How to check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel
Resolution
Overview
This document can be used to verify the status of an IPSEC tunnel, validate tunnel monitoring, clear the tunnel, and restore the tunnel.
Details
1. Initiate VPN ike phase1 and phase2 SA manually.
The VPN tunnel is negotiated only when there is interesting traffic destined for the tunnel (on-demand).
To initiate the tunnel manually without actual traffic, use the commands below.
Note: Manual initiation is possible only from the CLI.
> test vpn ike-sa gateway <name>
Start time: Dec.04 00:03:37
Initiate 1 IKE SA.

> test vpn ipsec-sa tunnel <name>
Start time: Dec.04 00:03:41
Initiate 1 IPSec SA.
2. Check IKE phase 1 status (IKEv1)
GUI:
Navigate to Network->IPSec Tunnels
GREEN indicates up
RED indicates down
You can click on the IKE info to get the details of the Phase1 SA.
IKE phase 1 SA up:
If the IKE phase 1 SA is down, the IKE Info dialog is empty.
CLI:
IKE phase 1 SA up:
> show vpn ike-sa gateway <name>
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm             Established      Expiration       V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------             -----------      ----------       -   --  --  ------
38              203.0.113.100  ike-gw        Init  Main  PSK/DH20/A256/SHA512  Dec.03 22:37:01  Dec.04 06:37:01  v1  13  1   1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
Gateway Name  TnID  Tunnel                  GwID/IP  Role  Algorithm       SPI(in)   SPI(out)  MsgID     ST  Xt
------------  ----  ------                  -------  ----  ---------       -------   --------  -----     --  --
ike-gw        139   ipsec-tunnel:lab-proxy  38       Init  ESP/DH20/tunl/  A25ADE56  C79A64B7  B3E9927A  9   1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

There is no IKEv2 SA found.
IKE phase 1 SA down:
> show vpn ike-sa gateway <name>
There is no IKEv1 phase-1 SA found.
OR
> show vpn ike-sa gateway <name>
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address   Gateway Name  Role  Mode  Algorithm  Established  Expiration  V   ST  Xt  Phase2
--------------  ------------   ------------  ----  ----  ---------  -----------  ----------  -   --  --  ------
38              203.0.113.100  ike-gw        Init  Main  PSK/ / /                            v1  3   2   0

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
If the phase 1 SA is down, the peer IP and the Established status are not shown.
For IKEv2, the IKE Info dialog looks the same when you click on IKE Info.
GUI:
IKEv2 CLI:
> show vpn ike-sa gateway <name>
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.

IKEv2 SAs
Gateway ID  Peer-Address   Gateway Name  Role  SN  Algorithm             Established      Expiration       Xt  Child  ST
----------  ------------   ------------  ----  --  ---------             -----------      ----------       --  -----  --
38          203.0.113.100  ike-gw        Resp  2   PSK/DH20/A256/SHA512  Dec.04 00:10:58  Dec.04 08:10:58  0   1      Established

IKEv2 IPSec Child SAs
Gateway Name  TnID  Tunnel                     ID  Parent  Role  SPI(in)   SPI(out)  MsgID     ST
------------  ----  ------                     --  ------  ----  -------   --------  -----     --
ike-gw        139   ipsec-tunnel:lab-proxyid1  2   2       Resp  DA76A187  9E1E9372  00000001  Mature

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.
3. Check whether the phase 2 IPSec tunnel is up:
GUI:
Navigate to Network->IPSec Tunnels
GREEN indicates up
RED indicates down
You can click on the Tunnel info to get the details of the Phase2 SA.
CLI:
> show vpn ipsec-sa tunnel <name>
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
38 139 203.0.113.100 ipsec-tunnel:lab-proxyid1(ike-gw) ESP/G256/ F2B7CEF0 F248D17B 2269/0
4. Check Encryption and Decryption (encap/decap) across tunnel
Find the tunnel ID using the command below:
> show vpn flow
total tunnels configured:                        1
filter - type IPSec, state any

total IPSec tunnel configured:                   1
total IPSec tunnel shown:                        1

id    name                        state   monitor  local-ip        peer-ip        tunnel-i/f
--    ----                        -----   -------  --------        -------        ----------
139   ipsec-tunnel:lab-proxyid1   active  off      198.51.100.100  203.0.113.100  tunnel.1
Note: For tunnel monitoring, a monitor status of down indicates that the monitored destination IP is not reachable; off indicates that tunnel monitoring is not configured.
Note the tunnel ID; in this example it is 139.
> show vpn flow tunnel-id 139

tunnel  ipsec-tunnel:lab-proxyid1
        id:                     139
        type:                   IPSec
        gateway id:             38
        local ip:               198.51.100.100
        peer ip:                203.0.113.100
        inner interface:        tunnel.1
        outer interface:        ethernet1/1
        state:                  active
        session:                568665
        tunnel mtu:             1432
        soft lifetime:          3579
        hard lifetime:          3600
        lifetime remain:        2154 sec
        lifesize remain:        N/A
        latest rekey:           1446 seconds ago
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       736
        local spi:              F2B7CEF0
        remote spi:             F248D17B
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA512
        enc algorithm:          AES256GCM16
        proxy-id:
          local ip:             10.133.133.0/24
          remote ip:            10.134.134.0/24
          protocol:             0
          local port:           0
          remote port:          0
        anti replay check:      yes
        copy tos:               no
        enable gre encap:       no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired: 0
          when lifesize expired: 0
        sending sequence:       4280
        receive sequence:       4280
        encap packets:          8153
        decap packets:          8153
        encap bytes:            717464
        decap bytes:            717464
        key acquire requests:   90
        owner state:            0
        owner cpuid:            s1dp0
        ownership:              1
Run show vpn flow tunnel-id <id> several times to see the trend in the counter values.
Steady increments in authentication errors, decryption errors, or replay packets indicate a problem with the tunnel traffic.
When traffic flows normally across the tunnel, the encap/decap packet and byte counters increment.
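The trend check described above, as an added example that is not part of the original article: two constructed samples in the show vpn flow tunnel-id key/value layout are parsed and compared, flagging growth in the error counters, a monitor status of down, and, as an extra heuristic beyond the article's text, traffic moving in only one direction.

```python
import re
# Constructed samples in the "show vpn flow tunnel-id <id>" key/value layout
# shown above, taken at two points in time; not captures from a real firewall.
SAMPLE_T0 = """\
        state:                  active
        monitor:                off
        authentication errors:  0
        decryption errors:      0
        replay packets:         0
        encap packets:          8153
        decap packets:          8153
"""
SAMPLE_T1 = """\
        state:                  active
        monitor:                off
        authentication errors:  12
        decryption errors:      0
        replay packets:         0
        encap packets:          8400
        decap packets:          8153
"""
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(\S.*?)\s*$")
ERROR_COUNTERS = ("authentication errors", "decryption errors", "replay packets")

def parse_flow(text):
    """Turn the 'key: value' lines into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2)
            fields[key] = int(val) if val.isdigit() else val
    return fields

def assess(before, after):
    """Compare two samples of the same tunnel; return findings (empty = healthy)."""
    findings = []
    if after.get("state") != "active":
        findings.append("tunnel state is %s" % after.get("state"))
    if after.get("monitor") == "down":          # monitored destination unreachable
        findings.append("tunnel monitor reports down")
    for k in ERROR_COUNTERS:                    # any growth here is a problem
        delta = after.get(k, 0) - before.get(k, 0)
        if delta > 0:
            findings.append("%s increased by %d" % (k, delta))
    enc = after.get("encap packets", 0) - before.get("encap packets", 0)
    dec = after.get("decap packets", 0) - before.get("decap packets", 0)
    if (enc > 0) != (dec > 0):                  # only one direction moving
        findings.append("one-way traffic: encap +%d, decap +%d" % (enc, dec))
    return findings
```

Feed it consecutive captures of the real command output (the parser ignores lines that are not key/value pairs) and act on any non-empty findings list.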
5. Clear
The following commands tear down the VPN tunnel:
> clear vpn ike-sa gateway <gw-name>
Delete IKEv1 IKE SA: Total 1 gateways found.
> clear vpn ipsec-sa tunnel <tunnel-name>
Delete IKEv1 IPSec SA: Total 1 tunnels found.