Vpn up/down logging

I am trying to log the IPsec VPN up/down status of the IPsec tunnels created from my 1811. I have turned on logging and set it to log to a syslog server, which is currently happening. I set the logging trap to be at level debugging. When I had it on informational it didn't log the down status of one of the tunnels that went down yesterday. I've also cleared out the log and turned on IPsec debugging in hopes that this will tell me the up/down status of the VPNs as well. Is there another, more preferred method? Thanks.

Reply to
mmark751969

Well, for sure deb cry ip sa will give you logging messages when the SAs go down or come up. Quite a few messages :(

One reason that they are not logged (as I recall) might be that it is a normal occurrence. If there is no traffic, SAs time out and go down. There is nothing "wrong".

One approach might be to do SAA: set up a ping, say, and see if that might be loggable. I don't know.

Yes it is.

Apr 16 00:21:01.400 BST: %TRACKING-5-STATE: 1 rtr 101 reachability Up-

This is not supposed to be best practice, just one I hacked together.

track 1 rtr 101 reachability delay down 20 up 20

ip sla 101 icmp-echo x.x.x.x timeout 1000

ip sla schedule 101 life forever start-time now

You will need to find out how to set the source interface to be one that will work for the crypto.

icmp-echo 1.1.1.1 source-int ....

Of course the tracking can be done on any router, not necessarily one with the crypto configured.

Reply to
bod43
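The %TRACKING-5-STATE messages produced by the track/ip sla configuration above can be turned into tunnel-outage records on the syslog server without enabling any crypto debug. The following Python is an added example, not code from this thread; the `Up->Down`/`Down->Up` transition text, the year (IOS timestamps carry none) and the sample log excerpt are assumptions, since the quoted message is truncated.

```python
import re
from datetime import datetime

# Assumed message shape, modelled on the %TRACKING-5-STATE line quoted above;
# the "Old->New" transition text is an assumption. search() tolerates any
# collector-added prefix in front of the router's own timestamp.
TRACK_RE = re.compile(
    r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)(?:\.\d+)? \S+: "
    r"%TRACKING-5-STATE: (?P<track>\d+) rtr (?P<sla>\d+) reachability "
    r"(?P<old>Up|Down)->(?P<new>Up|Down)"
)

# Constructed sample syslog excerpt (not from the thread): track 1 flaps once,
# track 2 goes down and stays down, and one unrelated line must be ignored.
SAMPLE_LOG = """\
Apr 16 00:21:01.400 BST: %TRACKING-5-STATE: 1 rtr 101 reachability Up->Down
Apr 16 00:21:02.100 BST: %SYS-5-CONFIG_I: Configured from console by vty0
Apr 16 00:23:41.900 BST: %TRACKING-5-STATE: 1 rtr 101 reachability Down->Up
Apr 16 01:05:00.000 BST: %TRACKING-5-STATE: 2 rtr 102 reachability Up->Down
"""

def parse_track_events(lines, year=2009):
    """Return the tracking transitions found in syslog lines, oldest first."""
    events = []
    for line in lines:
        m = TRACK_RE.search(line)
        if not m:
            continue  # not a tracking transition; other syslog noise is skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # no year in IOS logs
        events.append({"ts": ts, "track": m["track"], "sla": m["sla"],
                       "old": m["old"], "new": m["new"]})
    return events

def tunnel_outages(events):
    """Pair each Up->Down with the next Down->Up per track; return (outages, still_down)."""
    down_since, outages = {}, []
    for ev in events:
        if ev["new"] == "Down":
            down_since[ev["track"]] = ev
        elif ev["track"] in down_since:
            start = down_since.pop(ev["track"])
            outages.append({"track": ev["track"], "sla": ev["sla"], "down": start["ts"],
                            "up": ev["ts"], "seconds": (ev["ts"] - start["ts"]).total_seconds()})
    return outages, {t: e["ts"] for t, e in down_since.items()}

if __name__ == "__main__":
    done, still_down = tunnel_outages(parse_track_events(SAMPLE_LOG.splitlines()))
    for o in done:
        print(f"track {o['track']} (rtr {o['sla']}) down {o['seconds']:.0f}s from {o['down']}")
    for t, ts in still_down.items():
        print(f"track {t} still down since {ts}")
```

Because the probe's own traffic has to match the crypto ACL to be useful, it also keeps the SA from idling out, so a Down transition reflects a real path failure rather than the normal lifetime expiry bod43 describes. The "delay down 20 up 20" in the track command suppresses transient flaps before a message is ever logged.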

Poll it with SNMP.

Reply to
alexd

If you tell me how, it will be very nice. I can't find a method to monitor some IPsec tunnels on one router.

Reply to
maxim.chebanenko

Have a look at the thread 'ipsec vpn logging', dated 22nd April.

Reply to
alexd

Oh, OK. I read this topic, but I can't find CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunnelTable in my IOSes. I use 3825, 2811 with c3825-advipservicesk9-mz.124-21 and c2800nm-advipservicesk9-mz.124-12.

Thanks for the reply.

Reply to
maxim.chebanenko

I am now doing this by setting the 1800 to log to my syslog server at logging level debugging. I'm then turning on debugging at the router with deb cry ipsec error. I did this and then cleared out a VPN to test. I was immediately getting outgoing SA deny errors repeating frequently. This should be sufficient for me to tell when they go down. I'll just need to police my syslog log file to see that it doesn't get too big.

Reply to
mmark751969

Turning on a debug seems a bit extreme. Debug will also be lost on reboot.

As regards the log file size, there may be automated tools available (Kiwi Syslog Server?) or you can schedule a job to roll over to a new file periodically. These text files will compress really well, so you can keep a few.

This page describes the MIB and there is a link there to a tool that allows you to find supported images.

It looks as if you might need Advanced IP Services or better.

Post sh ver if you want assistance.

Reply to
bod43

ISTR they didn't show up in an snmpwalk from the root of the tree [i.e. an snmpwalk without specifying any OIDs], but when I specified that OID I did see it.

If you google for "CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunnelTable", the first hit is a page at cisco.com which has a link that says "View Supporting Images". I can only presume that if your images aren't on that list, then they don't support the MIB, and you'll have to bodge it with syslog.

Reply to
alexd

OK. Thanks again.

Reply to
maxim.chebanenko
