Cisco Site to Site VPN Monitoring

Curiosityx · 15 Jul 2008 at 17:04

Greetings, we have an issue with a site to site vpn connection that drops out at least once a day, were using an ASA 5510 the other end is a Watchguard X550e.

IKE Phase 1 - 3DES/SHA/
IKE Phase 2 - 3DES/SHA/

Using DH Group 2 and Aggressive Mode.

Does anyone know of a way to monitor the VPN Connection on the ASA and have it log only specific events relating to VPN Dropouts?

Regards

Chief Wiggum · 15 Jul 2008 at 20:19

Hi there,

I've just had a look on my PIX, IIRC it's not that different from an ASA, but I don't have access to it right now....
via the ASDM:
click configure
click the properties, expand logging, click logging filter
logging to syslog: edit
you can add an event list that will allow you to filter VPN events

Note: that will stop it from syslogging other stuff through.

Is it dropping while it's passing traffic? If not, it could be jsut timing out as there isn't traffic passing?

Kev

bigredshark · 15 Jul 2008 at 20:22

I'd just syslog everything, then script a filter on your syslog server to pick out the events...

Tui · 15 Jul 2008 at 20:57

When the VPN drops, what do you need to do to get it back up again?

Check that the settings of each endpoint is the same - there are options that if set at one end will allow a tunnel to be established if initiated by the other end, but not the other. Look specifically at the security lifetimes and if PFS is being used.

! log debug output
logging debug-trace
! debug phase 1
debug crypto isakmp 127
! debug phase 2
debug crypto ipsec 127

To stop, just begin each command with no

Chief Wiggum · 15 Jul 2008 at 21:44

I've always found that I can't get phase 2 if PFS is being used at one end? :confused:

Curiosityx · 16 Jul 2008 at 10:23

Cheers for the replies guys, initially the connection was configured for Main Mode with no DF Group used i have since changed this to aggressive DH Group 2 and enabled PFS, which seems to have helped somewhat, im thinking that the SA Lifetime may need to be extended, it is a little difficult not being able to see the connection from both ends.

I have checked that the settings are the same at both ends of the tunnel which was staying up for the majority of the day, havent yet checked back since making the changes.

Traffic is being passed consistently when the tunnel is up.