network interface on which this mapping applies:

1 = Ethernet 1 (Private) interface.
2 = Ethernet 2 (Public) interface.
3 = Ethernet 3 (External) interface.
1000 and up = VPN tunnels, which are treated as logical interfaces.

Physical Address

The hardwired MAC (Medium Access Control) address of a physical network interface card, in 6-byte hexadecimal notation, that maps to the IP Address. Exceptions are:

00 = a virtual address for a tunnel.
FF.FF.FF.FF.FF.FF = a network broadcast address.

IP Address

The IP address that maps to the physical address.

Mapping Type

The type of mapping:

Other = none of the following.
Invalid = an invalid mapping.
Dynamic = a learned mapping.
Static = a static mapping on the VPN Concentrator.

Action / Delete

To remove a dynamic, or learned, mapping from the table, click Delete. There is no confirmation or undo. The Manager deletes the entry and refreshes the screen.

To delete an entry, you must have the administrator privilege to Modify Config under General Access Rights. See Administration | Access Rights | Administrators.

You cannot delete static mappings.

Monitoring | Statistics | MIB-II | Ethernet

This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN Concentrator since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects.

To configure Ethernet interfaces, see Configuration | Interfaces.

Figure 17-33 Monitoring | Statistics | MIB-II | Ethernet Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Interface

The Ethernet interface to which the data in this row applies. Only configured interfaces are shown.

Alignment Errors

The number of frames received on this interface that are not an integral number of bytes long and do not pass the FCS (Frame Check Sequence; used for error detection) check.

FCS Errors

The number of frames received on this interface that are an integral number of bytes long but do not pass the FCS (Frame Check Sequence) check.

Carrier Sense Errors

The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface.

SQE Test Errors

The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface.

Frame Too Long Errors

The number of frames received on this interface that exceed the maximum permitted frame size.

Deferred Transmits

The number of frames for which the first transmission attempt on this interface is delayed because the medium is busy. This number does not include frames involved in collisions.

Single Collisions

The number of successfully transmitted frames on this interface for which transmission is inhibited by exactly one collision. This number is not included in the Multiple Collisions number.

Multiple Collisions

The number of successfully transmitted frames on this interface for which transmission is inhibited by more than one collision. This number does not include the Single Collisions number.

Late Collisions

The number of times that a collision is detected on this interface later than 512 bit-times into the transmission of a packet. 512 bit-times = 51.2 microseconds on a 10-Mbps system.

Excessive Collisions

The number of frames for which transmission on this interface failed due to excessive collisions.

MAC Errors: Transmit

The number of frames for which transmission on this interface failed due to an internal MAC sublayer transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive Collisions.

MAC Errors: Receive

The number of frames for which reception on this interface failed due to an internal MAC sublayer receive error. This number does not include Alignment Errors, FCS Errors, or Frame Too Long Errors.

Speed (Mbps)

This interface's nominal bandwidth in megabits per second.

Duplex

The current LAN duplex transmission mode for this interface:

Full = Full-Duplex: transmission in both directions at the same time.
Half = Half-Duplex: transmission in only one direction at a time.

Monitoring | Statistics | MIB-II | SNMP

This screen shows statistics in MIB-II objects for SNMP traffic on the VPN Concentrator since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects.

To configure the VPN Concentrator SNMP server, see Configuration | System | Management Protocols | SNMP.

Figure 17-34 Monitoring | Statistics | MIB-II | SNMP Screen

Reset

Restore

To restore the screen contents to their actual statistical values, click Restore. This icon displays only if you previously clicked the Reset icon.

Refresh

To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Requests Received

The total number of SNMP messages received by the VPN Concentrator.

Bad Version

The total number of SNMP messages received that were for an unsupported SNMP version. The VPN Concentrator supports SNMP version 2.

Bad Community String

The total number of SNMP messages received that used an SNMP community string the VPN Concentrator did not recognize. See Configuration | System | Management Protocols | SNMP Communities to configure permitted community strings. To protect security, the VPN Concentrator does not include the usual default public community string.

Parsing Errors

The total number of syntax or transmission errors encountered by the VPN Concentrator when decoding received SNMP messages.

Silent Drops

The total number of SNMP request messages that were silently dropped because the reply exceeded the maximum allowable message size.

Proxy Drops

The total number of SNMP request messages that were silently dropped because the transmission of the reply message to a proxy target failed for some reason (other than a timeout).

Table of Contents

Statistics

Monitoring | Statistics

Monitoring | Statistics | Accounting

Reset

Restore

Refresh

Server IP Address: Port

Group

Requests

Retransmissions

Responses

Malformed Responses

Bad Authenticators

Pending Requests

Timeouts

Unknown Type

Monitoring | Statistics | Address Pools

Reset

Restore

Refresh

IP Address Range: Start / End

Total Addresses

Available Addresses

Allocated Addresses

Max Allocated Addresses

Group

IP Address Range: Start / End

Total Addresses

Available Addresses

Allocated Addresses

Max Allocated Addresses

Monitoring | Statistics | Administrative AAA

Reset

Restore

Refresh

IP Address

Requests

Accepts

Rejects

Challenge

Pending Requests

Timeouts

Refresh

Monitoring | Statistics | Authentication

Reset

Restore

Refresh

Server IP Address:Port

Group

Requests

Retransmissions

Accepts

Rejects

Challenges

Malformed Responses

Bad Authenticators

Pending Requests

Timeouts

Unknown Type

Monitoring | Statistics | Authentication | Replicas

Server IP Address:Port

Group

Retransmissions

Accepts

Rejects

Timeouts

BadCodeSent

BadPinSent

Monitoring | Statistics | Authorization

Reset

Restore

Refresh

Server IP Address:Port

Group

Requests

Retransmissions

Accepts

Rejects

Challenges