Contents

IP Security VPN Monitoring

The IP Security VPN Monitoring feature provides VPN session monitoring enhancements that will allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface. Session monitoring enhancements include the following:

  • Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file

  • Summary listing of crypto session status

  • Syslog notification for crypto session up or down status

  • Ability to clear both IKE and IP Security (IPsec) security associations (SAs) using one command-line interface (CLI)

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for IP Security VPN Monitoring

  • You should be familiar with IPSec and encryption.

  • Your router must support IPSec, and before using the IP Security VPN Monitoring feature, you must have configured IPSec on your router.

Restrictions for IP Security VPN Monitoring

  • You must be running Cisco IOS XE k8 or k9 crypto images on your router.

Information About IPsec VPN Monitoring

Background Crypto Sessions

A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (for control traffic) and at least two IPSec security associations (for data traffic--one per each direction). There may be duplicated IKE security associations (SAs) and IPSec SAs or duplicated IKE SAs or IPSec SAs for the same session in the duration of rekeying or because of simultaneous setup requests from both sides.

Per-IKE Peer Description

The Per-IKE Peer Description function allows you to enter a description of your choosing for an IKE peer. The unique peer description, which can include up to 80 characters, can be used whenever you are referencing that particular IKE peer. To add the peer description, use the description command.


Note


IKE peers that “sit” behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.


The primary application of this description field is for monitoring purposes (for example, when using show commands or for logging [syslog messages]). The description field is purely informational (for example, it cannot act as a substitute for the peer address or FQDN when defining crypto maps).

Summary Listing of Crypto Session Status

You can get a list of all the active VPN sessions by entering the show crypto session command. The listing will include the following:

  • Interface

  • IKE peer description, if available

  • IKE SAs that are associated with the peer by whom the IPSec SAs are created

  • IPSec SAs serving the flows of a session

Multiple IKE or IPSec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.

You can also use the show crypto session detail variant of this command to obtain more detailed information about the sessions.

Syslog Notification for Crypto Session Up or Down Status

The Syslog Notification for Crypto Session Up or Down Status function provides syslog notification every time the crypto session comes up or goes down.

The following is a sample syslog notification showing that a crypto session is up:

%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20  Description: SJC24-2-VPN-Gateway Id: 10.5.5.2

The following is a sample syslog notification showing that a crypto session is down:

%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2 

IKE and IPsec Security Exchange Clear Command

The clear crypto session command allows you to clear both IKE and IPsec with a single command. To clear a specific crypto session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address will be used to specify a single tunnel to be deleted.

If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPsec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be cleared. If you do not provide a parameter when you use the clear crypto session command, all IPsec SAs and IKE SAs that are in the router will be deleted.

How to Configure IP Security VPN Monitoring

Adding the Description of an IKE Peer

To add the description of an IKE peer to an IPsec VPN session, perform the following steps.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    crypto isakmp peer {ip-address ip-address}

    4.    description


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Router# configure terminal
     

    Enters global configuration mode.

     
    Step 3 crypto isakmp peer {ip-address ip-address}


    Example:
    Router (config)# crypto isakmp peer address 10.2.2.9
     

    Enables an IPsec peer for IKE querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode and enters ISAKMP peer configuration mode.

     
    Step 4 description


    Example:
    Router (config-isakmp-peer)# description connection from site A
     

    Adds a description for an IKE peer.

     

    Verifying Peer Descriptions

    To verify peer descriptions, use the show crypto isakmp peer command.

    SUMMARY STEPS

      1.    enable

      2.    show crypto isakmp peer


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 show crypto isakmp peer


      Example:
      Router# show crypto isakmp peer
       

      Displays peer descriptions.

       

      Examples

      The following output example verifies that the description “connection from site A” has been added for IKE peer 10.2.2.9:

      Router# show crypto isakmp peer
      Peer: 10.2.2.9 Port: 500
       Description: connection from site A
        flags: PEER_POLICY
      

      When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:

      %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn

      The following output example verifies that the description “connection from site A” has been added for IKE peer 10.2.2.9:

      Router# show crypto isakmp peer
      Peer: 10.2.2.9 Port: 500
       Description: connection from site A
        flags: PEER_POLICY
      

      When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:

      %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn

      Clearing a Crypto Session

      To clear a crypto session, use the clear crypto session command from the router command line. No configuration statements are required in the configuration file to use this command.

      SUMMARY STEPS

        1.    enable

        2.    clear crypto session


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 clear crypto session


        Example:
        Router# clear crypto session
         

        Deletes crypto sessions (IPSec and IKE SAs).

         

        Configuration Examples for IP Security VPN Monitoring

        show crypto session Command Output Examples

        The following is sample output for the show crypto session output without the detail keyword:

        Router# show crypto session
        Crypto session current status
        Interface: FastEthernet0/1
        Session status: UP-ACTIVE
        Peer: 172.0.0.2/500
           IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 Active
           IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0
                 Active SAs: 2, origin: crypto map
        

        The following is sample output using the show crypto session command and the detail keyword:

        Router# show crypto session detail
        Interface: Tunnel0
        Session status: UP-ACTIVE
        Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
              Desc: this is my peer at 10.1.1.3:500 Green
              Phase1_id: 10.1.1.3
          IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
                  Capabilities:(none) connid:3 lifetime:22:03:24
          IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
                Active SAs: 0, origin: crypto map
                Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
                Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
          IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
                Active SAs: 4, origin: crypto map
                Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
                Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949

        Additional References

        The following sections provide references related to IP Security VPN Monitoring.

        Related Documents

        Related Topic

        Document Title

        IP security, encryption, and IKE

        • Configuring Internet Key Exchange for IPsec VPNs

        • Configuring Security for VPNs with IPsec

        Security commands

        Cisco IOS Security Command Reference

        Standards

        Standards

        Title

        No new or modified standards are supported by this feature, and support for exiting standards has not been modified by this feature.

        --

        MIBs

        MIBs

        MIBs Link

        No new or modified MIBs are supported by this feature, and support for exiting MIBs has not been modified by this feature.

        To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

        http:/​/​www.cisco.com/​go/​mibs

        RFCs

        RFCs

        Title

        No new or modified RFCs are supported by this feature, and support for exiting RFCs has not been modified by this feature.

        --

        Technical Assistance

        Description

        Link

        The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

        To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

        Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​techsupport

        Feature Information for IP Security VPN Monitoring

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
        Table 1 Feature Information for IP Security VPN Monitoring

        Feature Name

        Releases

        Feature Information

        IP Security VPN Monitoring

        Cisco IOS XE Release 2.1

        The IP Security VPN Monitoring feature provides VPN session monitoring enhancements that will allow you to troubleshoot the VPN and monitor the end-user interface. Session monitoring enhancements include the following:

        • Ability to specify an IKE peer description in the configuration file

        • Summary listing of crypto session status

        • Syslog notification for crypto session up or down status

        Ability to clear both IKE and IPsec SAs using one CLI

        • The following commands were introduced or modified: clear crypto session, description (isakmp peer), show crypto isakmp peer, show crypto session.


        IP Security VPN Monitoring

        IP Security VPN Monitoring

        The IP Security VPN Monitoring feature provides VPN session monitoring enhancements that will allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface. Session monitoring enhancements include the following:

        • Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file

        • Summary listing of crypto session status

        • Syslog notification for crypto session up or down status

        • Ability to clear both IKE and IP Security (IPsec) security associations (SAs) using one command-line interface (CLI)

        Finding Feature Information

        Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Prerequisites for IP Security VPN Monitoring

        • You should be familiar with IPSec and encryption.

        • Your router must support IPSec, and before using the IP Security VPN Monitoring feature, you must have configured IPSec on your router.

        Restrictions for IP Security VPN Monitoring

        • You must be running Cisco IOS XE k8 or k9 crypto images on your router.

        Information About IPsec VPN Monitoring

        Background Crypto Sessions

        A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (for control traffic) and at least two IPSec security associations (for data traffic--one per each direction). There may be duplicated IKE security associations (SAs) and IPSec SAs or duplicated IKE SAs or IPSec SAs for the same session in the duration of rekeying or because of simultaneous setup requests from both sides.

        Per-IKE Peer Description

        The Per-IKE Peer Description function allows you to enter a description of your choosing for an IKE peer. The unique peer description, which can include up to 80 characters, can be used whenever you are referencing that particular IKE peer. To add the peer description, use the description command.


        Note


        IKE peers that “sit” behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.


        The primary application of this description field is for monitoring purposes (for example, when using show commands or for logging [syslog messages]). The description field is purely informational (for example, it cannot act as a substitute for the peer address or FQDN when defining crypto maps).

        Summary Listing of Crypto Session Status

        You can get a list of all the active VPN sessions by entering the show crypto session command. The listing will include the following:

        • Interface

        • IKE peer description, if available

        • IKE SAs that are associated with the peer by whom the IPSec SAs are created

        • IPSec SAs serving the flows of a session

        Multiple IKE or IPSec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.

        You can also use the show crypto session detail variant of this command to obtain more detailed information about the sessions.

        Syslog Notification for Crypto Session Up or Down Status

        The Syslog Notification for Crypto Session Up or Down Status function provides syslog notification every time the crypto session comes up or goes down.

        The following is a sample syslog notification showing that a crypto session is up:

        %CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20  Description: SJC24-2-VPN-Gateway Id: 10.5.5.2
        

        The following is a sample syslog notification showing that a crypto session is down:

        %CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2 

        IKE and IPsec Security Exchange Clear Command

        The clear crypto session command allows you to clear both IKE and IPsec with a single command. To clear a specific crypto session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address will be used to specify a single tunnel to be deleted.

        If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPsec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be cleared. If you do not provide a parameter when you use the clear crypto session command, all IPsec SAs and IKE SAs that are in the router will be deleted.

        How to Configure IP Security VPN Monitoring

        Adding the Description of an IKE Peer

        To add the description of an IKE peer to an IPsec VPN session, perform the following steps.

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    crypto isakmp peer {ip-address ip-address}

          4.    description


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Router> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 configure terminal


          Example:
          Router# configure terminal
           

          Enters global configuration mode.

           
          Step 3 crypto isakmp peer {ip-address ip-address}


          Example:
          Router (config)# crypto isakmp peer address 10.2.2.9
           

          Enables an IPsec peer for IKE querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode and enters ISAKMP peer configuration mode.

           
          Step 4 description


          Example:
          Router (config-isakmp-peer)# description connection from site A
           

          Adds a description for an IKE peer.

           

          Verifying Peer Descriptions

          To verify peer descriptions, use the show crypto isakmp peer command.

          SUMMARY STEPS

            1.    enable

            2.    show crypto isakmp peer


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Router> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 show crypto isakmp peer


            Example:
            Router# show crypto isakmp peer
             

            Displays peer descriptions.

             

            Examples

            The following output example verifies that the description “connection from site A” has been added for IKE peer 10.2.2.9:

            Router# show crypto isakmp peer
            Peer: 10.2.2.9 Port: 500
             Description: connection from site A
              flags: PEER_POLICY
            

            When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:

            %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn

            The following output example verifies that the description “connection from site A” has been added for IKE peer 10.2.2.9:

            Router# show crypto isakmp peer
            Peer: 10.2.2.9 Port: 500
             Description: connection from site A
              flags: PEER_POLICY
            

            When the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:

            %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpn

            Clearing a Crypto Session

            To clear a crypto session, use the clear crypto session command from the router command line. No configuration statements are required in the configuration file to use this command.

            SUMMARY STEPS

              1.    enable

              2.    clear crypto session


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Router> enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.

               
              Step 2 clear crypto session


              Example:
              Router# clear crypto session
               

              Deletes crypto sessions (IPSec and IKE SAs).

               

              Configuration Examples for IP Security VPN Monitoring

              show crypto session Command Output Examples

              The following is sample output for the show crypto session output without the detail keyword:

              Router# show crypto session
              Crypto session current status
              Interface: FastEthernet0/1
              Session status: UP-ACTIVE
              Peer: 172.0.0.2/500
                 IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 Active
                 IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0
                       Active SAs: 2, origin: crypto map
              

              The following is sample output using the show crypto session command and the detail keyword:

              Router# show crypto session detail
              Interface: Tunnel0
              Session status: UP-ACTIVE
              Peer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)
                    Desc: this is my peer at 10.1.1.3:500 Green
                    Phase1_id: 10.1.1.3
                IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 Active
                        Capabilities:(none) connid:3 lifetime:22:03:24
                IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3
                      Active SAs: 0, origin: crypto map
                      Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
                      Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
                IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3
                      Active SAs: 4, origin: crypto map
                      Inbound:  #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949
                      Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949

              Additional References

              The following sections provide references related to IP Security VPN Monitoring.

              Related Documents

              Related Topic

              Document Title

              IP security, encryption, and IKE

              • Configuring Internet Key Exchange for IPsec VPNs

              • Configuring Security for VPNs with IPsec

              Security commands

              Cisco IOS Security Command Reference

              Standards

              Standards

              Title

              No new or modified standards are supported by this feature, and support for exiting standards has not been modified by this feature.

              --

              MIBs

              MIBs

              MIBs Link

              No new or modified MIBs are supported by this feature, and support for exiting MIBs has not been modified by this feature.

              To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL:

              http:/​/​www.cisco.com/​go/​mibs

              RFCs

              RFCs

              Title

              No new or modified RFCs are supported by this feature, and support for exiting RFCs has not been modified by this feature.

              --

              Technical Assistance

              Description

              Link

              The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

              To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

              Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

              http:/​/​www.cisco.com/​techsupport

              Feature Information for IP Security VPN Monitoring

              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
              Table 1 Feature Information for IP Security VPN Monitoring

              Feature Name

              Releases

              Feature Information

              IP Security VPN Monitoring

              Cisco IOS XE Release 2.1

              The IP Security VPN Monitoring feature provides VPN session monitoring enhancements that will allow you to troubleshoot the VPN and monitor the end-user interface. Session monitoring enhancements include the following:

              • Ability to specify an IKE peer description in the configuration file

              • Summary listing of crypto session status

              • Syslog notification for crypto session up or down status

              Ability to clear both IKE and IPsec SAs using one CLI

              • The following commands were introduced or modified: clear crypto session, description (isakmp peer), show crypto isakmp peer, show crypto session.