The following is a sample output from the show aaa sessions command. This command must be executed to identify the IKEv2 session that needs to be terminated.
Device# show aaa sessions
Total sessions since last reload: 32
Session Id: 3
Unique Id: 14
User Name: *not available*
IP Address: 0.0.0.0
Idle Time: 0
CT Call Handle: 0
Session Id: 30
Unique Id: 41
User Name: pskuser2.g1.engdt.com
IP Address: 0.0.0.0
Idle Time: 0
CT Call Handle: 0
Session Id: 32
Unique Id: 43
User Name: pskuser4.g2.engdt.com
IP Address: 0.0.0.0
Idle Time: 0
CT Call Handle: 0
In the above output, Unique IDs 41 and 43 pertain to IKEv2 sessions. Optionally, you can run the show aaa user command to view detailed information about a session.
Device# show aaa user 41
Unique id 41 is currently in use.
No data for type 0
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=0000001E Unique Id=00000029
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E)
7FBD9783CD30 0 00000001 start_time(418) 4 Nov 04 2014 00:20:23
--------
No data for type CMD
No data for type SYSTEM
No data for type VRRS
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type DOT1X
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
IPSEC-TUNNEL: Username=pskuser2.g1.engdt.com
Session Id=0000001E Unique Id=00000029
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=7FBDA6E05A68 : Name = accnt_prof
Attribute list:
7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E)
7FBD9783CD30 0 00000001 start_time(418) 4 Nov 04 2014 00:20:23
7FBD9783CD70 0 00000082 formatted-clid(37) 13 192.168.202.2
7FBD9783CDB0 0 0000008A audit-session-id(819) 37 L2L433010101ZO2L4C0A8CA02ZH119404ZP37
7FBD9783CDF0 0 00000081 isakmp-phase1-id(737) 21 pskuser2.g1.engdt.com
7FBD9783BF80 0 00000002 isakmp-initator-ip(738) 4 192.168.202.2
--------
No data for type MCAST
No data for type RESOURCE
No data for type SSG
No data for type IDENTITY
No data for type ConnectedApps
Accounting:
log=0x400018041
Events recorded :
CALL START
ATTR REPLACE
INTERIM START
INTERIM STOP
IPSEC TNL UP
update method(s) :
NONE
update interval = 0
Outstanding Stop Records : 0
Dynamic attribute list:
7FBD9783BF80 0 00000001 connect-progress(75) 4 No Progress
7FBD9783BFC0 0 00000001 pre-session-time(334) 4 0(0)
7FBD9783C000 0 00000001 elapsed_time(414) 4 341(155)
7FBD9783C040 0 00000001 bytes_in(146) 4 0(0)
7FBD9783C080 0 00000001 bytes_out(311) 4 0(0)
7FBD9783CCF0 0 00000001 pre-bytes-in(330) 4 0(0)
7FBD9783CD30 0 00000001 pre-bytes-out(331) 4 0(0)
7FBD9783CD70 0 00000001 paks_in(147) 4 0(0)
7FBD9783CDB0 0 00000001 paks_out(312) 4 0(0)
7FBD9783CDF0 0 00000001 pre-paks-in(332) 4 0(0)
7FBD9783BA20 0 00000001 pre-paks-out(333) 4 0(0)
Debg: No data available
Radi: No data available
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulative Byte/Packet Counts :
Bytes In = 0 Bytes Out = 0
Paks In = 0 Paks Out = 0
StartTime = 00:20:23 IST Nov 4 2014
AuthenTime = 00:20:23 IST Nov 4 2014
Component = VPN IPSEC
Authen: service=NONE type=NONE method=NONE
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 00000029
Session Id = 0000001E
Session Server Key = 1771D693
Attribute List:
PerU: No data available
Service Profile: No Service Profile data.
Unkn: No data available
Unkn: No data available
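Added example, not from the Cisco documentation: a small Python parser for the two outputs above that lists the Unique Ids of sessions carrying a user name and pulls the audit-session-id out of the IPSEC-TUNNEL section of show aaa user. The sample text is constructed from the outputs shown here; treating a populated User Name as the IKEv2 indicator is an assumption, since the page names IDs 41 and 43 without stating the rule.

```python
import re

# Constructed excerpts of the two outputs above, trimmed to the fields this parser uses.
SHOW_AAA_SESSIONS = """\
Total sessions since last reload: 32
Session Id: 3
Unique Id: 14
User Name: *not available*
Session Id: 30
Unique Id: 41
User Name: pskuser2.g1.engdt.com
"""
SHOW_AAA_USER_41 = """\
IPSEC-TUNNEL: Username=pskuser2.g1.engdt.com
Attribute list:
7FBD9783CCF0 0 00000001 session-id(408) 4 30(1E)
7FBD9783CDB0 0 0000008A audit-session-id(819) 37 L2L433010101ZO2L4C0A8CA02ZH119404ZP37
7FBD9783CDF0 0 00000081 isakmp-phase1-id(737) 21 pskuser2.g1.engdt.com
--------
"""

def parse_aaa_sessions(text):
    """One dict per 'Session Id:' block of show aaa sessions, keyed by field name."""
    sessions, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Session Id":          # a new block starts here
            cur = {}
            sessions.append(cur)
        if cur is not None:                      # skips the "Total sessions" header line
            cur[key.strip()] = val.strip()
    return sessions

def candidate_unique_ids(sessions):
    """Unique Ids of sessions that carry a user name. Assumption: those are the IKEv2
    peers (the page names IDs 41 and 43 but does not state the rule it used)."""
    return [int(s["Unique Id"]) for s in sessions
            if s.get("User Name", "*not available*") != "*not available*"]

# "<addr> <n> <flags> <name>(<num>) <len> <value>" lines of an Attribute list
ATTR_RE = re.compile(r"^[0-9A-F]+ \d+ [0-9A-F]+ ([\w-]+)\(\d+\) \d+ (.+)$", re.M)

def ipsec_tunnel_attrs(text):
    """Attributes of the IPSEC-TUNNEL section of show aaa user (e.g. audit-session-id)."""
    section = re.search(r"^IPSEC-TUNNEL:.*?^--------", text, re.S | re.M)
    if not section:
        return {}
    return {name: value.strip() for name, value in ATTR_RE.findall(section.group(0))}
```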
Note the audit-session-id in the above output, which is L2L433010101ZO2L4C0A8CA02ZH119404ZP37. The following sample output is displayed on the FlexVPN server when an accounting session is started with a RADIUS server.
Nov 4 00:26:49.908 IST: RADIUS/ENCODE: Best Local IP-Address 192.168.202.1 for Radius-Server 9.45.15.144
Nov 4 00:26:49.908 IST: RADIUS(0000002C): Send Accounting-Request to 9.45.15.144:1813 id 1646/231, len 288
Nov 4 00:26:49.908 IST: RADIUS: authenticator 29 63 0C 79 C1 5E F2 0E - F3 CA 36 DD A3 55 C1 DE
Nov 4 00:26:49.908 IST: RADIUS: Acct-Session-Id [44] 10 "00000021"
Nov 4 00:26:49.908 IST: RADIUS: Calling-Station-Id [31] 15 "192.168.202.2"
Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 64
Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 58 "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A"
Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 46
Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 40 "isakmp-phase1-id=pskuser1.g1.engdt.com"
Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 40
Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 34 "isakmp-initator-ip=192.168.202.2"
Nov 4 00:26:49.908 IST: RADIUS: User-Name [1] 23 "pskuser1.g1.engdt.com"
Nov 4 00:26:49.908 IST: RADIUS: Vendor, Cisco [26] 36
Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
Nov 4 00:26:49.908 IST: RADIUS: Acct-Authentic [45] 6 Local [2]
Nov 4 00:26:49.908 IST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Nov 4 00:26:49.908 IST: RADIUS: NAS-IP-Address [4] 6 192.168.202.1
Nov 4 00:26:49.908 IST: RADIUS: home-hl-prefix [151] 10 "D33648D8"
Nov 4 00:26:49.908 IST: RADIUS: Acct-Delay-Time [41] 6 0
Nov 4 00:26:49.908 IST: RADIUS(0000002C): Sending a IPv4 Radius Packet
The following output is displayed on the FlexVPN server when disconnecting a session for a specific audit-session-id. The terminate-session request is sent to the RADIUS server via a RADIUS client. In this example, the session for the audit-session-id L2L433010101ZO2L4C0A8CA02ZH119404ZP37 is terminated and is therefore no longer visible in the output.
Nov 4 00:32:29.004 IST: RADIUS: POD received from id 216 9.45.15.144:50567, POD Request, len 84
Nov 4 00:32:29.004 IST: POD: 9.45.15.144 request queued
Nov 4 00:32:29.004 IST: ++++++ POD Attribute List ++++++
Nov 4 00:32:29.004 IST: 7FBD9783D3A8 0 00000089 audit-session-id(819) 39 L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B
Nov 4 00:32:29.004 IST:
Nov 4 00:32:29.004 IST: POD: Sending ACK from port 1812 to 9.45.15.144/50567
Nov 4 00:32:29.005 IST: IKEv2:(SESSION ID = 59,SA ID = 2):Check for existing active SA
Nov 4 00:32:29.006 IST: IKEv2:in_octets 0, out_octets 0
Nov 4 00:32:29.006 IST: IKEv2:in_packets 0, out_packets 0
Nov 4 00:32:29.006 IST: IKEv2:(SA ID = 2):[IKEv2 -> AAA] Accounting stop request sent successfully
Nov 4 00:32:29.006 IST: IKEv2:(SESSION ID = 59,SA ID = 2):Delete all IKE SAs
Nov 4 00:32:29.010 IST: RADIUS/ENCODE(0000002D):Orig. component type = VPN IPSEC
Nov 4 00:32:29.010 IST: RADIUS(0000002D): Config NAS IP: 0.0.0.0
Nov 4 00:32:29.010 IST: RADIUS(0000002D): Config NAS IPv6: ::
Nov 4 00:32:29.010 IST: RADIUS(0000002D): sending
Nov 4 00:32:29.011 IST: RADIUS/ENCODE: Best Local IP-Address 192.168.202.1 for Radius-Server 9.45.15.144
Nov 4 00:32:29.011 IST: RADIUS(0000002D): Send Accounting-Request to 9.45.15.144:1813 id 1646/246, len 356
Nov 4 00:32:29.011 IST: RADIUS: authenticator 52 88 5E CB 8B FA 1E C1 - CC EF 73 75 89 73 CA 95
Nov 4 00:32:29.011 IST: RADIUS: Acct-Session-Id [44] 10 "00000022"
Nov 4 00:32:29.011 IST: RADIUS: Calling-Station-Id [31] 15 "192.168.202.2"
Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 64
Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 58 "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B"
Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 46
Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 40 "isakmp-phase1-id=pskuser1.g1.engdt.com"
Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 40
Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 34 "isakmp-initator-ip=192.168.202.2"
Nov 4 00:32:29.011 IST: RADIUS: User-Name [1] 23 "pskuser1.g1.engdt.com"
Nov 4 00:32:29.011 IST: RADIUS: Acct-Authentic [45] 6 Local [2]
Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 36
Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 30 "connect-progress=No Progress"
Nov 4 00:32:29.011 IST: RADIUS: Acct-Session-Time [46] 6 56
Nov 4 00:32:29.011 IST: RADIUS: Acct-Input-Octets [42] 6 0
Nov 4 00:32:29.011 IST: RADIUS: Acct-Output-Octets [43] 6 0
Nov 4 00:32:29.011 IST: RADIUS: Acct-Input-Packets [47] 6 0
Nov 4 00:32:29.011 IST: RADIUS: Acct-Output-Packets [48] 6 0
Nov 4 00:32:29.011 IST: RADIUS: Acct-Terminate-Cause[49] 6 none [0]
Nov 4 00:32:29.011 IST: RADIUS: Vendor, Cisco [26] 32
Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 26 "disc-cause-ext=No Reason"
Nov 4 00:32:29.011 IST: RADIUS: Acct-Status-Type [40] 6 Stop [2]
Nov 4 00:32:29.011 IST: RADIUS: NAS-IP-Address [4] 6 192.168.202.1
Nov 4 00:32:29.011 IST: RADIUS: home-hl-prefix [151] 10 "E2F80C34"
Nov 4 00:32:29.011 IST: RADIUS: Acct-Delay-Time [41] 6 0
Nov 4 00:32:29.011 IST: RADIUS(0000002D): Sending a IPv4 Radius Packet
Nov 4 00:32:29.011 IST: RADIUS(0000002D): Started 5 sec timeout
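Added example, not part of the original page: parsing the RADIUS accounting debug above into one record per Accounting-Request and flagging Stop records whose audit-session-id never had a Start in the same capture, the consistency check a defender wants after a disconnect. The debug excerpt is constructed from the lines shown on this page.

```python
import re

# Constructed excerpt of the FlexVPN server's RADIUS accounting debug, in the format above.
DEBUG = """\
Nov 4 00:26:49.908 IST: RADIUS(0000002C): Send Accounting-Request to 9.45.15.144:1813 id 1646/231, len 288
Nov 4 00:26:49.908 IST: RADIUS: Acct-Session-Id [44] 10 "00000021"
Nov 4 00:26:49.908 IST: RADIUS: Cisco AVpair [1] 58 "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A"
Nov 4 00:26:49.908 IST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Nov 4 00:26:49.908 IST: RADIUS(0000002C): Sending a IPv4 Radius Packet
Nov 4 00:32:29.011 IST: RADIUS(0000002D): Send Accounting-Request to 9.45.15.144:1813 id 1646/246, len 356
Nov 4 00:32:29.011 IST: RADIUS: Acct-Session-Id [44] 10 "00000022"
Nov 4 00:32:29.011 IST: RADIUS: Cisco AVpair [1] 58 "audit-session-id=L2L433010101ZO2L4C0A8CA02ZH11941194ZN3B"
Nov 4 00:32:29.011 IST: RADIUS: Acct-Session-Time [46] 6 56
Nov 4 00:32:29.011 IST: RADIUS: Acct-Terminate-Cause[49] 6 none [0]
Nov 4 00:32:29.011 IST: RADIUS: Acct-Status-Type [40] 6 Stop [2]
Nov 4 00:32:29.011 IST: RADIUS(0000002D): Sending a IPv4 Radius Packet
"""

SEND_RE = re.compile(r"RADIUS\((?P<xid>[0-9A-F]{8})\): Send Accounting-Request to (?P<srv>[\d.]+):\d+")
AVPAIR_RE = re.compile(r'RADIUS: Cisco AVpair \[1\] \d+ "(?P<key>[\w-]+)=(?P<val>[^"]*)"')
ATTR_RE = re.compile(r"RADIUS: (?P<name>[\w-]+) ?\[(?P<type>\d+)\] (?P<len>\d+) (?P<val>.*)$")

def parse_accounting(text):
    """One dict per Accounting-Request: exchange id, server, and the decoded attributes."""
    records, cur = [], None
    for line in text.splitlines():
        if m := SEND_RE.search(line):            # a new request opens here
            cur = {"xid": m["xid"], "server": m["srv"]}
            records.append(cur)
        elif cur is None:
            continue
        elif m := AVPAIR_RE.search(line):        # Cisco VSA carried as "key=value"
            cur[m["key"]] = m["val"]
        elif m := ATTR_RE.search(line):          # standard attribute: Name [type] len value
            cur[m["name"]] = m["val"].strip().strip('"')
    return records

def status(rec):
    """'Start', 'Stop' or 'Interim-Update' from an Acct-Status-Type value like 'Stop [2]'."""
    return rec.get("Acct-Status-Type", "").split(" ")[0]

def unmatched_stops(records):
    """audit-session-ids that report a Stop without an earlier Start in the same capture."""
    started, orphans = set(), []
    for rec in records:
        sid = rec.get("audit-session-id")
        if status(rec) == "Start":
            started.add(sid)
        elif status(rec) == "Stop" and sid not in started:
            orphans.append(sid)
    return orphans
```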
The following output is displayed when there is no valid session for the specified audit-session-id. This happens when no session pertains to that audit-session-id, for example because the session has already been terminated. Note the NACK message that is sent back to the FlexVPN server.
Nov 4 00:30:31.905 IST: RADIUS: POD received from id 131 9.45.15.144:52986, POD Request, len 84
Nov 4 00:30:31.905 IST: POD: 9.45.15.144 request queued
Nov 4 00:30:31.905 IST: ++++++ POD Attribute List ++++++
Nov 4 00:30:31.905 IST: 7FBD9783BA20 0 00000089 audit-session-id(819) 39 L2L433010101ZO2L4C0A8CA02ZH11941194ZN3A
Nov 4 00:30:31.905 IST:
Nov 4 00:30:31.906 IST: POD: 9.45.15.144 Unsupported attribute type 26 for component
Nov 4 00:30:31.906 IST: POD: 9.45.15.144 user 0.0.0.0i sessid 0x0 key 0x0 DROPPED
Nov 4 00:30:31.906 IST: POD: Added Reply Message: No Matching Session
Nov 4 00:30:31.906 IST: POD: Added NACK Error Cause: Invalid Request
Nov 4 00:30:31.906 IST: POD: Sending NAK from port 1812 to 9.45.15.144/52986
Nov 4 00:30:31.906 IST: RADIUS: 18 21 4E6F204D61746368696E672053657373696F6E
Nov 4 00:30:31.906 IST: RADIUS: 101 6 00000194
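Added example, not from the original page: decoding the two raw attribute lines that close the NAK dump above (type, length, hex value) into the Reply-Message and the RFC 5176 Error-Cause that the POD debug lines report in clear text, so an operator can confirm a NAK means "no such session" rather than a malformed request. The Error-Cause names are the RFC 5176 values; the input lines are constructed from this page.

```python
import re

# RFC 5176 Error-Cause (attribute 101) values a NAS commonly returns in a Disconnect-NAK.
ERROR_CAUSE = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    503: "Session Context Not Found", 504: "Session Context Not Removable",
}
ATTR_NAMES = {18: "Reply-Message", 101: "Error-Cause"}

# Constructed from the two "RADIUS: <type> <length> <hex>" lines at the end of the NAK debug.
NAK_DUMP = """\
Nov 4 00:30:31.906 IST: RADIUS: 18 21 4E6F204D61746368696E672053657373696F6E
Nov 4 00:30:31.906 IST: RADIUS: 101 6 00000194
"""

RAW_ATTR_RE = re.compile(r"RADIUS: (\d+) (\d+) ([0-9A-Fa-f]+)\s*$")

def decode_nak_attrs(text):
    """Return [(attribute name, decoded value)] for each raw attribute line in the dump."""
    decoded = []
    for line in text.splitlines():
        m = RAW_ATTR_RE.search(line)
        if not m:
            continue
        atype, alen, payload = int(m[1]), int(m[2]), bytes.fromhex(m[3])
        # The RADIUS Length field covers the 2-byte Type/Length header plus the value.
        if alen != len(payload) + 2:
            raise ValueError(f"attribute {atype}: length {alen} vs {len(payload)} value bytes")
        if atype == 101:                       # Error-Cause is a 4-byte big-endian integer
            code = int.from_bytes(payload, "big")
            value = f"{code} ({ERROR_CAUSE.get(code, 'unknown')})"
        else:                                  # Reply-Message and similar attributes are text
            value = payload.decode("ascii", errors="replace")
        decoded.append((ATTR_NAMES.get(atype, f"attr-{atype}"), value))
    return decoded

def session_already_gone(decoded):
    """True when the NAK says the NAS holds no session for the id. This page's platform
    answers 404 (Invalid Request) with 'No Matching Session'; RFC 5176 defines 503 for it."""
    causes = [value for name, value in decoded if name == "Error-Cause"]
    return any(value.startswith(("404 ", "503 ")) for value in causes)
```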