From: Mike Gauthier on 27 Nov 2007 03:42

On Fri, 16 Nov 2007 03:43:03 -0600, Mike Gauthier wrote:
> On Wed, 14 Nov 2007 02:40:26 -0800, Merv wrote:
>
>> Mike,
>>
>> Please post your results as the Cisco docs are pretty thin when it
>> comes to VTI especially in the presence of NAT.
>>
>> Merv
>
> It's been one fire after another this week (down lines in the
> Philippines, AC out in our lab, etc.). Hopefully I'll get to play
> around on Friday.
>
> MikeG

I was finally able to devote some time to this! YAY!

Here is my bottom line: monitoring VPN status on IOS routers pretty much sucks.

I cannot convert my crypto maps to static VTIs because the crypto ACL cannot be modified. Usually this would not be a big deal, but I do not control the other end of the tunnel. Because of the static VTI's inherent "permit ip any any" encryption domain, this is not an option.

I tried to use dynamic VTIs, but the encryption domain is a problem with this as well. With a DVTI, one can have *ONLY* a single-line crypto ACL. Again, a problem because I do not control the other end of the tunnel.

It really looks to me like it's best if I stick with the crypto map tunnels. They are definitely the most flexible and are pretty much guaranteed to work with whatever may be on the other end (given it does proper IPsec).

So... my new problem. My lab router is running 12.4(17) (c3825-advipservicek9-mz.124-17.bin). I have a working crypto map VPN running. I make the VPN go up. I make the VPN go down (clear crypto session). What happened to the %CRYPTO-5-SESSION_STATUS log messages? They used to show up (I set crazy debugging, but they're gone). I guess this no longer applies?

http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af9.html

How can I monitor these tunnels now without the log entries?

Thanks again for the help Merv. If anyone can shed some light on this, I'd really appreciate it.

MikeG
From: Mike Gauthier on 27 Nov 2007 19:39

On Tue, 27 Nov 2007 02:42:08 -0600, Mike Gauthier wrote:
> On Fri, 16 Nov 2007 03:43:03 -0600, Mike Gauthier wrote:
>
>> On Wed, 14 Nov 2007 02:40:26 -0800, Merv wrote:
>>
>>> Mike,
>>>
>>> Please post your results as the Cisco docs are pretty thin when it
>>> comes to VTI especially in the presence of NAT.
>>>
>>> Merv
>>
>> It's been one fire after another this week (down lines in the
>> Philippines, AC out in our lab, etc.). Hopefully I'll get to play
>> around on Friday.
>>
>> MikeG
>
> I was finally able to devote some time to this! YAY!
>
> Here is my bottom line: monitoring VPN status on IOS routers pretty much
> sucks.
>
> I cannot convert my crypto maps to static VTIs because the crypto ACL
> cannot be modified. Usually this would not be a big deal, but I do not
> control the other end of the tunnel. Because of the static VTI's
> inherent "permit ip any any" encryption domain, this is not an option.
>
> I tried to use dynamic VTIs, but the encryption domain is a problem with
> this as well. With a DVTI, one can have *ONLY* a single-line crypto
> ACL. Again, a problem because I do not control the other end of the
> tunnel.
>
> It really looks to me like it's best if I stick with the crypto map
> tunnels. They are definitely the most flexible and are pretty much
> guaranteed to work with whatever may be on the other end (given it does
> proper IPsec).
>
> So... my new problem. My lab router is running 12.4(17)
> (c3825-advipservicek9-mz.124-17.bin). I have a working crypto map VPN running.
> I make the VPN go up. I make the VPN go down (clear crypto session).
> What happened to the %CRYPTO-5-SESSION_STATUS log messages? They used
> to show up (I set crazy debugging, but they're gone). I guess this no
> longer applies?
>
> http://cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af9.html
>
> How can I monitor these tunnels now without the log entries?
>
> Thanks again for the help Merv. If anyone can shed some light on this,
> I'd really appreciate it.
>
> MikeG

After speaking with TAC and their doing a little research, it turns out that the CRYPTO-5-SESSION_STATUS log messages must be turned on. According to TAC, this doesn't appear to be documented anywhere. Huh... interesting.

conf t
 crypto logging session
end

Mike
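The thread ends with the fix (enable `crypto logging session`) but not with how to consume the messages it restores. The following is an added example, not from the thread or from Cisco, that tracks per-peer tunnel state from forwarded %CRYPTO-5-SESSION_STATUS syslog lines and reports which peers are currently down. The log lines are constructed, the peer addresses and the `Id:` hostname are made up, and the exact whitespace in the real message varies, so the pattern is anchored on the mnemonic rather than the start of the line and is tolerant of spacing. Without `crypto logging session` on the router, the pattern will simply never match, which is exactly the silent failure the thread describes.

```python
"""Track IPsec tunnel state from IOS %CRYPTO-5-SESSION_STATUS syslog lines.

Added example, not code from the thread. Assumes the router forwards syslog
to a collector and has 'crypto logging session' configured; without it the
SESSION_STATUS messages are not emitted at all.
"""
import re
from dataclasses import dataclass, field

# Anchored on the mnemonic, not on the timestamp/hostname prefix, because
# that prefix depends on 'service timestamps' and the syslog receiver.
# '\s*\.\s*' absorbs the padding IOS puts between "UP" and the period.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+Id: (?P<ident>\S+)"
)


@dataclass
class TunnelTracker:
    # peer IPv4 address -> last observed state ("UP" or "DOWN")
    state: dict = field(default_factory=dict)
    # peers that went DOWN and have not been seen coming back UP
    alerts: list = field(default_factory=list)

    def feed(self, line):
        """Consume one syslog line; return (peer, state, id, port) or None."""
        m = SESSION_RE.search(line)
        if not m:
            return None
        peer, new = m.group("peer"), m.group("state")
        old = self.state.get(peer)
        self.state[peer] = new
        if new == "DOWN" and old != "DOWN":
            # First DOWN for this peer (or DOWN after UP): raise an alert.
            self.alerts.append(peer)
        elif new == "UP" and peer in self.alerts:
            # Tunnel recovered: clear the outstanding alert.
            self.alerts.remove(peer)
        return (peer, new, m.group("ident"), m.group("port"))

    def down_peers(self):
        return sorted(p for p, s in self.state.items() if s == "DOWN")


# Constructed sample (addresses are documentation ranges, Id hostname made up):
# 198.51.100.2 flaps and recovers, 203.0.113.9 (NAT-T, port 4500) stays down.
SAMPLE_LOG = """\
Nov 27 02:55:01.123: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 198.51.100.2:500       Id: 198.51.100.2
Nov 27 02:55:03.456: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 203.0.113.9:4500       Id: vpn-remote.example.net
Nov 27 03:10:44.789: %SYS-5-CONFIG_I: Configured from console by console
Nov 27 03:12:10.001: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 198.51.100.2:500       Id: 198.51.100.2
Nov 27 03:12:30.002: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 198.51.100.2:500       Id: 198.51.100.2
Nov 27 03:40:00.003: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 203.0.113.9:4500       Id: vpn-remote.example.net
"""


def analyze(log_text):
    """Run every line through a fresh tracker; return (tracker, events)."""
    tracker = TunnelTracker()
    events = [e for e in (tracker.feed(l) for l in log_text.splitlines()) if e]
    return tracker, events


if __name__ == "__main__":
    tracker, events = analyze(SAMPLE_LOG)
    for peer, state, ident, port in events:
        print("%-15s %-4s id=%s port=%s" % (peer, state, ident, port))
    print("currently down:", tracker.down_peers())
```

The `alerts` list is the hook for whatever the operator actually does about a dead tunnel (page, ticket, or a `show crypto session` check); `down_peers()` is the steady-state view for a dashboard. Because the tracker keys on the peer address, a peer behind NAT that re-keys from a different source port is still one tunnel.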