VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring Release 3.1 August 2001 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
CONTENTS
Preface ix
Audience ix
Prerequisites x
Organization x
Related Documentation xii
Conventions xiv
Obtaining Documentation xvi
Obtaining Technical Assistance xvii
PART 1 Administration
CHAPTER 1 Administration 1-1
  Administration 1-1
CHAPTER 2 Administer Sessions 2-1
  Administer Sessions 2-1
  Administer Sessions | Detail 2-7
CHAPTER 3 Software Update 3-1
  Software Update 3-1
  Software Update | Concentrator
  Software Update | Clients
CHAPTER 4 System Reboot 5
CHAPTER 7 Access Rights 7-1
  Access Rights 7-1
  Access Rights | Administrators 7-2
  Access Rights | Administrators | Modify Properties 7-4
  Access Rights | Access Control List 7-7
  Access Rights | Access Control List | Add or Modify 7-9
  Access Rights | Access Settings 7-11
  Access Rights | AAA Servers 7-13
  Access Rights | AAA Servers | Authentication 7-14
  Access Rights | AAA Servers | Add or Modify 7-16
  Access Rights | AAA Servers | Test 7-18
  Access Rights | AAA Servers | Authentica
PART 2 Monitoring
CHAPTER 10 Monitoring 10-1
  Monitoring 10-1
CHAPTER 11 Routing Table 11-1
  Routing Table 11-1
CHAPTER 12 Filterable Event Log 12-1
  Filterable Event Log 12-1
  Live Event Log 12-6
CHAPTER 13 System Status 13-1
  System Status 13-1
  System Status | Ethernet Interface 13-5
  System Status | Dual T1/E1 WAN Slot N 13-8
  System Status | Power 13-13
  System Status | SEP 13-15
  System Status | LED Status 13-21
CHAPTER 14 Sessions 14-1
  Sessions 14-1
  Sessions |
CHAPTER 15 Statistics 15-1
  Statistics 15-1
  Statistics | PPTP 15-3
  Statistics | L2TP 15-7
  Statistics | IPSec 15-11
  Statistics | HTTP 15-18
  Statistics | Events 15-21
  Statistics | Telnet 15-23
  Statistics | DNS 15-25
  Statistics | Authentication 15-26
  Statistics | Accounting 15-28
  Statistics | Filtering 15-30
  Statistics | VRRP 15-32
  Statistics | SSL 15-35
  Statistics | DHCP 15-37
  Statistics | Address Pools 15-38
  Statistics | SSH 15-40
  Statistics | Load Balancing
  Statistics |
APPENDIX A Using the Command-Line Interface A-1
APPENDIX B Troubleshooting and System Errors B-1
APPENDIX C Copyrights, Licenses, and Notices C-1
INDEX
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring 78-13274-01 vii
Preface The VPN Concentrator provides an HTML-based graphic interface, called the VPN Concentrator Manager, that allows you to configure, administer, and monitor your device easily. The VPN Concentrator Manager has three sets of screens that correspond to these tasks: Configuration screens, Administration screens, and Monitoring screens. VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring is the second in the two volume VPN 3000 Series Concentrator Reference.
Preface Prerequisites Prerequisites We assume you have read the VPN 3000 Series Concentrator Getting Started manual, set up your VPN Concentrator, and followed the minimal configuration steps in quick configuration. Organization Note This guide is the second volume of the complete VPN Concentrator Manager reference. It documents only administration and monitoring tasks. For information on configuring your VPN Concentrator, refer to VPN 3000 Series Concentrator Reference Volume I: Configuration.
Preface Organization Chapter Title Description Chapter 9 Certificate Management Explains how to manage digital certificates. It describes how to create a certificate request to enroll with a Certificate Authority (CA); how to install certificates on the VPN Concentrator; how to view, delete, and generate certificates; and how to configure revocation checking. Part Two Monitoring Chapter 10 Monitoring Explains how to access the Monitoring screens.
Preface Related Documentation Related Documentation Refer to the following documents for further information about Cisco VPN applications and products. VPN 3000 Series Concentrator Documentation The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration.
Preface Related Documentation Documentation on VPN Software Distribution CDs The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation is included on the VPN Client software distribution CD-ROM, also in PDF format.
Conventions
This document uses the following conventions:
boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
^: The symbol ^ represents the key labeled Control.
Data Formats
As you configure and manage the system, enter data in the following formats unless the instructions indicate otherwise:
IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.
Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.
Preface Obtaining Documentation Obtaining Documentation The following sections provide sources for obtaining documentation from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: • http://www.cisco.com • http://www-china.cisco.com • http://www-europe.cisco.com Documentation CD-ROM Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product.
Preface Obtaining Technical Assistance To submit your comments by mail, for your convenience many documents contain a response card behind the front cover. Otherwise, you can mail your comments to the following address: Cisco Systems, Inc. Document Resource Connection 170 West Tasman Drive San Jose, CA 95134-9883 We appreciate your comments. Obtaining Technical Assistance Cisco provides Cisco.com as a starting point for all technical assistance.
Preface Obtaining Technical Assistance Technical Assistance Center The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract. Contacting TAC by Using the Cisco TAC Website If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website: http://www.cisco.
P A R T 1 Administration
C H A P T E R 1 Administration Administering the VPN 3000 Concentrator Series involves activities that keep the system operational and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN device, but administration involves higher level activities such as who is allowed to configure the system, and what software runs on it. Only administrators can use the VPN Concentrator Manager.
Administration
This section of the Manager lets you control administrative functions on the VPN Concentrator:
• Administer Sessions: View statistics for, log out, and ping sessions.
• Software Update:
  – Concentrator: Upload and update the VPN Concentrator software image.
  – Clients: Upload and update the VPN client software image.
• System Reboot: Set options for VPN Concentrator shutdown and reboot.
• Ping: Use ICMP ping to determine connectivity.
C H A P T E R 2 Administer Sessions Administration | Administer Sessions This screen shows comprehensive statistics for all active sessions on the VPN Concentrator. You can also click the name of a session to see detailed parameters and statistics for that session. See Administration | Sessions | Detail.
Chapter 2 Administer Sessions Administration | Administer Sessions Refresh To refresh the statistics, click Refresh. Group Choose a group from the menu to monitor statistics for that group only. The default is --All-- which displays statistics for all groups.
Chapter 2 Administer Sessions Administration | Administer Sessions Session Summary table This table shows summary totals for LAN-to-LAN, remote access, and management sessions. A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one tunnel = one session. However, one IPSec LAN-to-LAN tunnel counts as one session, but it allows many host-to-host connections through the tunnel.
Chapter 2 Administer Sessions Administration | Administer Sessions LAN-to-LAN Sessions table This table shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session here identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within the tunnel. [ Remote Access Sessions | Management Sessions ] Click these active links to go to the other session tables on this Manager screen. Connection Name The name of the IPSec LAN-to-LAN connection.
Chapter 2 Administer Sessions Administration | Administer Sessions Public IP Address The public IP address of the client for this remote-access session. This is also known as the “outer” IP address. It is typically assigned to the client by the ISP, and it lets the client function as a host on the public network. Assigned IP Address The private IP address assigned to the remote client for this session.
Protocol, Encryption, Login Time, Duration, Actions
See Table 2-1 for definitions of these parameters.
Table 2-1 Parameter definitions for Administration | Administer Sessions Screen
Protocol: The protocol this session is using. Console indicates a direct connection through the Console port on the system.
Encryption: The data encryption algorithm this session is using, if any.
Chapter 2 Administer Sessions Administration | Administer Sessions | Detail Administration | Administer Sessions | Detail These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol.
Figure 2-4 Administration | Administer Sessions | Detail Screen: IPSec Remote Access User
Figure 2-5 Administration | Administer Sessions | Detail Screen: IPSec Through NAT
Figure 2-6 Administration | Administer Sessions | Detail Screen: L2TP
Figure 2-7 Administration | Administer Sessions | Detail Screen: L2TP Over IPSec
Chapter 2 Administer Sessions Administration | Administer Sessions | Detail Figure 2-8 Administration | Administer Sessions | Detail Screen: PPTP Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Back to Sessions To return to the Administration | Administer Sessions screen, click Back to Sessions.
Administration | Administer Sessions | Detail Parameters
Table 2-2 Parameter Definitions for Administration | Administer Sessions | Detail Screens
Assigned IP Address: The private IP address assigned to the remote client for this session. This is also known as the “inner” or “virtual” IP address, and it lets the client appear to be a host on the private network.
Table 2-2 Parameter Definitions for Administration | Administer Sessions | Detail Screens (continued)
Login Time: The date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.
Perfect Forward Secrecy Group: The Diffie-Hellman algorithm and key size used to generate IPSec SA encryption keys using Perfect Forward Secrecy.
C H A P T E R 3 Software Update Administration | Software Update This section of the Manager lets you update the VPN Concentrator executable system software and the VPN Client software.
Chapter 3 Software Update Administration | Software Update | Concentrator Administration | Software Update | Concentrator This process uploads the executable system software to the VPN Concentrator, which then verifies the integrity of the software image. The new image file must be accessible by the workstation you are using to manage the VPN Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or patched versions are available from the Cisco website, www.cisco.
Chapter 3 Software Update Administration | Software Update | Concentrator Current Software Revision The name, version number, and date of the software image currently running on the system. Browse... Enter the complete pathname of the new image file, or click Browse... to find and select the file from your workstation or network. Cisco-supplied VPN 3000 Concentrator software image files are named: • For model 3005 = vpn3005-...-k9.bin.
Chapter 3 Software Update Administration | Software Update | Concentrator Software Update Success The Manager displays this screen when it completes the software upload and verifies the integrity of the software. To go to the Administration | System Reboot screen, click the highlighted link. We strongly recommend that you clear the cache of your browser after you update the software image: delete all the browser’s temporary internet files, history files, and location bar references.
Administration | Software Update | Clients
Figure 3-6 Administration | Software Update | Clients Screen
Group
Lets you select the VPN 3002 Hardware Client group for this update (the automatic update feature works on a group basis). The default is --All--, which lets you update the software for all groups. The Concentrator updates clients by group, in batches of ten, at 5-minute intervals.
C H A P T E R 4 System Reboot Administration | System Reboot This screen lets you reboot or shut down (halt) the VPN Concentrator with various options. Caution We strongly recommend that you shut down the VPN Concentrator before you turn power off. If you just turn power off without shutting down, you may corrupt flash memory and affect subsequent operation of the system. If you are logged in to the Manager when the system reboots or halts, it automatically logs you out and displays the main login screen.
Chapter 4 System Reboot Administration | System Reboot Figure 4-1 Administration | System Reboot Screen Action Click a radio button to select the desired action. You can select only one action. • Reboot = Reboot the VPN Concentrator. Rebooting terminates all sessions, resets the hardware, loads and verifies the software image, executes system diagnostics, and initializes the system. A reboot takes about 60-75 seconds. (This is the default selection.
Chapter 4 System Reboot Administration | System Reboot Configuration Click a radio button to select the configuration file handling at reboot. These selections apply to reboot only. You can select only one option. • Save the active configuration at time of reboot = Save the active configuration to the CONFIG file, and reboot using that new file. • Reboot without saving the active configuration = Reboot using the existing CONFIG file and without saving the active configuration.
C H A P T E R 5 Ping Administration | Ping This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity. Specifically, the VPN Concentrator sends an ICMP Echo Request message to a designated host. If the host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the host is not reachable, the Manager displays an Error screen. You can also ping hosts from the Administration | Sessions screen.
Chapter 5 Ping Administration | Ping Success (Ping) If the system is reachable, the Manager displays a Success screen with the name of the tested host. Figure 5-2 Administration | Ping | Success Screen Continue To return to the Administration | Ping screen, click Continue.
C H A P T E R 6 Monitoring Refresh Administration | Monitoring Refresh This screen lets you enable automatic refresh of all status and statistics screens in the Monitoring section of the VPN Concentrator Manager except the Event Log. Figure 6-1 Administration | Monitoring Refresh Screen Enable To enable automatic refresh, check the Enable check box. The box is unchecked by default. Refresh Period Enter the refresh period in seconds. The minimum period is 1 second. The default period is 30 seconds.
Chapter 6 Monitoring Refresh Administration | Monitoring Refresh Apply / Cancel To save your settings in the active configuration, click Apply. The Manager goes to the main Administration screen. Reminder: To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window. To discard your settings, click Cancel. The Manager goes to the main Administration screen.
C H A P T E R 7 Access Rights
Administration | Access Rights
This section of the Manager lets you configure and control administrative access to the VPN Concentrator.
• Administrators: Configure administrator usernames, passwords, and rights.
• Access Control List: Configure IP addresses for workstations with access rights.
• Access Settings: Set administrative session timeout and limits.
• AAA Servers: Set administrative authentication using TACACS+.
Chapter 7 Access Rights Administration | Access Rights | Administrators Administration | Access Rights | Administrators Administrators are special users who can access and change the configuration, administration, and monitoring functions on the VPN Concentrator. Only administrators can use the VPN Concentrator Manager. Cisco provides five predefined administrators: • 1 - admin = System administrator with access to, and rights to change, all areas. This is the only administrator enabled by default.
Chapter 7 Access Rights Administration | Access Rights | Administrators Group Number This is a reference number for the administrator. Cisco assigns these numbers so you can refer to administrators by groups of properties. The numbers cannot be changed. Username The username, or login name, of the administrator. You can change this name on the Administration | Access Rights | Administrators | Modify Properties screen. Note The default passwords that Cisco supplies are the same as the usernames.
Chapter 7 Access Rights Administration | Access Rights | Administrators | Modify Properties Administration | Access Rights | Administrators | Modify Properties This screen lets you modify the username, password, and rights for an administrator. Any changes affect new sessions as soon as you click Apply or Default. Figure 7-3 Administration | Access Rights | Administrators | Modify Properties Screen Table 7-1 shows the matrix of Cisco-supplied default rights for the five administrators.
Chapter 7 Access Rights Administration | Access Rights | Administrators | Modify Properties Username Enter or edit the unique username for this administrator. The maximum length is 31 characters. Password Enter or edit the unique password for this administrator. The maximum length is 31 characters. The field displays only asterisks. Note The default password that Cisco supplies is the same as the username. We strongly recommend that you change this password. Verify Re-enter the password to verify it.
Chapter 7 Access Rights Administration | Access Rights | Administrators | Modify Properties SNMP This parameter governs limited changes to the VPN Concentrator Manager via SNMP, using a network management system. In other words, it determines what the administrator can do via SNMP. Files This parameter governs rights to access and manage files in VPN Concentrator Flash memory, and to save the active configuration in a file. (Flash memory acts like a disk.
Chapter 7 Access Rights Administration | Access Rights | Access Control List Administration | Access Rights | Access Control List This section of the Manager lets you configure and prioritize the systems (workstations) that are allowed to access the VPN Concentrator Manager. For example, you might want to allow access only from one or two PCs that are in a locked room.
Manager Workstations
The Manager Workstations list shows the configured workstations that are allowed to access the VPN Concentrator Manager, in priority order. Each entry shows the priority number, IP address/mask, and administrator group number, for example: 1. 10.10.1.35/255.255.255.255 Group=1. If no workstations have been configured, the list shows --Empty--.
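The list above is an ordered IP/mask access list: the first entry whose address and subnet mask cover the connecting workstation decides which administrator group (or No Access) applies. The following Python is an added example, not Cisco code or output from the Concentrator: it parses entries in the `1. 10.10.1.35/255.255.255.255 Group=1` form shown here, validates the dotted-decimal formats from the Data Formats table (four bytes, leading zeros optional, mask bits contiguous), and evaluates a lookup in priority order. The sample entries are constructed; spelling a No Access entry as `Group=None` and denying an address that matches no entry are assumptions of this example, not behaviour stated on this page.

```python
"""Ordered IP/mask access list for Manager workstations (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import List, Optional


def parse_dotted(text: str) -> int:
    """Parse 4-byte dotted decimal (e.g. 192.168.12.34) into a 32-bit int.

    Leading zeros in a byte position may be present or omitted; anything that is
    not exactly four decimal bytes in 0..255 is rejected rather than guessed.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted-decimal bytes: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or int(part) > 255:
            raise ValueError(f"byte out of range in {text!r}: {part!r}")
        value = (value << 8) | int(part)
    return value


def format_dotted(value: int) -> str:
    """Inverse of parse_dotted."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_subnet_mask(mask: int) -> bool:
    """A subnet mask is a run of 1 bits followed only by 0 bits (255.255.0.255 is not one)."""
    inverted = ~mask & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def wildcard_from_subnet_mask(mask: str) -> str:
    """Wildcard masks use the same notation with the bits inverted: 255.255.255.0 -> 0.0.0.255."""
    value = parse_dotted(mask)
    if not is_subnet_mask(value):
        raise ValueError(f"not a subnet mask: {mask}")
    return format_dotted(~value & 0xFFFFFFFF)


@dataclass(frozen=True)
class AclEntry:
    priority: int
    network: int          # address with host bits cleared
    mask: int
    group: Optional[int]  # administrator group number; None means No Access


# "1. 10.10.1.35/255.255.255.255 Group=1" is the entry format shown on this page.
# "Group=None" for a No Access entry is this example's own convention (assumption).
ENTRY_RE = re.compile(r"^(\d+)\.\s+([^/\s]+)/(\S+)\s+Group=(\S+)$")


def parse_entry(line: str) -> AclEntry:
    """Parse one list entry; a non-contiguous mask is a configuration error, not a match-all."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised entry: {line!r}")
    priority, addr_text, mask_text, group_text = match.groups()
    mask = parse_dotted(mask_text)
    if not is_subnet_mask(mask):
        raise ValueError(f"entry {priority}: {mask_text} is not a subnet mask")
    group = None if group_text.lower() == "none" else int(group_text)
    return AclEntry(int(priority), parse_dotted(addr_text) & mask, mask, group)


def load_acl(lines: List[str]) -> List[AclEntry]:
    """Parse the list and reject duplicate priorities, which would make the match order ambiguous."""
    entries = [parse_entry(line) for line in lines if line.strip()]
    priorities = [e.priority for e in entries]
    if len(set(priorities)) != len(priorities):
        raise ValueError("duplicate priority numbers in access control list")
    return sorted(entries, key=lambda e: e.priority)


def lookup(acl: List[AclEntry], source_ip: str) -> Optional[int]:
    """Return the administrator group granted to source_ip, or None for No Access.

    The first entry in priority order whose network/mask covers the address decides.
    How the Concentrator treats an address that matches nothing is not stated on this
    page; this example denies it (assumption).
    """
    ip = parse_dotted(source_ip)
    for entry in sorted(acl, key=lambda e: e.priority):
        if (ip & entry.mask) == entry.network:
            return entry.group
    return None


# Constructed sample list (not taken from a real device).
SAMPLE_ACL_LINES = [
    "1. 10.10.1.35/255.255.255.255 Group=1",  # one locked-room PC gets full admin rights
    "2. 10.10.1.0/255.255.255.0 Group=2",     # the rest of that subnet gets group 2
    "3. 10.0.0.0/255.0.0.0 Group=None",       # everything else in 10/8 is explicitly denied
]
SAMPLE_ACL = load_acl(SAMPLE_ACL_LINES)

if __name__ == "__main__":
    for ip in ("10.10.1.35", "10.10.1.77", "10.20.3.4", "192.168.12.34"):
        print(f"{ip:>15} -> group {lookup(SAMPLE_ACL, ip)}")
```

Because the first match wins, a broad entry placed ahead of a narrow one silently shadows it; sorting by priority and refusing duplicate priority numbers keeps that order unambiguous, and rejecting non-contiguous masks stops a typo such as 255.255.0.255 from granting wider access than intended.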
Chapter 7 Access Rights Administration | Access Rights | Access Control List | Add or Modify Administration | Access Rights | Access Control List | Add or Modify These screens let you: • Add a manager workstation to the list of those that are allowed to access the VPN Concentrator Manager. • Modify a previously configured workstation that is allowed to access the VPN Concentrator Manager.
Chapter 7 Access Rights Administration | Access Rights | Access Control List | Add or Modify Access Group To assign rights of an administrator group to this IP address, click the appropriate radio button. The default choice is Group 1 (admin). You can assign only one group, or you can specify No Access. Add or Apply / Cancel To add this workstation to the list, click Add. Or to apply your changes to this workstation, click Apply. Both actions include your entry in the active configuration.
Chapter 7 Access Rights Administration | Access Rights | Access Settings Administration | Access Rights | Access Settings This screen lets you configure general options for administrator access to the VPN Concentrator Manager. Figure 7-6 Administration | Access Rights | Access Settings Screen Session Idle Timeout Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period, the VPN Concentrator Manager session terminates. The minimum period is 1 second.
Chapter 7 Access Rights Administration | Access Rights | Access Settings Encrypt Config File To encrypt sensitive entries in the CONFIG file, check the Encrypt Config File check box (default). The CONFIG file is in ASCII text format (.INI format). Check this box to encrypt entries such as passwords, keys, and user information. To use clear text for all CONFIG file entries, clear the box. For maximum security, we do not recommend this option.
Chapter 7 Access Rights Administration | Access Rights | AAA Servers Administration | Access Rights | AAA Servers This section lets you configure AAA servers to authenticate administrators for this VPN Concentrator. Before you configure a TACACS+ server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.
Chapter 7 Access Rights Administration | Access Rights | AAA Servers | Authentication Administration | Access Rights | AAA Servers | Authentication The Manager displays the Administration | Access Rights | AAA Servers | Authentication screen. This screen lets you add, modify, delete, or change the priority order of TACACS+ administrator authentication servers.
Chapter 7 Access Rights Administration | Access Rights | AAA Servers | Authentication Add / Modify / Delete / Move / Test To configure and add a new TACACS server, click Add. The Manager opens the Administration | Access Rights | AAA Servers | Add screen. To modify parameters for an authentication server that has been configured, select the server from the list and click Modify. The Manager opens the Administration | Access Rights | AAA Servers | Modify screen.
Chapter 7 Access Rights Administration | Access Rights | AAA Servers | Add or Modify Administration | Access Rights | AAA Servers | Add or Modify These screens let you add or modify TACACS+ administration authentication servers. Figure 7-9 Administration | Access Rights | AAA Servers | Add or Modify Screens Authentication Server Enter the IP address or host name of the RADIUS authentication server, for example: 192.168.12.34. The maximum length is 32 characters.
Retries
Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next TACACS+ authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
Administration | Access Rights | AAA Servers | Test
This screen lets you test a configured TACACS+ server to determine that:
• The VPN Concentrator is communicating properly with the TACACS+ server.
• The server correctly authenticates a valid administrator.
• The server correctly rejects an invalid user.
Caution Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface.
Chapter 7 Access Rights Administration | Access Rights | AAA Servers | Authentication Success Administration | Access Rights | AAA Servers | Authentication Success If the authentication succeeds, the Manager displays a Success screen. Figure 7-11 Administration | Access Rights | AAA Servers | Authentication Success Screen Continue To return to the Administration | Access Rights | AAA Servers screen, click Continue.
Chapter 7 Access Rights Administration | Access Rights | AAA Servers | Authentication Error Administration | Access Rights | AAA Servers | Authentication Error If the authentication is unsuccessful for any reason—invalid username or password, no active server, etc.—the Manager displays an Error screen.
C H A P T E R 8 File Management
Administration | File Management
This section of the Manager lets you manage files in VPN Concentrator Flash memory. (Flash memory acts like a disk.)
• Files: Copy, view, and delete system files.
• Swap Configuration Files: Swap backup and boot configuration files.
• TFTP Transfer: Use TFTP to transfer files to and from the VPN Concentrator.
• File Upload: Use HTTP to transfer files to the VPN Concentrator.
Chapter 8 File Management Administration | File Management | Files Administration | File Management | Files This screen lets you manage files in VPN Concentrator Flash memory. (Flash memory acts like a disk.) Such files include CONFIG, CONFIG.BAK, LOGNNNNN.TXT files, and copies of them that you have saved under different names. The screen shows a table listing all files in Flash memory, one file per table row. Use the frame scroll controls (if present) to display more files in the table.
Chapter 8 File Management Administration | File Management | Files Date/Time The date and time the file was created. The format is MM/DD/YY HH:MM:SS, with time in 24-hour notation. For example, 05/07/99 15:20:24 is May 7, 1999 at 3:20:24 PM. Actions For a selected file, click the desired action link. The actions available to you depend on your Access Rights to Files; see the Administration | Access Rights | Administrators | Modify Properties screen. View (Save) To view the selected file, click View.
Chapter 8 File Management Administration | File Management | Swap Configuration Files Administration | File Management | Swap Configuration Files This screen lets you swap the boot configuration file with the backup configuration file. Every time you save the active configuration, the system writes it to the CONFIG file, which is the boot configuration file; and it saves the previous CONFIG file as CONFIG.BAK, the backup configuration file.
Chapter 8 File Management

Administration | File Management | TFTP Transfer

This screen lets you use TFTP (Trivial File Transfer Protocol) to transfer files to and from VPN Concentrator Flash memory. (Flash memory acts like a disk.) The VPN Concentrator acts as a TFTP client for these functions, accessing a TFTP server running on a remote system. All transfers are made in binary (octet) mode, and they copy—rather than move—files.

TFTP Server File
Enter the name of the file on the remote system. This filename must conform to the naming conventions applicable to the remote system. Do not include a path; the configuration of the remote TFTP server determines the location (path) of the file.

Caution
If either filename is the same as an existing file, TFTP overwrites the existing file without asking for confirmation.

OK / Cancel
To transfer the file, click OK.

Error (TFTP)
If the TFTP transfer is unsuccessful for any reason—no such file, incorrect action, remote system unreachable, TFTP server not running, incorrect server address, etc.—the Manager displays an Error screen.

Figure 8-6 Administration | File Management | TFTP Transfer | Error Screen

To return to the Administration | File Management | TFTP Transfer screen, click Retry the operation.

Administration | File Management | File Upload

This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your PC—or a system accessible from your PC—to the VPN Concentrator Flash memory. This function provides special handling for configuration (config) files. If the uploaded file has the VPN Concentrator filename config, the system deletes any existing config.

File Upload Progress
This window shows the progress of the file upload. It refreshes the number of bytes transferred at 10-second intervals.

Figure 8-8 Administration | File Management | File Upload Progress Window

When the upload is finished, or if the upload is cancelled, the progress window closes.

File Upload Success
The Manager displays this screen to confirm that the file upload was successful.

File Upload Error
The Manager displays this screen if there was an error during the file upload and the transfer was not successful. Flash memory might be full, or the file transfer might have been interrupted or cancelled.
Chapter 9 Certificate Management

Administration | Certificate Management

This section of the Manager lets you manage digital certificates:
• Enrollment: Create a certificate request to enroll with a Certificate Authority (CA).
• Installation: Install certificates on the VPN Concentrator.
• Certificates: View, delete, configure revocation checking, and generate certificates.

Digital certificates are a form of digital identification used for authentication. For information on using SSL certificates, see the “Installing the SSL Certificate in your Browser” section in Chapter 1. See also Configuration | System | Management Protocols | HTTP/HTTPS and Telnet, and Configuration | System | Management Protocols | SSL. Digital certificates carry a timestamp that determines a time frame for their validity.

Administration | Certificate Management | Enrollment

This screen lets you generate a certificate request to send to a CA (Certificate Authority), to enroll the VPN Concentrator in a PKI. The entries you make on this screen are governed by PKI standards and practices. The fields conform to ITU-T Recommendation X.520: Selected Attribute Types.

Common Name (CN)
Enter the name for the VPN Concentrator that identifies it in the PKI, for example: Engineering VPN. Spaces are allowed. You must enter a name in this field. If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this VPN Concentrator, for example: 10.10.147.2.

Subject Alternative Name (FQDN)
Enter the fully qualified domain name for this VPN Concentrator that identifies it in this PKI, for example: vpn3030.cisco.com. This field is optional. The alternative name is an additional data field in the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN connections.

Administration | Certificate Management | Enrollment | Request Generated

The Manager displays this screen when the system has successfully generated a certificate request. The request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most CAs recognize or require.

Enrolling with a Certificate Authority
To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps. (These are cut-and-paste steps; your CA might follow different procedures. In any case, you must end up with certificates saved as text files on your PC or other reachable network host.)

Administration | Certificate Management | Installation

This Manager screen lets you install digital certificates on the VPN Concentrator. You can install certificates obtained via enrollment with a CA in a PKI (where the private key is generated on—and stays hidden on—the VPN Concentrator), or you can install certificates imported along with the private key from some source (PKCS-12 format).

Certificate Type
Click the Certificate Type drop-down menu button and choose the type of digital certificate to install. (Please note that --Select a Certificate Type-- is an instruction reminder, not a choice.)
• Issuing or Root Certificate Authority = Root and subordinate certificates obtained via enrollment with a CA in a PKI.

OK / Cancel
To install the certificate, click OK. The Manager displays the Administration | Certificate Management | Certificates screen. If you select the Server Identity (import with Private Key) certificate type, the Manager displays a warning message and asks you to confirm. To discard your entries and cancel the operation, click Cancel. The Manager returns to the Administration | Certificate Management screen.

Administration | Certificate Management | Certificates

This screen shows all the certificates installed in the VPN Concentrator and lets you view, enable revocation checking, and delete certificates. You can also generate a self-signed SSL server certificate. The Manager displays this screen each time you install a digital certificate.

Certificate Authorities
This table shows installed root and subordinate (trusted) certificates issued by Certificate Authorities (CAs).

Identity Certificates
This table shows installed server identity certificates.

SSL Certificate / [ Generate ]
This table shows the SSL server certificate installed on the VPN Concentrator.

Administration | Certificate Management | Certificates | View

The Manager displays this screen of certificate details when you click View for a certificate on the Administration | Certificate Management | Certificates screen. The details vary depending on the certificate content. The content and format for certificate details are governed by ITU (International Telecommunication Union) X.

CN=
Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy. For the VPN Concentrator self-signed SSL certificate, the CN is the IP address on the Ethernet 1 (Private) interface at the time the certificate is generated.

MD5 Thumbprint
A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique for every certificate, and it positively identifies the certificate. If you question a certificate’s authenticity, you can check this value with the issuer.

SHA1 Thumbprint
A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string.
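To reproduce the MD5 and SHA1 thumbprints shown on this screen for a certificate you have exported, and to check one against the value obtained from the issuer, here is an added Python example (not code from the manual or the VPN Concentrator). It assumes the certificate is available as PEM text; the sample PEM is constructed, with base64("abc") in place of real certificate bytes, so its digests are the published test vectors for "abc".

```python
import base64
import hashlib
import hmac
import re

# Constructed input for this example (not a real certificate): the PEM body is
# base64("abc"), so the expected digests are the published MD5/SHA-1 test
# vectors for "abc". A real PEM certificate from the Manager drops in unchanged.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM text.

    The thumbprint is a hash over the complete (DER) certificate contents,
    so the Base-64 armour must be removed before hashing.
    """
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def _colon_hex(digest: bytes) -> str:
    # Same presentation as the View screen: uppercase hex, one byte per pair.
    return ":".join(f"{b:02X}" for b in digest)


def thumbprints(pem: str) -> dict:
    """Compute the MD5 (16-byte) and SHA1 (20-byte) thumbprints of a PEM certificate."""
    der = pem_to_der(pem)
    return {
        "MD5": _colon_hex(hashlib.md5(der).digest()),
        "SHA1": _colon_hex(hashlib.sha1(der).digest()),
    }


def _normalize(thumbprint: str) -> str:
    # Accept whatever separators and letter case the issuer's copy uses.
    return re.sub(r"[^0-9a-f]", "", thumbprint.lower())


def thumbprint_matches(shown: str, from_issuer: str) -> bool:
    """Compare the thumbprint shown by the Manager with the value obtained
    from the issuer out of band. The length check rejects a truncated value
    (32 hex digits for MD5, 40 for SHA1); compare_digest avoids timing leaks."""
    a, b = _normalize(shown), _normalize(from_issuer)
    if len(a) != len(b) or len(a) not in (32, 40):
        return False
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    tp = thumbprints(SAMPLE_PEM)
    print("MD5 Thumbprint ", tp["MD5"])
    print("SHA1 Thumbprint", tp["SHA1"])
    print("matches issuer:", thumbprint_matches(tp["SHA1"], "a9993e364706816aba3e25717850c26c9cd0d89d"))
```

When checking with the issuer, compare the SHA1 thumbprint rather than the MD5 one: MD5 collisions are practical today, so two different certificates can share an MD5 thumbprint.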
Administration | Certificate Management | Certificates | CRL

This screen lets you enable Certificate Revocation List (CRL) checking for CA certificates installed in the VPN Concentrator. A certificate is normally expected to be valid for its entire validity period. However, if a certificate becomes invalid due to a name change, change of association between the subject and the CA, security compromise, etc.

Server
Enter the IP address or hostname of the CRL distribution point server (LDAP server). Maximum 32 characters.

Server Port
Enter the port number for the CRL server. Enter 0 (the default) to have the system supply the default port number, 389 (LDAP).

Filter
Enter the filename filter (wildcard) to use with the Base DN to select the appropriate CRLs in the database. Maximum 128 characters.

Administration | Certificate Management | Certificates | Delete

The Manager displays this confirmation screen when you click Delete for a certificate on the Administration | Certificate Management | Certificates screen. The screen shows the same certificate details as on the Administration | Certificate Management | Certificates | View screen.
Part 2 Monitoring

Chapter 10 Monitoring

The VPN 3000 Concentrator tracks many statistics and the status of many items essential to system administration and management. Use the Concentrator Manager Monitoring windows to view all those status items and statistics. You can even see the state of LEDs that show the status of hardware subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data objects.

Monitoring

This section of the Manager lets you view VPN Concentrator status, sessions, statistics, and event logs.
• Routing Table: Current valid routes, protocols, and metrics.
• Filterable Event Log: Current event log in memory, filterable by event class, severity, IP address, etc.
  – Live Event Log: Current event log, continuously updated.
Chapter 11 Routing Table

Monitoring | Routing Table

This screen shows the VPN Concentrator routing table at the time the screen displays. The IP routing subsystem examines the destination IP address of packets coming through the VPN Concentrator and forwards or drops them in accordance with configured parameters. The routing table shows the valid forwarding paths that the IP routing subsystem knows about, from whatever source: static routes, learned via routing protocols, interface addresses, etc.

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Clear Routes
Click the Clear Routes button to clear the dynamic routing entries, such as RIP and OSPF, from the display. Clicking this button does not affect the display of static routing entries.

Valid Routes
The total number of current valid routes that the VPN Concentrator knows about.

Protocol
The protocol or source of this routing table entry:
• RIP = Learned via Routing Information Protocol.
• OSPF = Learned via Open Shortest Path First protocol.
• Static = Configured static route.
• Local = Local VPN Concentrator interface address.
• ICMP = Learned from an ICMP (Internet Control Message Protocol) redirect message.
• Default = The default gateway.
Chapter 12 Filterable Event Log

Monitoring | Filterable Event Log

This screen shows the events in the current event log, lets you filter and display events by various criteria, and lets you manage the event log file. For troubleshooting any system difficulty, or just to examine details of system activity, consult the event log first. The VPN Concentrator records events in nonvolatile memory, so the event log persists even if the system is powered off.

Select Filter Options
You can select any or all of the following options for filtering and displaying the event log. After selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and displays the event log in accordance with your selections. Your filter options remain in effect as long as you continue working within and viewing Monitoring | Filterable Event Log screens.

Direction
To display events in a different chronological order, click the Direction drop-down menu button and choose the order. Choices are:
• Oldest to Newest = Display events in actual chronological order, with oldest events at the top of the screen. This is the default selection.
• Newest to Oldest = Display events in reverse chronological order, with newest events at the top of the screen.

Save Log
To save a copy of the current event log as a file on the VPN Concentrator, click the Save Log button. The browser prompts you for a filename, which must conform to the 8.3 naming convention.

Caution
If the filename you enter is the same as an existing file, the browser overwrites the existing file without asking for confirmation. To list and manage files on the VPN Concentrator, see the Administration | File Management screen.

Event Time
The time of the event: hour:minute:second.millisecond. The hour is based on a 24-hour clock. For example, 14:37:06.680 identifies an event that occurred at 2:37:06.680 PM.

Event Severity
The severity level of the event; for example: SEV=4 identifies an event of severity level 4. For an explanation of event severity levels, refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration.
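The same filter options (severity, event class, IP address, and display direction) can be applied offline to a log saved with Save Log; the following Python is an added example, not code from the manual or the unit. The line layout it parses and the five sample lines are constructed for the example, patterned on the Event Time and Event Severity fields described above.

```python
import re
from datetime import datetime

# Constructed sample event-log lines (not captured from a real unit). Assumed
# layout, one event per line:
#   <event#> <MM/DD/YYYY> <HH:MM:SS.mmm> SEV=<n> <CLASS>/<code> RPT=<count> <ip> <message>
SAMPLE_LOG = """\
1 08/14/2001 14:37:06.680 SEV=4 IKE/22 RPT=1 10.10.147.2 Received IKE message
2 08/14/2001 14:37:07.120 SEV=5 IKE/35 RPT=1 10.10.147.2 Phase 1 negotiation started
3 08/14/2001 14:38:01.004 SEV=2 HTTP/47 RPT=3 192.168.1.5 Management login rejected
4 08/14/2001 14:38:02.550 SEV=6 IPSEC/4 RPT=9 10.10.147.2 Data SA established
5 08/14/2001 14:40:59.999 SEV=3 AUTH/5 RPT=1 192.168.1.5 Administrator login succeeded
"""

_EVENT = re.compile(
    r"^(?P<number>\d+)\s+(?P<date>\d\d/\d\d/\d{4})\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z0-9]+)/(?P<code>\d+)\s+RPT=(?P<rpt>\d+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<msg>.*)$"
)


def parse_event(line: str) -> dict:
    """Split one log line into its fields; the time keeps millisecond precision."""
    m = _EVENT.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised event line: {line!r}")
    # %f accepts the three-digit millisecond field and scales it to microseconds.
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
    return {
        "number": int(m["number"]),
        "time": when,
        "severity": int(m["sev"]),
        "class": m["cls"],
        "code": int(m["code"]),
        "repeat": int(m["rpt"]),
        "ip": m["ip"],
        "message": m["msg"],
    }


def filter_events(log_text, severities=None, classes=None, ip=None, direction="oldest"):
    """Apply the screen's filter options to saved log text and return the matches.

    severities: set of severity levels to show (None = all)
    classes:    set of event classes to show, e.g. {"IKE"} (None = all)
    ip:         only events carrying this IP address (None = all)
    direction:  "oldest" (oldest to newest, the default) or "newest"
    """
    if direction not in ("oldest", "newest"):
        raise ValueError("direction must be 'oldest' or 'newest'")
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    selected = [
        e for e in events
        if (severities is None or e["severity"] in severities)
        and (classes is None or e["class"] in classes)
        and (ip is None or e["ip"] == ip)
    ]
    # Sort on the timestamp, then the event number, so events that share a
    # millisecond keep their logged order in either direction.
    selected.sort(key=lambda e: (e["time"], e["number"]), reverse=(direction == "newest"))
    return selected


if __name__ == "__main__":
    # Most severe events (levels 1-3) first, newest at the top.
    for e in filter_events(SAMPLE_LOG, severities={1, 2, 3}, direction="newest"):
        stamp = e["time"].strftime("%H:%M:%S.%f")[:-3]
        print(e["number"], stamp, f"SEV={e['severity']}", e["class"], e["message"])
```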
Monitoring | Live Event Log

Note
The live event log requires Netscape versions 4.5-4.7 or 6.0. It does not run on other versions of Netscape.

This screen shows events in the current event log and automatically updates the display every 5 seconds. The events might take a few seconds to load when you first open the screen. The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events.

Pause Display / Resume Display
To pause the display, click Pause Display. While paused, the screen does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log. Click the button to resume the display of new events and restart the timer.

Clear Display
To clear the event display, click Clear Display.
Chapter 13 System Status

Monitoring | System Status

This screen shows the status of several software and hardware variables at the time the screen displays. From this screen you can also display the status and statistics for SEP modules, system power supplies, and network interfaces.

Figure 13-2 Monitoring | System Status Screen (Models 3015-3080)

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

VPN Concentrator Type
The type, or model number, of this VPN Concentrator.

Bootcode Rev
The version name, number, and date of the VPN Concentrator bootcode software file.

Software Rev
The version name, number, and date of the VPN Concentrator system software image file. You can update this image file from the Administration | Software Update screen.

Up Since
The date and time that the VPN Concentrator was last booted or reset.

RAM Size
The total amount of SDRAM memory installed in the VPN Concentrator.

Front Panel
On models 3015-3080, the front panel image is an active link.

CPU, Cage
The VPN Concentrator Model 3015–3080 includes two temperature sensors on the main printed circuit board: one near the CPU and one near the power supply cage. The Model 3005 has one sensor near the CPU. This table shows the temperature at the sensor(s). Temperatures between 0° and 50°C (32° and 122°F) are acceptable. Values outside this range trigger a hardware event.

Monitoring | System Status | Ethernet Interface

This screen displays status and statistics for a VPN Concentrator Ethernet interface. To configure an interface, see Configuration | Interfaces.

Figure 13-3 Monitoring | System Status | Ethernet Interface Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

IP Address
The IP address configured on this interface.

Status
The operational status of this interface:
• UP = configured and enabled, ready to pass data traffic.
• DOWN = configured but disabled.
• Testing = in test mode; no regular data traffic can pass.
• Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present = missing hardware components.

Tx Multicast
The number of multicast packets that were routed to this interface for transmission since the VPN Concentrator was last booted or reset, including those that were discarded or not sent. Multicast packets are those addressed to a specific group of hosts.

Rx Broadcast
The number of broadcast packets that were received by this interface since the VPN Concentrator was last booted or reset.

Monitoring | System Status | Dual T1/E1 WAN Slot N

This screen displays status and statistics for a VPN Concentrator WAN module. To configure a WAN module interface, see Configuration | Interfaces.

Figure 13-4 Monitoring | System Status | Dual T1/E1 WAN Slot N Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Port
The interface port on the WAN module (A or B).

Status
The current status of this port:
• Up = (Green) Configured, enabled, and operational; synchronized with the network and ready to pass data traffic.
• Red = (Red) Red alarm: Port has lost synchronization or signal. This alarm indicates out of frame errors or a mismatched framing format, or a disconnected line.

Severely Errored Framing Seconds
The number of seconds during which one or more out-of-frame defects or an AIS defect were detected on this port.

Unavailable Seconds
The number of seconds during which this port has not been available. Basically, unavailable seconds begin with 10 contiguous severely errored seconds, or with a condition leading to failure.
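An added Python example (not code from the manual or the WAN module firmware) that computes the Unavailable Seconds counter from a per-second record of severely errored seconds. The onset rule is the one stated above; the exit rule, that the port is available again from the onset of 10 contiguous seconds without SES (RFC 2495), is an assumption the page does not state, and the "S"/"." record notation is constructed for the example.

```python
from typing import List, Sequence


def parse_flags(pattern: str) -> List[bool]:
    """Turn a compact per-second record into SES flags: 'S' = severely errored
    second, '.' = a second without SES. (Constructed notation for this example.)"""
    if set(pattern) - {"S", "."}:
        raise ValueError("pattern may contain only 'S' and '.'")
    return [ch == "S" for ch in pattern]


def unavailable_seconds(ses: Sequence[bool]) -> int:
    """Count Unavailable Seconds (UAS) from a per-second SES flag sequence.

    Onset rule (as stated for this screen): unavailability begins with 10
    contiguous SES, and those 10 seconds themselves count as unavailable.
    Exit rule (assumed from RFC 2495, not stated on the page): the port is
    available again from the onset of 10 contiguous seconds with no SES, and
    those 10 seconds count as available.
    Seconds still in the unavailable state when the record ends are counted
    as unavailable, because availability has not yet been re-established.
    """
    total = len(ses)
    uas = 0
    unavailable = False
    i = 0
    while i < total:
        window = ses[i:i + 10]
        full_window = len(window) == 10
        if not unavailable:
            if full_window and all(window):
                unavailable = True
                uas += 10        # the 10 triggering SES are retroactively unavailable
                i += 10
            else:
                i += 1           # an SES run shorter than 10 is errored, not unavailable
        else:
            if full_window and not any(window):
                unavailable = False
                i += 10          # the 10 clean seconds are retroactively available
            else:
                uas += 1
                i += 1
    return uas


if __name__ == "__main__":
    samples = (
        "S" * 9 + "." * 5,                     # short burst: 9 SES, no UAS
        "S" * 10 + "." * 20,                   # exactly the onset threshold
        "S" * 12 + "." * 5 + "S" + "." * 10,   # stray SES keeps the port unavailable
    )
    for record in samples:
        print(f"{record:30} UAS={unavailable_seconds(parse_flags(record))}")
```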
Synchronous Statistics
This table shows statistics for the synchronous traffic (frames) through the WAN interface ports, with a column of statistics for each configured port.

Slot
The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module.

Port
The interface port on the WAN module (A or B).

IfIndex
The unique interface index (an integer) that identifies this WAN port.

Bytes Transmitted
The number of bytes (octets) transmitted on this interface port.

Received Frame Too Long
The number of received frame too long errors on this interface port. The size of the packets received exceeds the MTU (Maximum Transmission Unit).

Monitoring | System Status | Power

This screen displays status and data for VPN Concentrator power supplies and voltage sensors in the system. To configure alarm thresholds for system voltages, see the Configuration | Interfaces | Power screen.

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back
To return to the Monitoring | System Status screen, click Back.

CPU
Voltage and status for the voltage sensor on the CPU chip. The screen shows either 1.9 or 2.5 volts, depending on the CPU chip in the system.

Power Supply A, B
Voltages and status of the 3.3- and 5-volt outputs from the power supplies.

Monitoring | System Status | SEP

Note
This screen appears on models 3015–3080 only.

This screen displays status and statistics for a VPN Concentrator SEP (Scalable Encryption Processing) module, which performs hardware-based cryptographic functions:
• Random-number generation.
• Hash transforms (MD5 and SHA-1) for authentication.
• Encryption and decryption (DES and Triple-DES).

Figure 13-7 Monitoring | System Status | SEP Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back
To return to the Monitoring | System Status screen, click Back.

SEP
The chassis slot number where this SEP is inserted, and the type of hardware in this SEP:
• CryptSet = first-release hardware using a set of integrated circuits.
• CryptIC = second-release hardware using a single integrated circuit.
• Unknown = hardware could not be determined. This is an error condition; please contact Cisco Customer Support.

Status
The functional state of this SEP module:
• Operational = module is operating correctly.

Outbound Hash: Octets
The number of outbound octets (bytes) to which this SEP applied a hashing algorithm for authentication.

Outbound Hash: Packets
The number of outbound authentication-only hashed packets processed by this SEP. Only hashing algorithms are applied to authentication-only traffic; there is no encryption or decryption.

Encrypted: Octets
The number of octets (bytes) that this SEP encrypted.

Drops: Packets
The number of packets intended for processing by this SEP, but dropped due to the SEP being overloaded.

Random Requests
The number of requests to this SEP to generate random numbers. When needed (requested), the SEP generates a 2-KB block of random numbers and caches them on the VPN Concentrator. Various cryptographic functions require random numbers of different sizes, and they get them from the cache.

RSA Digital Verifications
The number of times this SEP has verified an RSA digital signature. When the VPN Concentrator receives a signed digital certificate for authentication, it must verify the digital signature by computing a hash of the certificate and comparing it with the received-certificate hash.

RSA Encryptions: Octets / Packets
The number of RSA-encrypted octets (bytes) / packets this SEP has generated.

Monitoring | System Status | LED Status

Note
This screen appears on models 3015–3080 only.

This screen shows the status of VPN Concentrator front-panel LED indicators, exactly as they appear on the unit itself. LED indicators on the VPN Concentrator are normally green, and the usage graph LEDs are blue. LEDs that are amber, red, or off might indicate an error condition.
Chapter 14 Sessions

Monitoring | Sessions

The following screen shows comprehensive data for all active user and administrator sessions on the VPN Concentrator.

Figure 14-1 Monitoring | Sessions Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Group
Choose a group from the menu to monitor sessions for that group only. The default value is --All--, which displays sessions for all groups.

Session Summary Table
This table shows summary totals for LAN-to-LAN, remote access, and management sessions. A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one tunnel = one session. However, one IPSec LAN-to-LAN tunnel counts as one session, but it allows many host-to-host connections through the tunnel.

Active LAN-to-LAN Sessions
The number of IPSec LAN-to-LAN sessions that are currently active.

LAN-to-LAN Sessions Table
This table shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session here identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within the tunnel.

[ Remote Access Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.

Connection Name
The name of the IPSec LAN-to-LAN connection.

Remote Access Sessions Table
This table shows parameters and statistics for all active remote-access sessions. Each session is a single-user connection from a remote client to the VPN Concentrator. Remote-access sessions include PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions.

[ LAN-to-LAN Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.

Management Sessions Table
This table shows parameters and statistics for all active administrator management sessions on the VPN Concentrator.

[ LAN-to-LAN Sessions | Remote Access Sessions ]
Click these active links to go to the other session tables on this Manager screen.

Administrator
The administrator username or login name for the session.

IP Address
The IP address of the manager workstation that is accessing the system.

Monitoring | Sessions | Detail

These Manager screens show detailed parameters and statistics for a specific remote-access or LAN-to-LAN session. The parameters and statistics differ depending on the session protocol.

Figure 14-2 Monitoring | Sessions | Detail Screen: IPSec LAN-to-LAN
Figure 14-3 Monitoring | Sessions | Detail Screen: IPSec Remote Access User
Figure 14-4 Monitoring | Sessions | Detail Screen: IPSec through NAT
Figure 14-5 Monitoring | Sessions | Detail Screen: L2TP
Figure 14-6 Monitoring | Sessions | Detail Screen: L2TP Over IPSec
Figure 14-7 Monitoring | Sessions | Detail Screen: PPTP

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Back to Sessions
To return to the Monitoring | Sessions screen, click Back to Sessions.

Monitoring | Sessions | Detail Parameters

Table 14-2 Parameter Definitions for Monitoring | Sessions | Detail Screens

Assigned IP Address
The private IP address assigned to the remote client for this session. This is also known as the “inner” or “virtual” IP address, and it lets the client appear to be a host on the private network.

Authentication Mode
The protocol or mode used to authenticate this session.

Login Time
The date and time (MMM DD HH:MM:SS) that the session logged in. Time is displayed in 24-hour notation.

Perfect Forward Secrecy Group
The Diffie-Hellman algorithm and key size used to generate IPSec SA encryption keys using Perfect Forward Secrecy.

PFS Group
The Perfect Forward Secrecy group: 1, 2, 3, 4, or 7.
Chapter 14 Sessions Monitoring | Sessions | Protocols Monitoring | Sessions | Protocols This screen graphically displays the protocols used by currently active user and administrator sessions on the VPN Concentrator. Figure 14-8 Monitoring | Sessions | Protocols Screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Group Choose a group from the menu to show protocols used by currently active users in that group only.
Chapter 14 Sessions Monitoring | Sessions | Protocols Total Sessions The total number of sessions since the VPN Concentrator was last booted or reset. Protocol The protocol that the session is using: • Other = Protocol other than those listed here. • PPTP = Point-to-Point Tunneling Protocol. • L2TP = Layer 2 Tunneling Protocol. • IPSec = Internet Protocol Security tunneling protocol (remote-access users). • HTTP = Hypertext Transfer Protocol (web browser). • FTP = File Transfer Protocol.
Chapter 14 Sessions Monitoring | Sessions | SEPs Monitoring | Sessions | SEPs Note This screen appears on models 3015–3080 only. This screen graphically displays the SEP (Scalable Encryption Processing) modules used by currently active user and administrator sessions on the VPN Concentrator. SEP modules perform data encryption functions in hardware. Figure 14-9 Monitoring | Sessions | SEPs Screen Refresh To update the screen and its data, click Refresh.
Chapter 14 Sessions Monitoring | Sessions | SEPs SEP The SEP module that the sessions are using. • Not on SEP = using software encryption, or not using encryption. • 1, 2, 3, 4 = SEP module 1, 2, 3, and 4, respectively. Sessions The number of active sessions using this SEP module. The sum of this column equals the total number of Active Sessions shown above. Bar Graph The percentage of sessions using this SEP module relative to the total active sessions, as a horizontal bar graph.
Chapter 14 Sessions Monitoring | Sessions | Encryption Monitoring | Sessions | Encryption This screen graphically displays the data encryption algorithms used by currently active user and administrator sessions on the VPN Concentrator. Figure 14-10 Monitoring | Sessions | Encryption Screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Chapter 14 Sessions Monitoring | Sessions | Encryption Encryption The data encryption algorithm that the sessions are using: • Other = other than listed below. • None = no data encryption. • DES-56 = Data Encryption Standard algorithm with a 56-bit key. • DES-40 = DES encryption with a 56-bit key, 40 bits of which are private. • 3DES-168 = Triple-DES encryption with a 168-bit key. • RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
Chapter 14 Sessions Monitoring | Sessions | Top Ten Lists Monitoring | Sessions | Top Ten Lists This section of the Manager shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by: • Data: total bytes transmitted and received. • Duration: total time connected. • Throughput: average throughput (bytes/sec).
Monitoring | Sessions | Top Ten Lists | Data

This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by data: total bytes transmitted and received.

Figure 14-12 Monitoring | Sessions | Top Ten Lists | Data Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Username
The login username for the session.

Group
The user’s group.

IP Address
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator.

Protocol
The protocol that the session is using:
• Console = Directly connected console; no protocol.

Encryption
The data encryption algorithm that the session is using:
• None = No data encryption.
• DES-40 = Data Encryption Standard algorithm with a 56-bit key, 40 bits of which are private.
• DES-56 = DES encryption with a 56-bit key.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
Monitoring | Sessions | Top Ten Lists | Duration

This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by duration: total time connected.

Figure 14-13 Monitoring | Sessions | Top Ten Lists | Duration Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Username
The login username for the session.

Group
The user’s group.

IP Address
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator.

Protocol
The protocol that the session is using:
• Console = Directly connected console; no protocol.

Encryption
The data encryption algorithm that the session is using:
• None = no data encryption.
• DES-40 = Data Encryption Standard algorithm with a 56-bit key, 40 bits of which are private.
• DES-56 = DES encryption with a 56-bit key.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
Monitoring | Sessions | Top Ten Lists | Throughput

This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by average throughput (bytes/sec).

Figure 14-14 Monitoring | Sessions | Top Ten Lists | Throughput Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Username
The login username for the session.

Group
The user’s group.

IP Address
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the host address of a networked user. Local identifies the console directly connected to the VPN Concentrator.

Protocol
The protocol that the session is using:
• Console = Directly connected console; no protocol.

Encryption
The data encryption algorithm that the session is using:
• None = No data encryption.
• DES-40 = Data Encryption Standard algorithm with a 56-bit key, 40 bits of which are private.
• DES-56 = DES encryption with a 56-bit key.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring 14-30 78-13274-01
CHAPTER 15 Statistics

Monitoring | Statistics

This section of the Manager shows statistics for traffic and activity on the VPN Concentrator since it was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, and the ARP table.

Statistics include:
• PPTP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
• L2TP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
• IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc.
• HTTP: total data traffic and connection statistics.
Monitoring | Statistics | PPTP

This screen shows statistics for PPTP activity on the VPN Concentrator since it was last booted or reset, and for current PPTP sessions. The Monitoring | Sessions | Detail screens also show PPTP data. To configure system-wide PPTP parameters, see the Configuration | System | Tunneling Protocols | PPTP screen. To configure PPTP parameters for users and groups, see Configuration | User Management.

Maximum Tunnels
The maximum number of PPTP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.

Total Sessions
The total number of user sessions through PPTP tunnels since the VPN Concentrator was last booted or reset.

Active Sessions
The number of user sessions that are currently active through PPTP tunnels. The PPTP Sessions table shows statistics for these sessions.

Tx Octets Control / Data
The number of PPTP control/data octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.

Tx Packets Control / Data
The number of PPTP control/data packets transmitted by the VPN Concentrator since it was last booted or reset.

PPTP Sessions
This table shows statistics for active PPTP sessions on the VPN Concentrator. Each active session is a row.

Transmit Octets
The total number of PPTP data octets (bytes) transmitted by this session.

Transmit Packets
The total number of PPTP data packets transmitted by this session.

Transmit ZLB
The total number of PPTP Zero Length Body acknowledgement packets transmitted by this session. ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback an acknowledgement.
Monitoring | Statistics | L2TP

This screen shows statistics for L2TP activity on the VPN Concentrator since it was last booted or reset, and for current L2TP sessions. The Monitoring | Sessions | Detail screens also show L2TP data. To configure system-wide L2TP parameters, see the Configuration | System | Tunneling Protocols | L2TP screen. To configure L2TP parameters for users and groups, see Configuration | User Management.

Maximum Tunnels
The maximum number of L2TP tunnels that have been simultaneously active on the VPN Concentrator since it was last booted or reset.

Failed Tunnels
The number of L2TP tunnels that failed to become established since the VPN Concentrator was last booted or reset.

Total Sessions
The total number of user sessions successfully established through L2TP tunnels since the VPN Concentrator was last booted or reset.

Rx Packets Control / Data
The number of L2TP control / data channel packets received by the VPN Concentrator since it was last booted or reset.

Rx Discards Control / Data
The number of L2TP control / data channel packets received and discarded by the VPN Concentrator since it was last booted or reset.

Tx Octets Control / Data
The number of L2TP control/data channel octets (bytes) transmitted by the VPN Concentrator since it was last booted or reset.

Receive Octets
The total number of L2TP data octets (bytes) received by this session.

Receive Packets
The total number of L2TP data packets received by this session.

Receive Discards
The total number of L2TP data packets received and discarded by this session.

Receive ZLB
The total number of L2TP Zero Length Body acknowledgement data packets received by this session.
Monitoring | Statistics | IPSec

This screen shows statistics for IPSec activity, including current IPSec tunnels, on the VPN Concentrator since it was last booted or reset. These statistics conform to the IETF draft for the IPSec Flow Monitoring MIB. The Monitoring | Sessions | Detail screens also show IPSec data. To configure system-wide IPSec parameters and LAN-to-LAN connections, see the Configuration | System | Tunneling Protocols | IPSec screens.

IKE (Phase 1) Statistics
This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase 1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations.

Active Tunnels
The number of currently active IKE control tunnels, both for LAN-to-LAN connections and remote access.

Received Notifies
The cumulative total of notify packets received by all currently and previously active IKE tunnels. A notify packet is an informational packet that is sent in response to a bad packet or to indicate status, for example: error packets, keepalive packets, etc.

Sent Notifies
The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See comments for Received Notifies.

Phase-2 SA Delete Requests Sent
The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and previously active IKE tunnels.

Initiated Tunnels
The cumulative total of IKE tunnels that this VPN Concentrator initiated. The VPN Concentrator initiates tunnels only for LAN-to-LAN connections.

IPSec (Phase 2) Statistics
This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate Security Associations that govern traffic within the tunnel.

Active Tunnels
The number of currently active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.

Total Tunnels
The cumulative total of all currently and previously active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote access.

Received Packets Dropped (Anti-Replay)
The cumulative total of packets dropped during receive processing due to anti-replay errors, by all currently and previously active IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate or out of bounds, there might be a faulty network or a security breach, and the system drops the packet.
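The duplicate and out-of-bounds cases that feed the Received Packets Dropped (Anti-Replay) counter can be seen in the standard sliding-window check an IPSec receiver applies to each inbound Phase-2 Security Association. The following Python is an added illustration, not Cisco code; the 64-entry window and the sequence numbers fed through it are assumptions.

```python
"""Sliding-window anti-replay check (RFC 2401/4303 style), added here to
illustrate the Received Packets Dropped (Anti-Replay) counter. Not Cisco
code; the window size and the sample sequence numbers are assumptions."""

from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the
    `size` most recent sequence numbers for one inbound Phase-2 SA."""
    size: int = 64                  # assumed window size (RFC minimum is 32)
    highest: int = 0                # highest sequence number accepted so far
    bitmap: int = 0                 # bit i set => (highest - i) already received
    dropped_replay: int = 0         # the "Dropped (Anti-Replay)" counter
    accepted: int = 0

    def check(self, seq: int) -> str:
        """Return 'accept', 'duplicate' or 'out-of-window' for one packet,
        updating the window only when the packet is accepted."""
        if seq == 0:
            # Sequence number 0 is never valid once anti-replay is enabled.
            self.dropped_replay += 1
            return "out-of-window"
        if seq > self.highest:
            # New high-water mark: slide the window and mark this packet.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            self.accepted += 1
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            # Too old to be tracked: out of bounds, drop it.
            self.dropped_replay += 1
            return "out-of-window"
        if self.bitmap & (1 << offset):
            # Already seen inside the window: a replay, drop it.
            self.dropped_replay += 1
            return "duplicate"
        self.bitmap |= 1 << offset
        self.accepted += 1
        return "accept"


def replay_sample() -> dict:
    """Feed a constructed sequence of ESP sequence numbers through one window.
    Mild reordering (5 before 4) is accepted; a replayed 5 and a stale 3 are
    dropped and increment the counter the screen reports."""
    w = AntiReplayWindow(size=64)
    seqs = [1, 2, 3, 5, 4, 5, 100, 3, 99]   # constructed sample, not captured traffic
    verdicts = [w.check(s) for s in seqs]
    return {"verdicts": verdicts, "dropped": w.dropped_replay, "accepted": w.accepted}


if __name__ == "__main__":
    print(replay_sample())
```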
Encryptions
The cumulative total of outbound encryptions performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Encryptions
The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check for IPSec subsystem or SEP module problems.
Monitoring | Statistics | HTTP

This screen shows statistics for HTTP activity on the VPN Concentrator since it was last booted or reset. To configure system-wide HTTP server parameters, see the Configuration | System | Management Protocols | HTTP screen.

Figure 15-5 Monitoring | Statistics | HTTP Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Active
The number of currently active HTTP connections on the VPN Concentrator.

Peak
The maximum number of HTTP connections that were simultaneously active on the VPN Concentrator since it was last booted or reset.

Total
The total number of HTTP connections on the VPN Concentrator since it was last booted or reset.

HTTP Sessions
This section provides information about HTTP sessions on the VPN Concentrator since it was last booted or reset.

Octets Sent/Received
Number of octets sent or received during the HTTP session.

Packets Sent/Received
Number of packets sent or received during the HTTP session.

Sockets Active
The number of currently active sockets for the HTTP session.

Sockets Peak
The maximum number of sockets simultaneously active during the HTTP session.

Sockets Total
The total number of sockets active during the HTTP session.
Monitoring | Statistics | Events

This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset. To configure event handling, see the Configuration | System | Events screens.

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated. Use the scroll controls (if present) to view the entire table.

Event Class
Event class denotes the source of the event and refers to a specific hardware or software subsystem within the VPN Concentrator. For a description of event classes, see VPN 3000 Series Concentrator Reference Volume 1: Configuration.
Monitoring | Statistics | Telnet

This screen shows statistics for Telnet activity on the VPN Concentrator since it was last booted or reset, and for current Telnet sessions. To configure the VPN Concentrator’s Telnet server, see the Configuration | System | Management Protocols | Telnet screen.

Figure 15-7 Monitoring | Statistics | Telnet Screen

Refresh
To update the screen and its data, click Refresh.

Telnet Sessions
This table shows statistics for active Telnet sessions on the VPN Concentrator. Each active session is a row.

Client IP Address:Port
The IP address and TCP source port number of this session’s remote Telnet client.

Inbound Octets Total
The total number of Telnet octets (bytes) received by this session.

Inbound Octets Command
The number of octets (bytes) containing Telnet commands or options, received by this session.
Monitoring | Statistics | DNS

This screen shows statistics for DNS (Domain Name System) activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with DNS servers, see the Configuration | System | Servers | DNS screen.

Figure 15-8 Monitoring | Statistics | DNS Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Monitoring | Statistics | Authentication

This screen shows statistics for user authentication activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with authentication servers, see the Configuration | System | Servers | Authentication screens.

Figure 15-9 Monitoring | Statistics | Authentication Screen

Refresh
To update the screen and its data, click Refresh.

Accepts
The number of authentication acceptance packets received from this server.

Rejects
The number of authentication rejection packets received from this server.

Challenges
The number of authentication challenge packets received from this server.

Malformed Responses
The number of malformed authentication response packets received from this server. Malformed packets include packets with an invalid length.
Monitoring | Statistics | Accounting

This screen shows statistics for RADIUS user accounting activity on the VPN Concentrator since it was last booted or reset. To configure the VPN Concentrator to communicate with RADIUS accounting servers, see the Configuration | System | Servers | Accounting screens.

Figure 15-10 Monitoring | Statistics | Accounting Screen

Refresh
To update the screen and its data, click Refresh.

Malformed Responses
The number of malformed accounting response packets received from this RADIUS accounting server. Malformed packets include packets with an invalid length. Bad authenticators are not included in this number.

Bad Authenticators
The number of accounting response packets received from this server that contained invalid authenticators.
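The Accepts, Rejects, Challenges, Malformed Responses and Bad Authenticators counters on the Authentication and Accounting screens correspond to the checks a RADIUS client performs on every response it receives, in that order: length and attribute layout first, then the Response Authenticator. The following Python is an added illustration, not Cisco code; the shared secret, request authenticator and sample packets are constructed values.

```python
"""Classify a RADIUS response the way the Authentication and Accounting
statistics screens count it: accept, reject, challenge, malformed response
or bad authenticator. Added illustration, not Cisco code; the shared secret,
request authenticator and packets below are constructed sample values."""

import hashlib
import hmac

ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 2, 3, 5, 11
CODE_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject",
              ACCESS_CHALLENGE: "challenge", ACCOUNTING_RESPONSE: "accounting-response"}


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865/2866: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    head = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Constructed helper that produces a well-formed response for the sample."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs


def attributes_well_formed(attrs: bytes) -> bool:
    """Each attribute is Type(1) Length(1, >= 2) Value; the walk must end exactly."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            return False
        alen = attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        pos += alen
    return True


def classify_response(packet: bytes, request_auth: bytes, secret: bytes) -> str:
    """Return the counter a response would increment on the statistics screen."""
    # Length checks first: RFC 2865 requires 20 <= Length <= 4096 and a Length
    # field that matches the bytes received. These are the screen's
    # "invalid length" malformed cases and are counted before the authenticator
    # is examined, so a malformed packet never counts as a bad authenticator.
    if len(packet) < 20:
        return "malformed"
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length > 4096 or length != len(packet):
        return "malformed"
    attrs = packet[20:]
    if not attributes_well_formed(attrs):
        return "malformed"
    # Only now verify the Response Authenticator, with a constant-time compare.
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"
    return CODE_NAMES.get(code, "other")


def tally_sample() -> dict:
    """Run constructed responses through classify_response and count them."""
    secret = b"example-shared-secret"             # constructed
    req_auth = bytes(range(16))                    # constructed request authenticator
    reply_msg = bytes([18, 4]) + b"ok"             # Reply-Message attribute, well formed
    good = build_response(ACCESS_ACCEPT, 7, reply_msg, req_auth, secret)
    rejected = build_response(ACCESS_REJECT, 8, b"", req_auth, secret)
    # Same bytes as `good` with one bit flipped inside the authenticator field.
    forged = good[:4] + bytes([good[4] ^ 0x01]) + good[5:]
    # Length field claims 40 bytes but only 20 arrived: invalid length.
    short = bytes([ACCESS_ACCEPT, 9, 0, 40]) + good[4:20]
    # Attribute length byte of 1 is illegal (minimum is 2): malformed even
    # though its authenticator is valid.
    bad_attr = build_response(ACCOUNTING_RESPONSE, 10, bytes([18, 1]), req_auth, secret)
    counts: dict = {}
    for pkt in (good, rejected, forged, short, bad_attr):
        kind = classify_response(pkt, req_auth, secret)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    print(tally_sample())
```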
Monitoring | Statistics | Filtering

This screen shows statistics for filtering of traffic that has passed through the interfaces on the VPN Concentrator since it was last booted or reset. To configure filters, see the Configuration | Policy Management | Traffic Management screens. To apply filters to interfaces, see the Configuration | Interfaces screens. To apply filters to users and groups, see the Configuration | User Management screens.

Inbound Packets Post Filter
The number of inbound packets that have been filtered and forwarded on this interface. This number equals Inbound Packets Pre-Filter minus Inbound Packets Filtered.

Outbound Packets Pre-Filter
The total number of outbound packets received on this interface.

Outbound Packets Filtered
The number of outbound packets that have been filtered and dropped on this interface.
Monitoring | Statistics | VRRP

This screen shows status and statistics for VRRP (Virtual Router Redundancy Protocol) activity on the VPN Concentrator since it was last booted or reset. To configure VRRP, see the Configuration | System | IP Routing | Redundancy screen.

Figure 15-12 Monitoring | Statistics | VRRP Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

VRID Errors
The total number of VRRP packets received with an invalid VRRP Group ID number for this VPN Concentrator.

VRID
The identification number that uniquely identifies the group of virtual routers to which this VPN Concentrator belongs.
• Not Configured = VRRP has not been configured or enabled.

Virtual Routers
This table shows statistics for the virtual router on each configured VRRP interface on this VPN Concentrator.

Time-to-Live Errors
The total number of VRRP packets received by this interface with IP TTL (Time-To-Live) not equal to 255. All VRRP packets must have TTL = 255.

Priority 0 Packets Received
The total number of VRRP packets received by this interface with a priority of 0. Priority 0 packets indicate that the current Master router has stopped participating in VRRP.
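The VRID Errors, Time-to-Live Errors and Priority 0 Packets Received counters correspond to checks a VRRP receiver applies to each advertisement it hears on an interface. The following Python is an added illustration, not Cisco code; it also verifies the VRRPv2 checksum, which goes beyond the three counters quoted above, and the configured VRID, the TTL values and the packet bytes are constructed samples.

```python
"""Validate VRRPv2 (RFC 2338) advertisements and update the counters the
Monitoring | Statistics | VRRP screen reports. Added illustration, not Cisco
code; the configured VRID, TTL values and packets are constructed samples."""

import struct
from dataclasses import dataclass


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over the whole VRRP message (VRRPv2 has no pseudo-header).
    Over a message that already carries a correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addrs: list, interval: int = 1) -> bytes:
    """Constructed VRRPv2 advertisement: version 2, type 1, no authentication."""
    # Version/Type, VRID, Priority, Count IP Addrs, Auth Type, Adver Int, Checksum
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, interval, 0)
    body += b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    body += b"\x00" * 8                          # authentication data, unused
    csum = ones_complement_checksum(body)
    return body[:6] + struct.pack("!H", csum) + body[8:]


@dataclass
class VrrpCounters:
    """Per-interface counters for one configured virtual router."""
    vrid: int                                    # VRID configured on this interface
    vrid_errors: int = 0                         # VRID Errors
    ttl_errors: int = 0                          # Time-to-Live Errors
    priority_zero: int = 0                       # Priority 0 Packets Received
    checksum_errors: int = 0                     # additional check, not on the screen
    accepted: int = 0

    def receive(self, ip_ttl: int, payload: bytes) -> str:
        """Apply the checks in RFC 2338 order (TTL, length/checksum, VRID)."""
        if ip_ttl != 255:
            # TTL 255 proves the packet came from the local link and crossed no router.
            self.ttl_errors += 1
            return "ttl-error"
        if len(payload) < 16 or ones_complement_checksum(payload) != 0:
            # Shorter than the 8-byte header plus 8 bytes of auth data, or corrupted.
            self.checksum_errors += 1
            return "checksum-error"
        vrid, priority = payload[1], payload[2]
        if vrid != self.vrid:
            self.vrid_errors += 1
            return "vrid-error"
        self.accepted += 1
        if priority == 0:
            # The Master is relinquishing its role; a Backup should take over now.
            self.priority_zero += 1
            return "priority-zero"
        return "ok"


def vrrp_sample() -> dict:
    """Feed constructed advertisements to one interface configured for VRID 10."""
    c = VrrpCounters(vrid=10)
    good = build_advertisement(10, 100, ["192.0.2.1"])
    other_group = build_advertisement(11, 100, ["192.0.2.1"])
    resign = build_advertisement(10, 0, ["192.0.2.1"])
    # Priority byte flipped after the checksum was computed: checksum now fails.
    corrupted = good[:2] + bytes([good[2] ^ 0xFF]) + good[3:]
    verdicts = [c.receive(255, good), c.receive(64, good), c.receive(255, other_group),
                c.receive(255, resign), c.receive(255, corrupted)]
    return {"verdicts": verdicts, "vrid_errors": c.vrid_errors, "ttl_errors": c.ttl_errors,
            "priority_zero": c.priority_zero, "checksum_errors": c.checksum_errors,
            "accepted": c.accepted}


if __name__ == "__main__":
    print(vrrp_sample())
```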
Monitoring | Statistics | SSL

This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN Concentrator since it was last booted or reset. To configure SSL, see Configuration | System | Management Protocols | SSL.

Figure 15-13 Monitoring | Statistics | SSL Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Encrypted Outbound Octets
The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes negotiation traffic.

Total Sessions
The total number of SSL sessions.

Active Sessions
The number of currently active SSL sessions.

Max Active Sessions
The maximum number of SSL sessions simultaneously active at any one time.
Monitoring | Statistics | DHCP

This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) activity on the VPN Concentrator since it was last booted or reset. Each row of the table shows data for one session that is using an IP address obtained via DHCP. To identify DHCP servers to the VPN Concentrator, see Configuration | System | Servers | DHCP.
Monitoring | Statistics | Address Pools

This screen shows statistics for address pool activity on the VPN Concentrator since it was last booted or reset. This data appears if the VPN Concentrator is configured to assign IP addresses to clients from an internal address pool. To configure address pools, see the Configuration | System | Address Management screens.

Max Allocated Addresses
The maximum number of IP addresses assigned from this pool at any one time.

Group
The names of configured groups.

IP Address Range: Start / End
The starting and ending IP addresses in the group’s address pool. Each configured range is a row in the table.

Total Addresses
The total number of IP addresses in the address pool of this group.
Monitoring | Statistics | SSH

This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN Concentrator since it was last booted or reset. To configure SSH, see Configuration | System | Management Protocols | SSH.

Figure 15-16 Monitoring | Statistics | SSH Screen

Octets Sent / Received
The total number of SSH octets (bytes) sent / received since the VPN Concentrator was last booted or reset.
Monitoring | Statistics | Load Balancing

This screen shows statistics for load balancing on the VPN Concentrator since it was last booted or reset.

Figure 15-17 Monitoring | Statistics | Load Balancing Screen

Enabled?
Indicates whether load balancing has been enabled on this VPN Concentrator.

Role
The role of this VPN Concentrator within the virtual cluster. It is either a virtual cluster master or a secondary device.

Private IP Address
The private IP address of the peer.

Public IP Address
The public IP address of the peer.

Mapped IP Address
The NAT address of the peer, if it has one.

Role
The role of the peer within the virtual cluster. It is either a virtual cluster master or a secondary device.

Device Type
The VPN Concentrator model (such as 3005 or 3015) of the peer.
Monitoring | Statistics | Compression

If you have enabled data compression, this screen shows statistics for data compression on the VPN Concentrator since it was last booted or reset.

Figure 15-18 Monitoring | Statistics | Compression Screen

IPSec Using IPComp
This screen shows statistics for IPSec data compression using the IPComp compression protocol.

Inbound Pre-Decompression
The total number of bytes of all incoming data before any of it is decompressed.

Inbound Post-Decompression
The total number of bytes of all incoming data after decompression.

Ratio
The ratio of Inbound Post-Decompression to Inbound Pre-Decompression.

L2TP/PPTP Using MPPC
This table shows statistics for L2TP and PPTP data compression using the MPPC compression protocol.

Outbound Post-Compression
The total number of bytes of outbound data actually compressed. (“A1” in Figure 15-19.)

Outbound Not Compressed
The total number of bytes of data intended for compression that were not compressed. The compression process would actually cause certain data to expand, so this data is left uncompressed. (“A2” in Figure 15-19.)
Monitoring | Statistics | Administrative AAA

If you have configured a TACACS+ server, this screen shows statistics for communications between the VPN Concentrator and the TACACS+ server since the VPN Concentrator was last booted or reset.

Figure 15-20 Monitoring | Statistics | Administrative AAA Screen

IP Address
The IP address of the TACACS+ server.

Pending Requests
The number of requests that have not yet been answered.

Timeouts
The number of times the VPN Concentrator timed out waiting for a request.

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Monitoring | Statistics | MIB-II

This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the VPN Concentrator. MIB-II (Management Information Base, version 2) objects are variables that contain data about the system. They are defined as part of the Simple Network Management Protocol (SNMP), and SNMP-based network management systems can query the VPN Concentrator to gather the data.
Monitoring | Statistics | MIB-II | Interfaces

This screen shows statistics in MIB-II objects for VPN Concentrator interfaces since the system was last booted or reset. This screen also shows statistics for VPN tunnels as logical interfaces. RFC 2233 defines interface MIB objects.

Figure 15-22 Monitoring | Statistics | MIB-II | Interfaces Screen

Refresh
To update the screen and its data, click Refresh.

• Lower Layer Down = not operational because a lower-layer interface is down.
• Unknown = not configured.

Unicast In
The number of unicast packets that were received by this interface. Unicast packets are those addressed to a single host.

Unicast Out
The number of unicast packets that were routed to this interface for transmission, including those that were discarded or not sent. Unicast packets are those addressed to a single host.
Monitoring | Statistics | MIB-II | TCP/UDP

This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN Concentrator since it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB objects.

Figure 15-23 Monitoring | Statistics | MIB-II | TCP/UDP Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

TCP Segments Retransmitted
The total number of segments retransmitted; that is, the number of TCP segments transmitted containing one or more previously transmitted bytes. Segment is the official TCP name for what is casually called a data packet.

TCP Timeout Min
The minimum value permitted for TCP retransmission timeout, measured in milliseconds.

TCP Established Resets
The number of established TCP connections that abruptly closed, bypassing graceful termination.

TCP Current Established
The number of TCP connections that are currently established or are gracefully terminating.

UDP Datagrams Received
The total number of UDP datagrams received. Datagram is the official UDP name for what is casually called a data packet.
Monitoring | Statistics | MIB-II | IP

This screen shows statistics in MIB-II objects for IP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines IP MIB objects.

Figure 15-24 Monitoring | Statistics | MIB-II | IP Screen

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Packets Received (Address Errors)
The number of IP data packets received and discarded because the IP address in the destination field was not a valid address for the VPN Concentrator. This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported classes (for example, Class E).

Packets Received (Unknown Protocols)
The number of IP data packets received and discarded because of an unknown or unsupported protocol.

Packets Transmitted (Requests)
The number of IP data packets that local IP user protocols (including ICMP) supplied to IP in requests for transmission. This number does not include any packets counted in Packets Forwarded.

Fragments Needing Reassembly
The number of IP fragments received by the VPN Concentrator that needed to be reassembled.

Reassembly Successes
The number of IP data packets successfully reassembled.
Monitoring | Statistics | MIB-II | RIP

This screen shows statistics in MIB-II objects for RIP version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1724 defines RIP version 2 MIB objects. To configure RIP on interfaces, see Configuration | Interfaces.

Figure 15-25 Monitoring | Statistics | MIB-II | RIP Screen

Refresh
To update the screen and its data, click Refresh.

Interfaces
This table shows a row of statistics for each configured interface.

Interface Address
The IP address configured on the interface.

Received Bad Packets
The number of RIP response packets received by this interface that were subsequently discarded for any reason (such as wrong version or unknown command type).
Monitoring | Statistics | MIB-II | OSPF

This screen shows statistics in MIB-II objects for OSPF version 2 traffic on the VPN Concentrator since it was last booted or reset. RFC 1850 defines OSPF version 2 MIB objects. To configure OSPF on interfaces, see Configuration | Interfaces. To configure system-wide OSPF parameters, see Configuration | System | IP Routing.

Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.

Router ID
The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier and not an address.

Designated Routers
This table shows a row of statistics for each enabled VPN Concentrator interface. When OSPF routing is enabled on an interface, that interface communicates with other OSPF routers in its area, and each area elects one OSPF router to be the Designated Router.

Interface Address
The IP address of the VPN Concentrator interface that communicates with its area.

State
The state of the relationship with this neighboring OSPF router:
• Down = (Red) The VPN Concentrator has received no recent information from this neighbor. The neighbor might be out of service, or it might not have been in service long enough to establish its presence (at startup).
• Initializing = The VPN Concentrator has received a Hello packet from this neighbor, but it has not yet established bidirectional communication.

AS Border Routers
The total number of Autonomous System border routers reachable within this area.

Area Border Routers
The total number of area border routers reachable within this area.

Area LSA Count
The total number of Link-State Advertisements in the link-state database of this area, excluding AS external LSAs.

Area LSA Checksum
The sum of the checksums of the Link-State Advertisements in the link-state database of this area.

Link State ID
Either a router ID or an IP address that identifies the piece of the routing domain being described by the LSA.

Router ID
The identifier of the router in the Autonomous System that originated this LSA.

Sequence
The sequence number of this LSA. Sequence numbers are linear. They are used to detect old and duplicate LSAs. The larger the number, the more recent the LSA.

Age
The age of the LSA in seconds.
Monitoring | Statistics | MIB-II | ICMP This screen shows statistics in MIB-II objects for ICMP traffic on the VPN Concentrator since it was last booted or reset. RFC 2011 defines ICMP MIB objects. Figure 15-27 Monitoring | Statistics | MIB-II | ICMP Screen Refresh To update the screen and its data, click Refresh. The date and time indicate when the screen was last updated.
Errors Received / Transmitted Received is the number of ICMP messages that the VPN Concentrator received but determined to have ICMP-specific errors (bad ICMP checksums, bad length, etc.). Transmitted is the number of ICMP messages that the VPN Concentrator did not send due to problems within ICMP, such as a lack of buffers. Destination Unreachable Received / Transmitted The number of ICMP Destination Unreachable messages received / sent.
Echo Requests (PINGs) Received / Transmitted The number of ICMP Echo (request) messages received / sent. Echo messages are probably the most visible ICMP messages. They test the communication path between network entities by asking for Echo Reply response messages. Echo Replies (PINGs) Received / Transmitted The number of ICMP Echo Reply messages received / sent.
Monitoring | Statistics | MIB-II | ARP Table This screen shows entries in the Address Resolution Protocol mapping table since the VPN Concentrator was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table. The entries are sorted first by Interface, then by IP Address.
Interface The VPN Concentrator network interface on which this mapping applies:
• 1 = Ethernet 1 (Private) interface.
• 2 = Ethernet 2 (Public) interface.
• 3 = Ethernet 3 (External) interface.
• 8 or greater = WAN interface.
• 1000 and up = VPN tunnels, which are treated as logical interfaces.
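Because the ARP table is only as trustworthy as the replies that populated it, a practical check is to snapshot it periodically and flag any IP whose MAC changed, or any MAC that several IPs on one interface now resolve to. The Python below is an added example, not Cisco code: the three-column text format it parses (interface number, IP address, MAC) and the sample rows are constructed assumptions, so adapt the regular expression to however you export the screen.

```python
"""Snapshot-and-diff check over the VPN Concentrator ARP table.
Added example for this page; the text format and sample rows are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Key = Tuple[int, str]   # (interface number, IP address)


def interface_name(n: int) -> str:
    """Interface numbering as listed on the ARP Table screen."""
    if n == 1:
        return "Ethernet 1 (Private)"
    if n == 2:
        return "Ethernet 2 (Public)"
    if n == 3:
        return "Ethernet 3 (External)"
    if 8 <= n < 1000:
        return "WAN interface"
    if n >= 1000:
        return "VPN tunnel (logical interface)"
    raise ValueError(f"unknown interface number {n}")


# Assumed export format: one entry per line, "<interface> <ip> <mac>".
ROW = re.compile(
    r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s*$"
)


def parse_arp(text: str) -> Dict[Key, str]:
    """Map (interface, ip) -> normalised MAC; lines that are not entries are ignored."""
    table: Dict[Key, str] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        iface, ip, mac = int(m.group(1)), m.group(2), m.group(3)
        interface_name(iface)  # reject numbers the screen never shows
        table[(iface, ip)] = mac.lower().replace("-", ":")
    return table


def diff_arp(before: Dict[Key, str], after: Dict[Key, str]):
    """Return (changed, shared):
    changed: entries whose MAC differs between the snapshots, as key -> (old, new);
    shared:  (interface, mac) -> sorted IPs when one MAC answers for several IPs
             on the same interface in the newer snapshot."""
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    by_mac: Dict[Tuple[int, str], set] = defaultdict(set)
    for (iface, ip), mac in after.items():
        by_mac[(iface, mac)].add(ip)
    shared = {k: sorted(v) for k, v in by_mac.items() if len(v) > 1}
    return changed, shared


# Constructed snapshots, already in the screen's order (interface, then IP).
SNAPSHOT_T0 = """\
1 10.0.0.2 00:10:5a:1b:2c:3d
1 10.0.0.3 00:10:5a:1b:2c:3e
2 192.0.2.1 00:50:56:aa:bb:cc
"""
SNAPSHOT_T1 = """\
1 10.0.0.2 00:10:5a:1b:2c:3d
1 10.0.0.3 00:10:5a:1b:2c:3d
2 192.0.2.1 00:50:56:aa:bb:cc
"""


def report(before_text: str, after_text: str) -> List[str]:
    """Human-readable findings for the two snapshots."""
    changed, shared = diff_arp(parse_arp(before_text), parse_arp(after_text))
    lines = [f"{ip} on {interface_name(i)}: {old} -> {new}"
             for (i, ip), (old, new) in sorted(changed.items())]
    lines += [f"{mac} on {interface_name(i)} now claims {', '.join(ips)}"
              for (i, mac), ips in sorted(shared.items())]
    return lines


if __name__ == "__main__":
    for finding in report(SNAPSHOT_T0, SNAPSHOT_T1):
        print(finding)
```

A MAC that legitimately moves (a replaced NIC, a failover pair) also trips the first check, so treat the output as a review queue rather than an alarm, and keep the snapshots from the Private and Public interfaces separate since the same MAC may appear on both.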
Monitoring | Statistics | MIB-II | Ethernet This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN Concentrator since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650 defines Ethernet interface MIB objects. To configure Ethernet interfaces, see Configuration | Interfaces.
Carrier Sense Errors The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on this interface. SQE Test Errors The number of times that the SQE (Signal Quality Error) Test Error message was generated for this interface. The SQE message tests the collision circuits on an interface.
Excessive Collisions The number of frames for which transmission on this interface failed due to excessive collisions. MAC Errors: Transmit The number of frames for which transmission on this interface failed due to an internal MAC sublayer transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive Collisions.
Monitoring | Statistics | MIB-II | SNMP This screen shows statistics in MIB-II objects for SNMP traffic on the VPN Concentrator since it was last booted or reset. RFC 1907 defines SNMP version 2 MIB objects. To configure the VPN Concentrator SNMP server, see Configuration | System | Management Protocols | SNMP. Figure 15-30 Monitoring | Statistics | MIB-II | SNMP Screen Refresh To update the screen and its data, click Refresh.
Silent Drops The total number of SNMP request messages that were silently dropped because the reply exceeded the maximum allowable message size. Proxy Drops The total number of SNMP request messages that were silently dropped because the transmission of the reply message to a proxy target failed for some reason (other than a timeout).
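All of the ICMP, Ethernet and SNMP figures on these screens are cumulative totals since the last boot or reset, so a trend or an alert has to be computed from the difference between two readings, and a counter that goes backwards means the box rebooted or the statistics were cleared, not that the rate was negative. The following Python is an added example for this page, not Cisco code; the counter names, the readings and the thresholds are constructed for illustration.

```python
"""Turning cumulative statistics screens into rates and alerts.
Added example for this page; the counter names, readings and thresholds are
constructed, and every figure is the screen's 'since last boot or reset' total."""
from typing import Dict, List, Optional, Tuple


def counter_delta(prev: int, cur: int) -> Optional[int]:
    """Growth of one cumulative counter, or None when it went backwards,
    which means a reboot or a statistics reset between the two readings."""
    if cur < prev:
        return None
    return cur - prev


def rates(prev: Dict[str, int], cur: Dict[str, int],
          interval_s: float) -> Tuple[Dict[str, float], bool]:
    """Per-second rate of every counter present in both readings.
    The flag is True when any counter reset; those counters are left out of
    the result rather than reported as a negative or meaningless rate."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    out: Dict[str, float] = {}
    reset_seen = False
    for name, value in cur.items():
        if name not in prev:
            continue
        d = counter_delta(prev[name], value)
        if d is None:
            reset_seen = True
            continue
        out[name] = d / interval_s
    return out, reset_seen


def exceeded(rate_map: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """Counters whose rate is above the configured per-second threshold."""
    return sorted(n for n, r in rate_map.items()
                  if n in thresholds and r > thresholds[n])


# Constructed readings one minute apart, mixing fields from the ICMP,
# Ethernet and SNMP screens.
T0 = {"icmp_dest_unreach_tx": 100, "icmp_echo_req_rx": 500,
      "eth_excessive_collisions": 3, "snmp_silent_drops": 0}
T1 = {"icmp_dest_unreach_tx": 1300, "icmp_echo_req_rx": 560,
      "eth_excessive_collisions": 3, "snmp_silent_drops": 0}
# A reading taken after the concentrator rebooted: totals restarted from zero.
T2 = {"icmp_dest_unreach_tx": 10, "icmp_echo_req_rx": 4,
      "eth_excessive_collisions": 0, "snmp_silent_drops": 0}

THRESHOLDS = {"icmp_dest_unreach_tx": 5.0,     # a burst of unreachables from the box itself
              "eth_excessive_collisions": 0.1,  # a healthy link is nearly collision free
              "snmp_silent_drops": 0.0}         # any silent drop hides an answer from a poller


if __name__ == "__main__":
    r, reset = rates(T0, T1, 60)
    print(r, reset, exceeded(r, THRESHOLDS))
    r, reset = rates(T1, T2, 60)
    print(r, reset)
```

When the reset flag is raised, discard that interval and start again from the new reading; averaging across a reboot would hide both the outage and whatever the counters were showing just before it.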
APPENDIX A Using the Command-Line Interface The VPN 3000 Concentrator Series Command-Line Interface (CLI) is a menu- and command-line-based configuration, administration, and monitoring system built into the VPN Concentrator. You use it via the system console or a Telnet (SSL Telnet or SSH) session. You can use the CLI to completely manage the system. You can access and configure the same parameters as the HTML-based VPN 3000 Concentrator Series Manager, except for IPSec LAN-to-LAN configuration.
Accessing the CLI You can access the CLI in two ways: via the system console or a Telnet (or Telnet over SSL) client. Console access To access the CLI via console: Step 1 Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable (which Cisco supplies with the system) between the Console port on the VPN Concentrator and the COM1 or serial port on the PC.
SSH Access To access the CLI via an SSH client: Step 1 Enable the SSH server on the VPN Concentrator. (It is enabled by default.) See the Configuration | System | Management Protocols | SSH screen on the VPN Concentrator Manager. Step 2 Start the SSH client, and connect to the remote system using these parameters: • Host Name or Session Name = The IP address on the VPN Concentrator Ethernet 1 (Private) interface; e.g., 10.10.147.
Starting the CLI You start the CLI by logging in. CLI login usernames and passwords for both console and Telnet access are the same as those configured and enabled for administrators. See the Administration | Access Rights | Administrators screen. By default, only admin is enabled. This example uses the factory-supplied default admin login and password. If you have changed them, use your entries.
Using the CLI This section explains how to:
• Choose menu items.
• Enter values for parameters and options.
• Specify configured items by number or name.
• Navigate quickly—using shortcuts—through the menus.
• Display a brief help message.
• Save entries to the system configuration file.
• Stop the CLI.
• Understand CLI administrator access rights.
Specifying Configured Items Many menus give choices that act on configured items—such as groups, users, filter rules, etc.—and the CLI lists those items with a number and their name. To specify an item, you can usually enter either its number or its name. The CLI indicates when you must use a specific identifier (usually the item’s number).
Navigating Quickly through the CLI There are two ways to move quickly through the CLI: shortcut numbers, and the Back/Home options. Both ways work only when you are at a menu, not when you are at a value entry. Using Shortcut Numbers Once you become familiar with the structure of the CLI—which parallels the HTML-based VPN Concentrator Manager—you can quickly access any level by entering a series of numbers separated by periods.
As a shortcut, you can just enter 1.3.1.1 at the Main-> prompt, and move directly to the Base Group General Parameters menu:

1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit

Main -> 1.3.1.1

1) Access Parameters
2) Tunneling Protocols
3) SEP Config
4) Back

Base Group -> _

The prompt always shows the current context in the menu structure.
Saving the Configuration File Configuration and administration entries take effect immediately and are included in the active, or running, configuration. However, if you reboot the VPN Concentrator without saving the active configuration, you lose any changes. To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt, enter 4 for Save changes to Config file.
CLI Menu Reference This section shows all the menus in the first three levels below the CLI main menu. (There are many additional menus below the third level; and within the first three levels, there are some non-menu parameter settings. To keep this chapter at a reasonable size, we show only the menus here.) The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For example, entering 1.3.
1 Configuration
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> _
1.1 Configuration > Interface Configuration
This table shows current IP addresses. . . .
Note The following menu appears on models 3015–3080 only.
1.1.4 Configuration > Interface Configuration > Configure Power Supplies
Note The following menu appears on models 3015–3080 only.
Alarm Thresholds in centivolts (e.g. 361 = 3.61V)
Voltages will be adjusted to conform to the hardware.
1) Configure CPU voltage thresholds
2) Configure Power Supply 1 voltage thresholds
3) Configure Power Supply 2 voltage thresholds
4) Configure Board voltage thresholds
5) Back
Interfaces -> _
1.1.
1.1.4 Configuration > Interface Configuration > Configure Expansion Cards
Note The following menu appears on model 3005 only.
Expansion Card:
1) Configure Expansion Card
2) Back
Interfaces -> _
1.2 Configuration > System Management
1) Servers (Authentication, Accounting, etc.)
2) Address Management
3) Tunneling Protocols (PPTP, L2TP, etc.)
4) IP Routing (static routes, OSPF, etc.)
5) Management Protocols (Telnet, TFTP, FTP, etc.
1.2.3 Configuration > System Management > Tunneling Protocols
1) PPTP
2) L2TP
3) IKE Proposals
4) Back
Tunnel -> _
Note The CLI does not include IPSec LAN-to-LAN configuration.
1.2.4 Configuration > System Management > IP Routing
1) Static Routes
2) Default Gateways
3) OSPF
4) OSPF Areas
5) DHCP
6) Redundancy
7) Back
Routing -> _
1.2.
1.2.7 Configuration > System Management > General Config
1) System Identification
2) System Time and Date
3) Session Configuration
4) Global Authentication Parameters
5) Back
General -> _
1.2.8 Configuration > System Management > Client Update
1) Client Update Enable
2) Client Update Entries
3) Back
Client Update -> _
1.2.
1.3.2 Configuration > User Management > Groups
Current User Groups . . .
1) Add a Group
2) Modify a Group
3) Delete a Group
4) Back
Groups -> _
1.3.3 Configuration > User Management > Users
Current Users . . .
1) Add a User
2) Modify a User
3) Delete a User
4) Back
Users -> _
1.4 Configuration > Policy Management
1) Access Hours
2) Traffic Management
3) Back
Policy -> _
1.4.
2 Administration
1) Administer Sessions
2) Software Update
3) System Reboot
4) Ping
5) Access Rights
6) File Management
7) Certificate Management
8) Back
Admin -> _
2.1 Administration > Administer Sessions
Active Sessions . . .
1) Refresh Session Status
2) Logoff Session
3) Session Details
4) Filter Sessions on Group
5) Back
Admin -> _
2.2 Administration > Software Update
1) Concentrator
2) Clients
3) Back
Admin -> _
2.
2.3.3 Administration > System Reboot > Schedule Shutdown
1) Save active configuration and use it at next reboot
2) Shutdown without saving active Configuration file
3) Use Factory/Default Configuration at next reboot
4) Back
Admin -> _
2.5 Administration > Access Rights
1) Administrators
2) Access Control List
3) Access Settings
4) Admin AAA Servers
5) Back
Admin -> _
2.5.
2.5.4 Administration > Access Rights > Admin AAA Servers
1) Authentication Servers
2) Back
Admin -> _
2.6 Administration > File Management
List of Files . . .
1) Delete File
2) Copy File
3) View File
4) Put File via TFTP
5) Get File via TFTP
6) Swap Config Files
7) Upload Config Files
8) Back
File -> _
2.6.6 Administration > File Management > Swap Configuration File
Every time the active configuration is saved,... . . .
2.7.3 Administration > Certificate Management > Certificate Authorities
Certificate Authorities . . .
1) View Certificate
2) Delete Certificate
3) CRL Configuration
4) Back
Certificates -> _
2.7.4 Administration > Certificate Management > Identity Certificates
Identity Certificates . . .
1) View Certificate
2) Delete Certificate
3) Back
Certificates -> _
2.7.5 Administration > Certificate Management > SSL Certificate
Subject . . .
3 Monitoring
1) Routing Table
2) Event Log
3) System Status
4) Sessions
5) General Statistics
6) Back
Monitor -> _
3.1 Monitoring > Routing Table
Routing Table . . .
1) Refresh Routing Table
2) Clear Routing Table
3) Back
Routing -> _
3.2 Monitoring > Event Log
1) Configure Log viewing parameters
2) View Event Log
3) Save Log
4) Clear Log
5) Back
Log -> _
3.2.2 Monitoring > Event Log > View Event Log
[Event Log entries] . . .
3.3 Monitoring > System Status
Note The following menu appears on models 3015–3080 only.
System Status . . .
1) Refresh System Status
2) View Card Status
3) View LED status
4) Back
Status -> _
Note The following menu appears on model 3005 only.
System Status . . .
1) Refresh System Status
2) View Card Status
3) Back
Status ->
3.3.2 Monitoring > System Status > View Card Status
Note The following menu appears on models 3015–3080 only.
3.4 Monitoring > Sessions
Note The following menu appears on models 3015–3080 only.
1) View Session Statistics
2) View Top Ten Lists
3) View Session Protocols
4) View Session SEPs
5) View Session Encryption
6) Select Group to View
7) Back
Sessions -> _
Note The following menu appears on model 3005 only.
3.4.4 View Session SEPS
Session SEPs . . .
1) Refresh Session SEPs
2) Back
Session ->
3.4.5 Monitoring > Sessions > View Session Encryption
Session Encryption . . .
1) Refresh Session Encryption
2) Back
Sessions -> _
3.4.6 Monitoring > Sessions > Select Group to View
Current User Groups . . .
> Group to view (-1 for All Groups, 0 for Base Group)
Sessions ->
3.
3.5.2 Monitoring > General Statistics > Server Statistics
1) Authentication Statistics
2) Accounting Statistics
3) Filtering Statistics
4) DHCP Statistics
5) Address Pool Statistics
6) Load Balancing Statistics
7) Compression Statistics
8) Admin AAA Authentication Statistics
9) Back
General -> _
3.5.3 Monitoring > General Statistics > Event Statistics
Event Statistics . . .
1) Refresh Event Statistics
2) Back
General -> _
3.5.
APPENDIX B Troubleshooting and System Errors This appendix describes common errors that can occur while configuring and using the system, and how to correct them. It also describes LED indicators on the system and its expansion modules. Files for Troubleshooting The VPN 3000 Concentrator creates several files that you can examine and that can assist Cisco support engineers when troubleshooting errors and problems: • Event log. • SAVELOG.
Configuration Files The VPN Concentrator saves the current boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See Administration | File Management | Files for information on managing files in flash memory.
Table B-1 VPN Concentrator Manager Errors (continued)

Symptom: The Manager displays the Invalid Login or Session Timeout screen.
Problem: The Manager session has been idle longer than the configured timeout interval.

Symptom: The Manager displays a screen with the message, “Error/An error has occurred while attempting to perform the operation.”
Problem: You tried to perform some operation that is not allowed.
Table B-1 VPN Concentrator Manager Errors (continued)

Symptom: The Manager displays a screen with the message, “Not Allowed/You do not have sufficient authorization to access the specified page.”
Problem: You tried to access an area of the Manager that you do not have authorization to access.
Possible Cause:
• You logged in using an administrator login name that has limited privileges.
Command-Line Interface Errors Table B-2 lists errors that might occur while using the menu-based Command-line Interface from a console or Telnet session.

Table B-2 VPN 3000 Concentrator Command-Line Interface Errors

Console Message: ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID.
Problem: The system expected a valid 4-byte dotted decimal entry, and the entry wasn’t in that format.

Console Message: ERROR:-- Out of Range Value Entered.
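The first two messages in Table B-2 come from the CLI's own input checks: a dotted-decimal field must be exactly four decimal octets, and a numeric value must fall inside the range the menu allows. The Python below is an added example of the same kind of checks, written for this page rather than taken from the VPN Concentrator; the extra contiguity rules for subnet masks (ones then zeros) and wildcard masks (zeros then ones), and the sample inputs, are the example's own assumptions.

```python
"""Input checks behind the first two Table B-2 messages.
Added example for this page, not the VPN Concentrator's own code; the
contiguity rules for masks and the sample inputs are the example's assumptions."""
from typing import Optional

DOTTED_QUAD_KINDS = ("ip_address", "subnet_mask", "wildcard_mask", "area_id")


def parse_dotted_quad(text: str) -> Optional[int]:
    """Return the 32-bit value of a strict dotted-decimal entry, or None.
    Strict means exactly four fields, each 1-3 ASCII digits in 0..255:
    no shorthand ('10.1'), no hex, no signs, no Unicode digits."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    value = 0
    for p in parts:
        if not (1 <= len(p) <= 3) or any(c not in "0123456789" for c in p):
            return None
        octet = int(p)
        if octet > 255:
            return None
        value = (value << 8) | octet
    return value


def is_subnet_mask(v: int) -> bool:
    """Ones followed by zeros: ~v must look like 2**k - 1."""
    inv = ~v & 0xFFFFFFFF
    return inv & (inv + 1) == 0


def is_wildcard_mask(v: int) -> bool:
    """Zeros followed by ones: v must look like 2**k - 1."""
    return v & (v + 1) == 0


def validate_dotted_quad(kind: str, text: str) -> bool:
    """Apply the format check every kind shares, then the kind-specific rule."""
    if kind not in DOTTED_QUAD_KINDS:
        raise ValueError(f"unknown field kind {kind!r}")
    v = parse_dotted_quad(text)
    if v is None:
        return False   # 'ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID.'
    if kind == "subnet_mask":
        return is_subnet_mask(v)
    if kind == "wildcard_mask":
        return is_wildcard_mask(v)
    return True        # any dotted quad is an acceptable address or area ID here


def validate_range(text: str, low: int, high: int) -> Optional[int]:
    """Strict decimal integer within [low, high], else None
    ('ERROR:-- Out of Range Value Entered.' covers both cases for the CLI user)."""
    s = text.strip()
    if not s or any(c not in "0123456789" for c in s):
        return None
    n = int(s)
    return n if low <= n <= high else None


if __name__ == "__main__":
    for kind, entry in (("subnet_mask", "255.255.255.0"), ("subnet_mask", "255.255.0.255"),
                        ("wildcard_mask", "0.0.0.255"), ("ip_address", "10.1")):
        print(kind, entry, validate_dotted_quad(kind, entry))
    print(validate_range("70000", 1, 65535))
```

Rejecting the entry outright, instead of guessing what a shorthand or a non-contiguous mask was meant to be, is what keeps a typo in a routing or filter field from silently widening the match; the CLI's single error message for all four field kinds reflects the same rule.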
LED Indicators LED indicators on the VPN Concentrator and its expansion modules are normally green. The usage gauge LEDs are normally blue. LEDs that are amber or off might indicate an error condition. NA means not applicable; that is, the LED does not have that state. Contact TAC if any LED indicates an error condition.
Usage Gauge LEDs (Models 3015–3080 only)

Usage gauge LEDs                                    Steady or Intermittent Blue   Blinking Blue
Left to right sequential segments, varying number   Normal operation.             NA
All 10 segments                                     NA                            VPN Concentrator is in a shutdown (halted) state, ready to power off.

VPN Concentrator Rear LEDs The LEDs on the rear of the VPN 3000 Concentrator are as follows:

LED Indicator   Green                       Amber   Off
Link            Carrier detected. Normal.   NA      No carrier detected. Error.
WAN Interface Module LEDs WAN module LEDs are visible from the rear of the VPN Concentrator. WAN Module LED On Blinking Off Normal operation. NA Power is not reaching the module. It may not be seated correctly. Error. Module has passed diagnostics and is operational. Normal. Module failed diagnostics. Error. Module has failed. Error.
This table shows all possible combinations for the LEDs on each WAN port.

WAN Port LEDs (Alrm = Alarm, CD = Carrier Detect, Sync = Synchronization, LpBk = Loopback)

Alrm   CD    Sync   LpBk   Condition
Off    On    On     Off    Normal operation. Carrier detected, line in synchronization.
Off    Off   Off    On     Line is in loopback mode. This mode occurs, for example, when you install the line and the carrier is testing the signal. You can also set loopback mode by pressing the LpBk switch.
APPENDIX C Copyrights, Licenses, and Notices Software License Agreement of Cisco Systems, Inc. CISCO SYSTEMS, INC. IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND CONDITIONS IN THIS LICENSE AGREEMENT. PLEASE READ THIS AGREEMENT CAREFULLY BEFORE YOU OPEN THE PACKAGE BECAUSE, BY OPENING THE SEALED PACKAGE, YOU ARE AGREEING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS AGREEMENT.
4. You may permanently transfer the Software and accompanying written materials (including the most recent update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and only if you retain no copies and the transferee agrees to be bound by the terms of this Agreement. Any transfer terminates your license.
WHICH IS RETURNED TO CISCO SYSTEMS TOGETHER WITH A COPY OF YOUR RECEIPT. Any replacement Software will be warranted for the remainder of the original warranty period or 30 days, whichever is longer. These remedies are not available outside the United States of America. 14. This Limited Warranty is void if failure of the Software has resulted from modification, accident, abuse, or misapplication. 15.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
International Business Machines, Inc.
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
RSA Software Copyright © 1995-1998 RSA Data Security, Inc. All rights reserved. This work contains proprietary information of RSA Data Security, Inc. Distribution is limited to authorized licensees of RSA Data Security, Inc. Any unauthorized reproduction or distribution of this document is strictly prohibited. BSAFE is a trademark of RSA Data Security, Inc. SecureID SecureID is a product of RSA Security Inc., Bedford, MA.
SSH Copyright © 1993, 1995-2000 by DataFellows, Inc. All rights reserved. SSL Plus Certicom, the Certicom logo, SSL Plus, and Security Builder are trademarks of Certicom Corp. Copyright © 1997-1999 Certicom Corp. Portions are Copyright © 1997-1998, Consensus Development Corporation, a wholly owned subsidiary of Certicom Corp. All rights reserved. Contains an implementation of NR signatures, licensed under U.S. patent 5,600,725. Protected by U.S.
Telnet Server Copyright phase2 networks 1996. All rights reserved. SID: 1.1 Revision History: 1.197/06/23 21:17:43 root Regulatory Standards Compliance Standards Compliance The VPN 3000 Concentrator complies with the following regulatory standards: Specification Description Regulatory compliance Products bear CE Marking indicating compliance with (99/5/EEC) directives, which includes the following safety and EMC standards.
FCC Part 68 Notice The equipment complies with Part 68 of the FCC rules. On the tray of this equipment is a label that contains, among other information, the FCC registration number. If requested, this information must be provided to the telephone company. This equipment cannot be used on telephone company-provided coin services. Connection to the Party Line Service is subject to state tariffs.
Warning Do not attempt to make such connections yourself. Contact the appropriate electric inspection authority or electrician as appropriate.

Table C-1 CS03 Approval

Model Number   Approval Number
CVPN3005-T1    #2461 10854 A
CVPN3000-2T1   #2461 10854 A

JATE The equipment meets the requirements of the Japan Approvals Institute for Telecommunications Equipment (JATE). Refer to Table C-2 for JATE approval details.
(FCC) Class A Warning “Modifying the equipment without Cisco's authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.” [cfr reference 15.
Hungarian Class A Warning Figyelmeztetés a felhasználói kézikönyv számára: Ez a berendezés "A" osztályú termék, felhasználására és üzembe helyezésére a magyar EMC "A" osztályú követelményeknek (MSZ EN 55022) megfeleloen kerülhet sor, illetve ezen "A" osztályú berendezések csak megfelelo kereskedelmi forrásból származhatnak, amelyek biztosítják a megfelelo speciális üzembe helyezési körülményeket és biztonságos üzemelési távolság