verify IPSec VPN use/uptime on routers?

Is there a way to verify VPN use and uptime?  I believe that the below command will only show output for the duration of the security association, which could be for an unknown time period.  Do you know a way to verify when counters were last cleared for the below command?

sh crypto ipsec sa peer x.x.x.x

I'm trying to determine if a VPN can be turned off and need output from the VPN headends (routers in this case) as proof of VPN inactivity.


FYI this is a policy based VPN.  

Cisco IOS XE Software, Version 03.16.10.S

ASR 10002

9 Replies

@hocus-pokus-alakazoo if it's a policy based VPN it requires regular traffic to maintain the VPN, so if there are IPSec SAs then the VPN is in use.


yes, this is a policy based vpn

Show crypto isakmp sa detail 

Show crypto ipsec sa detail 

Show crypto session sa detail 

Check the lifetime for phase I and phase II from the above three commands.

MHM

this is a policy based VPN and there has been no traffic on it for a while.  I want to know how long there's been no traffic so as to tear down the SA.

@hocus-pokus-alakazoo With a policy based VPN there needs to be interesting traffic to establish and maintain the VPN. If there is no activity the lifetime timers will expire, the SA will not be renewed and the tunnel will be torn down automatically. If the tunnel goes down (due to lack of interesting traffic), only when interesting traffic is sent/received will the tunnel be re-established. SA lifetimes are 24 hours maximum, so if there are IPSec SAs then the tunnel has been used recently.

The tunnel has phase I and phase II.

Phase I lifetime is 24 hours; after that the VPN will be deleted if there is no traffic and we use keepalive on demand.

If we use keepalive periodic then phase I auto re-negotiates after 24 hrs.

Now for phase II: if you see encrypt and decrypt SPIs then there is active traffic between the two peers; if you don't see SPIs then there is no traffic.

MHM

so it sounds like there is no way to tell how long the SA has been dead beyond 24 hours... we can't conclude that a VPN has been inactive for, say, "30 days"?

@hocus-pokus-alakazoo with a policy based VPN there will be no IPSec SA if the timers have expired due to lack of interesting traffic.
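As an added illustration of the point made in the replies above (not code from this thread or from Cisco), the following script parses a constructed `show crypto ipsec sa` snapshot in the IOS/IOS-XE layout and classifies each peer: no SA at all means no interesting traffic for at least the configured IPsec lifetime, while an existing SA only proves activity since that SA came up. The sample output and the 3600-second lifetime default are assumptions.

```python
import re

# Constructed sample of "show crypto ipsec sa" output in the IOS/IOS-XE
# layout; not captured from the poster's ASR. Only one peer has an SA.
SAMPLE = """\
interface: GigabitEthernet0/0/0
    Crypto map tag: CMAP, local addr 192.0.2.1
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
    #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        sa timing: remaining key lifetime (k/sec): (4607999/3432)
     outbound esp sas:
      spi: 0x5E6F7081(1584754817)
        sa timing: remaining key lifetime (k/sec): (4607999/3432)
"""

def parse_ipsec_sa(text):
    """Map each current_peer to its encrypt/decrypt counters and SPI lifetimes."""
    peers, cur, last_spi = {}, None, None
    for line in text.splitlines():
        if m := re.search(r"current_peer (\S+)", line):
            cur = peers.setdefault(m.group(1), {"encrypt": 0, "decrypt": 0, "spis": {}})
        elif cur is None:
            continue
        elif m := re.search(r"#pkts encrypt: (\d+)", line):
            cur["encrypt"] = int(m.group(1))
        elif m := re.search(r"#pkts decrypt: (\d+)", line):
            cur["decrypt"] = int(m.group(1))
        elif m := re.search(r"spi: (0x[0-9A-Fa-f]+)", line):
            last_spi = m.group(1)
            cur["spis"][last_spi] = None          # remaining seconds filled in below
        elif (m := re.search(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)", line)) and last_spi:
            cur["spis"][last_spi] = int(m.group(1))
    return peers

def peer_status(peers, peer, lifetime_sec=3600):
    """Classify a peer from one snapshot. lifetime_sec is the assumed configured
    IPsec SA lifetime (IOS default 3600 s); the thread's point is that a missing
    SA means no interesting traffic for at least that long, while counters on a
    live SA only describe activity since that SA was built, not earlier."""
    p = peers.get(peer)
    if p is None or not p["spis"]:
        return "idle: no IPsec SA; no interesting traffic for >= %ds" % lifetime_sec
    remaining = min(v for v in p["spis"].values() if v is not None)
    age = lifetime_sec - remaining                # rough SA age from remaining lifetime
    return "active: SA up ~%ds, encrypt=%d decrypt=%d" % (age, p["encrypt"], p["decrypt"])
```

Taking two snapshots some minutes apart and comparing the encrypt/decrypt counters shows whether traffic is still flowing on an SA that exists; for longer idle windows (the "30 days" question) the only router-side evidence is the repeated absence of any SA across snapshots.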