Monitoring the Easy VPN Server

At the top of the main SDM page is a row of buttons listed as Home, Configure, Monitor, Refresh, Save, and Help. The Home and Configure settings have been discussed in some detail in this chapter. This section discusses the monitoring of an Easy VPN Server. Figure 16-12 shows the Easy VPN Monitor page.

Figure 16-12 Easy VPN Server Monitoring


As shown in the figure, each individual Easy VPN Server group configured in the router will be monitored. Concurrent connections, addresses (both public and private), and encryption information are listed in the two panes of the Monitor window.

Although security best practice calls for disabling HTTP access to the router, additional monitoring can be performed via the traditional web interface, which provides access to Cisco IOS commands and their output. SDM itself is accessed over secure HTTP (HTTPS). For the most part, troubleshooting and debugging are performed through either SDM or the CLI. Among the commands useful for monitoring from both the web interface and the CLI is show crypto isakmp sa, as detailed in Example 16-1.

Example 16-1 show crypto isakmp sa Command Output

BM2821#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.0.4      172.16.1.40     QM_IDLE           1004    0 ACTIVE

IPv6 Crypto ISAKMP SA

The example shows the ISAKMP SA that has been proposed and accepted for the duration of the connection. The information shown includes the destination and source IP addresses, the state of the connection, a connection ID, the slot, and the status.

Also of particular use in monitoring and troubleshooting VPN connections is the show crypto ipsec sa command, as shown in Example 16-2.

Example 16-2 show crypto ipsec sa Command Output


     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD35124D3(3545310419)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: NETGX:2, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4570711/3346)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

The command output shows information about the existing connection(s). The highlighted lines emphasize the IP address assigned to the connection (inside) as well as the actual source and destination IP addresses (the local VPN gateway and the remote client). Also of note are the inbound and outbound transform sets configured for the VPN connection.
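In practice, an operator polls these two show commands on a schedule and alerts on anything that is not a healthy, established SA. The following parser and health check is an added example, not code from the book or from SDM; the sample outputs are constructed from the format of Examples 16-1 and 16-2, and the weak-transform list and 300-second rekey threshold are assumptions chosen for illustration.

```python
import re
# Constructed sample output modelled on Examples 16-1 and 16-2 (not a live capture).
ISAKMP_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.16.0.4      172.16.1.40     QM_IDLE           1004    0 ACTIVE
172.16.0.4      172.16.1.41     MM_NO_STATE       1005    0 ACTIVE (deleted)
"""
IPSEC_OUTPUT = """\
      spi: 0xD35124D3(3545310419)
        transform: esp-3des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4570711/3346)
        Status: ACTIVE
"""
ISAKMP_ROW = re.compile(r"^(?P<dst>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<state>\S+)\s+"
                        r"(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$")
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}  # assumed list of legacy transforms to flag

def parse_isakmp_sa(text):
    """One dict per IKE SA row of 'show crypto isakmp sa'."""
    return [m.groupdict() for m in map(ISAKMP_ROW.match, map(str.strip, text.splitlines())) if m]

def parse_ipsec_sa(text):
    """One dict per SPI of 'show crypto ipsec sa' (transform, remaining lifetime, status)."""
    sas, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("spi:"):
            sas.append(cur := {"spi": line.split()[1].split("(")[0]})
        elif cur and line.startswith("transform:"):
            cur["transform"] = line.split(":", 1)[1].strip(" ,").split()
        elif cur and line.startswith("sa timing:"):
            cur["remaining_sec"] = int(re.search(r"/(\d+)\)", line).group(1))
        elif cur and line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
    return sas

def check_vpn_health(isakmp_text, ipsec_text, min_lifetime_sec=300):
    """Flag IKE SAs not established, IPsec SAs not ACTIVE or about to rekey, and weak transforms."""
    findings = []
    for sa in parse_isakmp_sa(isakmp_text):
        if sa["state"] != "QM_IDLE" or sa["status"] != "ACTIVE":
            findings.append(f"IKE SA {sa['conn_id']} {sa['src']}->{sa['dst']}: {sa['state']} {sa['status']}")
    for sa in parse_ipsec_sa(ipsec_text):
        if sa.get("status") != "ACTIVE":
            findings.append(f"IPsec SA {sa['spi']}: status {sa.get('status')}")
        if sa.get("remaining_sec", min_lifetime_sec) < min_lifetime_sec:
            findings.append(f"IPsec SA {sa['spi']}: {sa['remaining_sec']} s until rekey")
        if weak := WEAK.intersection(sa.get("transform", ())):
            findings.append(f"IPsec SA {sa['spi']}: weak transform {' '.join(sorted(weak))}")
    return findings
```

On the sample data this reports the half-built IKE SA 1005 and the 3DES transform on SPI 0xD35124D3, while the established QM_IDLE SA 1004 passes silently.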
