Cisco 3005 - VPN Concentrator - Gateway Specifications

VPN 3000 Series Concentrator Reference
Volume II: Administration and Monitoring
Release 3.1
August 2001
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Customer Order Number: DOC-7813274=
Text Part Number: 78-13274-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR
APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED
“AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring
Copyright © 2001, Cisco Systems, Inc.
All rights reserved.
Contents

Preface
  Audience
  Prerequisites
  Organization
  Related Documentation
  Conventions
  Obtaining Documentation
  Obtaining Technical Assistance

Part 1: Administration
  Chapter 1: Administration
  Chapter 2: Administer Sessions
    Administer Sessions | Detail
  Chapter 3: Software Update
    Software Update | Concentrator
    Software Update | Clients
  Chapter 4: System Reboot
  Chapter 5: Ping
  Chapter 6: Monitoring Refresh
  Chapter 7: Access Rights
    Access Rights | Administrators
    Access Rights | Administrators | Modify Properties
    Access Rights | Access Control List
    Access Rights | Access Control List | Add or Modify
    Access Rights | Access Settings
    Access Rights | AAA Servers
    Access Rights | AAA Servers | Authentication
    Access Rights | AAA Servers | Add or Modify
    Access Rights | AAA Servers | Test
    Access Rights | AAA Servers | Authentication Success
    Access Rights | AAA Servers | Authentication Error
  Chapter 8: File Management
    File Management | Files
    File Management | Swap Configuration Files
    File Management | TFTP Transfer
    File Management | File Upload
  Chapter 9: Certificate Management
    Certificate Management | Enrollment
    Certificate Management | Enrollment | Request Generated
    Certificate Management | Installation
    Certificate Management | Certificates
    Certificate Management | Certificates | View
    Certificate Management | Certificates | CRL
    Certificate Management | Certificates | Delete

Part 2: Monitoring
  Chapter 10: Monitoring
  Chapter 11: Routing Table
  Chapter 12: Filterable Event Log
    Live Event Log
  Chapter 13: System Status
    System Status | Ethernet Interface
    System Status | Dual T1/E1 WAN Slot N
    System Status | Power
    System Status | SEP
    System Status | LED Status
  Chapter 14: Sessions
    Sessions | Detail
    Sessions | Protocols
    Sessions | SEPs
    Sessions | Encryption
    Sessions | Top Ten Lists
    Sessions | Top Ten Lists | Data
    Sessions | Top Ten Lists | Duration
    Sessions | Top Ten Lists | Throughput
  Chapter 15: Statistics
    Statistics | PPTP
    Statistics | L2TP
    Statistics | IPSec
    Statistics | HTTP
    Statistics | Events
    Statistics | Telnet
    Statistics | DNS
    Statistics | Authentication
    Statistics | Accounting
    Statistics | Filtering
    Statistics | VRRP
    Statistics | SSL
    Statistics | DHCP
    Statistics | Address Pools
    Statistics | SSH
    Statistics | Load Balancing
    Statistics | Compression
    Statistics | Administrative AAA
    Statistics | MIB-II
    Statistics | MIB-II | Interfaces
    Statistics | MIB-II | TCP/UDP
    Statistics | MIB-II | IP
    Statistics | MIB-II | RIP
    Statistics | MIB-II | OSPF
    Statistics | MIB-II | ICMP
    Statistics | MIB-II | ARP Table
    Statistics | MIB-II | Ethernet
    Statistics | MIB-II | SNMP

Appendix A: Using the Command-Line Interface
Appendix B: Troubleshooting and System Errors
Appendix C: Copyrights, Licenses, and Notices
Index
Preface
The VPN Concentrator provides an HTML-based graphic interface, called the VPN Concentrator
Manager, that allows you to configure, administer, and monitor your device easily. The VPN
Concentrator Manager has three sets of screens that correspond to these tasks: Configuration screens,
Administration screens, and Monitoring screens.
VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring is the second in the
two volume VPN 3000 Series Concentrator Reference. Together, both volumes document all the screens
of the VPN Concentrator Manager.
• VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the VPN Concentrator Manager. It details the Configuration screens and explains how to configure your device beyond the minimal parameters you set during quick configuration.
• VPN 3000 Series Concentrator Reference Volume II: Administration and Monitoring provides guidelines for administering and monitoring the VPN Concentrator. It explains and defines all functions available in the Administration and Monitoring screens of the VPN Concentrator Manager. Appendixes to this manual provide troubleshooting guidance and explain how to access and use the alternate command-line interface.
This manual contains only administration and monitoring information. It does not contain any
information about configuring the VPN Concentrator. For configuration information, refer to VPN 3000
Series Concentrator Reference Volume I: Configuration.
This manual also contains no information about installing the VPN Concentrator and initially
configuring it. For information about set-up and initial configuration, refer to VPN 3000 Series
Concentrator Getting Started.
Audience
We assume you are an experienced system administrator or network administrator with appropriate
education and training, who knows how to install, configure, and manage internetworking systems.
However, virtual private networks and VPN devices might be new to you. You should be familiar with
Windows system configuration and management, and you should be familiar with Microsoft Internet
Explorer or Netscape Navigator or Communicator browsers.
Prerequisites
We assume you have read the VPN 3000 Series Concentrator Getting Started manual, set up your VPN
Concentrator, and followed the minimal configuration steps in quick configuration.
Organization
Note: This guide is the second volume of the complete VPN Concentrator Manager reference. It documents only administration and monitoring tasks. For information on configuring your VPN Concentrator, refer to VPN 3000 Series Concentrator Reference Volume I: Configuration.
The chapters and sections of this guide correspond to the Administration and Monitoring parts of the
VPN Concentrator Manager table of contents (the left frame of the Manager browser window) and are
in the same order they appear there.
This guide has two parts:
• Part 1, “Administration,” explains and defines all functions available in the Administration screens of the VPN Concentrator Manager.
• Part 2, “Monitoring,” explains and defines all functions available in the Monitoring screens of the VPN Concentrator Manager.
This guide is organized as follows:

Part One: Administration

Chapter 1, Administration: Explains how to access the Administration screens.
Chapter 2, Administer Sessions: Explains how to view statistics for all active sessions, to test if particular sessions are active, and to terminate sessions.
Chapter 3, Software Update: Explains how to update both the VPN Concentrator system software and the VPN Client software.
Chapter 4, System Reboot: Explains how to reboot or shut down the system.
Chapter 5, Ping: Explains how to test network connectivity.
Chapter 6, Monitoring Refresh: Explains how to set the status and statistics screens to refresh automatically.
Chapter 7, Access Rights: Explains how to configure and control administrative access to the VPN Concentrator.
Chapter 8, File Management: Explains how to manage files on the VPN Concentrator. It describes how to copy, view, and delete system files; how to swap backup and boot configuration files; and how to transfer files to and from the VPN Concentrator using TFTP, or to the VPN Concentrator using HTTP.
Chapter 9, Certificate Management: Explains how to manage digital certificates. It describes how to create a certificate request to enroll with a Certificate Authority (CA); how to install certificates on the VPN Concentrator; how to view, delete, and generate certificates; and how to configure revocation checking.

Part Two: Monitoring

Chapter 10, Monitoring: Explains how to access the Monitoring screens.
Chapter 11, Routing Table: Explains how to view routing statistics.
Chapter 12, Filterable Event Log: Explains how to view and manage the event log file.
Chapter 13, System Status: Explains how to view the status of SEP modules, system power supplies, network interfaces, and several software and hardware variables.
Chapter 14, Sessions: Explains how to view data for all active user and administrator sessions.
Chapter 15, Statistics: Explains how to view statistics for traffic on the VPN Concentrator and for current tunneled sessions, plus statistics in standard MIB-II objects for interfaces, TCP/UDP, IP, ICMP, and the ARP table.

Appendix A, Using the Command-Line Interface: Explains how to use the built-in menu and command line based administrative management system via the system console or a Telnet session. With the CLI, you can access and configure all the same parameters as the HTML-based VPN Concentrator Manager.
Appendix B, Troubleshooting and System Errors: Describes common errors that can occur while configuring the system, and how to correct them. It also describes all system and module LED indicators.
Appendix C, Copyrights, Licenses, and Notices: Provides all copyright and license information for Cisco software on the VPN Concentrator, and for software that the system uses under license from other firms.
Related Documentation
Refer to the following documents for further information about Cisco VPN applications and products.
VPN 3000 Series Concentrator Documentation
The VPN 3000 Series Concentrator Reference Volume I: Configuration explains how to start and use the
VPN Concentrator Manager. It details the Configuration screens and explains how to configure your
device beyond the minimal parameters you set during quick configuration.
The VPN Concentrator Manager also includes online help that you can access by clicking the Help icon
on the toolbar in the Manager window.
The VPN 3000 Series Concentrator Getting Started manual takes you from unpacking and installing the
VPN 3000 Series Concentrator, through configuring the minimal parameters to make it operational
(called quick configuration).
VPN Client Documentation
The VPN Client User Guide explains how to install, configure, and use the VPN Client, which lets a
remote client use the IPSec tunneling protocol for secure connection to a private network through the
VPN Concentrator.
The VPN Client Administrator Guide tells how to configure a VPN 3000 Concentrator for remote user
connections using the VPN Client, how to automate remote user profiles, how to use the VPN Client
command-line interface, and how to get troubleshooting information.
VPN 3002 Hardware Client Documentation
The VPN 3002 Hardware Client Reference provides details on all the functions available in the VPN
3002 Hardware Client Manager. This manual is online only.
The VPN 3002 Hardware Client Getting Started manual provides information to take you from
unpacking and installing the VPN 3002, through configuring the minimal parameters to make it
operational (called Quick Configuration). This manual is available only online.
The VPN 3002 Hardware Client Quick Start Card summarizes the information for quick configuration.
This quick reference card is provided with the VPN 3002 and is also available online.
The VPN 3002 Hardware Client Basic Information sticky label summarizes information for quick
configuration. It is provided with the VPN 3002 and you can also print it from the online version; you
can affix the label to the VPN 3002.
Documentation on VPN Software Distribution CDs
The VPN 3000 Series Concentrator and VPN 3002 Hardware Client documentation are provided on the
VPN 3000 Concentrator software distribution CD-ROM in PDF format. The VPN Client documentation
is included on the VPN Client software distribution CD-ROM, also in PDF format. To view the latest
versions on the Cisco website, click the Support icon on the toolbar at the top of the VPN Concentrator
Manager, Hardware Client Manager, or Client window. To open the documentation, you need Acrobat
Reader 3.0 or later; version 4.5 is included on the Cisco VPN 3000 Concentrator software distribution
CD-ROM and on the VPN Client software distribution CD-ROM.
Other References
Other useful references include:
• Cisco Systems, Dictionary of Internetworking Terms and Acronyms. Cisco Press: 2001.
• Virtual Private Networking: An Overview. Microsoft Corporation: 1999. (Available from Microsoft website.)
• www.ietf.org for Internet Engineering Task Force (IETF) Working Group drafts on IP Security Protocol (IPSec).
• www.whatis.com, a web reference site with definitions for computer, networking, and data communication terms.
Conventions
This document uses the following conventions:
boldface font: Commands and keywords are in boldface.
italic font: Arguments for which you supply values are in italics.
screen font: Terminal sessions and information the system displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
^: The symbol ^ represents the key labeled Control. For example, the key combination ^D in a screen display means hold down the Control key while you press the D key.
Notes use the following conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the publication.

Tips use the following conventions:
Tips: Means the following are useful tips.

Cautions use the following conventions:
Caution: Means reader be careful. Cautions alert you to actions or conditions that could result in equipment damage or loss of data.

Warning: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, you must be aware of the hazards involved with electrical circuitry and familiar with standard practices for preventing accidents.
Data Formats
As you configure and manage the system, enter data in the following formats unless the instructions
indicate otherwise:
IP Addresses: IP addresses use 4-byte dotted decimal notation (for example, 192.168.12.34); as the example indicates, you can omit leading zeros in a byte position.
Subnet Masks and Wildcard Masks: Subnet masks use 4-byte dotted decimal notation (for example, 255.255.255.0). Wildcard masks use the same notation (for example, 0.0.0.255); as the example illustrates, you can omit leading zeros in a byte position.
MAC Addresses: MAC addresses use 6-byte hexadecimal notation (for example, 00.10.5A.1F.4F.07).
Host names: Host names use legitimate network host name or end-system name notation (for example, VPN01). Spaces are not allowed. A host name must uniquely identify a specific system on a network.
Text Strings: Text strings use upper- and lower-case alphanumeric characters. Most text strings are case-sensitive (for example, simon and Simon represent different usernames). In most cases, the maximum length of text strings is 48 characters.
Filenames: Filenames on the VPN Concentrator follow the DOS 8.3 naming convention: a maximum of eight characters for the name, plus a maximum of three characters for an extension. For example, LOG00007.TXT is a legitimate filename. The VPN Concentrator always stores filenames in uppercase.
Port Numbers: Port numbers use decimal numbers from 0 to 65535. No commas or spaces are permitted in a number.
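The formats in the table above are simple enough to check mechanically before an administrator pastes them into a Manager form or into a script that drives the CLI, which catches a mistyped mask or a 9-character filename before the device rejects it. The following Python validator is an added example written for this page; it is not code from the manual or from Cisco. The regular expressions, the contiguous-bit rule used for subnet and wildcard masks, and the character set allowed in 8.3 filenames are assumptions chosen to match the table, and the sample inputs are constructed.

```python
import re

# All patterns below are assumptions made for this example: they encode the
# Data Formats table of the manual, not any parser shipped on the concentrator.
_DOTTED_QUAD = re.compile(r"^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$")
_MAC = re.compile(r"^[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{2}){5}$")
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_NAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")
# DOS 8.3: up to 8 name characters, optional dot plus up to 3 extension characters.
_FILENAME = re.compile(r"^[A-Z0-9_~!@#$%^&(){}\-]{1,8}(\.[A-Z0-9_~!@#$%^&(){}\-]{1,3})?$")
_PORT = re.compile(r"^[0-9]{1,5}$")


def parse_dotted_quad(text):
    """Return the four octets of a 4-byte dotted decimal string, or None.

    Leading zeros in a byte position are allowed, so 192.168.012.034 parses
    the same as 192.168.12.34; any octet above 255 is rejected.
    """
    m = _DOTTED_QUAD.match(text.strip())
    if m is None:
        return None
    octets = [int(o) for o in m.groups()]
    return octets if all(o <= 255 for o in octets) else None


def is_ip_address(text):
    return parse_dotted_quad(text) is not None


def _to_u32(octets):
    return int.from_bytes(bytes(octets), "big")


def is_subnet_mask(text):
    """Dotted quad whose 32-bit value is a run of 1 bits followed only by 0 bits."""
    octets = parse_dotted_quad(text)
    if octets is None:
        return False
    zeros = (~_to_u32(octets)) & 0xFFFFFFFF  # the trailing 0 bits, inverted
    return zeros & (zeros + 1) == 0          # true only when zeros == 2**k - 1


def is_wildcard_mask(text):
    """Inverse of a subnet mask: 0 bits followed only by 1 bits (assumed contiguous)."""
    octets = parse_dotted_quad(text)
    if octets is None:
        return False
    ones = _to_u32(octets)
    return ones & (ones + 1) == 0


def wildcard_for(subnet_mask):
    """Subnet mask to wildcard mask in the same notation: 255.255.255.0 -> 0.0.0.255."""
    octets = parse_dotted_quad(subnet_mask)
    if octets is None or not is_subnet_mask(subnet_mask):
        return None
    return ".".join(str(255 - o) for o in octets)


def parse_mac(text):
    """Six bytes of a dot-separated hexadecimal MAC (00.10.5A.1F.4F.07), or None."""
    text = text.strip()
    if _MAC.match(text) is None:
        return None
    return bytes(int(part, 16) for part in text.split("."))


def is_host_name(text):
    """Host name with no spaces, built from letters, digits and interior hyphens (VPN01)."""
    return len(text) <= 255 and _HOST_NAME.match(text) is not None


def is_text_string(text, max_len=48):
    """Printable text of at most max_len characters; comparisons stay case-sensitive."""
    return 0 < len(text) <= max_len and text.isprintable()


def normalize_filename(text):
    """Uppercase 8.3 form the concentrator stores (log00007.txt -> LOG00007.TXT), or None."""
    name = text.strip().upper()
    return name if _FILENAME.match(name) else None


def is_port(text):
    """Decimal port 0..65535 with no commas or spaces."""
    return _PORT.match(text) is not None and int(text) <= 65535


if __name__ == "__main__":
    # Constructed sample inputs, one per table row, to exercise the checks.
    for label, ok in [
        ("IP 192.168.12.34", is_ip_address("192.168.12.34")),
        ("Mask 255.255.255.0", is_subnet_mask("255.255.255.0")),
        ("Wildcard 0.0.0.255", is_wildcard_mask("0.0.0.255")),
        ("MAC 00.10.5A.1F.4F.07", parse_mac("00.10.5A.1F.4F.07") is not None),
        ("Host VPN01", is_host_name("VPN01")),
        ("File LOG00007.TXT", normalize_filename("LOG00007.TXT") == "LOG00007.TXT"),
        ("Port 65535", is_port("65535")),
        ("Port 1,024", is_port("1,024")),
    ]:
        print(f"{label}: {'valid' if ok else 'invalid'}")
```

The mask checks treat only contiguous masks as valid because that is what the table's examples show; if a configuration legitimately needs a non-contiguous wildcard mask, relax `is_wildcard_mask` to `is_ip_address`. `normalize_filename` returns the uppercased name rather than a boolean because the concentrator stores names in uppercase, so that is the value to compare against a later directory listing.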
Obtaining Documentation
The following sections provide sources for obtaining documentation from Cisco Systems.
World Wide Web
You can access the most current Cisco documentation on the World Wide Web at the following sites:
• http://www.cisco.com
• http://www-china.cisco.com
• http://www-europe.cisco.com
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships
with your product. The Documentation CD-ROM is updated monthly and might be more current than
printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.
Ordering Documentation
Cisco documentation is available in the following ways:
• Registered Cisco Direct Customers can order Cisco Product documentation from the Networking Products MarketPlace: http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store: http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).
Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit technical
comments electronically. Click Feedback in the toolbar and choose Documentation. After you
complete the form, click Submit to send it to Cisco.
You can e-mail your comments to bug-doc@cisco.com.
To submit your comments by mail, for your convenience many documents contain a response card
behind the front cover. Otherwise, you can mail your comments to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can
obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com
registered users, additional troubleshooting tools are available from the TAC website.
Cisco.com
Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open
access to Cisco information and resources at anytime, from anywhere in the world. This highly
integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline
business processes and improve productivity. Through Cisco.com, you can find information about Cisco
and our networking solutions, services, and programs. In addition, you can resolve technical issues with
online technical support, download and test software packages, and order Cisco learning materials and
merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information and
services. Registered users can order products, check to see the status of an order, access technical
support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product
or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by Using the Cisco TAC Website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC
website:
http://www.cisco.com/tac
P3 and P4 level problems are defined as follows:
• P3: Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.
• P4: You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.
In each of these cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users
can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by Telephone
If you have a priority level 1(P1) or priority level 2 (P2) problem, contact TAC by telephone and
immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following
website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
• P1: Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.
• P2: Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.
Part 1: Administration

Chapter 1: Administration
Administering the VPN 3000 Concentrator Series involves activities that keep the system operational
and secure. Configuring the system sets the parameters that govern its use and functionality as a VPN
device, but administration involves higher level activities such as who is allowed to configure the
system, and what software runs on it. Only administrators can use the VPN Concentrator Manager.
Administration

Step 1: In the VPN Concentrator Manager table of contents, click Administration. The Administration screen opens.

Figure 1-1 Administration Screen
This section of the Manager lets you control administrative functions on the VPN Concentrator:
• Administer Sessions: View statistics for, log out, and ping sessions.
• Software Update:
  – Concentrator: Upload and update the VPN Concentrator software image.
  – Clients: Upload and update the VPN client software image.
• System Reboot: Set options for VPN Concentrator shutdown and reboot.
• Ping: Use ICMP ping to determine connectivity.
• Monitoring Refresh: Enable automatic refresh of status and statistics in the Monitoring section of the Manager.
• Access Rights: Configure administrator profiles, access, and sessions.
  – Administrators: Configure administrator usernames, passwords, and rights.
  – Access Control List: Configure IP addresses for workstations with access rights.
  – Access Settings: Set administrative session idle timeout and limits.
  – AAA Servers: Set administrative authentication using TACACS+.
• File Management: Manage system files in flash memory.
  – Files: Copy, view, and delete system files.
  – Swap Configuration Files: Swap backup and boot configuration files.
  – TFTP Transfer: Use TFTP to transfer files to and from the VPN Concentrator.
  – File Upload: Use HTTP to transfer files to the VPN Concentrator.
• Certificate Management: Install and manage digital certificates.
  – Enrollment: Create a certificate request to send to a Certificate Authority.
  – Installation: Install digital certificates.
  – Certificates: View, modify, and delete digital certificates.
Chapter 2: Administer Sessions

Administration | Administer Sessions

This screen shows comprehensive statistics for all active sessions on the VPN Concentrator.
You can also click the name of a session to see detailed parameters and statistics for that session. See Administration | Administer Sessions | Detail.

Figure 2-1 Administration | Administer Sessions Screen
Refresh
To refresh the statistics, click Refresh.
Group
Choose a group from the menu to monitor statistics for that group only. The default is --All-- which
displays statistics for all groups.
Logout All: PPTP User | L2TP User | IPSec User | L2TP/IPSec User | IPSec/NAT User | IPSec/LAN-to-LAN

These active labels let you log out all active sessions of a given tunnel type at once:
• PPTP User = PPTP remote-access users
• L2TP User = L2TP remote-access users
• IPSec User = IPSec remote-access users
• L2TP/IPSec User = L2TP over IPSec users
• IPSec/NAT User = IPSec through NAT users
• IPSec/LAN-to-LAN = IPSec LAN-to-LAN
To log out the sessions, click the appropriate label. The Manager displays a prompt to confirm the action.
Figure 2-2 Logout All Sessions Confirmation Prompt

Caution: This action immediately terminates all sessions of the given tunnel type. There is no user warning or undo.
The Manager refreshes the screen after it terminates the sessions.
Session Summary table
This table shows summary totals for LAN-to-LAN, remote access, and management sessions.
A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one
tunnel = one session. An IPSec LAN-to-LAN tunnel, however, counts as a single session even though it
carries many host-to-host connections through the tunnel.
Active LAN-to-LAN Sessions
The number of IPSec LAN-to-LAN sessions that are currently active.
Active Remote Access Sessions
The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT
sessions that are currently active.
Active Management Sessions
The number of administrator management sessions that are currently active.
Total Active Sessions
The total number of sessions of all types that are currently active.
Peak Concurrent Sessions
The highest number of sessions of all types that were concurrently active since the VPN Concentrator
was last booted or reset.
Concurrent Sessions Limit
The maximum number of concurrently active sessions permitted on this VPN Concentrator. This number
is model-dependent, for example: model 3060 = 5000 sessions.
Total Cumulative Sessions
The total cumulative number of sessions of all types since the VPN Concentrator was last booted or
reset.
LAN-to-LAN Sessions table
This table shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session here
identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within
the tunnel.
[ Remote Access Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.
Connection Name
The name of the IPSec LAN-to-LAN connection.
To display detailed parameters and statistics for this connection, click this name. See the
Administration | Administer Sessions | Detail screen.
IP Address
The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this
LAN-to-LAN connection.
Protocol, Encryption, Login Time, Duration, Actions
See Table 2-1 on page 2-6 for definitions of these parameters.
Remote Access Sessions table
This table shows parameters and statistics for all active remote-access sessions. Each session is a
single-user connection from a remote client to the VPN Concentrator. Remote-access sessions include
PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions.
[ LAN-to-LAN Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.
Username
The username or login name for the session. The field shows Authenticating... if the remote-access
client is still negotiating authentication. If the client is using a digital certificate for authentication, the
field shows the Subject CN or Subject OU from the certificate.
To display detailed parameters and statistics for this session, click this name. See the Administration |
Sessions | Detail screen.
Group
The group name of the client for this remote-access session.
Public IP Address
The public IP address of the client for this remote-access session. This is also known as the “outer” IP
address. It is typically assigned to the client by the ISP, and it lets the client function as a host on the
public network.
Assigned IP Address
The private IP address assigned to the remote client for this session. This is also known as the “inner”
or “virtual” IP address, and it lets the client appear to be a host on the private network.
Protocol, Encryption, Login Time, Duration, Actions
See Table 2-1 on page 2-6 for definitions of these parameters.
Management Sessions table
This table shows parameters and statistics for all active administrator management sessions on the VPN
Concentrator.
[ LAN-to-LAN Sessions | Remote Access Sessions ]
Click these active links to go to the other session tables on this Manager screen.
Administrator
The administrator username or login name for the session.
The lock icon indicates the administrator who has the configuration lock, that is, the person who has the
right to make changes to the active system configuration. See the “Configuration locked by” section of
this chapter.
IP Address
The IP address of the manager workstation that is accessing the system. Local indicates a direct
connection through the Console port on the system.
Protocol, Encryption, Login Time, Duration, Actions
See Table 2-1 for definitions of these parameters.
Table 2-1 Parameter Definitions for Administration | Administer Sessions Screen
Protocol
The protocol this session is using. Console indicates a direct connection
through the Console port on the system.
Encryption
The data encryption algorithm this session is using, if any.
Login Time
The date and time (MMM DD HH:MM:SS) that the session logged in. Time
is displayed in 24-hour notation.
Duration
The elapsed time (HH:MM:SS) between the session login time and the last
screen refresh.
Actions / Logout / Ping
To log out a specific session, click Logout. The screen refreshes and shows
the new session statistics.
Caution: Clicking Logout terminates a session without warning! There is no undo.
To test the network connection to a session, click Ping. The VPN
Concentrator sends an ICMP Ping message to the session IP address. See the
Administration | Ping screen for details and results.
Configuration locked by
The administrator (IP address or Console) who has the right to make changes to the active system
configuration.
The configuration is locked by the administrator who first makes a change to the active (running)
configuration. That administrator holds the lock until logout, or until the Session Idle Timeout period
expires (see the Administration | Access Rights | Access Settings screen). For example, an administrator
who is just viewing and refreshing statistics on a Monitoring screen for longer than the timeout period,
loses the lock.
Administration | Administer Sessions | Detail
These Manager screens show detailed parameters and statistics for a specific remote-access or
LAN-to-LAN session. The parameters and statistics differ depending on the session protocol. There are
unique screens for:
• IPSec LAN-to-LAN (IPSec/LAN-to-LAN)
• IPSec remote access (IPSec User)
• IPSec through NAT (IPSec/NAT)
• L2TP
• L2TP over IPSec (L2TP/IPSec)
• PPTP
The Manager displays the appropriate screen when you click a highlighted connection name or username
on the Administration | Administer Sessions screen. See Figure 2-3 through Figure 2-8.
Each session detail screen shows two tables: summary data at the top, and detail data below. The
summary data echoes the session data from the Administration | Administer Sessions screen. The session
detail table shows all the relevant parameters for each session and subsession.
See Table 2-2 on page 2-12 for definitions of the session detail parameters, in alphabetical order.
Figure 2-3 Administration | Administer Sessions | Detail Screen: IPSec LAN-to-LAN
Figure 2-4 Administration | Administer Sessions | Detail Screen: IPSec Remote Access User
Figure 2-5 Administration | Administer Sessions | Detail Screen: IPSec Through NAT
Figure 2-6 Administration | Administer Sessions | Detail Screen: L2TP
Figure 2-7 Administration | Administer Sessions | Detail Screen: L2TP Over IPSec
Figure 2-8 Administration | Administer Sessions | Detail Screen: PPTP
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Back to Sessions
To return to the Administration | Administer Sessions screen, click Back to Sessions.
Administration | Administer Sessions | Detail Parameters
Table 2-2 Parameter Definitions for Administration | Administer Sessions | Detail Screens
Assigned IP Address
The private IP address assigned to the remote client for this session.
This is also known as the “inner” or “virtual” IP address, and it lets
the client appear to be a host on the private network.
Authentication Mode
The protocol or mode used to authenticate this session.
Bytes Rx / Bytes Received
The total number of bytes received from the remote peer or client
by the VPN Concentrator.
Bytes Tx / Bytes Transmitted
The total number of bytes transmitted to the remote peer or client by
the VPN Concentrator.
Compression
The data compression algorithm this session is using. LZS is the
data compression algorithm used by IPComp. MPPC uses LZ.
Connection Name
The name of the IPSec LAN-to-LAN connection.
Diffie-Hellman Group
The algorithm and key size used to generate IPSec SA encryption
keys.
Duration
The elapsed time (HH:MM:SS) between the session login time and
the last screen refresh.
Encapsulation Mode
The mode for applying IPSec ESP (Encapsulation Security Payload
protocol) encryption and authentication, in other words, what part
of the original IP packet has ESP applied.
Encryption / Encryption Algorithm
The data encryption algorithm this session is using, if any.
Hashing Algorithm
The algorithm used to create a hash of the packet, which is used for
IPSec data authentication.
Idle Time
The elapsed time (HH:MM:SS) between the last communication
activity on this session and the last screen refresh.
IKE Negotiation Mode
The IKE (IPSec Phase 1) mode for exchanging key information and
setting up SAs: Aggressive or Main.
IKE Sessions:
The total number of IKE (IPSec Phase 1) sessions; usually 1. These
sessions establish the tunnel for IPSec traffic.
IP Address
The IP address of the remote peer VPN Concentrator or other secure
gateway that initiated the IPSec LAN-to-LAN connection.
IPSec Sessions:
The total number of IPSec (Phase 2) sessions, which are data traffic
sessions through the tunnel. Each IPSec remote-access session
might have two IPSec sessions: one showing the tunnel endpoints,
and one showing the private networks reachable through the tunnel.
L2TP Sessions:
The total number of user sessions through this L2TP or L2TP /
IPSec tunnel; usually 1.
Local Address
The IP address (and wildcard mask) of the destination host (or
network) for this session.
Login Time
The date and time (MMM DD HH:MM:SS) that the session logged
in. Time is displayed in 24-hour notation.
Perfect Forward Secrecy Group
The Diffie-Hellman algorithm and key size used to generate IPSec
SA encryption keys using Perfect Forward Secrecy.
PFS Group
The Perfect Forward Secrecy group: 1, 2, 3, 4, or 7.
PPTP Sessions:
The total number of user sessions through this PPTP tunnel; usually
1.
Protocol
The tunneling protocol that this session is using.
Public IP Address
The public IP address of the client for this remote-access session.
This is also known as the “outer” IP address. It is typically assigned
to the client by the ISP, and it lets the client function as a host on the
public network.
Rekey Data Interval
The lifetime in kilobytes of the IPSec (IKE) SA encryption keys.
Rekey Time Interval
The lifetime in seconds of the IPSec (IKE) SA encryption keys.
Remote Address
The IP address (and wildcard mask) of the remote peer (or network)
that initiated this session.
SEP
The Scalable Encryption Module that is handling cryptographic
processing for this session.
Session ID
An identifier for session components (subsessions) on this screen.
With IPSec, there is one identifier for each SA.
UDP Port
The UDP port number used in an IPSec through NAT connection.
Username
The username or login name for the session. If the client is using a
digital certificate for authentication, the field shows the Subject CN
or Subject OU from the certificate.
Chapter 3 Software Update
Administration | Software Update
This section of the Manager lets you update the VPN Concentrator executable system software and the
VPN Client software.
Figure 3-1 Administration | Software Update Screen
• Concentrator: Uploads the executable system software (the software image) to the VPN Concentrator
• Client: Updates the VPN 3002 Hardware Client software
Administration | Software Update | Concentrator
This process uploads the executable system software to the VPN Concentrator, which then verifies the
integrity of the software image.
The new image file must be accessible by the workstation you are using to manage the VPN
Concentrator. Software image files ship on the Cisco VPN 3000 Concentrator CD-ROM. Updated or
patched versions are available from the Cisco website, www.cisco.com, under Service & Support >
Software Center.
It takes a few minutes to upload and verify the software, and the system displays the progress. Please
wait for the operation to finish.
To run the new software image, you must reboot the VPN Concentrator. The system prompts you to
reboot when the update is finished.
We also recommend that you clear your browser’s cache after you update the software image: delete all
the browser’s temporary internet files, history files, and location bar references.
Note: The VPN Concentrator has two locations for storing image files: the active location, which stores the
image currently running on the system; and the backup location. Updating the image overwrites the
stored image file in the backup location and makes it the active location for the next reboot. Updating
twice, therefore, overwrites the image file in the active location; and the current image file is lost.
The Manager displays a warning on this screen if you have already updated the image without
rebooting.
Caution: You can update the software image while the system is still operating as a VPN device. Rebooting
the system, however, terminates all active sessions.
Note: While the system is updating the image, do not perform any other operations that affect Flash
memory (listing, viewing, copying, deleting, or writing files). Doing so might corrupt memory.
Updating the software image also makes available any new Cisco-supplied configurable selections for
filter rules, Security Associations, IKE proposals, base-group attributes, etc. When you reboot with the
new image, the system updates the active configuration in memory with these new selections, but it does
not write them to the CONFIG file until you click the Save Needed icon in the Manager window. See
Administration | File Management for ways to manage CONFIG files.
Figure 3-2 Administration | Software Update Screen
Current Software Revision
The name, version number, and date of the software image currently running on the system.
Browse...
Enter the complete pathname of the new image file, or click Browse... to find and select the file from
your workstation or network. Cisco-supplied VPN 3000 Concentrator software image files are named:
• For model 3005 = vpn3005-<Major Version>.<Minor Version>.<Sustaining Version>.<Patch Version>-k9.bin.
(For example, vpn3005-3.0.Rel-k9.bin.)
• For models 3015, 3030, 3060, and 3080 = vpn3000-<Major Version>.<Minor Version>.<Sustaining
Version>.<Patch Version>-k9.bin. (For example, vpn3000-3.0.1-k9.bin.)
The Major and Minor Version numbers are always present; the initial Patch version is Rel; the Sustaining
Version number is present only if needed.
The correct file must be selected for your VPN Concentrator model; otherwise the update will fail.
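A pre-flight check an administrator could run before clicking Upload, covering both the image filename convention above and the active/backup image locations described in the notes earlier in this section. This is an added example, not Cisco code: the model-to-prefix mapping, the sample filenames and the terms active/backup come from the manual, while the slot bookkeeping, the 4-part sample name vpn3000-3.0.2.Rel-k9.bin and all function names are assumptions.

```python
"""Pre-flight checks before Upload on Administration | Software Update.

Added example, not Cisco code. It models two points from the manual:
  1. the image filename convention, checked against the concentrator model so
     a wrong-model file is rejected before upload rather than by verification;
  2. the active and backup image locations: an update writes the backup
     location and makes it active for the next reboot, so a second update
     without a reboot overwrites the image that is currently running.
Slot bookkeeping and function names are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Which image prefix each concentrator model must be given (from the manual).
IMAGE_PREFIX: Dict[str, str] = {
    "3005": "vpn3005",
    "3015": "vpn3000", "3030": "vpn3000", "3060": "vpn3000", "3080": "vpn3000",
}

# vpn<model>-<Major>.<Minor>[.<Sustaining>].<Patch>-k9.bin
# Major and Minor are always present, Sustaining only when needed, and the
# initial Patch version is "Rel" (later ones are numbered).
IMAGE_RE = re.compile(
    r"^(?P<prefix>vpn3005|vpn3000)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<sustaining>\d+))?"
    r"\.(?P<patch>Rel|\d+)"
    r"-k9\.bin$"
)


@dataclass(frozen=True)
class ImageName:
    prefix: str
    major: int
    minor: int
    sustaining: Optional[int]
    patch: str


def parse_image_name(filename: str) -> ImageName:
    """Split a Cisco-supplied image filename into its version components."""
    m = IMAGE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a VPN 3000 Concentrator image name: {filename!r}")
    sustaining = m.group("sustaining")
    return ImageName(
        prefix=m.group("prefix"),
        major=int(m.group("major")),
        minor=int(m.group("minor")),
        sustaining=int(sustaining) if sustaining is not None else None,
        patch=m.group("patch"),
    )


def image_matches_model(filename: str, model: str) -> bool:
    """True when the file is the image built for this concentrator model."""
    if model not in IMAGE_PREFIX:
        raise ValueError(f"unknown VPN Concentrator model: {model!r}")
    return parse_image_name(filename).prefix == IMAGE_PREFIX[model]


class ImageStore:
    """The two image locations on the concentrator (assumed bookkeeping)."""

    def __init__(self, running_image: str) -> None:
        self.slots: List[Optional[str]] = [running_image, None]
        self.running_slot: Optional[int] = 0  # holds the running image; None once lost
        self.active = 0                       # slot loaded at the next reboot
        self.pending = False                  # updated but not yet rebooted

    @property
    def backup(self) -> int:
        return 1 - self.active

    def upload(self, filename: str, model: str) -> List[str]:
        """Apply an update as the manual describes; return any warnings."""
        if not image_matches_model(filename, model):
            raise ValueError(f"{filename} is not the image for model {model}")
        warnings: List[str] = []
        if self.pending:  # the Manager's warning: already updated, no reboot yet
            warnings.append("image already updated without a reboot; "
                            "updating again overwrites the running image")
        if self.backup == self.running_slot:
            self.running_slot = None  # the current image file is lost
        self.slots[self.backup] = filename
        self.active = self.backup
        self.pending = True
        return warnings

    def reboot(self) -> str:
        """Load the active location; returns the image now running."""
        self.running_slot = self.active
        self.pending = False
        return self.slots[self.active]  # type: ignore[return-value]


if __name__ == "__main__":
    store = ImageStore("vpn3000-3.0.Rel-k9.bin")  # constructed model 3060 walk-through
    print(store.upload("vpn3000-3.0.1-k9.bin", "3060"))
    print(store.upload("vpn3000-3.0.2.Rel-k9.bin", "3060"))
    print(store.reboot())
```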
Upload / Cancel
To upload the new image file to the VPN Concentrator, click Upload.
To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The
Manager returns to the main Administration screen. If you then return to the Administration |
Software Update screen, you might see a message that a file upload is in progress. Click the highlighted
link to stop it and clear the message.
Software Update Progress
This window shows the progress of the software upload. It refreshes the number of bytes transferred at
10-second intervals.
Figure 3-3 Administration | Software Update Progress Window
When the upload is finished, or if the upload is cancelled, the progress window closes.
Software Update Success
The Manager displays this screen when it completes the software upload and verifies the integrity of the
software. To go to the Administration | System Reboot screen, click the highlighted link.
We strongly recommend that you clear the cache of your browser after you update the software image:
delete all the browser’s temporary internet files, history files, and location bar references.
Figure 3-4 Administration | Software Update Success Screen
Software Update Error
This screen appears if there was an error in uploading or verifying the image file. You might have
selected the wrong file. Click the highlighted link to return to the Administration | Software Update
screen and try the update again, or contact Cisco support.
Figure 3-5 Administration | Software Update Error Screen
Administration | Software Update | Clients
Figure 3-6 Administration | Software Update | Clients Screen
Group
Lets you select the VPN 3002 Hardware Client group for this update (the automatic update feature works
on a group basis). The default is --All--, which lets you update the software for all groups. The
Concentrator updates clients by group, in batches of ten, at 5-minute intervals.
Upgrade Clients Now
To update the VPN 3002 Hardware Client software for the group you have selected, click Upgrade
Clients Now.
Cancel
If you decide not to update client software now, click Cancel. The Manager returns to the
Administration | Software Update screen, without updating software for any client(s).
Chapter 4 System Reboot
Administration | System Reboot
This screen lets you reboot or shut down (halt) the VPN Concentrator with various options.
Caution
We strongly recommend that you shut down the VPN Concentrator before you turn power off. If you
just turn power off without shutting down, you may corrupt flash memory and affect subsequent
operation of the system.
If you are logged in to the Manager when the system reboots or halts, it automatically logs you out and
displays the main login screen. The browser may appear to hang during a reboot; that is, you cannot log
in and you must wait for the reboot to finish. You can log back in while the VPN Concentrator is in a
shutdown state, before you turn power off. On the Models 3015–3080, all 10 blue usage monitor LEDs
on the VPN Concentrator front panel blink when the system is in a shutdown state. On the Model 3005,
the System LED blinks.
If a delayed reboot or shutdown is pending, the Manager also displays a message that describes when
the action is scheduled to occur.
Caution
Reboot or shutdown does not wait for sessions to terminate. It terminates all active sessions without
warning and prevents new user sessions.
The VPN Concentrator automatically saves the current event log file as SAVELOG.TXT when it reboots,
and it overwrites any existing file with that name. See Configuration | System | Events | General,
Administration | File Management, and Monitoring | Filterable Event Log for more information on the
event log file.
Figure 4-1 Administration | System Reboot Screen
Action
Click a radio button to select the desired action. You can select only one action.
• Reboot = Reboot the VPN Concentrator. Rebooting terminates all sessions, resets the hardware,
loads and verifies the software image, executes system diagnostics, and initializes the system. A
reboot takes about 60-75 seconds. (This is the default selection.)
• Shutdown without automatic reboot = Shut down the VPN Concentrator; that is, bring the system to
a halt so you can turn off the power. Shutdown terminates all sessions and prevents new user
sessions (but not administrator sessions). While the system is in a shutdown state, the System LED
(Model 3005) or the blue usage LEDs (Models 3015–3080) blink on the front panel.
• Cancel a scheduled reboot/shutdown = Cancel a reboot or shutdown that is waiting for a certain time
or for sessions to terminate. (This is the default selection if a reboot or shutdown is pending.)
Configuration
Click a radio button to select the configuration file handling at reboot. These selections apply to reboot
only. You can select only one option.
• Save the active configuration at time of reboot = Save the active configuration to the CONFIG file,
and reboot using that new file.
• Reboot without saving the active configuration = Reboot using the existing CONFIG file and
without saving the active configuration. (This is the default selection.)
• Reboot ignoring the configuration file = Reboot using all the factory defaults; i.e., start the system
as if it had no CONFIG file. You will need to go through all the Quick Configuration steps described
in the VPN Concentrator Getting Started manual, including setting the system date and time and
supplying an IP address for the Ethernet 1 (Private) interface, using the system console. This option
does not destroy any existing CONFIG file, and it does not reset Administrator parameter settings.
When to Reboot/Shutdown
Click a radio button to select when to reboot or shut down. You can select only one option.
• Now = Reboot or shut down as soon as you click Apply. (This is the default selection.)
• Delayed by [NN] minutes = Reboot or shut down NN minutes from when you click Apply, based on
system time. Enter the desired number in the field; the default is 10 minutes. (FYI: 1440 minutes =
24 hours.)
• At time [HH:MM] = Reboot or shut down at the specified system time, based on a 24-hour clock.
Enter the desired time in the field. Use 24-hour notation and enter numbers in all positions. The
default is 10 minutes after the current system time.
• Wait for sessions to terminate (do not allow new sessions) = Reboot or shut down as soon as the last
session terminates, and don’t allow any new sessions in the meantime. If you (the administrator) are
the last session, you must log out for the system to reboot or shut down.
Apply / Cancel
To take action with the selected options, click Apply. The Manager returns to the main Administration
screen if you don’t reboot or shut down now.
To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration
screen. (Note that this Cancel button does not cancel a scheduled reboot or shutdown.)
Chapter 5 Ping
Administration | Ping
This screen lets you use the ICMP ping (Packet Internet Groper) utility to test network connectivity.
Specifically, the VPN Concentrator sends an ICMP Echo Request message to a designated host. If the
host is reachable, it returns an Echo Reply message, and the Manager displays a Success screen. If the
host is not reachable, the Manager displays an Error screen.
You can also Ping hosts from the Administration | Sessions screen.
Figure 5-1 Administration | Ping Screen
Address/Hostname to Ping
Enter the IP address or host name of the system you want to test. (If you configured a DNS server, you
can enter a host name; otherwise, enter an IP address.) The maximum length is 64 characters.
Ping / Cancel
To send the ping message, click Ping. The Manager pauses during the test, which may take a few
moments; please wait for the operation to finish. The Manager then displays either a Success or Error
screen.
To cancel your entry on this screen, click Cancel. The Manager returns to the main Administration
screen.
Success (Ping)
If the system is reachable, the Manager displays a Success screen with the name of the tested host.
Figure 5-2 Administration | Ping | Success Screen
Continue
To return to the Administration | Ping screen, click Continue.
Error (Ping)
If the system is unreachable for any reason (for example: host down, ICMP not running on host, route
not configured, intermediate router down, or network down or congested), the Manager displays an Error
screen with the name of the tested host. To troubleshoot the connection, try to Ping other hosts that you
know are working.
Figure 5-3 Administration | Ping | Error Screen
To return to the Administration | Ping screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
Chapter 6 Monitoring Refresh
Administration | Monitoring Refresh
This screen lets you enable automatic refresh of all status and statistics screens in the Monitoring section
of the VPN Concentrator Manager except the Event Log.
Figure 6-1 Administration | Monitoring Refresh Screen
Enable
To enable automatic refresh, check the Enable check box. The box is unchecked by default.
Refresh Period
Enter the refresh period in seconds. The minimum period is 1 second. The default period is 30 seconds.
The maximum period is 2000000000 seconds (about 63 years). Very short periods may affect system
performance.
The refresh period timer begins after the Manager fully displays a given screen.
Apply / Cancel
To save your settings in the active configuration, click Apply. The Manager goes to the main
Administration screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the
top of the Manager window.
To discard your settings, click Cancel. The Manager goes to the main Administration screen.
Chapter 7 Access Rights
Administration | Access Rights
This section of the Manager lets you configure and control administrative access to the VPN
Concentrator.
• Administrators: Configure administrator usernames, passwords, and rights.
• Access Control List: Configure IP addresses for workstations with access rights.
• Access Settings: Set administrative session timeout and limits.
• AAA Servers: Set administrative authentication using TACACS+.
Figure 7-1 Administration | Access Rights Screen
Administration | Access Rights | Administrators
Administrators are special users who can access and change the configuration, administration, and
monitoring functions on the VPN Concentrator. Only administrators can use the VPN Concentrator
Manager.
Cisco provides five predefined administrators:
• 1 - admin = System administrator with access to, and rights to change, all areas. This is the only
administrator enabled by default. This is the only administrator who can log in to, and use, the VPN
Concentrator Manager as supplied by Cisco.
• 2 - config = Configuration administrator with all rights except SNMP access.
• 3 - isp = Internet service provider administrator with limited general configuration rights.
• 4 - mis = Management information systems administrator with the same rights as config.
• 5 - user = User administrator with rights only to view system statistics.
This section of the Manager lets you change administrator properties and rights. Any changes take effect
as soon as you click Apply.
Note
The VPN Concentrator saves Administrator parameter settings from this screen and the Modify
Properties screen in nonvolatile memory, not in the active configuration (CONFIG) file. Thus, these
settings are retained even if the system loses power. These settings are also retained even if you
reboot the system with the factory configuration file.
Figure 7-2 Administration | Access Rights | Administrators Screen
Group Number
This is a reference number for the administrator. Cisco assigns these numbers so you can refer to
administrators by groups of properties. The numbers cannot be changed.
Username
The username, or login name, of the administrator. You can change this name on the Administration |
Access Rights | Administrators | Modify Properties screen.
Note
The default passwords that Cisco supplies are the same as the usernames. We strongly recommend
that you change these passwords.
Properties / Modify
To modify the username, password, and access rights of the administrator, click Modify. See the
Administration | Access Rights | Administrators | Modify Properties screen.
Administrator
To assign “system administrator” privileges to one administrator, click the radio button. Only the
“system administrator” can access and configure properties in this section. You can select only one. By
default, admin is selected.
Enabled
Check the Enabled check box to enable, or clear the box to disable, an administrator. Only enabled
administrators can log in to, and use, the VPN Concentrator Manager. You must enable at least one
administrator, and you can enable all administrators. By default, only admin is enabled.
Apply / Cancel
To save the settings of this screen in nonvolatile memory, click Apply. The settings immediately affect
new sessions. The Manager returns to the Administration | Access Rights screen.
To discard your settings or changes, click Cancel. The Manager returns to the Administration | Access
Rights screen.
Administration | Access Rights | Administrators | Modify Properties
This screen lets you modify the username, password, and rights for an administrator. Any changes affect
new sessions as soon as you click Apply or Default.
Figure 7-3 Administration | Access Rights | Administrators | Modify Properties Screen
Table 7-1 shows the matrix of Cisco-supplied default rights for the five administrators.
Table 7-1 Cisco-Supplied Default Administrator Rights
Administrator   Authentication   General         SNMP            Files
1 - admin       Modify Config    Modify Config   Modify Config   Read/Write Files
2 - config      Modify Config    Modify Config   Stats Only      Read/Write Files
3 - isp         Stats Only       Modify Config   Stats Only      Read Files
4 - mis         Modify Config    Modify Config   Stats Only      Read Files
5 - user        Stats Only       Stats Only      Stats Only      Read Files
Username
Enter or edit the unique username for this administrator. The maximum length is 31 characters.
Password
Enter or edit the unique password for this administrator. The maximum length is 31 characters. The field
displays only asterisks.
Note
The default password that Cisco supplies is the same as the username. We strongly recommend that
you change this password.
Verify
Re-enter the password to verify it. The field displays only asterisks.
Access Rights
The Access Rights determine access to and rights in VPN Concentrator Manager functional areas
(Authentication or General), or via SNMP. Click the Access Rights drop-down menu button and choose
the access rights:
• None = No access or rights.
• Stats Only = Access to only the Monitoring section of the VPN Concentrator Manager. No rights to
change parameters.
• View Config = Access to permitted functional areas of the VPN Concentrator Manager, but no rights
to change parameters.
• Modify Config = Access to permitted functional areas of the VPN Concentrator Manager, and rights
to change parameters.
Authentication
This area consists of VPN Concentrator Manager functions that affect authentication:
• Configuration | User Management
• Configuration | Policy Management | Access Hours
• Configuration | System | Servers | Authentication and Configuration | System | Servers | Accounting.
General
This area consists of all VPN Concentrator Manager functions except authentication and administration.
(The Administrator radio button on the Administration | Access Rights | Administrators screen controls
access to administration functions.)
SNMP
This parameter governs limited changes to the VPN Concentrator Manager via SNMP, using a network
management system. In other words, it determines what the administrator can do via SNMP.
Files
This parameter governs rights to access and manage files in VPN Concentrator Flash memory, and to
save the active configuration in a file. (Flash memory acts like a disk.) Click the Files drop-down menu
button and choose the file management rights:
• None = No file access or management rights.
• List Files = See a list of files in VPN Concentrator Flash memory.
• Read Files = Read (view) files in Flash memory.
• Read/Write Files = Read and write files in Flash memory, clear or save the event log, and save the
active configuration to a file.
AAA Access Level
This parameter governs the level of access for administrators authenticated by a TACACS+ server. On
the TACACS+ server you configure levels of privilege, maximum 0-15, to suit your environment. You
can set the number of privilege levels and order them as you choose (numbered in ascending order,
descending order, or whatever scheme meets your requirements). You then set this AAA Access Level
parameter to one of the levels configured on the TACACS+ server. Administrators have access privileges
corresponding to the level you assign.
Apply / Default / Cancel
To save your settings in nonvolatile memory, click Apply. The settings take effect immediately. The
Manager returns to the Administration | Access Rights | Administrators screen.
To restore the Cisco-supplied access rights for this administrator, and to save your settings in nonvolatile
memory, click Default. The settings take effect immediately. This action does not restore the default
username or password. The Manager returns to the Administration | Access Rights | Administrators
screen.
To discard your changes, click Cancel. The Manager returns to the Administration | Access Rights |
Administrators screen.
Administration | Access Rights | Access Control List
This section of the Manager lets you configure and prioritize the systems (workstations) that are allowed
to access the VPN Concentrator Manager. For example, you might want to allow access only from one
or two PCs that are in a locked room. If no systems are listed, then anyone who knows the VPN
Concentrator IP address and the administrator username/password combination can gain access.
As soon as you add a workstation to the list, access control becomes effective for new sessions.
Therefore, the first entry on the list should be the IP address of the workstation you are now using to
configure the VPN Concentrator. Otherwise, if you log out or time out, you will not be able to access the
Manager from the workstation.
These entries govern administrator access and management by any remote means: HTTP, HTTPS, FTP,
TFTP, SNMP, Telnet, SSH, etc.
Figure 7-4 Administration | Access Rights | Access Control List Screen
Manager Workstations
The Manager Workstations list shows the configured workstations that are allowed to access the VPN
Concentrator Manager, in priority order. Each entry shows the priority number, IP address/ mask, and
administrator group number, for example: 1. 10.10.1.35/255.255.255.255 Group=1. If no workstations
have been configured, the list shows --Empty--.
Add / Modify / Delete / Move
To configure a new manager workstation, click Add. The Manager opens the Administration | Access
Rights | Access Control List | Add screen.
To modify a configured manager workstation, select the entry from the list and click Modify. The
Manager opens the Administration | Access Rights | Access Control List | Modify screen.
To remove a configured manager workstation, select the entry from the list and click Delete. The
Manager refreshes the screen and shows the remaining entries in the Manager Workstations list.
To change the priority order for configured manager workstations, select the entry from the list and click
Move Up or Move Down. The Manager refreshes the screen and shows the reordered Manager
Workstations list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active
configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager
window.
Administration | Access Rights | Access Control List | Add or Modify
These screens let you:
• Add a manager workstation to the list of those that are allowed to access the VPN Concentrator
Manager.
• Modify a previously configured workstation that is allowed to access the VPN Concentrator
Manager.
Figure 7-5 Administration | Access Rights | Access Control List | Add or Modify Screen
Priority (Modify screen only)
This field shows the priority number of this workstation in the list of Manager Workstations. You cannot
edit this field. To change the priority, use the Move buttons on the Administration | Access Rights |
Access Control List screen.
IP Address
Enter the IP address of the workstation in dotted decimal notation, for example: 10.10.1.35.
IP Mask
Enter the mask for the IP address in dotted decimal notation. This mask lets you restrict access to a single
IP address, a range of addresses, or all addresses. To restrict access to a single IP address, enter
255.255.255.255 (the default). To allow all IP addresses, enter 0.0.0.0. To allow a range of IP
addresses, enter the appropriate mask. For example, to allow IP addresses 10.10.1.32 through
10.10.1.35, enter the mask 255.255.255.252.
Access Group
To assign rights of an administrator group to this IP address, click the appropriate radio button. The
default choice is Group 1 (admin). You can assign only one group, or you can specify No Access.
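The following is an added illustration, not code from the Cisco manual, of how the Manager Workstations list described above behaves: each entry is an IP address, a mask and an access group, an empty list means no restriction, and the entry's mask selects which address bits are compared (so 10.10.1.32 with 255.255.255.252 admits 10.10.1.32 through 10.10.1.35). First-match evaluation in priority order, applying the mask to the entry address as well, and representing No Access as `None` are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class WorkstationEntry:
    """One Manager Workstations entry, e.g. 10.10.1.35/255.255.255.255 Group=1.

    group is the administrator group number (1 = admin ... 5 = user) or
    None for the "No Access" choice (assumed representation).
    """
    ip: str
    mask: str
    group: Optional[int]

    def matches(self, client_ip: str) -> bool:
        # Only the bits set in the mask are compared: 255.255.255.255 admits a
        # single host, 0.0.0.0 admits every host, and 255.255.255.252 admits a
        # block of four addresses (the manual's 10.10.1.32-10.10.1.35 example).
        # The mask is applied to the entry address too (assumption), so
        # 10.10.1.35/255.255.255.252 and 10.10.1.32/255.255.255.252 are equivalent.
        net = int(ipaddress.IPv4Address(self.ip))
        m = int(ipaddress.IPv4Address(self.mask))
        return (int(ipaddress.IPv4Address(client_ip)) & m) == (net & m)

    def render(self, priority: int) -> str:
        # Mirrors the list format shown on the Access Control List screen.
        grp = "NoAccess" if self.group is None else str(self.group)
        return f"{priority}. {self.ip}/{self.mask} Group={grp}"


def lookup_access(acl: List[WorkstationEntry], client_ip: str) -> Tuple[str, Optional[int]]:
    """Return ("unrestricted"|"allowed"|"denied", group) for a connecting workstation.

    An empty list means access control is off: anyone with the address and an
    administrator username/password can reach the Manager. Otherwise entries are
    tried in priority order and the first match decides (assumption).
    """
    if not acl:
        return ("unrestricted", None)
    for entry in acl:
        if entry.matches(client_ip):
            if entry.group is None:
                return ("denied", None)
            return ("allowed", entry.group)
    return ("denied", None)


def safe_to_commit(acl: List[WorkstationEntry], admin_ip: str) -> bool:
    """Lockout check from the manual's warning: once the list is non-empty it
    applies to new sessions, so the workstation you are configuring from must
    itself still be admitted (ideally as the first entry)."""
    verdict, _ = lookup_access(acl, admin_ip)
    return verdict != "denied"


if __name__ == "__main__":
    # Constructed sample list: the admin PC first, a four-address block for
    # the "user" group, and an explicit No Access entry for everything else.
    sample_acl = [
        WorkstationEntry("10.10.1.35", "255.255.255.255", 1),
        WorkstationEntry("10.10.1.32", "255.255.255.252", 5),
        WorkstationEntry("0.0.0.0", "0.0.0.0", None),
    ]
    for i, e in enumerate(sample_acl, 1):
        print(e.render(i))
    for probe in ("10.10.1.35", "10.10.1.33", "10.10.1.36"):
        print(probe, lookup_access(sample_acl, probe))
```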
Add or Apply / Cancel
To add this workstation to the list, click Add. Or to apply your changes to this workstation, click Apply.
Both actions include your entry in the active configuration. The Manager returns to the Administration
| Access Rights | Access Control List screen. Any new entry appears at the bottom of the Manager
Workstations list.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the
top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Administration | Access Rights |
Access Control List screen, and the Manager Workstations list is unchanged.
Administration | Access Rights | Access Settings
This screen lets you configure general options for administrator access to the VPN Concentrator
Manager.
Figure 7-6 Administration | Access Rights | Access Settings Screen
Session Idle Timeout
Enter the idle timeout period in seconds for administrative sessions. If there is no activity for this period,
the VPN Concentrator Manager session terminates. The minimum period is 1 second. The default period
is 600 seconds. The maximum period is 1800 seconds (30 minutes).
The Manager resets the inactivity timer only when you click an action button (Apply, Add, Cancel, etc.)
or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters
on a given screen does not reset the timer.
If you close out of the Manager without logging off, no one can change the configuration from a different
PC until the logout time has been reached. Either you must log in and then log out, or the other user must
wait until the session idle timeout limit has occurred.
Session Limit
Enter the maximum number of simultaneous administrative sessions allowed. The minimum is 1 session.
The default is 10 sessions. The maximum is 50 sessions.
Encrypt Config File
To encrypt sensitive entries in the CONFIG file, check the Encrypt Config File check box (default).
The CONFIG file is in ASCII text format (.INI format). Check this box to encrypt entries such as
passwords, keys, and user information.
To use clear text for all CONFIG file entries, clear the box. For maximum security, we do not recommend
this option.
Apply / Cancel
To save your settings in the active configuration, click Apply. The Manager returns to the
Administration | Access Rights screen.
To cancel your settings, click Cancel. The Manager returns to the Administration | Access Rights screen.
Administration | Access Rights | AAA Servers
This section lets you configure AAA servers to authenticate administrators for this VPN Concentrator.
Before you configure a TACACS+ server here, be sure that the server you reference is itself properly
configured and that you know how to access it (IP address or host name, TCP/UDP port,
secret/password, etc.). The VPN Concentrator functions as the client of these servers.
You can configure and prioritize up to 10 TACACS+ servers. The first server of a given type is the
primary server for that type, and the rest are backup servers in case the primary is inoperative.
Note
In addition to configuring AAA servers, to use TACACS+ you must set a value in the AAA Access
Level parameter; see Administration | Access Rights | Administrators | Modify.
Caution
Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface.
If that happens, you can access the Concentrator by logging in through the console port, using your
administrator username and password.
Figure 7-7 Administration | Access Rights | AAA Servers Screen
To configure TACACS+ servers, click Authentication--authentication servers.
Administration | Access Rights | AAA Servers | Authentication
The Manager displays the Administration | Access Rights | AAA Servers | Authentication screen. This
screen lets you add, modify, delete, or change the priority order of TACACS+ administrator
authentication servers.
Figure 7-8 Administration | Access Rights | AAA Servers | Authentication Screen
Authentication Servers
The Authentication Servers list shows the configured TACACS+ servers, in priority order. Each entry
shows the server identifier. If no servers have been configured, the list shows --Empty--. The first server
of each type in the list is the primary TACACS+ server, the rest are backup.
Add / Modify / Delete / Move / Test
To configure and add a new TACACS+ server, click Add. The Manager opens the Administration |
Access Rights | AAA Servers | Add screen.
To modify parameters for an authentication server that has been configured, select the server from the
list and click Modify. The Manager opens the Administration | Access Rights | AAA Servers | Modify
screen.
To remove a server that has been configured, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining servers in the list.
To change the priority order for a TACACS+ server, click Move Up or Move Down to move it up or
down on the list of servers configured for this group.
When you are finished configuring TACACS+ servers, click Done. This action includes your settings in
the active configuration. The Manager returns to the Administration | Access Rights screen.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the
top of the Manager window.
Administration | Access Rights | AAA Servers | Add or Modify
These screens let you add or modify TACACS+ administration authentication servers.
Figure 7-9 Administration | Access Rights | AAA Servers | Add or Modify Screens
Authentication Server
Enter the IP address or host name of the RADIUS authentication server, for example: 192.168.12.34.
The maximum length is 32 characters. (If you have configured a DNS server, you can enter a host name
in this field; otherwise, enter an IP address.)
Server Port
Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system
supply the default port number, 49.
Timeout
Enter the time in seconds to wait after sending a query to the server and receiving no response, before
trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30
seconds.
Retries
Enter the number of times to retry sending a query to the server after the timeout period. If there is still
no response after this number of retries, the VPN Concentrator declares this server inoperative and uses
the next TACACS+ authentication server in the list. The minimum number of retries is 0. The default
number is 2. The maximum number is 10.
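As an added example (not part of the manual and not a real TACACS+ client), this simulates how the Server Port, Timeout and Retries parameters combine with the primary/backup ordering: a server that never answers is retried, then declared inoperative, and the next one in the list is tried. It also shows why the console-port fallback matters by computing the worst-case delay when every server is unreachable, and maps a returned privilege level onto the AAA Access Level of the Modify Properties screen. The `respond` callback, the exact-match mapping of priv-lvl to AAA Access Level, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class TacacsServer:
    """One entry of the Authentication Servers list, with the screen's parameters."""
    host: str
    port: int = 0        # 0 = let the system supply the TACACS+ default, 49
    timeout: int = 4     # seconds to wait for a reply before re-sending
    retries: int = 2     # re-sends after the first timeout
    # Constructed stand-in for the network exchange (not a real TACACS+ client):
    # returns the priv-lvl (0-15) for an accepted login, -1 for a rejected one,
    # or None to simulate a server that never answers.
    respond: Callable[[str, str], Optional[int]] = lambda user, pw: None

    @property
    def effective_port(self) -> int:
        return 49 if self.port == 0 else self.port

    def max_wait_seconds(self) -> int:
        # The initial query plus `retries` re-sends, each waiting `timeout` seconds,
        # before this server is declared inoperative.
        return self.timeout * (self.retries + 1)


@dataclass
class AuthResult:
    outcome: str                # "accepted", "rejected" or "all-servers-down"
    server: Optional[str]       # server that answered, if any
    priv_lvl: Optional[int]     # TACACS+ privilege level on acceptance
    waited: int                 # seconds spent on servers that never answered


def authenticate_admin(servers: List[TacacsServer], user: str, pw: str) -> AuthResult:
    """Walk the list in priority order: the first server is primary, the rest are
    backups used only after the previous one exhausted its retries."""
    waited = 0
    for srv in servers:
        for _attempt in range(srv.retries + 1):
            reply = srv.respond(user, pw)
            if reply is None:
                waited += srv.timeout      # no response: wait, then re-send
                continue
            if reply < 0:
                return AuthResult("rejected", srv.host, None, waited)
            return AuthResult("accepted", srv.host, reply, waited)
        # All attempts timed out: this server is inoperative, try the next one.
    return AuthResult("all-servers-down", None, None, waited)


def worst_case_lockout_seconds(servers: List[TacacsServer]) -> int:
    """How long an administrator login can hang when every configured server is
    unreachable, which is when the console-port fallback in the Caution matters."""
    return sum(s.max_wait_seconds() for s in servers)


def administrators_for_level(priv_lvl: int, aaa_levels: Dict[str, int]) -> List[str]:
    """aaa_levels maps administrator username -> AAA Access Level as set on the
    Modify Properties screen. Assumption: a TACACS+ user receives the rights of
    the administrator(s) whose AAA Access Level equals the returned priv-lvl."""
    return [name for name, lvl in aaa_levels.items() if lvl == priv_lvl]


if __name__ == "__main__":
    # Constructed scenario: primary is down, the backup accepts "netops" at level 15.
    primary = TacacsServer("192.0.2.10")
    backup = TacacsServer("192.0.2.11",
                          respond=lambda u, p: 15 if (u, p) == ("netops", "pw") else -1)
    print(authenticate_admin([primary, backup], "netops", "pw"))
    print("worst case:", worst_case_lockout_seconds([primary, backup]), "s")
```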
Server Secret
Enter the TACACS+ server secret (also called the shared secret), for example: C8z077f. The maximum
length is 32 characters. The field shows only asterisks.
Verify
Re-enter the TACACS+ server secret to verify it. The field shows only asterisks.
Add/Apply or Cancel
To add the new server to the list of configured user TACACS+ servers, click Add. Or to apply your
changes to the configured server, click Apply. Both actions include your entries in the active
configuration. The Manager returns to the Administration | Access Rights | AAA Servers |
Authentication screen. Any new server appears at the bottom of the TACACS+ Authentication Servers
list.
Reminder:
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top
of the Manager window.
To discard your entries, click Cancel. The Manager returns to the Administration | Access Rights |
AAA Servers | Authentication screen, and the TACACS+ Authentication Servers list is unchanged.
Administration | Access Rights | AAA Servers | Test
This screen lets you test a configured TACACS+ server to determine that:
• The VPN Concentrator is communicating properly with the TACACS+ server.
• The server correctly authenticates a valid administrator.
• The server correctly rejects an invalid user.
Caution
Misconfiguration of TACACS+ can lock an administrator out of the Concentrator HTML interface.
If that happens, you can access the Concentrator by logging in through the console port, using your
administrator username and password.
Figure 7-10 Administration | Access Rights | AAA Servers | Test Screen
User Name
To test connectivity and valid authentication, enter the username for a valid user who has been
configured on the TACACS+ server. The maximum length is 32 characters. Entries are case-sensitive.
To test connectivity and authentication rejection, enter a username that is invalid on the TACACS+
server.
Password
Enter the password for the username. The maximum length is 32 characters. Entries are case-sensitive.
The field displays only asterisks.
OK / Cancel
To send the username and password to the selected TACACS+ server, click OK. The authentication and
response process takes a few seconds. The Manager displays a Success or Error screen.
To cancel the test and discard your entries, click Cancel. The Manager returns to the Administration |
Access Rights | AAA Servers | Authentication screen.
Administration | Access Rights | AAA Servers | Authentication Success
If the authentication succeeds, the Manager displays a Success screen.
Figure 7-11 Administration | Access Rights | AAA Servers | Authentication Success Screen
Continue
To return to the Administration | Access Rights | AAA Servers screen, click Continue.
Administration | Access Rights | AAA Servers | Authentication Error
If the authentication is unsuccessful for any reason—invalid username or password, no active server,
etc.—the Manager displays an Error screen.
Figure 7-12 Administration | Access Rights | AAA Servers | Authentication Error Screen
To return to the Administration | Access Rights | AAA Servers | Authentication Test screen, click Retry
the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
Note
You must set a value in the AAA Access Level parameter; see Administration | Access Rights |
Administrators | Modify.
Chapter 8
File Management
Administration | File Management
This section of the Manager lets you manage files in VPN Concentrator Flash memory. (Flash memory
acts like a disk.)
• Files: Copy, view, and delete system files.
• Swap Configuration Files: Swap backup and boot configuration files.
• TFTP Transfer: Use TFTP to transfer files to and from the VPN Concentrator.
• File Upload: Use HTTP to transfer files to the VPN Concentrator.
Figure 8-1 Administration | File Management Screen
Administration | File Management | Files
This screen lets you manage files in VPN Concentrator Flash memory. (Flash memory acts like a disk.)
Such files include CONFIG, CONFIG.BAK, LOGNNNNN.TXT files, and copies of them that you have
saved under different names.
The screen shows a table listing all files in Flash memory, one file per table row. Use the frame scroll
controls (if present) to display more files in the table.
Figure 8-2 Administration | File Management | Files Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Total, Used, Free KB
The total size of Flash memory in kilobytes, the amount used by the files listed, and the remaining free
space in Flash memory.
Filename
The name of the file in Flash memory. The VPN Concentrator stores filenames as uppercase in the 8.3
naming convention.
Size (bytes)
The size of the file in bytes.
Date/Time
The date and time the file was created. The format is MM/DD/YY HH:MM:SS, with time in 24-hour
notation. For example, 05/07/99 15:20:24 is May 7, 1999 at 3:20:24 PM.
Actions
For a selected file, click the desired action link. The actions available to you depend on your Access
Rights to Files; see the Administration | Access Rights | Administrators | Modify Properties screen.
View (Save)
To view the selected file, click View. The Manager opens a new browser window to display the file, and
the browser address bar shows the filename.
You can also save a copy of the file on the PC that is running the browser. Click the File menu on the
new browser window and select Save As.... The browser opens a dialog box that lets you save the file.
The default filename is the same as on the VPN Concentrator.
Alternatively, you can use the secondary mouse button to click View on this Manager screen. A pop-up
menu presents choices the exact wording of which depends on your browser, but among them are:
• Open Link, Open Link in New Window, Open in New Window = Open and view the file in a new
browser window.
• Save Target As..., Save Link As... = Save a copy of the file on your PC. Your system will prompt
for a filename and location. The default filename is the same as on the VPN Concentrator.
When you are finished viewing or saving the file, close the new browser window.
Delete
To delete the selected file from Flash memory, click Delete. The Manager opens a dialog box for you to
confirm or cancel. If you confirm, the Manager refreshes the screen and shows the revised list of files.
Copy
To copy a selected file within Flash memory, click Copy. The Manager opens a dialog box for you to
enter a filename for the copy, and to confirm the action. Filenames must adhere to the 8.3 naming
convention. If you confirm, the Manager refreshes the screen and shows the revised list of files.
Administration | File Management | Swap Configuration Files
This screen lets you swap the boot configuration file with the backup configuration file. Every time you
save the active configuration, the system writes it to the CONFIG file, which is the boot configuration
file; and it saves the previous CONFIG file as CONFIG.BAK, the backup configuration file.
To reload the boot configuration file and make it the active configuration, you must reboot the system.
When you click OK, the system automatically goes to the Administration | System Reboot screen, where
you can reboot the system. You can also click the highlighted link to go to that screen.
Figure 8-3 Administration | File Management | Swap Configuration Files Screen
OK / Cancel
To swap CONFIG and CONFIG.BAK files, click OK. The Manager goes to the Administration |
System Reboot screen.
To leave the files unchanged, click Cancel. The Manager returns to the Administration |
File Management screen.
Administration | File Management | TFTP Transfer
This screen lets you use TFTP (Trivial File Transfer Protocol) to transfer files to and from VPN
Concentrator Flash memory. (Flash memory acts like a disk.) The VPN Concentrator acts as a TFTP
client for these functions, accessing a TFTP server running on a remote system. All transfers are made
in binary (octet) mode, and they copy—rather than move—files.
To use these functions, you must have Access Rights to Read/Write Files. See the Administration |
Access Rights | Administrators | Modify Properties screen.
You can list, view, and manage VPN Concentrator files on the Administration | File Management | Files
screen.
Figure 8-4 Administration | File Management | TFTP Transfer Screen
Concentrator File
Enter the name of the file on the VPN Concentrator. This filename must conform to the 8.3 naming
convention.
Action
Click the Action drop-down menu button and choose the TFTP action:
• GET << = Get a file from the remote system. Copy a file from the remote system to the VPN
Concentrator.
• PUT >> = Put a file on the remote system. Copy a file from the VPN Concentrator to the remote
system.
TFTP Server
Enter the IP address or host name of the remote system running the TFTP server. (If you configured a
DNS server, you can enter a host name; otherwise, enter an IP address.)
TFTP Server File
Enter the name of the file on the remote system. This filename must conform to naming conventions
applicable to the remote system. Do not include a path; the configuration of the remote TFTP server
determines the location (path) of the file.
Caution
If either filename is the same as an existing file, TFTP overwrites the existing file without asking for
confirmation.
OK / Cancel
To transfer the file, click OK. The Manager pauses during the transfer, which might take a few moments;
please wait for the operation to finish. The Manager then displays either a Success or Error screen.
To cancel your settings on this screen, click Cancel. The Manager returns to the main Administration
screen.
Success (TFTP)
If the TFTP transfer is successful, the Manager displays a Success screen.
Figure 8-5 Administration | File Management | TFTP Transfer | Success Screen
Continue
To return to the Administration | File Management | TFTP Transfer screen, click Continue.
Error (TFTP)
If the TFTP transfer is unsuccessful for any reason—no such file, incorrect action, remote system
unreachable, TFTP server not running, incorrect server address, etc.—the Manager displays an Error
screen.
Figure 8-6 Administration | File Management | TFTP Transfer | Error Screen
To return to the Administration | File Management | TFTP Transfer screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
Administration | File Management | File Upload
This screen lets you use HTTP (Hypertext Transfer Protocol) to transfer a configuration file from your
PC—or a system accessible from your PC—to the VPN Concentrator Flash memory.
This function provides special handling for configuration (config) files. If the uploaded file has the VPN
Concentrator filename config, the system deletes any existing config.bak file, renames the existing
config file as config.bak, then writes the new config file. However, these actions occur only if the file
transfer is successful, so existing files are not corrupted.
To use these functions, you must have Access Rights to Read/Write Files. See the Administration |
Access Rights | Administrators | Modify Properties screen.
Be sure there is sufficient space in Flash memory for the new file. You can list, view, and manage VPN
Concentrator files, and check space available, on the Administration | File Management | Files screen.
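The special handling for config files described above, as an added example that is not the Concentrator's own code: the upload is written to a staging file first, and only after the whole transfer has succeeded is any existing config.bak deleted, the existing config renamed to config.bak, and the new file moved into place, so an interrupted or cancelled transfer leaves Flash unchanged. The 8.3 character set and the UPLOAD.TMP staging name are assumptions of this example.

```python
import os
import re
from pathlib import Path
from typing import Iterable

# The VPN Concentrator stores names uppercase in 8.3 form; this pattern is an
# assumption about the allowed character set, not taken from the manual.
EIGHT_DOT_THREE = re.compile(r"[A-Z0-9_]{1,8}(\.[A-Z0-9_]{1,3})?")


def normalize_flash_name(name: str) -> str:
    """Uppercase the name and reject anything that is not 8.3."""
    upper = name.upper()
    if not EIGHT_DOT_THREE.fullmatch(upper):
        raise ValueError(f"not an 8.3 filename: {name!r}")
    return upper


def upload_file(flash_dir: str, name: str, chunks: Iterable[bytes]) -> Path:
    """Write an uploaded file into flash_dir, rotating CONFIG -> CONFIG.BAK only after
    the whole transfer succeeded so a failed upload cannot corrupt the boot config.

    chunks stands in for the HTTP upload body; an exception while reading it
    (for example, the user clicked Cancel, or Flash ran out of space while
    writing) aborts the upload and leaves the existing files untouched.
    """
    flash = Path(flash_dir)
    target = flash / normalize_flash_name(name)
    staging = flash / "UPLOAD.TMP"   # staging name is an assumption of this example
    try:
        with open(staging, "wb") as fh:
            for chunk in chunks:
                fh.write(chunk)
    except Exception:
        staging.unlink(missing_ok=True)   # discard the partial transfer
        raise
    if target.name == "CONFIG":
        backup = flash / "CONFIG.BAK"
        if backup.exists():
            backup.unlink()          # delete any existing config.bak ...
        if target.exists():
            target.rename(backup)    # ... rename the existing config to config.bak ...
    os.replace(staging, target)      # ... then put the new file in place
    return target
```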
Figure 8-7 Administration | File Management | File Upload Screen
File on VPN 3000 Concentrator Series
Enter the name for the file on the VPN Concentrator. This filename must conform to the 8.3 naming
convention. See the previous discussion about special handling for config files.
Local File / Browse...
Enter the name of the file on your PC. In a Windows environment, enter the complete pathname using
MS-DOS syntax, for example: c:\vpn3000\config0077. You can also click the Browse button to open a
file navigation window, find the file, and select it.
Upload / Cancel
To upload the file to the VPN Concentrator, click Upload. The Manager opens the File Upload Progress
window.
To cancel your entries on this screen, or to stop a file upload that is in progress, click Cancel. The
Manager returns to the Administration | File Management screen.
File Upload Progress
This window shows the progress of the file upload. It refreshes the number of bytes transferred at
10-second intervals.
Figure 8-8 Administration | File Management | File Upload Progress Window
When the upload is finished, or if the upload is cancelled, the progress window closes.
File Upload Success
The Manager displays this screen to confirm that the file upload was successful.
Figure 8-9 Administration | File Management | File Upload Success Screen
To go to the Administration | File Management | Files screen and examine files in Flash memory, click
the highlighted link.
File Upload Error
The Manager displays this screen if there was an error during the file upload and the transfer was not
successful. Flash memory might be full, or the file transfer might have been interrupted or cancelled.
Figure 8-10 Administration | File Management | File Upload Error Screen
Click the link—Click here to see the list of files—to go to the Administration | File Management | Files
screen and examine space and files in Flash memory.
Click the link—Click here to return to File Upload—to return to the Administration | File
Management | File Upload screen.
Chapter 9
Certificate Management
Administration | Certificate Management
This section of the Manager lets you manage digital certificates:
• Enrollment: Create a certificate request to enroll with a Certificate Authority (CA).
• Installation: Install certificates on the VPN Concentrator.
• Certificates: View, delete, configure revocation checking, and generate certificates.
Digital certificates are a form of digital identification used for authentication. CAs issue them in the
context of a Public Key Infrastructure (PKI), which uses public-key / private-key encryption to ensure
security. CAs are trusted authorities who “sign” certificates to verify their authenticity. The systems on
each end of the VPN tunnel must have trusted certificates from the same CA, or from different CAs in
a hierarchy of trusted relationships, for example: “A” trusts “B,” and “B” trusts “C,” therefore “A” trusts
“C.”
CAs issue root certificates (also known as trusted or signing certificates). They may also issue
subordinate trusted certificates. Finally, CAs issue identity certificates, which are the certificates for
specific systems or hosts. There must be at least one identity certificate (and its root certificate) on a
given VPN Concentrator; there may be more than one root certificate. The maximum number of root and
identity certificates allowed depends on the VPN Concentrator model. Model 3005 allows a maximum
of 2 root and 2 identity certificates. The other VPN Concentrator models allow a maximum of 20 root
and 20 identity certificates.
During IKE (IPSec) Phase 1 authentication, the communicating parties exchange certificate and key
information, and they use the public-key / private-key pairs to generate a hash value; if the hash values
match, the client is authenticated.
The VPN Concentrator supports X.509 digital certificates (International Telecommunications Union
Recommendation X.509), including SSL (Secure Sockets Layer) certificates that are self-signed or
issued in a PKI context.
On the VPN Concentrator, digital certificates are stored as encrypted files in a secure area of Flash
memory. They do not require you to click Save Needed to store them, and they are not visible under
Administration | File Management.
After you install a digital certificate on the VPN Concentrator, it is available in the Digital Certificate
list for configuring IPSec LAN-to-LAN connections and IPSec SAs. See Configuration | System |
Tunneling Protocols | IPSec LAN-to-LAN and Configuration | Policy Management |
Traffic Management | Security Associations.
The VPN Concentrator can have only one SSL certificate installed. If you generate a self-signed SSL
certificate, it replaces any installed PKI-context SSL certificate; and vice-versa.
For information on using SSL certificates, see the “Installing the SSL Certificate in your Browser”
section in Chapter 1. See also Configuration | System | Management Protocols | HTTP/HTTPS and
Telnet, and Configuration | System | Management Protocols | SSL.
Digital certificates carry a timestamp that determines a time frame for their validity. Therefore, it is
essential that the time on the VPN Concentrator is correct and synchronized with network time. See
Configuration | System | Servers | NTP and Configuration | System | General | Time and Date.
Figure 9-1 Administration | Certificate Management Screen
Installing Digital Certificates on the VPN Concentrator
Installing a digital certificate on the VPN Concentrator requires these steps:
Step 1
Use the Administration | Certificate Management | Enrollment screen to generate a certificate request.
Save the request as a file, or copy it to the clipboard.
Step 2
Send the certificate request to a CA, usually using the CA’s web interface. Most CAs let you submit the
request by pasting from the clipboard; otherwise, you can send a file.
Step 3
From the CA, receive root (and perhaps subordinate) and identity certificates. Save them as text files on
your PC or other reachable network host; do not open them or install them in your browser.
Step 4
Use the Administration | Certificate Management | Installation screen to:
a. Install the root certificate on the VPN Concentrator first.
b. Then install any subordinate certificate(s).
c. Finally, install the identity certificate.
Step 5
Use the Administration | Certificate Management | Certificates screen to view the certificates and check
them, and perhaps to enable revocation checking.
Note
You must complete the enrollment and certificate installation process within one week of generating
the request.
See the appropriate Administration | Certificate Management screen for more information.
Administration | Certificate Management | Enrollment
This screen lets you generate a certificate request to send to a CA (Certificate Authority), to enroll the
VPN Concentrator in a PKI.
The entries you make on this screen are governed by PKI standards and practices. The fields conform to
ITU-T Recommendation X.520: Selected Attribute Types. Check with the CA whether to make an entry
in each field and what to enter (format, content, and syntax). You must at least enter the Common Name
(CN). All entries might appear in your identity certificate.
When you click Apply, the system generates a certificate request; see the Administration |
Certificate Management | Enrollment | Request Generated screen.
Figure 9-2 Administration | Certificate Management | Enrollment Screen
Common Name (CN)
Enter the name for the VPN Concentrator that identifies it in the PKI, for example: Engineering VPN.
Spaces are allowed. You must enter a name in this field.
If you are requesting an SSL certificate, enter the IP address or domain name you use to connect to this
VPN Concentrator, for example: 10.10.147.2.
Organizational Unit (OU)
Enter the name for the department or other organizational unit to which this VPN Concentrator belongs,
for example: CPU Design. Spaces are allowed.
Organization (O)
Enter the name for the company or organization to which this VPN Concentrator belongs, for example:
cisco systems. Spaces are allowed.
Locality (L)
Enter the city or town where this VPN Concentrator is located, for example: San Jose. Spaces are
allowed.
State/Province (SP)
Enter the state or province where this VPN Concentrator is located, for example: California. Spell the
name out completely; do not abbreviate. Spaces are allowed.
Country (C)
Enter the country where this VPN Concentrator is located, for example: US. Use two characters, no
spaces, and no periods. This two-character code must conform to ISO 3166 country abbreviations.
Subject Alternative Name (FQDN)
Enter the fully qualified domain name for this VPN Concentrator that identifies it in this PKI, for
example: vpn3030.cisco.com. This field is optional. The alternative name is an additional data field in
the certificate, and it provides interoperability with many Cisco IOS and PIX systems in LAN-to-LAN
connections.
Key Size
Click the Key Size drop-down menu button and choose the algorithm for generating the public-key /
private-key pair, and the key size. If you are requesting an SSL certificate, you must select an RSA
choice.
• RSA 512 bits = Generate 512-bit keys using the RSA (Rivest, Shamir, Adleman) algorithm. This
key size provides sufficient security and is the default selection. It is the most common, and requires
the least processing.
• RSA 768 bits = Generate 768-bit keys using the RSA algorithm. This key size provides normal
security. It requires approximately 2 to 4 times more processing than the 512-bit key.
• RSA 1024 bits = Generate 1024-bit keys using the RSA algorithm. This key size provides high
security, and it requires approximately 4 to 8 times more processing than the 512-bit key.
• DSA 512 bits = Generate 512-bit keys using DSA (Digital Signature Algorithm).
• DSA 768 bits = Generate 768-bit keys using the DSA algorithm.
• DSA 1024 bits = Generate 1024-bit keys using the DSA algorithm.
OK / Cancel
To generate the certificate request, click OK. The Manager displays the Administration | Certificate
Management | Enrollment | Request Generated screen, and then opens a browser window showing the
certificate request.
To discard your entries and cancel the request, click Cancel. The Manager returns to the Administration
| Certificate Management screen.
Administration | Certificate Management | Enrollment | Request Generated
The Manager displays this screen when the system has successfully generated a certificate request. The
request is a Base-64 encoded file in PKCS-10 format (Public Key Certificate Syntax-10), which most
CAs recognize or require. The system automatically saves this file in Flash memory with the filename
shown in the screen (pkcsNNNN.txt).
In generating the request, the system also generates the private key used in the PKI process. That key
remains on the VPN Concentrator, and it is not visible.
Note
You must complete the enrollment and certificate installation process within one week of generating
the request.
Figure 9-3 Administration | Certificate Management | Enrollment | Request Generated Screen
To go to the Administration | File Management | Files screen, click the highlighted File Management
page link. From there you can view, copy, or delete the file in Flash memory.
The system also automatically opens a new browser window and displays the certificate request. You
can select and copy the request to the clipboard, or you can save it as a file on your PC or a network host.
Some CAs let you paste the request in a web interface, some ask you to send a file; use the method your
CA requires.
Figure 9-4 Browser Window with PKCS-10 Certificate Request
Close this browser window when you are finished.
Enrolling with a Certificate Authority
To send the certificate request to a CA, enroll, and receive your digital certificates, follow these steps.
(These are cut-and-paste steps; your CA might follow different procedures. In any case, you must end
up with certificates saved as text files on your PC or other reachable network host.)
Step 1
Select and copy the certificate request from the browser window to your clipboard.
Step 2
Use a browser to connect to the CA’s website. Navigate to the screen that lets you submit a PKCS-10
request via cut-and-paste.
Step 3
Paste the certificate request in the CA screen, and submit the request.
Step 4
The CA should respond with a new browser screen that says the certificates were successfully generated.
That screen also should include active links that let you “Download the root certificate” and “Download
the identity certificate.”
Step 5
With the secondary mouse button, click the root certificate download link and select Save Link As or
Save Target As. You want to save the file as a text file on your PC or other reachable network host; do
not open it or install it in the browser. The browser opens a dialog box that lets you navigate to the
desired location and enter a filename. Use a name that clearly identifies this as a root certificate, with a
.txt extension.
Step 6
Repeat the previous step for any subordinate certificates, and finally for the identity certificate. Name
the files so that you can distinguish the certificate types.
Step 7
Proceed to the Administration | Certificate Management | Installation screen.
Administration | Certificate Management | Installation
This Manager screen lets you install digital certificates on the VPN Concentrator.
You can install certificates obtained via enrollment with a CA in a PKI (where the private key is
generated on, and stays hidden on, the VPN Concentrator), or you can install certificates imported
along with the private key from some source (PKCS-12 format). The latter certificate installation
process is not secure, and we strongly recommend not using it unless you are absolutely certain of its
integrity.
Note
You must install the CA root certificate first, then install any other subordinate certificates from the
CA. Install the identity certificate last.
You can also install an SSL server identity certificate issued in a PKI context (not a self-signed SSL
certificate). If you install such a certificate, it replaces any self-signed SSL certificate. The VPN
Concentrator can have only one SSL certificate, regardless of type.
Figure 9-5 Administration | Certificate Management | Installation Screen
Certificate Type
Click the Certificate Type drop-down menu button and choose the type of digital certificate to install.
(Please note that --Select a Certificate Type-- is an instruction reminder, not a choice.)
• Issuing or Root Certificate Authority = Root and subordinate certificates obtained via enrollment
with a CA in a PKI. Select this type and install the root certificate first, then install any subordinate
certificates.
• SSL Server (via Enrollment) = SSL certificate obtained via enrollment in a PKI.
• SSL Server (import with Private Key) = SSL certificate imported along with a private key from
some source. Installing this certificate type is not a completely secure process, and we strongly
recommend not using it. If you choose this type, complete the Certificate Password and Verify fields.
• Server Identity (via Enrollment) = Identity certificates obtained via enrollment with a CA in a PKI.
Select this type and install the identity certificate last.
Certificate Password
Complete this field only if you select an import with Private Key certificate type. Enter the password for
the private key.
Verify
Complete this field only if you select an import with Private Key certificate type. Re-enter the private
key password to verify it.
Local File / Browse
You can enter the certificate text in either of two ways. If the certificate text is stored in a file, then enter
the file name here. If the text of the certificate is displaying in another open window, you can copy and
paste it into the Certificate Text sub-window.
Enter the complete path and filename of the certificate you are installing, for example:
d:\certs\ca_root.txt. Or click Browse to navigate to the file on your PC or other reachable network host.
Certificate Text
You can enter the certificate text in either of two ways. If the certificate text is stored in a file, then enter
the file name in the Local File/Browse field. If the text of the certificate is displaying in another open
window, you can copy and paste it here. This scrollable input field allows you to enter the certificate text
directly, without having to save it to a file first.
OK / Cancel
To install the certificate, click OK. The Manager displays the Administration | Certificate Management |
Certificates screen.
If you select the Server Identity (import with Private Key) certificate type, the Manager displays a
warning message and asks you to confirm.
To discard your entries and cancel the operation, click Cancel. The Manager returns to the
Administration | Certificate Management screen.
Administration | Certificate Management | Certificates
This screen shows all the certificates installed in the VPN Concentrator and lets you view, enable
revocation checking, and delete certificates. You can also generate a self-signed SSL server certificate.
The Manager displays this screen each time you install a digital certificate.
Figure 9-6 Administration | Certificate Management | Certificates Screen
Certificate Authorities
This table shows installed root and subordinate (trusted) certificates issued by Certificate Authorities
(CAs).
Identity Certificates
This table shows installed server identity certificates.
SSL Certificate / [ Generate ]
This table shows the SSL server certificate installed on the VPN Concentrator. The system can have only
one SSL server certificate installed: either a self-signed certificate or one issued in a PKI context.
To generate a self-signed SSL server certificate, click Generate. The system uses parameters set on the
Configuration | System | Management Protocols | SSL screen and generates the certificate. The new
certificate replaces any existing SSL certificate.
Subject / Issuer
The Common Name (CN) or Organizational Unit (OU) (if present), plus the Organization (O) in the
Subject and Issuer fields of the certificate. The format is CN at O, OU at O, or just O; for example, Root
2 at CyberTrust. The CN, OU, and O fields display a maximum of 33 characters each. See
Administration | Certificate Management | Certificates | View.
Expiration
The expiration date of the certificate. Format is MM/DD/YYYY.
Actions / View / CRL / Delete
To view details of this certificate, click View. The Manager opens the Administration |
Certificate Management | Certificates | View screen.
To enable CRL (Certificate Revocation List) checking for this CA certificate, click CRL. The Manager
opens the Administration | Certificate Management | Certificates | CRL screen.
To delete this certificate from the VPN Concentrator, click Delete. The Manager opens the
Administration | Certificate Management | Certificates | Delete screen.
Administration | Certificate Management | Certificates | View
The Manager displays this screen of certificate details when you click View for a certificate on the
Administration | Certificate Management | Certificates screen. The details vary depending on the
certificate content.
The content and format of certificate details are governed by the ITU (International Telecommunication
Union) X.509 standard, specifically the X.509 profile in RFC 2459. The Subject and Issuer fields conform to ITU X.520.
This screen is read-only; you cannot change any information here.
Figure 9-7 Administration | Certificate Management | Certificates | View Screen
Subject
The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the
same.
Issuer
The CA or other entity (jurisdiction) that issued the certificate.
Subject and Issuer consist of a specific-to-general identification hierarchy: CN, OU, O, L, SP, and C.
These labels and acronyms conform to X.520 terminology, and they echo the fields on the
Administration | Certificate Management | Enrollment screen.
CN=
Common Name: the name of a person, system, or other entity. This is the lowest (most specific) level in
the identification hierarchy.
For the VPN Concentrator self-signed SSL certificate, the CN is the IP address on the Ethernet 1
(Private) interface at the time the certificate is generated. SSL compares this CN with the address you
use to connect to the VPN Concentrator via HTTPS, as part of its validation.
OU=
Organizational Unit: the subgroup within the organization (O).
O=
Organization: the name of the company, institution, agency, association, or other entity.
L=
Locality: the city or town where the organization is located.
SP=
State/Province: the state or province where the organization is located.
C=
Country: the two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Serial Number
The serial number of the certificate. Each certificate issued by a CA or other entity must be unique. CRL
checking uses this serial number.
Signing Algorithm
The cryptographic algorithm that the CA or other issuer used to sign this certificate.
Public Key Type
The algorithm and size of the public key that the CA or other issuer used in generating this certificate.
Certificate Usage
The purpose of the key contained in the certificate, for example: digital signature, certificate signing,
nonrepudiation, key or data encipherment, etc.
MD5 Thumbprint
A 128-bit MD5 hash of the complete certificate contents, shown as a 16-byte string. This value is unique
for every certificate, and it positively identifies the certificate. If you question a certificate’s authenticity,
you can check this value with the issuer.
SHA1 Thumbprint
A 160-bit SHA-1 hash of the complete certificate contents, shown as a 20-byte string. This value is
unique for every certificate, and it positively identifies the certificate. If you question a certificate’s
authenticity, you can check this value with the issuer.
Validity
The time period during which this certificate is valid.
Format is MM/DD/YYYY at HH:MM:SS AM/PM to MM/DD/YYYY at HH:MM:SS AM/PM. Time
uses 12-hour AM/PM notation, and is local system time.
The Manager checks the validity against the VPN Concentrator system clock, and it flags expired
certificates.
Subject Alternative Name (Fully Qualified Domain Name)
The fully qualified domain name for this VPN Concentrator that identifies it in this PKI. The alternative
name is an optional additional data field in the certificate, and it provides interoperability with many
Cisco IOS and PIX systems in LAN-to-LAN connections.
CRL Distribution Point
The distribution point for CRLs (Certificate Revocation Lists) from this CA. If this information is
included in the certificate in the proper format, and you enable CRL checking, you do not have to provide
it on the Administration | Certificate Management | Certificates | CRL screen.
Back
To return to the Administration | Certificate Management | Certificates screen, click Back.
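The fields this screen shows (Subject and Issuer in the table's "CN at O" form, Serial Number, Validity checked against the clock, and the MD5 and SHA1 thumbprints of the complete certificate) can be read from a saved certificate with a few lines of standard-library Python. This is an added example, not Cisco code or part of the manual: the DER helpers, the sample certificate (built inline with placeholder key and signature bytes, using the manual's own example names) and the CN-before-OU reading of the table format are this example's own assumptions.

```python
"""Added example, not Cisco's code: decode the fields the Certificates | View screen shows
from a DER or PEM X.509 certificate with the standard library only. The sample certificate
is constructed below with placeholder key and signature bytes so it runs offline."""
import base64
import hashlib
from datetime import datetime, timezone

# ---- minimal DER encoder, used only to build the constructed sample ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b              # long-form length
def tlv(tag, body): return bytes([tag]) + der_len(len(body)) + body
def seq(*items): return tlv(0x30, b"".join(items))
def integer(n): return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def utf8(s): return tlv(0x0C, s.encode())
def utctime(dt): return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

# X.520 attribute OIDs (DER value bytes), labelled the way the View screen labels them
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "SP", b"\x55\x04\x06": "C"}
ATTR_OID = {v: tlv(0x06, k) for k, v in ATTR.items()}
SHA1_RSA = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")   # sha1WithRSAEncryption
RSA_ENC = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")    # rsaEncryption
def name(**rdns):                # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue)
    return seq(*(tlv(0x31, seq(ATTR_OID[k], utf8(v))) for k, v in rdns.items()))

# ---- decoder ----
def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def children(body):
    """Split a SEQUENCE or SET body into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out
def decode_name(body):
    out = {}                                       # unknown attribute types are keyed by OID hex
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, o), (_, val) = children(atv)
            out[ATTR.get(o, o.hex())] = val.decode()
    return out
def parse_time(tag, b):
    s = b.decode()
    if tag == 0x17:                                # UTCTime two-digit year; RFC 2459 pivots at 50
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
def thumbprint(der, algo):
    """Hash of the complete DER certificate, byte by byte, as the View screen shows it."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())
def pem_to_der(text):
    """Strip the BEGIN/END lines from a certificate saved as a .txt file and Base-64 decode it."""
    return base64.b64decode("".join(l.strip() for l in text.splitlines() if "-----" not in l))
def parse_certificate(der):
    cert = children(der)[0][1]                     # outer Certificate SEQUENCE
    fields = children(children(cert)[0][1])        # tbsCertificate is its first element
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    nb, na = (parse_time(t, v) for t, v in children(fields[3][1]))
    return {"serial": int.from_bytes(fields[0][1], "big"),
            "issuer": decode_name(fields[2][1]), "subject": decode_name(fields[4][1]),
            "not_before": nb, "not_after": na,
            "md5": thumbprint(der, "md5"), "sha1": thumbprint(der, "sha1")}
def display_name(n):
    """'CN at O', else 'OU at O', else just O; each part cut to 33 characters as in the table."""
    for key in ("CN", "OU"):
        if key in n:
            return f"{n[key][:33]} at {n.get('O', '')[:33]}"
    return n.get("O", "")[:33]
def validity_status(cert, now):
    """What the Manager flags when it checks Validity against the system clock."""
    if now < cert["not_before"]:
        return "not yet valid"
    return "expired" if now > cert["not_after"] else "valid"

# ---- constructed sample; subject and issuer values are the manual's own examples ----
SAMPLE_DER = seq(
    seq(tlv(0xA0, integer(2)),                     # [0] version v3
        integer(0x1A2B3C),                         # serial number (constructed)
        seq(SHA1_RSA, tlv(0x05, b"")),             # signature algorithm
        name(C="US", O="CyberTrust", CN="Root 2"),                          # issuer
        seq(utctime(datetime(2001, 8, 1, tzinfo=timezone.utc)),             # validity
            utctime(datetime(2003, 8, 1, tzinfo=timezone.utc))),
        name(C="US", O="cisco systems", OU="CPU Design", CN="Engineering VPN"),  # subject
        seq(seq(RSA_ENC, tlv(0x05, b"")), tlv(0x03, b"\x00"))),  # SPKI placeholder, no real key
    seq(SHA1_RSA, tlv(0x05, b"")),
    tlv(0x03, b"\x00" + bytes(16)))                # placeholder signature bits, not a real signature
_b64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64))
              + "\n-----END CERTIFICATE-----\n")
if __name__ == "__main__":
    c = parse_certificate(pem_to_der(SAMPLE_PEM))
    print(display_name(c["subject"]), hex(c["serial"]), validity_status(c, datetime.now(timezone.utc)), c["sha1"])
```

Run it against a real CA-issued certificate by passing the saved .txt file's contents to pem_to_der; the thumbprint it prints is what you compare with the issuer when you question a certificate's authenticity.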
Administration | Certificate Management | Certificates | CRL
This screen lets you enable Certificate Revocation List (CRL) checking for CA certificates installed in
the VPN Concentrator.
A certificate is normally expected to be valid for its entire validity period. However, if a certificate
becomes invalid due to a name change, change of association between the subject and the CA, security
compromise, etc., the CA revokes the certificate. Under X.509, CAs revoke certificates by periodically
issuing a signed Certificate Revocation List (CRL), where each revoked certificate is identified by its
serial number. Enabling CRL checking means that every time the VPN Concentrator uses the certificate
for authentication, it also checks the latest CRL to ensure that the certificate has not been revoked.
CAs use LDAP databases to store and distribute CRLs. They might also use other means, but the VPN
Concentrator relies on LDAP access.
Since the system has to fetch and examine the CRL from a network distribution point, enabling CRL
checking might slow system response times. Also, if the network is slow or congested, CRL checking
might fail.
Many certificates include the location of the CRL distribution point. View the certificate to determine
its presence. If the CRL distribution point is present in the certificate in the proper format, you need not
configure any fields below the check box on this screen.
Figure 9-8 Administration | Certificate Management | Certificates | CRL Screen
Certificate
The certificate for which you are configuring CRL checking. This is the name shown in the Subject field
of the Certificate Authorities table on the Administration | Certificate Management | Certificates screen.
Enable CRL Checking
Check the Enable CRL Checking checkbox to enable CRL checking on all certificates issued by this
CA under its root. The box is unchecked by default.
If this certificate does not include CRL Distribution Point information, you must configure the fields that
follow. Otherwise, ignore them. Contact the security administrator at the CA to get the proper entries for
these fields.
Server
Enter the IP address or hostname of the CRL distribution point server (LDAP server). Maximum 32
characters.
Server Port
Enter the port number for the CRL server. Enter 0 (the default) to have the system supply the default port
number, 389 (LDAP).
Filter
Enter the filename filter (wildcard) to use with the Base DN to select the appropriate CRLs in the
database. Maximum 128 characters.
Base DN
Enter the LDAP base DN (Distinguished Name), which defines the directory path to the CRL database,
for example: cn=crl,ou=certs,o=CANam,c=US. The maximum field length is 128 characters.
Login DN
Enter the login DN to access this CRL database. Maximum 128 characters.
Password
Enter the password for the Login DN. Maximum 128 characters.
Verify
Re-enter the password to verify it. Maximum 128 characters.
Apply / Cancel
To configure CRL checking for this certificate, click Apply. The Manager returns to the Administration |
Certificate Management | Certificates screen.
To discard your settings, click Cancel. The Manager returns to the Administration |
Certificate Management | Certificates screen.
Administration | Certificate Management | Certificates | Delete
The Manager displays this confirmation screen when you click Delete for a certificate on the
Administration | Certificate Management | Certificates screen. The screen shows the same certificate
details as on the Administration | Certificate Management | Certificates | View screen.
Please note:
• You must delete CA certificates from the bottom up: server identity first, then subordinate CA, then
root CA certificates last. Otherwise, the Manager displays an error message.
• If the certificate is in use by an SA, the Manager displays an error message.
• If you delete the SSL certificate, the Manager displays: Error getting SSL Certificate:
SSLIOErr in the SSL Certificate table. Generate a new SSL certificate to clear this
message.
Figure 9-9 Administration | Certificate Management | Certificates | Delete Screen
Yes / No
To delete this certificate, click Yes.
Note
There is no undo.
The Manager returns to the Administration | Certificate Management | Certificates screen and shows the
remaining certificates.
To retain this certificate, click No. The Manager returns to the Administration | Certificate Management |
Certificates screen, and the certificates are unchanged.
PART 2
Monitoring
CHAPTER 10
Monitoring
The VPN 3000 Concentrator tracks many statistics and the status of many items essential to system
administration and management. Use the Concentrator Manager Monitoring windows to view all those
status items and statistics. You can even see the state of LEDs that show the status of hardware
subsystems in the device. You can also see statistics that are stored and available in standard MIB-II data
objects.
Monitoring
Step 1
In the Concentrator Manager table of contents, click Monitoring. The Monitoring screen opens.
Figure 10-1 Monitoring Screen
This section of the Manager lets you view VPN Concentrator status, sessions, statistics, and event logs.
• Routing Table: Current valid routes, protocols, and metrics.
• Filterable Event Log: Current event log in memory, filterable by event class, severity, IP address,
etc.
  – Live Event Log: Current event log, continuously updated.
• System Status: Current software revisions, uptime, SEP modules, system power supplies, Ethernet
interfaces, WAN interfaces, front-panel LEDs, and hardware sensors.
  – LED Status: Current status of the VPN Concentrator front-panel LED indicators.
• Sessions: Currently active sessions sorted by protocol, SEP, and encryption. “Top ten” sessions
sorted by data, duration, and throughput.
• Statistics: PPTP, L2TP, IPSec, HTTP, events, Telnet, DNS, authentication, accounting, filtering,
VRRP, SSL, DHCP, address pools, SSH, load balancing, and data compression. MIB-II statistics for
interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, the ARP table, Ethernet traffic, and SNMP.
These Manager screens are read-only “snapshots” of data or status at the time the screen displays. Most
screens have a Refresh button that you can click to get a fresh snapshot and update the screen, but you
cannot modify the data on the screen.
You can also configure the Manager to automatically refresh all the screens in this section except the
Event Log. See Administration | Monitoring Refresh.
CHAPTER 11
Routing Table
Monitoring | Routing Table
This screen shows the VPN Concentrator routing table at the time the screen displays. The IP routing
subsystem examines the destination IP address of packets coming through the VPN Concentrator and
forwards or drops them in accordance with configured parameters. The routing table shows the valid
forwarding paths that the IP routing subsystem knows about, from whatever source: static routes, learned
via routing protocols, interface addresses, etc. However, the table lists only the best routes—based on
metric and type—with duplicates removed.
To configure routing, see the Configuration | System | IP Routing and Configuration | Interfaces screens.
Figure 11-1 Monitoring | Routing Table Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Clear Routes
Click the Clear Routes button to clear the dynamic routing entries, such as RIP and OSPF, from the
display. Clicking this button does not affect the display of static routing entries.
Valid Routes
The total number of current valid routes that the VPN Concentrator knows about. This number includes
all valid routes, and it may be greater than the number of rows in the routing table, which shows only
the best routes with duplicates removed.
Address
The packet destination IP address to which this route applies. This address is combined with the subnet
mask to determine the destination route. 0.0.0.0 indicates the default gateway.
Mask
The subnet mask for the destination IP address in the Address field. 0.0.0.0 indicates the default gateway.
Next Hop
For remote routes, the IP address of the next system in the path to the destination. 0.0.0.0 indicates a
local route, which has no next hop.
Interface
The VPN Concentrator network interface through which traffic moves on this route:
• 1 = Ethernet 1 (Private) interface.
• 2 = Ethernet 2 (Public) interface.
• 3 = Ethernet 3 (External) interface.
• 8 or greater = WAN interface.
Protocol
The protocol or source of this routing table entry:
• RIP = Learned via Routing Information Protocol.
• OSPF = Learned via Open Shortest Path First protocol.
• Static = Configured static route.
• Local = Local VPN Concentrator interface address.
• ICMP = Learned from an ICMP (Internet Control Message Protocol) redirect message.
• Default = The default gateway.
Age
The number of seconds since this route was last updated or otherwise validated. The age is relative to
the screen display time, for example: 25 means the route was last validated 25 seconds before the screen
was displayed. 0 indicates a static, local, or default route.
Metric
The metric, or cost, of this route. One is the lowest value; sixteen is the highest value.
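As an added example that is not part of the manual, the following Python models routing table rows with the fields this screen displays and reproduces two points made above: duplicates are removed by keeping the best route per destination (lowest metric first, then type), and the Valid Routes count can exceed the number of rows shown. The manual says only that selection is "based on metric and type"; the tie-break order among types and the sample routes are assumptions constructed for the example.

```python
"""Best-route selection as displayed by Monitoring | Routing Table (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Interface numbers as listed on the screen: 1-3 are Ethernet, 8 or greater is WAN.
INTERFACE_NAMES = {1: "Ethernet 1 (Private)", 2: "Ethernet 2 (Public)", 3: "Ethernet 3 (External)"}

# ASSUMPTION: preference among route sources when metrics tie. The manual states only
# that the table keeps the best routes "based on metric and type"; this order is illustrative.
TYPE_PREFERENCE = {"Local": 0, "Static": 1, "OSPF": 2, "RIP": 3, "ICMP": 4, "Default": 5}

# Protocols whose entries carry a non-zero Age (static, local and default routes show 0).
DYNAMIC_PROTOCOLS = ("RIP", "OSPF", "ICMP")


@dataclass(frozen=True)
class Route:
    address: str    # destination; 0.0.0.0 = default gateway
    mask: str       # subnet mask; 0.0.0.0 = default gateway
    next_hop: str   # 0.0.0.0 = local route, no next hop
    interface: int  # 1, 2, 3 or >= 8
    protocol: str   # RIP, OSPF, Static, Local, ICMP, Default
    age: int        # seconds since last validated, relative to display time
    metric: int     # 1 = lowest cost, 16 = highest


def interface_name(number: int) -> str:
    """Map the screen's interface number to its name."""
    if number in INTERFACE_NAMES:
        return INTERFACE_NAMES[number]
    return "WAN interface" if number >= 8 else f"interface {number}"


def is_local(route: Route) -> bool:
    """A next hop of 0.0.0.0 means the route is local (no next hop)."""
    return route.next_hop == "0.0.0.0"


def best_routes(valid_routes: List[Route]) -> List[Route]:
    """Keep one row per (address, mask): lowest metric, then most preferred type."""
    best: Dict[Tuple[str, str], Route] = {}
    for r in valid_routes:
        key = (r.address, r.mask)
        current = best.get(key)
        rank = (r.metric, TYPE_PREFERENCE.get(r.protocol, 99))
        if current is None or rank < (current.metric, TYPE_PREFERENCE.get(current.protocol, 99)):
            best[key] = r
    return sorted(best.values(), key=lambda r: (r.address, r.mask))


def summarize(valid_routes: List[Route]) -> Dict[str, int]:
    """Valid Routes counts every known route; rows counts only the displayed best routes."""
    return {"valid_routes": len(valid_routes), "rows": len(best_routes(valid_routes))}


def stale_dynamic_routes(rows: List[Route], max_age: int) -> List[Route]:
    """Dynamic entries whose Age exceeds max_age seconds, worth checking against the source."""
    return [r for r in rows if r.protocol in DYNAMIC_PROTOCOLS and r.age > max_age]


# Constructed sample: five valid routes, two of them duplicates for 10.20.0.0/16.
SAMPLE_VALID_ROUTES = [
    Route("0.0.0.0", "0.0.0.0", "10.10.4.1", 2, "Default", 0, 1),
    Route("10.10.1.0", "255.255.255.0", "0.0.0.0", 1, "Local", 0, 1),
    Route("10.20.0.0", "255.255.0.0", "10.10.1.254", 1, "RIP", 25, 3),
    Route("10.20.0.0", "255.255.0.0", "10.10.1.253", 1, "OSPF", 12, 2),
    Route("10.30.0.0", "255.255.0.0", "10.10.1.250", 1, "ICMP", 400, 1),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_VALID_ROUTES))  # {'valid_routes': 5, 'rows': 4}
    for r in best_routes(SAMPLE_VALID_ROUTES):
        print(r.address, r.mask, r.next_hop, interface_name(r.interface), r.protocol, r.age, r.metric)
```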
CHAPTER 12
Filterable Event Log
Monitoring | Filterable Event Log
This screen shows the events in the current event log, lets you filter and display events by various
criteria, and lets you manage the event log file. For troubleshooting any system difficulty, or just to
examine details of system activity, consult the event log first.
The VPN Concentrator records events in nonvolatile memory, thus the event log persists even if the
system is powered off. The Model 3015–3080 event log holds 2048 events, the Model 3005 holds 256
events, and it wraps when it is full; that is, entry 2049 (or 257) overwrites entry 1, etc. Use the scroll
controls (if present) to display more events in the log.
To configure event handling, see the Configuration | System | Events screens.
To Get, Save, or Clear the event log file, you must have Access Rights to Read/Write Files. See the
Administration | Administrators | Modify Properties screen.
Figure 12-1 Monitoring | Filterable Event Log Screen
Select Filter Options
You can select any or all of the following options for filtering and displaying the event log. After
selecting the option(s), click any one of the four Page buttons. The Manager refreshes the screen and
displays the event log in accordance with your selections.
Your filter options remain in effect as long as you continue working within and viewing Monitoring |
Filterable Event Log screens. The Manager resets all options to their defaults if you leave and return, or
if you click Filterable Event Log in the left frame of the Manager window (the table of contents). You
cannot save filter options.
Event Class
To display all the events in a single event class, click the Event Class drop-down menu button and
choose the event class. To choose a contiguous range of event classes, select the first class in the range,
hold down the keyboard Shift key, and select the last class in the range. To select multiple event classes,
select the first class, hold down the keyboard Ctrl key, and select the other classes. By default, the
Manager displays All Classes of events. For a description of event classes, refer to VPN 3000 Series
Concentrator Reference Volume 1: Configuration.
Severities
To display all events of a single severity level, click the Severities drop-down menu button and choose
the severity level. To choose a contiguous range of severity levels, select the first severity level in the
range, hold down the keyboard Shift key, and select the last severity level in the range. To select multiple
severity levels, select the first severity level, hold down the keyboard Ctrl key, and select the other
severity levels. By default, the Manager displays All severity levels. For an explanation of event severity
levels, refer to VPN 3000 Series Concentrator Reference Volume 1: Configuration.
Client IP Address
To display all events relating to a single IP address, enter the IP address in the field using dotted decimal
notation, for example: 10.10.1.35. By default, the Manager displays all IP addresses. To restore the
default, enter 0.0.0.0.
Events/Page
To display a given number of events per Manager screen (page), click the Events/Page drop-down menu
button and choose the number. Choices are 10, 25, 50, 100, 250, and ALL. By default, the Manager
displays 100 events per screen.
Group
Choose a group from the menu to monitor events for that group only. The default is --All--, which
displays events for all groups.
Direction
To display events in a different chronological order, click the Direction drop-down menu button and
choose the order. Choices are:
• Oldest to Newest = Display events in actual chronological order, with oldest events at the top of the screen. This is the default selection.
• Newest to Oldest = Display events in reverse chronological order, with newest events at the top of the screen.
First Page
To display the first page (screen) of the event log, click the first page button. By default, the Manager
displays the first page of the event log when you first open this screen.
Previous Page
To display the previous page (screen) of the event log, click the previous page button.
Next Page
To display the next page (screen) of the event log, click the next page button.
Last Page
To display the last page (screen) of the event log, click the last page button.
All four Page buttons are also present at the bottom of the screen.
Get Log
To download the event log from VPN Concentrator memory to your PC and view it or save it as a text
file, click Get Log. The Manager opens a new browser window to display the file. The browser address
bar shows the VPN Concentrator address and log file default filename; for example,
10.10.4.6/LOG/vpn3000log.txt.
To save a copy of the log file on your PC, click the File menu on the new browser window and choose
Save As.... The browser opens a dialog box that lets you save the file. The default filename is
vpn3000log.txt.
Alternatively, you can use the secondary mouse button to click Get Log on this Monitoring |
Filterable Event Log screen. A pop-up menu presents choices whose exact wording depends on
your browser, but among them are:
• Open Link, Open Link in New Window, Open in New Window = Open and view the file in a new browser window.
• Save Target As..., Save Link As... = Save a copy of the log file on your PC. Your system will prompt for a filename and location. The default filename is vpn3000log.txt.
When you are finished viewing or saving the file, close the new browser window.
Save Log
To save a copy of the current event log as a file on the VPN Concentrator, click the Save Log button.
The browser prompts you for a filename, which must conform to the 8.3 naming convention.
Caution
If the filename you enter is the same as an existing file, the browser overwrites the existing file
without asking for confirmation.
To list and manage files on the VPN Concentrator, see the Administration | File Management screen.
Clear Log
To clear the current event log from memory, click the Clear Log button. The Manager then refreshes the
screen and shows the empty log.
Caution
The Manager immediately erases the event log from memory without asking for confirmation. There
is no undo feature for this action.
Event Log Format
Each entry (record) in the event log consists of eight or nine fields:
Sequence Date Time Severity Class/Number Repeat (IPAddress)
String
(The IPAddress field only appears in certain events.)
For example:
3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35
New administrator login: admin.
Event Sequence
The number of the logged entry. Event sequence numbers are sequential (they proceed from lower to
higher) but not consecutive. For example, a series of events could have the following sequence numbers:
1, 2, 4, 7, 8.
Numbering starts or restarts from 1 when the system powers up, when you save the event log, or when
you clear the event log. When the log file wraps after 2048 entries (Model 3015–3080; 256 entries on
Model 3005), numbering continues with event 2049 (or 257) overwriting event 1. The maximum
sequence number is 65536.
Although numbering restarts at 1 when the system powers up, the restart does not overwrite existing
entries in the event log; new entries are appended. Assuming the log doesn’t wrap, it can contain several
sequences of events each starting at 1. Thus you can examine events preceding and following reboot or reset cycles.
Event Date
The date of the event: MM/DD/YYYY. For example, 12/06/1999 identifies an event that occurred on
December 6, 1999.
Event Time
The time of the event: hour:minute:second.millisecond. The hour is based on a 24-hour clock. For
example, 14:37:06.680 identifies an event that occurred at 2:37:06.680 PM.
Event Severity
The severity level of the event; for example: SEV=4 identifies an event of severity level 4. For an
explanation of event severity levels, refer to VPN 3000 Series Concentrator Reference Volume 1:
Configuration.
Event Class / Number
The class, or source, of the event, and the internal reference number associated with the specific event
within the event class. For example: HTTP/47 identifies that an administrator logged in to the VPN
Concentrator using HTTP to connect to the Manager. For a description of event classes, refer to VPN
3000 Series Concentrator Reference Volume 1: Configuration. The internal reference number assists
Cisco support personnel if they need to examine a log file.
Event Repeat
The number of times that this specific event has occurred since the VPN Concentrator was last booted
or reset. For example, RPT=17 indicates that this is the seventeenth occurrence of this specific event.
Event IP Address
The IP address of the client or host associated with this event. Only certain events have this field. For
tunnel-related events, this is typically the “outer” or tunnel endpoint address. In the Event log format
example, 10.10.1.35 is the IP address of the host PC from which admin logged in using the Manager.
Event String
The string, or message, that describes the specific event. Each event class comprises many possible
events, and the string gives a brief description. Event strings usually do not exceed 80 characters. In the
Event log format example, “New administrator login: admin” describes the event.
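As an added example that is not part of the manual, the following Python parses records in the layout described under Event Log Format (header line with optional IPAddress, string on the next line), splits the log at sequence-number restarts to recover the reboot or reset cycles described under Event Sequence, and applies the screen's Event Class, Severities, Client IP Address and Direction filters. The first record of the sample log is the manual's own example; the remaining records, including the HW/1 class/number, are constructed placeholders.

```python
"""Parser for VPN 3000 Concentrator event log records (added example, not Cisco code).

Record layout from the manual's "Event Log Format":
    Sequence Date Time Severity Class/Number Repeat (IPAddress)
    String
The IPAddress field appears only in certain events; the String is on the following line.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Za-z0-9]+)/(?P<num>\d+)\s+"
    r"RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


@dataclass
class Event:
    seq: int            # sequence number: increasing but not consecutive, max 65536
    when: datetime      # MM/DD/YYYY and HH:MM:SS.mmm on a 24-hour clock
    severity: int       # SEV=n
    cls: str            # event class, e.g. HTTP
    number: int         # internal reference number within the class
    repeat: int         # RPT=n, occurrences since last boot or reset
    ip: Optional[str]   # client or tunnel endpoint address, if present
    text: str           # the event string


def parse_log(lines: Iterable[str]) -> List[Event]:
    """Group each header line with the string line(s) that follow it."""
    events: List[Event] = []
    header = None
    text: List[str] = []

    def flush() -> None:
        if header is not None:
            events.append(Event(
                seq=int(header["seq"]),
                when=datetime.strptime(f"{header['date']} {header['time']}", "%m/%d/%Y %H:%M:%S.%f"),
                severity=int(header["sev"]),
                cls=header["cls"],
                number=int(header["num"]),
                repeat=int(header["rpt"]),
                ip=header["ip"],
                text=" ".join(text).strip(),
            ))

    for line in lines:
        match = HEADER_RE.match(line.strip())
        if match:
            flush()
            header, text = match, []
        elif line.strip():
            text.append(line.strip())
    flush()
    return events


def boot_cycles(events: List[Event]) -> List[List[Event]]:
    """Split the log wherever the sequence number restarts (power-up, Save Log or Clear Log)."""
    cycles: List[List[Event]] = []
    for ev in events:
        if not cycles or ev.seq <= cycles[-1][-1].seq:
            cycles.append([])
        cycles[-1].append(ev)
    return cycles


def filter_events(events: List[Event], classes: Optional[Set[str]] = None,
                  severities: Optional[Set[int]] = None, client_ip: str = "0.0.0.0",
                  newest_first: bool = False) -> List[Event]:
    """Mirror the screen's filters; client_ip 0.0.0.0 means all addresses, as on the screen."""
    selected = [ev for ev in events
                if (classes is None or ev.cls in classes)
                and (severities is None or ev.severity in severities)
                and (client_ip == "0.0.0.0" or ev.ip == client_ip)]
    return list(reversed(selected)) if newest_first else selected


# Constructed sample log. Record 3 is the manual's example; the rest are placeholders,
# with sequence numbers that skip (3, 4, 7) and then restart at 1 after a reset.
SAMPLE_LOG = """\
3 12/06/1999 14:37:06.680 SEV=4 HTTP/47 RPT=17 10.10.1.35
New administrator login: admin.
4 12/06/1999 14:37:20.015 SEV=4 HTTP/47 RPT=18 10.10.1.35
New administrator login: admin.
7 12/06/1999 14:39:51.002 SEV=2 HW/1 RPT=1
Constructed placeholder hardware event string.
1 12/06/1999 14:45:00.000 SEV=4 HTTP/47 RPT=1 10.10.1.35
New administrator login: admin.
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG.splitlines())
    print(len(parsed), "events in", len(boot_cycles(parsed)), "boot cycles")
    for ev in filter_events(parsed, client_ip="10.10.1.35", newest_first=True):
        print(ev.seq, ev.when.isoformat(), f"SEV={ev.severity}", f"{ev.cls}/{ev.number}", ev.text)
```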
Monitoring | Live Event Log
Note
The live event log requires Netscape versions 4.5–4.7 or 6.0. It does not run on other versions of
Netscape.
This screen shows events in the current event log and automatically updates the display every 5 seconds.
The events might take a few seconds to load when you first open the screen.
The screen always displays the most recent event at the bottom. Use the scroll bar to view earlier events.
To filter and display events by various criteria, see the Filterable Event Log section.
Note
If you keep this VPN Concentrator Manager screen open, your administrative session does not time
out. Each automatic screen update resets the inactivity timer. See Session Idle Timeout on the
Administration | Access Rights | Access Settings screen.
Figure 12-2 Monitoring | Live Event Log Screen
Pause Display / Resume Display
To pause the display, click Pause Display. While paused, the screen does not display new events, the
button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through
the event log. Click the button to resume the display of new events and restart the timer.
Clear Display
To clear the event display, click Clear Display. This action does not clear the event log, only the display
of events on this screen.
Restart
To clear the event display and reload the entire event log in the display, click Restart. This action does
not clear the event log, only the display of events on this screen.
Timer
The timer counts 5 – 4 – 3 – 2 – 1 to show where it is in the 5-second refresh cycle. A momentary
Receiving... indicates receipt of new events. A steady 0 indicates the display has been paused.
CHAPTER 13
System Status
Monitoring | System Status
This screen shows the status of several software and hardware variables at the time the screen displays.
From this screen you can also display the status and statistics for SEP modules, system power supplies,
and network interfaces.
Figure 13-1 Monitoring | System Status Screen (Model 3005)
Figure 13-2 Monitoring | System Status Screen (Models 3015-3080)
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
VPN Concentrator Type
The type, or model number, of this VPN Concentrator.
Bootcode Rev
The version name, number, and date of the VPN Concentrator bootcode software file. When you boot or
reset the system, the bootcode software runs system diagnostics, and it loads and executes the system
software image. The bootcode is installed at the factory, and there is no need to upgrade it. If an
engineering change requires a bootcode upgrade, only Cisco support personnel are authorized to do this.
Software Rev
The version name, number, and date of the VPN Concentrator system software image file. You can
update this image file from the Administration | Software Update screen.
Up Since
The date and time that the VPN Concentrator was last booted or reset.
RAM Size
The total amount of SDRAM memory installed in the VPN Concentrator.
Front Panel
On models 3015-3080, the front panel image is an active link. Put the mouse pointer anywhere within
the image and click. The Manager displays the Monitoring | System Status | LED Status screen.
Back Panel
The back panel image includes active links for configurable modules installed in the VPN Concentrator:
Ethernet interfaces, WAN interfaces, power supplies, and SEP modules. Use the mouse pointer to select
a module on the back-panel image and click anywhere in the highlighted area. The Manager displays the
appropriate Monitoring | System Status | Interface, Power, Dual T1/E1 WAN, or SEP screen.
Fan 1, Fan 2
The VPN Concentrator includes two cooling fans. In the Model 3005, they are on the rear of the chassis,
with Fan 1 on the left as you face the rear. In the Model 3015–3080, they are on the right side of the
chassis as you face the front, with Fan 1 closest to the front. This table shows the RPM for both fans.
The nominal value is 5000 RPM for the Model 3005 and 3800 RPM for the Model 3015–3080, with an
acceptable minimum of 3000 RPM for both. Values below this minimum trigger a hardware event.
CPU, Cage
The VPN Concentrator Model 3015–3080 includes two temperature sensors on the main printed circuit
board: one near the CPU and one near the power supply cage. The Model 3005 has one sensor near the
CPU. This table shows the temperature at the sensor(s). Temperatures between 0° and 50°C (32° and
122°F) are acceptable. Values outside this range trigger a hardware event.
CPU Utilization
This usage graph shows the CPU load as a percentage of the maximum possible load. Each segment
represents ten percent of the maximum possible load.
Active Sessions
This usage graph shows the number of active sessions as a percentage of the maximum possible sessions.
For example, if 5000 sessions is the maximum, each segment represents 500 sessions. The first segment
lights with the first session, the second segment lights with 10 percent plus one session, etc.
Throughput
This usage graph shows current throughput (measured in LAN packets) as a percentage of the maximum
possible system throughput. For example, if two interfaces are set for 100 Mbps, the maximum possible
throughput is 200 Mbps and each segment represents 20 Mbps.
Monitoring | System Status | Ethernet Interface
This screen displays status and statistics for a VPN Concentrator Ethernet interface. To configure an
interface, see Configuration | Interfaces.
Figure 13-3 Monitoring | System Status | Ethernet Interface Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Back
To return to the Monitoring | System Status screen, click Back.
Interface
The VPN Concentrator Ethernet interface number:
• 1 = Private interface.
• 2 = Public interface.
• 3 = External interface.
IP Address
The IP address configured on this interface.
Status
The operational status of this interface:
• UP = configured and enabled, ready to pass data traffic.
• DOWN = configured but disabled.
• Testing = in test mode; no regular data traffic can pass.
• Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present = missing hardware components.
• Lower Layer Down = not operational because a lower-layer interface is down.
• Unknown = not configured.
Rx Unicast
The number of unicast packets that were received by this interface since the VPN Concentrator was last
booted or reset. Unicast packets are those addressed to a single host.
Tx Unicast
The number of unicast packets that were routed to this interface for transmission since the VPN
Concentrator was last booted or reset, including those that were discarded or not sent. Unicast packets
are those addressed to a single host.
Rx Multicast
The number of multicast packets that were received by this interface since the VPN Concentrator was
last booted or reset. Multicast packets are those addressed to a specific group of hosts.
Tx Multicast
The number of multicast packets that were routed to this interface for transmission since the VPN
Concentrator was last booted or reset, including those that were discarded or not sent. Multicast packets
are those addressed to a specific group of hosts.
Rx Broadcast
The number of broadcast packets that were received by this interface since the VPN Concentrator was
last booted or reset. Broadcast packets are those addressed to all hosts on a network.
Tx Broadcast
The number of broadcast packets that were routed to this interface for transmission since the VPN
Concentrator was last booted or reset, including those that were discarded or not sent. Broadcast packets
are those addressed to all hosts on a network.
Monitoring | System Status | Dual T1/E1 WAN Slot N
This screen displays status and statistics for a VPN Concentrator WAN module. To configure a WAN
module interface, see Configuration | Interfaces.
Figure 13-4 Monitoring | System Status | Dual T1/E1 WAN Slot N Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Back
To return to the Monitoring | System Status screen, click Back.
T1/E1 Statistics
This table shows statistics for the physical T1/E1 interface ports, with a column of statistics for each
configured port. RFC 1406 defines most T1/E1 errors.
Slot
The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module.
Port
The interface port on the WAN module (A or B).
Status
The current status of this port:
• Up = (Green) Configured, enabled, and operational; synchronized with the network and ready to pass data traffic.
• Red = (Red) Red alarm: Port has lost synchronization or signal. This alarm indicates out-of-frame errors, a mismatched framing format, or a disconnected line.
• Blue = (Blue) Blue alarm: A problem on the receive path is causing the port to lose the remote signal. This alarm indicates a problem in the data bit stream.
• Yellow = (Yellow) Yellow alarm: A problem on the transmit side (the remote side of the connection has detected a problem with this line).
• Loopback = Port is in loopback state.
• Unknown = (Red) Not configured or not able to determine status.
Up Time Seconds
The number of seconds this T1/E1 port has been running.
Errored Seconds
The number of seconds during which one or more path coding violations, out-of-frame defects,
controlled slips, AIS (Alarm Indication Signal) defects, or bipolar violations was detected on this port.
This number excludes unavailable seconds.
Severely Errored Seconds
The number of seconds during which these errors were detected on this port:
• ESF signals: 320 or more path coding violations, one or more out-of-frame defects, or an AIS defect.
• E1/CRC signals: 832 or more path coding violations, or one or more out-of-frame defects.
• E1 signals (no CRC): 2048 or more line coding violations.
• SF/D4 signals: framing errors, one or more out-of-frame defects, or 1544 or more line coding violations.
This number excludes controlled slips and unavailable seconds.
Bursty Errored Seconds
The number of seconds during which 1 to 319 path coding violations, but no severely errored frame
defects or AIS defects, were detected on this port. This number excludes controlled slips and unavailable
seconds.
Severely Errored Framing Seconds
The number of seconds during which one or more out-of-frame defects or an AIS defect were detected
on this port.
Unavailable Seconds
The number of seconds during which this port has not been available. Basically, unavailable seconds
begin with 10 contiguous severely errored seconds, or with a condition leading to failure.
Line Errored Seconds
The number of seconds during which one or more line coding violations were detected on this port.
Degraded Minutes
The number of minutes during which lower than normal-quality signals were detected on this port. (The
estimated error rate >1e-6 but <1e-3.)
Bipolar Violations
The number of bipolar violations detected on this port, defined as:
• AMI-coded signal: a pulse of the same polarity follows the previous pulse.
• B8ZS- or HDB3-coded signal: a pulse of the same polarity follows the previous pulse but is not a part of the zero substitution code.
Line Coding Violations
The number of line coding violations detected on this port, which are bipolar violations or excessive
zeros violations (for AMI, >15 contiguous zeros; for B8ZS, >7 contiguous zeros).
Path Coding Violations
The number of path coding violations detected on this port, defined as:
• SF/D4 and E1 (no CRC) signals: a frame synchronization bit error.
• ESF and E1/CRC4 signals: a CRC error.
Controlled Slips
The number of times that the payload bits of a frame were replicated or deleted on this port. This
condition occurs when there is a difference between the timing (synchronization) of the receiving port
and the received signal.
Synchronous Statistics
This table shows statistics for the synchronous traffic (frames) through the WAN interface ports, with a
column of statistics for each configured port.
Slot
The physical slot in the VPN Concentrator (1 through 4) that houses the WAN module.
Port
The interface port on the WAN module (A or B).
IfIndex
The unique interface index (an integer) that identifies this WAN port. For WAN ports, the index integers
start at 8.
Status
The current operational status of the port:
• Initializing = Coming up.
• Running = Finished initializing; waiting to transition to the Up state.
• Up = (Green) Synchronized and operational; able to transmit and receive packets.
• Down = (Red) Unable to transmit or receive packets; possibly disconnected from the line.
• Unknown = (Red) Not configured or unable to determine status.
Protocol
The WAN protocol enabled on this interface:
• MP = PPP Multilink protocol.
• PPP = Point-to-Point Protocol.
• Unknown = Unable to determine protocol.
Packets Received
The number of packets (frames) received on this interface port.
Bytes Received
The number of bytes (octets) received on this interface port.
Packets Transmitted
The number of packets (frames) transmitted on this interface port.
Bytes Transmitted
The number of bytes (octets) transmitted on this interface port.
Received Frame Too Long
The number of received frame too long errors on this interface port. The size of the packets received
exceeds the MTU (Maximum Transmission Unit). These errors could indicate that the T1/E1 line is not
configured correctly; for example, if you are using a fractional T1/E1 line, the timeslots configured
might not match those of the T1/E1 provider.
Transmit Frame Too Long
The number of transmit frame too long errors on this interface port. The size of the transmit packet
exceeds the MTU. These errors could indicate that the T1/E1 line is not configured correctly; for
example, if you are using a fractional T1/E1 line, the timeslots configured might not match those of the
T1/E1 provider.
Received Byte Align Errors
The number of received byte align errors on this interface port. These errors occur when the frame does
not contain a multiple of 8 bits, and could indicate misconfigured timeslots.
Received CRC Errors
The number of received CRC (Cyclic Redundancy Checking) errors on this interface port. These errors
could indicate a lossy or noisy transmission line.
Receiver Overrun Errors
The number of receiver overrun errors on this interface port. These errors occur when the memory
system can’t keep up with the incoming data stream. This number should be zero; if not, check the event
log for system malfunction or contact technical support.
Transmits Dropped
The number of frames dropped on this interface port because the transmission buffer was full. For
example, these errors would occur when trying to transmit too much data from a 100-Mbps Ethernet to
a T1/E1 line.
Transmit Underruns
The number of transmission underruns on this interface port. These errors occur when the memory
system cannot keep up with the outgoing data stream. This number should be zero; if not, check the event
log for system malfunction or contact technical support.
Monitoring | System Status | Power
This screen displays status and data for VPN Concentrator power supplies and voltage sensors in the
system. To configure alarm thresholds for system voltages, see the Configuration | Interfaces | Power
screen.
Figure 13-5 Monitoring | System Status | Power Screen (Model 3005)
Figure 13-6 Monitoring | System Status | Power Screen (Models 3015-3080)
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Back
To return to the Monitoring | System Status screen, click Back.
CPU
Voltage and status for the voltage sensor on the CPU chip. The screen shows either 1.9 or 2.5 volts,
depending on the CPU chip in the system.
Power Supply A, B
Voltages and status of the 3.3- and 5-volt outputs from the power supplies.
Board
Voltages and status of the 3.3- and 5-volt sensors on the main circuit board.
1.9/2.5V Status, 3.3V Status, 5V Status
The status of voltages relative to the configured thresholds:
• OK = within low and high threshold limits.
• ALARM = outside of low or high threshold limit.
• Not Installed = power supply not installed.
Monitoring | System Status | SEP
Note
This screen appears on models 3015–3080 only.
This screen displays status and statistics for a VPN Concentrator SEP (Scalable Encryption Processing)
module, which performs hardware-based cryptographic functions:
• Random-number generation.
• Hash transforms (MD5 and SHA-1) for authentication.
• Encryption and decryption (DES and Triple-DES).
The screen shows cumulative data since the system was last booted or reset.
SEP Redundancy
The VPN Concentrator can contain up to four SEP modules for maximum system throughput and
redundancy. Two SEP modules provide maximum throughput; additional modules provide redundancy
in case of module failure.
SEP redundancy requires no configuration: it is always enabled and completely automatic; no
administrator action is required. If a SEP module fails, the VPN Concentrator automatically switches
active sessions to another SEP module. If the system has only one SEP module and it fails, the sessions
automatically use software cryptographic functions. Even if a SEP module fails, the VPN Concentrator
supports the number of sessions for which it is licensed.
If a SEP module fails, the system generates an event of severity level 2. It continues to generate an event
every 10 minutes until the failed module is removed or replaced and the VPN Concentrator is rebooted.
The front- and back-panel Status LEDs also indicate the failed module, as does this screen.
Figure 13-7 Monitoring | System Status | SEP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Back
To return to the Monitoring | System Status screen, click Back.
SEP
The chassis slot number where this SEP is inserted, and the type of hardware in this SEP:
• CryptSet = first-release hardware using a set of integrated circuits.
• CryptIC = second-release hardware using a single integrated circuit.
• Unknown = hardware could not be determined. This is an error condition; please contact Cisco
Customer Support.
Status
The functional state of this SEP module:
• Operational = module is operating correctly.
• Not Operational = module has failed during operation. This is an error condition; please contact
Cisco Customer Support.
• Found = module is installed but is not yet operational. If this condition persists after the VPN
Concentrator finishes initializing, it is an error. Please contact Cisco Customer Support.
• Not Found = module could not be found. This is an error condition; please contact Cisco Customer
Support.
• Loading = the system is loading microcode into the SEP module.
• Initializing = the system is initializing the SEP module.
• Diagnostic Failure = module failed during diagnostic testing. This is an error condition; please
contact Cisco Customer Support.
DSP Code Version
The version of DSP (Digital Signal Processing) microcode running on this SEP module. This
information might be useful during troubleshooting.
Inbound Hash: Octets
The number of inbound octets (bytes) to which this SEP applied a hashing algorithm for authentication.
Inbound Hash: Packets
The number of inbound authentication-only hashed packets processed by this SEP. Only hashing
algorithms are applied to authentication-only traffic; there is no encryption or decryption.
Outbound Hash: Octets
The number of outbound octets (bytes) to which this SEP applied a hashing algorithm for authentication.
Outbound Hash: Packets
The number of outbound authentication-only hashed packets processed by this SEP. Only hashing
algorithms are applied to authentication-only traffic; there is no encryption or decryption.
Encrypted: Octets
The number of octets (bytes) that this SEP encrypted.
Encrypted: Packets
The number of encryption-only packets processed by this SEP. Only encryption algorithms are applied
to encryption-only traffic; there is no hashing or authentication.
Decrypted: Octets
The number of octets (bytes) that this SEP decrypted.
Decrypted: Packets
The number of decryption-only packets processed by this SEP. Only decryption algorithms are applied
to decryption-only traffic; there is no hashing or authentication.
Hash Encrypted: Packets
The number of packets that this SEP processed using both hashing (authentication) and encryption
algorithms. This is typical processing for tunneled traffic.
Hash Decrypted: Packets
The number of packets that this SEP processed using both hashing (authentication) and decryption
algorithms.
Drops: Packets
The number of packets intended for processing by this SEP, but dropped due to the SEP being
overloaded.
Random Requests
The number of requests to this SEP to generate random numbers. When needed (requested), the SEP
generates a 2-KB block of random numbers and caches them on the VPN Concentrator. Various
cryptographic functions require random numbers of different sizes, and they get them from the cache.
Random Replenishments
The number of times this SEP fulfilled a request to generate a block of random numbers, to replenish the
cache.
Random Bytes Available
The number of bytes currently available in the random-number cache on the VPN Concentrator.
Random Cache Empty
The number of times the VPN Concentrator received a request for random numbers and the
random-number cache was empty. Since the VPN Concentrator monitors this cache and communicates
with the SEP to replenish it, this number should be zero or very small.
DH Keys Generated
The number of times this SEP generated a new Diffie-Hellman key pair. IPSec Security Associations use
the Diffie-Hellman algorithm to generate encryption keys, for example.
DH Derived Secret Keys
The number of times this SEP has derived the Diffie-Hellman secret key. In public-key cryptography,
the VPN Concentrator receives a remote public key, and the SEP uses the local private key to generate
the secret key.
RSA Digital Signings
The number of times this SEP has generated an RSA (Rivest, Shamir, Adleman algorithm) digital
signature. The VPN Concentrator generates a digital signature when it creates a digital certificate.
RSA Digital Verifications
The number of times this SEP has verified an RSA digital signature. When the VPN Concentrator
receives a signed digital certificate for authentication, it must verify the digital signature by computing
a hash of the certificate and comparing it with the received-certificate hash.
RSA Encryptions: Octets / Packets
The number of RSA-encrypted octets (bytes) / packets this SEP has generated.
RSA Decryptions: Octets / Packets
The number of RSA-encrypted octets (bytes) / packets this SEP has received and decrypted.
DSA Digital Keys Generated
The number of times this SEP has generated a new DSA (Digital Signature Algorithm) encryption-key
pair.
DSA Digital Signings
The number of times this SEP has generated a DSA digital signature. The VPN Concentrator generates
a digital signature when it creates a digital certificate.
DSA Digital Verifications
The number of times this SEP has verified a DSA digital signature. When the VPN Concentrator receives
a signed digital certificate for authentication, it must verify the digital signature by computing a hash of
the certificate and comparing it with the received-certificate hash.
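The Status values, the Drops counter and the Random Cache Empty counter described on this screen are the fields an operator polls to decide whether a module needs attention. The following health check is an added example, not Cisco's code: it evaluates those fields for each SEP module and reports the chassis-level redundancy picture from the SEP Redundancy paragraph. The sample readings and the tolerance of 5 cache-empty events are constructed assumptions.

```python
"""Health check over Monitoring | System Status | SEP readings.

Added example (not Cisco's code). Field names follow the screen; the sample
dicts and RANDOM_EMPTY_TOLERANCE are this example's own assumptions.
"""

TRANSIENT_STATES = {"Loading", "Initializing"}                 # normal during boot
ERROR_STATES = {"Not Operational", "Not Found", "Diagnostic Failure"}
RANDOM_EMPTY_TOLERANCE = 5      # manual: "zero or very small"; 5 is this example's cutoff

# Constructed sample readings, one dict per SEP screen.
SAMPLE_SEPS = [
    {"slot": 1, "type": "CryptIC", "status": "Operational",
     "drops_packets": 0, "random_cache_empty": 0},
    {"slot": 2, "type": "CryptSet", "status": "Not Operational",
     "drops_packets": 0, "random_cache_empty": 0},
    {"slot": 3, "type": "CryptIC", "status": "Operational",
     "drops_packets": 17, "random_cache_empty": 2},
]


def check_sep(sep, booted=True):
    """Return (severity, message) findings for one module.

    `booted` is True once the VPN Concentrator has finished initializing;
    before that, Found, Loading and Initializing are expected states.
    """
    findings = []
    slot, status, hw = sep.get("slot", "?"), sep.get("status", ""), sep.get("type", "")

    if hw == "Unknown":
        findings.append(("error", f"SEP {slot}: hardware type Unknown"))

    if status in ERROR_STATES:
        findings.append(("error", f"SEP {slot}: status {status}"))
    elif status == "Found":
        if booted:   # Found must clear once initialization is complete
            findings.append(("error", f"SEP {slot}: still Found after initialization"))
    elif status in TRANSIENT_STATES:
        if booted:
            findings.append(("warn", f"SEP {slot}: status {status} after initialization"))
    elif status != "Operational":
        findings.append(("error", f"SEP {slot}: unexpected status {status!r}"))

    # Drops count packets the overloaded module could not process.
    drops = sep.get("drops_packets", 0)
    if drops > 0:
        findings.append(("warn", f"SEP {slot}: {drops} packets dropped (module overloaded)"))

    # The manual says this counter should be zero or very small.
    empty = sep.get("random_cache_empty", 0)
    if empty > 0:
        severity = "warn" if empty <= RANDOM_EMPTY_TOLERANCE else "error"
        findings.append((severity, f"SEP {slot}: random-number cache empty {empty} times"))
    return findings


def check_chassis(seps, booted=True):
    """Findings for every module plus the redundancy picture across the chassis."""
    findings = []
    for sep in seps:
        findings.extend(check_sep(sep, booted))
    operational = sum(1 for sep in seps if sep.get("status") == "Operational")
    if seps and operational == 0:
        # With no working module, sessions fall back to software cryptography.
        findings.append(("error", "no operational SEP: sessions using software cryptography"))
    elif operational < len(seps):
        findings.append(("warn", f"{operational} of {len(seps)} SEP modules operational: redundancy reduced"))
    return findings
```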
Monitoring | System Status | LED Status
Note: This screen appears on models 3015–3080 only.
This screen shows the status of VPN Concentrator front-panel LED indicators, exactly as they appear on
the unit itself. LED indicators on the VPN Concentrator are normally green, and the usage graph LEDs
are blue. LEDs that are amber, red, or off might indicate an error condition. See Appendix B,
“Troubleshooting and System Errors” for descriptions of the LEDs.
The usage graph displays CPU Utilization, Active Sessions, or Throughput, in accordance with the
selection you make using the front-panel button. You can “press” the front-panel button either
physically—on the unit itself—or logically—on this screen. See Monitoring | System Status for an
explanation of usage graph units.
Figure 13-8 Monitoring | System Status | LED Status Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
[LED Selector Button]
To toggle the usage graph LEDs, click the front-panel button on this screen. Clicking the button here
also changes the selection on the VPN Concentrator itself.
Chapter 14 Sessions
Monitoring | Sessions
The following screen shows comprehensive data for all active user and administrator sessions on the
VPN Concentrator.
Figure 14-1 Monitoring | Sessions Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to monitor sessions for that group only. The default value is --All--, which
displays sessions for all groups.
Session Summary Table
This table shows summary totals for LAN-to-LAN, remote access, and management sessions.
A session is a VPN tunnel established with a specific peer. In most cases, one user connection = one
tunnel = one session. However, one IPSec LAN-to-LAN tunnel counts as one session, but it allows many
host-to-host connections through the tunnel.
Active LAN-to-LAN Sessions
The number of IPSec LAN-to-LAN sessions that are currently active.
Active Remote Access Sessions
The number of PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT
sessions that are currently active.
Active Management Sessions
The number of administrator management sessions that are currently active.
Total Active Sessions
The total number of sessions of all types that are currently active.
Peak Concurrent Sessions
The highest number of sessions of all types that were concurrently active since the VPN Concentrator
was last booted or reset.
Concurrent Sessions Limit
The maximum number of concurrently active sessions permitted on this VPN Concentrator. This number
is model-dependent, for example, model 3060 = 5000 sessions.
Total Cumulative Sessions
The total cumulative number of sessions of all types since the VPN Concentrator was last booted or
reset.
LAN-to-LAN Sessions Table
This table shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session here
identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within
the tunnel.
[ Remote Access Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.
Connection Name
The name of the IPSec LAN-to-LAN connection.
To display detailed parameters and statistics for this connection, click this name. See the Monitoring |
Sessions | Detail screen.
IP Address
The IP address of the remote peer VPN Concentrator or other secure gateway that initiated this
LAN-to-LAN connection.
Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx
See Table 14-1 on page 14-6 for definitions of these parameters.
Remote Access Sessions Table
This table shows parameters and statistics for all active remote-access sessions. Each session is a
single-user connection from a remote client to the VPN Concentrator. Remote-access sessions include
PPTP, L2TP, IPSec remote-access user, L2TP over IPSec, and IPSec through NAT sessions.
[ LAN-to-LAN Sessions | Management Sessions ]
Click these active links to go to the other session tables on this Manager screen.
Username
The username or login name for the session. The field shows Authenticating... if the remote-access
client is still negotiating authentication. If the client is using a digital certificate for authentication, the
field shows the Subject CN or Subject OU from the certificate.
To display detailed parameters and statistics for this session, click this name. See the Monitoring |
Sessions | Detail screen.
Group
The user’s group.
Public IP Address
The public IP address of the client for this remote-access session. This is also known as the “outer” IP
address. It is typically assigned to the client by the ISP, and it lets the client function as a host on the
public network.
Assigned IP Address
The private IP address assigned to the remote client for this session. This is also known as the “inner”
or “virtual” IP address, and it lets the client appear to be a host on the private network.
Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx
See Table 14-1 on page 14-6 for definitions of these parameters.
Management Sessions Table
This table shows parameters and statistics for all active administrator management sessions on the VPN
Concentrator.
[ LAN-to-LAN Sessions | Remote Access Sessions ]
Click these active links to go to the other session tables on this Manager screen.
Administrator
The administrator username or login name for the session.
IP Address
The IP address of the manager workstation that is accessing the system. Local indicates a direct
connection through the Console port on the system.
Protocol, Encryption, Login Time, Duration
See Table 14-1 for definitions of these parameters.
Table 14-1 Parameter definitions for Monitoring | Sessions Screen
Parameter
Definition
Protocol
The protocol this session is using. Console indicates a direct connection
through the Console port on the system.
See Monitoring | Sessions | Protocols for a graphical representation of
sessions by protocol.
Encryption
The data encryption algorithm this session is using, if any.
See Monitoring | Sessions | Encryption for a graphical representation of
sessions by encryption algorithm used.
Login Time
The date and time (MMM DD HH:MM:SS) that the session logged in. Time is
displayed in 24-hour notation.
Duration
The elapsed time (HH:MM:SS) between the session login time and the last
screen refresh.
Bytes Tx
The total number of bytes transmitted to the remote peer or client by the VPN
Concentrator.
Bytes Rx
The total number of bytes received from the remote peer or client by the
VPN Concentrator.
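The Session Summary Table, the three session tables and Table 14-1 together define how a set of session rows rolls up into the summary counts. The following is an added example, not Cisco's code: it classifies sessions into LAN-to-LAN, remote access and management the way the summary describes, recomputes Duration from the Login Time format the screen uses (MMM DD HH:MM:SS, with no year, so a login that appears to be later than the refresh time belongs to the previous year), and compares Total Active Sessions with the Concurrent Sessions Limit (5000 for a model 3060, the one value the manual states). The session rows, the refresh timestamp and the 90 percent alert threshold are constructed assumptions.

```python
"""Rebuild the Monitoring | Sessions summary from per-session rows.

Added example (not Cisco's code). Protocol classes follow the session table
descriptions; sample rows, refresh time and alert threshold are assumptions.
"""
from datetime import datetime

LAN_TO_LAN = {"IPSec/LAN-to-LAN"}
REMOTE_ACCESS = {"PPTP", "L2TP", "IPSec", "L2TP/IPSec", "IPSec/NAT"}
MANAGEMENT = {"HTTP", "FTP", "Telnet", "SNMP", "TFTP", "Console", "SSH"}

CONCURRENT_SESSIONS_LIMIT_3060 = 5000   # the one model value the manual states
UTILIZATION_ALERT = 0.90                # assumption of this example

# Constructed sample data. The refresh time carries a year because the
# screen's Login Time column (MMM DD HH:MM:SS) does not.
REFRESH_TIME = datetime(2001, 8, 15, 9, 30, 0)
SAMPLE_SESSIONS = [
    # (name, protocol, encryption, login time as shown on the screen)
    ("branch-nyc", "IPSec/LAN-to-LAN", "3DES-168", "Aug 14 22:10:05"),
    ("alice", "IPSec", "3DES-168", "Aug 15 08:01:17"),
    ("bob", "PPTP", "RC4-40 Stateless", "Aug 15 09:29:59"),
    ("carol", "L2TP/IPSec", "DES-56", "Aug 15 07:45:00"),
    ("admin", "HTTP", "None", "Aug 15 09:00:00"),
    ("admin", "Console", "None", "Dec 31 23:59:00"),  # logged in before New Year
]


def parse_login_time(text, refresh):
    """Parse 'MMM DD HH:MM:SS' (no year) relative to the refresh datetime.

    A login time later than the refresh time cannot be this year, so it is
    placed in the previous year (year rollover).
    """
    login = datetime.strptime(text, "%b %d %H:%M:%S").replace(year=refresh.year)
    if login > refresh:
        login = login.replace(year=refresh.year - 1)
    return login


def classify(protocol):
    """Map a Protocol value onto the Session Summary Table's three classes."""
    if protocol in LAN_TO_LAN:
        return "lan_to_lan"
    if protocol in REMOTE_ACCESS:
        return "remote_access"
    if protocol in MANAGEMENT:
        return "management"
    return "other"


def format_duration(seconds):
    """Render elapsed seconds as HH:MM:SS; hours may exceed 24 for long tunnels."""
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def session_summary(sessions, refresh, limit=CONCURRENT_SESSIONS_LIMIT_3060):
    """Summary counts, per-session Duration strings and utilization against the limit."""
    counts = {"lan_to_lan": 0, "remote_access": 0, "management": 0, "other": 0}
    durations = {}
    for name, protocol, _encryption, login_text in sessions:
        counts[classify(protocol)] += 1
        elapsed = int((refresh - parse_login_time(login_text, refresh)).total_seconds())
        durations[(name, protocol)] = format_duration(elapsed)
    total = sum(counts.values())
    utilization = total / limit
    return {
        "active_lan_to_lan": counts["lan_to_lan"],
        "active_remote_access": counts["remote_access"],
        "active_management": counts["management"],
        "active_other": counts["other"],
        "total_active": total,
        "concurrent_sessions_limit": limit,
        "utilization": utilization,
        "alert": utilization >= UTILIZATION_ALERT,
        "durations": durations,
    }
```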
Monitoring | Sessions | Detail
These Manager screens show detailed parameters and statistics for a specific remote-access or
LAN-to-LAN session. The parameters and statistics differ depending on the session protocol. There are
unique screens for:
• IPSec LAN-to-LAN (IPSec/LAN-to-LAN)
• IPSec remote access (IPSec User)
• IPSec through NAT (IPSec/NAT)
• L2TP
• L2TP over IPSec (L2TP/IPSec)
• PPTP
The Manager displays the appropriate screen when you click a highlighted connection name or username
on the Monitoring | Sessions screen. See Figure 14-2 through Figure 14-7.
Each session detail screen shows two tables: summary data at the top, and detail data below. The
summary data echoes the session data from the Monitoring | Sessions screen. The session detail table
shows all the relevant parameters for each session and subsession.
See Table 14-2 on page 14-12 for definitions of the session detail parameters, in alphabetical order.
Figure 14-2 Monitoring | Sessions | Detail Screen: IPSec LAN-to-LAN
Figure 14-3 Monitoring | Sessions | Detail Screen: IPSec Remote Access User
Figure 14-4 Monitoring | Sessions | Detail Screen: IPSec through NAT
Figure 14-5 Monitoring | Sessions | Detail Screen: L2TP
Figure 14-6 Monitoring | Sessions | Detail Screen: L2TP Over IPSec
Figure 14-7 Monitoring | Sessions | Detail Screen: PPTP
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Back to Sessions
To return to the Monitoring | Sessions screen, click Back to Sessions.
Monitoring | Sessions | Detail Parameters
Table 14-2 Parameter Definitions for Monitoring | Sessions | Detail Screens
Parameter
Definition
Assigned IP Address
The private IP address assigned to the remote client for this session.
This is also known as the “inner” or “virtual” IP address, and it lets
the client appear to be a host on the private network.
Authentication Mode
The protocol or mode used to authenticate this session.
Bytes Rx, Bytes Received
The total number of bytes received from the remote peer or client
by the VPN Concentrator.
Bytes Tx, Bytes Transmitted
The total number of bytes transmitted to the remote peer or client by
the VPN Concentrator.
Compression
The data compression algorithm this session is using. LZS is the
data compression algorithm used by IPComp. MPPC uses LZ.
Connection Name
The name of the IPSec LAN-to-LAN connection.
Diffie-Hellman Group
The algorithm and key size used to generate IPSec SA encryption
keys.
Duration
The elapsed time (HH:MM:SS) between the session login time and
the last screen refresh.
Encapsulation Mode
The mode for applying IPSec ESP (Encapsulating Security Payload
protocol) encryption and authentication, in other words, what part
of the original IP packet has ESP applied.
Encryption, Encryption Algorithm
The data encryption algorithm this session is using, if any.
Hashing Algorithm
The algorithm used to create a hash of the packet, which is used for
IPSec data authentication.
Idle Time
The elapsed time (HH:MM:SS) between the last communication
activity on this session and the last screen refresh.
IKE Negotiation Mode
The IKE (IPSec Phase 1) mode for exchanging key information and
setting up SAs: Aggressive or Main.
IKE Sessions
The total number of IKE (IPSec Phase 1) sessions; usually 1. These
sessions establish the tunnel for IPSec traffic.
IP Address
The IP address of the remote peer VPN Concentrator or other secure
gateway that initiated the IPSec LAN-to-LAN connection.
IPSec Sessions
The total number of IPSec (Phase 2) sessions, which are data traffic
sessions through the tunnel. Each IPSec remote-access session may
have two IPSec sessions: one showing the tunnel endpoints, and one
showing the private networks reachable through the tunnel.
L2TP Sessions
The total number of user sessions through this L2TP or L2TP /
IPSec tunnel; usually 1.
Local Address
The IP address (and wildcard mask) of the destination host (or
network) for this session.
Login Time
The date and time (MMM DD HH:MM:SS) that the session logged
in. Time is displayed in 24-hour notation.
Perfect Forward Secrecy Group
The Diffie-Hellman algorithm and key size used to generate IPSec
SA encryption keys using Perfect Forward Secrecy.
PFS Group
The Perfect Forward Secrecy group: 1, 2, 3, 4, or 7.
PPTP Sessions
The total number of user sessions through this PPTP tunnel; usually
1.
Protocol
The tunneling protocol that this session is using.
Public IP Address
The public IP address of the client for this remote-access session.
This is also known as the “outer” IP address. It is typically assigned
to the client by the ISP, and it lets the client function as a host on the
public network.
Rekey Data Interval
The lifetime in kilobytes of the IPSec (IKE) SA encryption keys.
Rekey Time Interval
The lifetime in seconds of the IPSec (IKE) SA encryption keys.
Remote Address
The IP address (and wildcard mask) of the remote peer (or network)
that initiated this session.
SEP
The SEP (Scalable Encryption Processing) module that is handling
cryptographic processing for this session.
Session ID
An identifier for session components (subsessions) on this screen.
With IPSec, there is one identifier for each SA.
UDP Port
The UDP port number used in an IPSec through NAT connection.
Username
The username or login name for the session. If the client is using a
digital certificate for authentication, the field shows the Subject CN
or Subject OU from the certificate.
Monitoring | Sessions | Protocols
This screen graphically displays the protocols used by currently active user and administrator sessions
on the VPN Concentrator.
Figure 14-8 Monitoring | Sessions | Protocols Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to show protocols used by currently active users in that group only. The
default value is --All--, which displays protocols for users in all groups.
Active Sessions
The number of currently active sessions.
Total Sessions
The total number of sessions since the VPN Concentrator was last booted or reset.
Protocol
The protocol that the session is using:
• Other = Protocol other than those listed here.
• PPTP = Point-to-Point Tunneling Protocol.
• L2TP = Layer 2 Tunneling Protocol.
• IPSec = Internet Protocol Security tunneling protocol (remote-access users).
• HTTP = Hypertext Transfer Protocol (web browser).
• FTP = File Transfer Protocol.
• Telnet = Terminal emulation protocol.
• SNMP = Simple Network Management Protocol.
• TFTP = Trivial File Transfer Protocol.
• Console = Directly connected console; no protocol.
• Debug/Telnet = Debugging via Telnet (for Cisco use only).
• Debug/Console = Debugging via console (for Cisco use only).
• IKE = Internet Key Exchange protocol.
• L2TP/IPSec = L2TP over IPSec.
• IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection.
• IPSec/NAT = IPSec through NAT (Network Address Translation).
• SSH = Secure SHell protocol.
• VCA/LanToLan = Virtual Cluster Agent/LAN-to-LAN protocol. (For Cisco use only.)
Sessions
The number of active sessions using this protocol. The sum of this column equals the total number of
Active Sessions shown above.
Bar Graph
The percentage of sessions using this protocol relative to the total active sessions, as a horizontal bar
graph. Each segment of the bar in the column heading represents 25 percent.
Percentage
The percentage of sessions using this protocol relative to the total active sessions, as a number. The sum
of this column equals 100 percent (rounded).
Monitoring | Sessions | SEPs
Note: This screen appears on models 3015–3080 only.
This screen graphically displays the SEP (Scalable Encryption Processing) modules used by currently
active user and administrator sessions on the VPN Concentrator. SEP modules perform data encryption
functions in hardware.
Figure 14-9 Monitoring | Sessions | SEPs Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to display SEP modules for that group only. The default value is --All--,
which displays SEP modules for all groups.
Active Sessions
The number of currently active sessions.
Total Sessions
The total number of sessions since the VPN Concentrator was last booted or reset.
SEP
The SEP module that the sessions are using.
• Not on SEP = using software encryption, or not using encryption.
• 1, 2, 3, 4 = SEP module 1, 2, 3, and 4, respectively.
Sessions
The number of active sessions using this SEP module. The sum of this column equals the total number
of Active Sessions shown above.
Bar Graph
The percentage of sessions using this SEP module relative to the total active sessions, as a horizontal bar
graph. Each segment of the bar in the column heading represents 25 percent.
Percentage
The percentage of sessions using this SEP module relative to the total active sessions, as a number. The
sum of this column equals 100 percent (rounded).
Monitoring | Sessions | Encryption
This screen graphically displays the data encryption algorithms used by currently active user and
administrator sessions on the VPN Concentrator.
Figure 14-10 Monitoring | Sessions | Encryption Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to monitor data encryption algorithms used by currently active users in
that group only. The default value is --All--, which displays data encryption algorithms for all groups.
Active Sessions
The number of currently active sessions.
Total Sessions
The total number of sessions since the VPN Concentrator was last booted or reset.
Encryption
The data encryption algorithm that the sessions are using:
• Other = other than listed below.
• None = no data encryption.
• DES-56 = Data Encryption Standard algorithm with a 56-bit key.
• DES-40 = DES encryption with a 56-bit key, 40 bits of which are private.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
• RC4-40 Stateful = RSA RC4 encryption with a 40-bit key, and with keys changed after some number
of packets or whenever a packet is lost.
• RC4-128 Stateless = RSA RC4 encryption with a 128-bit key, and with keys changed on every
packet.
• RC4-128 Stateful = RSA RC4 encryption with a 128-bit key, and with keys changed after some
number of packets or whenever a packet is lost.
Sessions
The number of active sessions using this encryption algorithm. The sum of this column equals the total
number of Active Sessions shown above.
Bar Graph
The percentage of sessions using this encryption algorithm relative to the total active sessions, as a
horizontal bar graph. Each segment of the bar in the column heading represents 25 percent.
Percentage
The percentage of sessions using this encryption algorithm relative to the total active sessions, as a
number. The sum of this column equals 100 percent (rounded).
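The Protocols, SEPs and Encryption screens share one table shape: a Sessions count per value, a bar graph whose heading segments each represent 25 percent, and a Percentage column whose integers must sum to 100 after rounding. The following is an added example, not Cisco's code, showing how such a table is built from session rows so that the rounded percentages do sum to exactly 100 (largest-remainder apportionment, which plain rounding does not guarantee), and how an operator can pull out the sessions that show None or a 40-bit algorithm in the Encryption column. The session rows, the 20-character bar width and the weak-algorithm set are this example's own assumptions.

```python
"""Distribution tables for Monitoring | Sessions | Protocols, SEPs and Encryption.

Added example (not Cisco's code). Sample rows, bar width and the weak
encryption policy are constructed assumptions.
"""
from collections import Counter

BAR_WIDTH = 20   # four segments of five characters, one segment per 25 percent

# Example policy, not from the manual: sessions with no encryption or with
# export-grade 40-bit keys, so they stand out in the Encryption distribution.
WEAK_ENCRYPTION = {"None", "DES-40", "RC4-40 Stateless", "RC4-40 Stateful"}

# Constructed sample: (username, protocol, encryption, SEP) per active session.
SAMPLE_SESSIONS = [
    ("branch-nyc", "IPSec/LAN-to-LAN", "3DES-168", "1"),
    ("alice", "IPSec", "3DES-168", "1"),
    ("bob", "PPTP", "RC4-40 Stateless", "Not on SEP"),
    ("carol", "L2TP/IPSec", "DES-56", "2"),
    ("dave", "IPSec/NAT", "3DES-168", "2"),
    ("admin", "HTTP", "None", "Not on SEP"),
    ("admin", "SSH", "Other", "Not on SEP"),
]

COLUMN_INDEX = {"protocol": 1, "encryption": 2, "sep": 3}


def rounded_percentages(counts):
    """Integer percentages that sum to exactly 100 (largest-remainder method).

    Each value gets the floor of its exact share; the points still missing
    from 100 go to the values with the largest fractional remainders.
    """
    total = sum(counts.values())
    if total == 0:
        return {key: 0 for key in counts}
    exact = {key: value * 100 / total for key, value in counts.items()}
    floors = {key: int(share) for key, share in exact.items()}
    shortfall = 100 - sum(floors.values())
    by_remainder = sorted(exact, key=lambda key: exact[key] - floors[key], reverse=True)
    for key in by_remainder[:shortfall]:
        floors[key] += 1
    return floors


def bar(percent, width=BAR_WIDTH):
    """Horizontal bar for one row; '#' is filled, '.' is empty."""
    filled = round(percent * width / 100)
    return "#" * filled + "." * (width - filled)


def distribution(sessions, column):
    """Rows of (value, Sessions, Bar Graph, Percentage), largest count first."""
    index = COLUMN_INDEX[column]
    counts = Counter(row[index] for row in sessions)
    pct = rounded_percentages(counts)
    order = sorted(counts, key=lambda key: (-counts[key], key))
    return [(key, counts[key], bar(pct[key]), pct[key]) for key in order]


def weak_encryption_sessions(sessions):
    """Usernames whose Encryption value falls in the example's weak set."""
    return [row[0] for row in sessions if row[2] in WEAK_ENCRYPTION]
```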
Monitoring | Sessions | Top Ten Lists
This section of the Manager shows statistics for the top 10 currently active VPN Concentrator sessions,
sorted by:
• Data: total bytes transmitted and received.
• Duration: total time connected.
• Throughput: average throughput (bytes/sec).
Figure 14-11 Monitoring | Sessions | Top Ten Lists Screen
Monitoring | Sessions | Top Ten Lists | Data
This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by data,
total bytes transmitted and received.
Figure 14-12 Monitoring | Sessions | Top Ten Lists | Data Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to show session statistics for that group only. The default value is --All--,
which displays session statistics for all groups.
Username
The login username for the session.
Group
The user’s group.
IP Address
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the
host address of a networked user. Local identifies the console directly connected to the VPN
Concentrator.
Protocol
The protocol that the session is using:
• Console = Directly connected console; no protocol.
• Debug/Console = Debugging via console (for Cisco use only).
• Debug/Telnet = Debugging via Telnet (for Cisco use only).
• FTP = File Transfer Protocol.
• HTTP = Hypertext Transfer Protocol (web browser).
• IPSec = Internet Protocol Security tunneling protocol (remote-access user).
• IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection.
• IPSec/NAT = IPSec through NAT (Network Address Translation).
• L2TP = Layer 2 Tunneling Protocol.
• L2TP/IPSec = L2TP over IPSec.
• Other = Protocol other than those listed here.
• PPTP = Point-to-Point Tunneling Protocol.
• SNMP = Simple Network Management Protocol.
• Telnet = Terminal emulation protocol.
• TFTP = Trivial File Transfer Protocol.
Encryption
The data encryption algorithm that the session is using:
• None = No data encryption.
• DES-40 = Data Encryption Standard algorithm with a 56-bit key, 40 bits of which are private.
• DES-56 = DES encryption with a 56-bit key.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
• RC4-40 Stateful = RSA RC4 encryption with a 40-bit key, and with keys changed after some number
of packets or whenever a packet is lost.
• RC4-128 Stateless = RSA RC4 encryption with a 128-bit key, and with keys changed on every
packet.
• RC4-128 Stateful = RSA RC4 encryption with a 128-bit key, and with keys changed after some
number of packets or whenever a packet is lost.
Login Time
The date and time that this session logged in: MM/DD/YYYY HH:MM:SS. Time is in 24-hour notation.
Total Bytes
The total number of bytes transmitted and received by this session. N/A = the session is not passing data,
in other words, it is an administrator session.
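The Top Ten Lists rank the same session rows three ways (Data, Duration, Throughput), and the Data screen's Total Bytes column shows N/A for administrator sessions. The ranking below is an added example, not Cisco's code: it implements the three sort orders over constructed rows, keeps administrator sessions out of the byte-based lists the way N/A implies, and gives a session whose Duration is still 00:00:00 a throughput of 0.0 rather than dividing by zero. The rows are constructed sample data; the management-protocol set is taken from the Protocol list on this screen.

```python
"""Ranking for Monitoring | Sessions | Top Ten Lists.

Added example (not Cisco's code). Rows are constructed; the management
protocols come from the Protocol list on the Data screen.
"""

MANAGEMENT_PROTOCOLS = {"Console", "Debug/Console", "Debug/Telnet", "FTP",
                        "HTTP", "SNMP", "Telnet", "TFTP"}

# Constructed rows: (username, protocol, Duration HH:MM:SS, bytes tx, bytes rx)
SAMPLE_SESSIONS = [
    ("branch-nyc", "IPSec/LAN-to-LAN", "36:12:05", 905_000_000, 1_210_000_000),
    ("alice", "IPSec", "01:28:43", 52_000_000, 318_000_000),
    ("bob", "PPTP", "00:00:00", 0, 0),          # just connected, no elapsed time
    ("carol", "L2TP/IPSec", "00:10:00", 120_000_000, 60_000_000),
    ("admin", "HTTP", "00:30:00", None, None),  # administrator session: N/A bytes
]


def duration_seconds(text):
    """Convert the screen's HH:MM:SS Duration (hours may exceed 24) to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def total_bytes(row):
    """Total Bytes column: tx + rx, or None (shown as N/A) for administrator sessions."""
    _user, protocol, _duration, tx, rx = row
    if protocol in MANAGEMENT_PROTOCOLS or tx is None or rx is None:
        return None
    return tx + rx


def throughput(row):
    """Average throughput in bytes/sec; None for N/A rows, 0.0 before any time elapses."""
    data = total_bytes(row)
    if data is None:
        return None
    seconds = duration_seconds(row[2])
    return data / seconds if seconds else 0.0


SORT_KEYS = {
    "data": total_bytes,
    "duration": lambda row: duration_seconds(row[2]),
    "throughput": throughput,
}


def top_ten(rows, sort_by, limit=10):
    """Up to `limit` (username, value) pairs, largest first; N/A rows are left out."""
    key = SORT_KEYS[sort_by]
    ranked = [(key(row), row[0]) for row in rows if key(row) is not None]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return [(user, value) for value, user in ranked[:limit]]
```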
Monitoring | Sessions | Top Ten Lists | Duration
This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by
duration: total time connected.
Figure 14-13 Monitoring | Sessions | Top Ten Lists | Duration Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to show session statistics for that group only. The default value is --All--,
which displays session statistics for all groups.
Username
The login username for the session.
Group
The user’s group.
IP Address
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the
host address of a networked user. Local identifies the console directly connected to the VPN
Concentrator.
Protocol
The protocol that the session is using:
• Console = Directly connected console; no protocol.
• Debug/Console = Debugging via console (for Cisco use only).
• Debug/Telnet = Debugging via Telnet (for Cisco use only).
• FTP = File Transfer Protocol.
• HTTP = Hypertext Transfer Protocol (web browser).
• IPSec = Internet Protocol Security tunneling protocol (remote-access user).
• IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection.
• IPSec/NAT = IPSec through NAT (Network Address Translation).
• L2TP = Layer 2 Tunneling Protocol.
• L2TP/IPSec = L2TP over IPSec.
• Other = Protocol other than those listed here.
• PPTP = Point-to-Point Tunneling Protocol.
• SNMP = Simple Network Management Protocol.
• Telnet = Terminal emulation protocol.
• TFTP = Trivial File Transfer Protocol.
Encryption
The data encryption algorithm that the session is using:
• None = No data encryption.
• DES-40 = Data Encryption Standard algorithm with a 56-bit key, 40 bits of which are private.
• DES-56 = DES encryption with a 56-bit key.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
• RC4-40 Stateful = RSA RC4 encryption with a 40-bit key, and with keys changed after some number of packets or whenever a packet is lost.
• RC4-128 Stateless = RSA RC4 encryption with a 128-bit key, and with keys changed on every packet.
• RC4-128 Stateful = RSA RC4 encryption with a 128-bit key, and with keys changed after some number of packets or whenever a packet is lost.
Login Time
The date and time that this session logged in: MM/DD/YYYY HH:MM:SS. Time is in 24-hour notation.
Duration
The total amount of time that this session has been connected: HH:MM:SS.
Monitoring | Sessions | Top Ten Lists | Throughput
This screen shows statistics for the top 10 currently active VPN Concentrator sessions, sorted by average
throughput (bytes/sec).
Figure 14-14 Monitoring | Sessions | Top Ten Lists | Throughput Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Group
Choose a group from the menu to show session statistics for that group only. The default value is --All--,
which displays session statistics for all groups.
Username
The login username for the session.
Group
The user’s group.
IP Address
The IP address of the session user. This is the address assigned to or supplied by a remote user, or the
host address of a networked user. Local identifies the console directly connected to the VPN
Concentrator.
Protocol
The protocol that the session is using:
• Console = Directly connected console; no protocol.
• Debug/Console = Debugging via console (for Cisco use only).
• Debug/Telnet = Debugging via Telnet (for Cisco use only).
• FTP = File Transfer Protocol.
• HTTP = Hypertext Transfer Protocol (web browser).
• IPSec = Internet Protocol Security tunneling protocol (remote-access user).
• IPSec/LAN-to-LAN = IPSec LAN-to-LAN connection.
• IPSec/NAT = IPSec through NAT (Network Address Translation).
• L2TP = Layer 2 Tunneling Protocol.
• L2TP/IPSec = L2TP over IPSec.
• Other = Protocol other than those listed here.
• PPTP = Point-to-Point Tunneling Protocol.
• SNMP = Simple Network Management Protocol.
• Telnet = Terminal emulation protocol.
• TFTP = Trivial File Transfer Protocol.
Encryption
The data encryption algorithm that the session is using:
• None = No data encryption.
• DES-40 = Data Encryption Standard algorithm with a 56-bit key, 40 bits of which are private.
• DES-56 = DES encryption with a 56-bit key.
• 3DES-168 = Triple-DES encryption with a 168-bit key.
• RC4-40 Stateless = RSA RC4 encryption with a 40-bit key, and with keys changed on every packet.
• RC4-40 Stateful = RSA RC4 encryption with a 40-bit key, and with keys changed after some number of packets or whenever a packet is lost.
• RC4-128 Stateless = RSA RC4 encryption with a 128-bit key, and with keys changed on every packet.
• RC4-128 Stateful = RSA RC4 encryption with a 128-bit key, and with keys changed after some number of packets or whenever a packet is lost.
Login Time
The date and time that this session logged in: MM/DD/YYYY HH:MM:SS. Time is in 24-hour notation.
Avg. Throughput (bytes/sec)
The average throughput of the session, which is [total bytes transmitted and received] divided by total
connect time. N/A = the session is not passing data, in other words, it is an administrator session.
Chapter 15
Statistics
Monitoring | Statistics
This section of the Manager shows statistics for traffic and activity on the VPN Concentrator since it
was last booted or reset, and for current tunneled sessions, plus statistics in standard MIB-II objects for
interfaces, TCP/UDP, IP, ICMP, and the ARP table.
Figure 15-1 Monitoring | Statistics Screen
Statistics include:
• PPTP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
• L2TP: total tunnels, sessions, received and transmitted control and data packets; and detailed current session data.
• IPSec: total Phase 1 and Phase 2 tunnels, received and transmitted packets, failures, drops, etc.
• HTTP: total data traffic and connection statistics.
• Events: total events sorted by class, number, and count.
• Telnet: total sessions, and current session inbound and outbound traffic.
• DNS: total requests, responses, timeouts, etc.
• Authentication: total requests, accepts, rejects, challenges, timeouts, etc.
• Accounting: total requests, responses, timeouts, etc.
• Filtering: total inbound and outbound filtered traffic by interface.
• VRRP: total advertisements, Master router roles, errors, etc.
• SSL: total sessions, encrypted vs. unencrypted traffic, etc.
• DHCP: leased addresses, duration, server addresses, etc.
• Address Pools: configured pools, allocated and available addresses.
• SSH: total and active sessions, bytes and packets sent and received, etc.
• Load Balancing: device role; device load; and cluster peers’ sessions, IP addresses, priority, etc.
• Compression: pre- and post-compression byte totals for IPComp and MPPC.
• Administrative AAA: requests, accepts, rejects, challenges, timeouts, etc.
• MIB-II Stats: interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, ARP table, Ethernet, and SNMP.
Monitoring | Statistics | PPTP
This screen shows statistics for PPTP activity on the VPN Concentrator since it was last booted or reset,
and for current PPTP sessions.
The Monitoring | Sessions | Detail screens also show PPTP data.
To configure system-wide PPTP parameters, see the Configuration | System | Tunneling Protocols | PPTP
screen. To configure PPTP parameters for users and groups, see Configuration | User Management. To
configure PPTP on rules in filters that govern data traffic, see Configuration | Policy Management |
Traffic Management.
Figure 15-2 Monitoring | Statistics | PPTP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Total Tunnels
The total number of PPTP tunnels created since the VPN Concentrator was last booted or reset, including
those tunnels that failed to be established.
Active Tunnels
The number of PPTP tunnels that are currently active.
Maximum Tunnels
The maximum number of PPTP tunnels that have been simultaneously active on the VPN Concentrator
since it was last booted or reset.
Total Sessions
The total number of user sessions through PPTP tunnels since the VPN Concentrator was last booted or
reset.
Active Sessions
The number of user sessions that are currently active through PPTP tunnels. The PPTP Sessions table
shows statistics for these sessions.
Maximum Sessions
The maximum number of user sessions that have been simultaneously active through PPTP tunnels on
the VPN Concentrator since it was last booted or reset.
Rx Octets Control / Data
The number of PPTP control/data octets (bytes) received by the VPN Concentrator since it was last
booted or reset.
Rx Packets Control / Data
The number of PPTP control/data packets received by the VPN Concentrator since it was last booted or
reset.
Rx Discards Control / Data
The number of PPTP control/data packets received and discarded by the VPN Concentrator since it was
last booted or reset.
Tx Octets Control / Data
The number of PPTP control/data octets (bytes) transmitted by the VPN Concentrator since it was last
booted or reset.
Tx Packets Control / Data
The number of PPTP control/data packets transmitted by the VPN Concentrator since it was last booted
or reset.
PPTP Sessions
This table shows statistics for active PPTP sessions on the VPN Concentrator. Each active session is a
row.
Peer IP
The IP address of the peer host that established the PPTP tunnel for this session, in other words, the
tunnel endpoint IP address. The Monitoring | Sessions screen shows the IP address assigned to the client
using the tunnel.
Username
The username for the session within a PPTP tunnel. This is typically the login name of the remote user.
Receive Octets
The total number of PPTP data octets (bytes) received by this session.
Receive Packets
The total number of PPTP data packets received by this session.
Receive Discards
The total number of PPTP data packets received and discarded by this session.
Receive ZLB
The total number of PPTP Zero Length Body acknowledgement data packets received by this session.
ZLB packets are sent as GRE acknowledgement packets when there is no data packet on which to
piggyback an acknowledgement.
Transmit Octets
The total number of PPTP data octets (bytes) transmitted by this session.
Transmit Packets
The total number of PPTP data packets transmitted by this session.
Transmit ZLB
The total number of PPTP Zero Length Body acknowledgement packets transmitted by this session. ZLB
packets are sent as GRE acknowledgement packets when there is no data packet on which to piggyback
an acknowledgement.
ACK Timeouts
The total number of acknowledgement timeouts seen on PPTP data packets for this session. When the
system times out waiting for a data packet on which to piggyback an acknowledgement, it sends a ZLB
instead. Therefore, this number should equal the Transmit ZLB number.
Flow
The state of packet flow control for this PPTP session:
• Local = The local buffer is full. Packet flow for the local end of the session is OFF because the number of outstanding unacknowledged packets received from the peer is equal to the local window size.
• Peer = The peer buffer is full. Packet flow for the peer end of the session is OFF because the number of outstanding unacknowledged packets sent to the peer is equal to the peer’s window size.
• Both = Both buffers are full. Packet flow for both ends of the session is OFF because the number of outstanding unacknowledged packets is equal to the window size on both ends.
• None = Neither end of the session has a full buffer. Packet flow for the session is ON. This is the normal operating state.
Monitoring | Statistics | L2TP
This screen shows statistics for L2TP activity on the VPN Concentrator since it was last booted or reset,
and for current L2TP sessions.
The Monitoring | Sessions | Detail screens also show L2TP data.
To configure system-wide L2TP parameters, see the Configuration | System | Tunneling Protocols | L2TP
screen. To configure L2TP parameters for users and groups, see Configuration | User Management. To
configure L2TP on rules in filters that govern data traffic, see Configuration | Policy Management |
Traffic Management.
Figure 15-3 Monitoring | Statistics | L2TP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Total Tunnels
The total number of L2TP tunnels successfully established since the VPN Concentrator was last booted
or reset.
Active Tunnels
The number of L2TP tunnels that are currently active.
Maximum Tunnels
The maximum number of L2TP tunnels that have been simultaneously active on the VPN Concentrator
since it was last booted or reset.
Failed Tunnels
The number of L2TP tunnels that failed to become established since the VPN Concentrator was last
booted or reset.
Total Sessions
The total number of user sessions successfully established through L2TP tunnels since the VPN
Concentrator was last booted or reset.
Active Sessions
The number of user sessions that are currently active through L2TP tunnels. The L2TP Sessions table
shows statistics for these sessions.
Maximum Sessions
The maximum number of user sessions that have been simultaneously active through L2TP tunnels on
the VPN Concentrator since it was last booted or reset.
Failed Sessions
The number of sessions that failed to become established through L2TP tunnels since the VPN
Concentrator was last booted or reset.
Rx Octets Control / Data
The number of L2TP control / data channel octets (bytes) received by the VPN Concentrator since it was
last booted or reset.
Rx Packets Control / Data
The number of L2TP control / data channel packets received by the VPN Concentrator since it was last
booted or reset.
Rx Discards Control / Data
The number of L2TP control / data channel packets received and discarded by the VPN Concentrator
since it was last booted or reset.
Tx Octets Control / Data
The number of L2TP control/data channel octets (bytes) transmitted by the VPN Concentrator since it
was last booted or reset.
Tx Packets Control / Data
The number of L2TP control/data channel packets transmitted by the VPN Concentrator since it was last
booted or reset.
L2TP Sessions
This table shows statistics for active L2TP sessions on the VPN Concentrator. Each active session is a
row.
Remote IP
The IP address of the remote host that established the L2TP tunnel for this session, in other words, the
tunnel endpoint IP address. The Monitoring | Sessions screen shows the IP address assigned to the client
using the tunnel.
Username
The username for the session within an L2TP tunnel. This is typically the login name of the remote user.
Serial
The serial number of the session within an L2TP tunnel. If there are multiple sessions using a tunnel,
each session has a unique serial number.
Receive Octets
The total number of L2TP data octets (bytes) received by this session.
Receive Packets
The total number of L2TP data packets received by this session.
Receive Discards
The total number of L2TP data packets received and discarded by this session.
Receive ZLB
The total number of L2TP Zero Length Body acknowledgement data packets received by this session.
ZLB packets are sent as acknowledgement packets when there is no data packet on which to piggyback
an acknowledgement.
Transmit Octets
The total number of L2TP data octets (bytes) transmitted by this session.
Transmit Packets
The total number of L2TP data packets transmitted by this session.
Transmit ZLB
The total number of L2TP Zero Length Body acknowledgement packets transmitted by this session. ZLB
packets are sent as acknowledgement packets when there is no data packet on which to piggyback an
acknowledgement.
Monitoring | Statistics | IPSec
This screen shows statistics for IPSec activity—including current IPSec tunnels—on the VPN
Concentrator since it was last booted or reset. These statistics conform to the IETF draft for the IPSec
Flow Monitoring MIB.
The Monitoring | Sessions | Detail screens also show IPSec data.
To configure system-wide IPSec parameters and LAN-to-LAN connections, see the Configuration |
System | Tunneling Protocols | IPSec screens. To configure IPSec parameters for users and groups, see
Configuration | User Management. To configure IPSec parameters and SAs on rules in filters that govern
data traffic, see Configuration | Policy Management | Traffic Management.
Figure 15-4 Monitoring | Statistics | IPSec Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
IKE (Phase 1) Statistics
This table provides IPSec Phase 1 (IKE: Internet Key Exchange) global statistics. During IPSec Phase
1 (IKE), the two peers establish control tunnels through which they negotiate Security Associations.
Active Tunnels
The number of currently active IKE control tunnels, both for LAN-to-LAN connections and remote
access.
Total Tunnels
The cumulative total of all currently and previously active IKE control tunnels, both for LAN-to-LAN
connections and remote access.
Received Bytes
The cumulative total of bytes (octets) received by all currently and previously active IKE tunnels.
Sent Bytes
The cumulative total of bytes (octets) sent by all currently and previously active IKE tunnels.
Received Packets
The cumulative total of packets received by all currently and previously active IKE tunnels.
Sent Packets
The cumulative total of packets sent by all currently and previously active IKE tunnels.
Received Packets Dropped
The cumulative total of packets that were dropped during receive processing by all currently and
previously active IKE tunnels. If there is a problem with the content of a packet (such as hash failure,
parsing error, or encryption failure) received in Phase 1 or the negotiation of Phase 2, the system drops
the packet. This number should be zero or very small; if not, check for misconfiguration.
Sent Packets Dropped
The cumulative total of packets that were dropped during send processing by all currently and previously
active IKE tunnels. This number should be zero; if not, check for a network problem, check the event
log for an internal subsystem failure, or contact Cisco support.
Received Notifies
The cumulative total of notify packets received by all currently and previously active IKE tunnels. A
notify packet is an informational packet that is sent in response to a bad packet or to indicate status, for
example: error packets, keepalive packets, etc.
Sent Notifies
The cumulative total of notify packets sent by all currently and previously active IKE tunnels. See
comments for Received Notifies.
Received Phase-2 Exchanges
The cumulative total of IPSec Phase-2 exchanges received by all currently and previously active IKE
tunnels, in other words, the total of Phase-2 negotiations received that were initiated by a remote peer.
A complete exchange consists of three packets.
Sent Phase-2 Exchanges
The cumulative total of IPSec Phase-2 exchanges that were sent by all currently and previously active
IKE tunnels, in other words, the total of Phase-2 negotiations initiated by this VPN Concentrator.
Invalid Phase-2 Exchanges Received
The cumulative total of IPSec Phase-2 exchanges that were received, found to be invalid because of
protocol errors, and dropped, by all currently and previously active IKE tunnels. In other words, the total
of Phase-2 negotiations that were initiated by a remote peer but that this VPN Concentrator dropped
because of protocol errors.
Invalid Phase-2 Exchanges Sent
The cumulative total of IPSec Phase-2 exchanges that were sent and were found to be invalid, by all
currently and previously active IKE tunnels.
Rejected Received Phase-2 Exchanges
The cumulative total of IPSec Phase-2 exchanges that were initiated by a remote peer, received, and
rejected by all currently and previously active IKE tunnels. Rejected exchanges indicate policy-related
failures, such as configuration problems.
Rejected Sent Phase-2 Exchanges
The cumulative total of IPSec Phase-2 exchanges that were initiated by this VPN Concentrator, sent, and
rejected, by all currently and previously active IKE tunnels. See the previous comment.
Phase-2 SA Delete Requests Received
The cumulative total of requests to delete IPSec Phase-2 Security Associations received by all currently
and previously active IKE tunnels.
Phase-2 SA Delete Requests Sent
The cumulative total of requests to delete IPSec Phase-2 Security Associations sent by all currently and
previously active IKE tunnels.
Initiated Tunnels
The cumulative total of IKE tunnels that this VPN Concentrator initiated. The VPN Concentrator
initiates tunnels only for LAN-to-LAN connections.
Failed Initiated Tunnels
The cumulative total of IKE tunnels that this VPN Concentrator initiated and that failed to activate.
Failed Remote Tunnels
The cumulative total of IKE tunnels that remote peers initiated and that failed to activate.
Authentication Failures
The cumulative total of authentication attempts that failed, by all currently and previously active IKE
tunnels. Authentication failures indicate problems with preshared keys, digital certificates, or user-level
authentication.
Decryption Failures
The cumulative total of decryptions that failed, by all currently and previously active IKE tunnels. This
number should be at or near zero; if not, check for misconfiguration or SEP module problems.
Hash Validation Failures
The cumulative total of hash validations that failed, by all currently and previously active IKE tunnels.
Hash validation failures usually indicate misconfiguration or mismatched preshared keys or digital
certificates.
System Capability Failures
The cumulative total of system capacity failures that occurred during processing of all currently and
previously active IKE tunnels. These failures indicate that the system has run out of memory, or that the
tunnel count exceeds the system maximum.
No-SA Failures
The cumulative total of nonexistent-Security Association failures that occurred during processing of all
currently and previously active IKE tunnels. These failures occur when the system receives a packet for
which it has no Security Association, and might indicate synchronization problems.
IPSec (Phase 2) Statistics
This table provides IPSec Phase 2 global statistics. During IPSec Phase 2, the two peers negotiate
Security Associations that govern traffic within the tunnel.
Active Tunnels
The number of currently active IPSec Phase-2 tunnels, both for LAN-to-LAN connections and remote
access.
Total Tunnels
The cumulative total of all currently and previously active IPSec Phase-2 tunnels, both for LAN-to-LAN
connections and remote access.
Received Bytes
The cumulative total of bytes (octets) received by all currently and previously active IPSec Phase-2
tunnels, before decompression. In other words, total bytes of IPSec-only data received by the IPSec
subsystem, before decompressing the IPSec payload.
Sent Bytes
The cumulative total of bytes (octets) sent by all currently and previously active IPSec Phase-2 tunnels,
after compression. In other words, total bytes of IPSec-only data sent by the IPSec subsystem, after
compressing the IPSec payload.
Received Packets
The cumulative total of packets received by all currently and previously active IPSec Phase-2 tunnels.
Sent Packets
The cumulative total of packets sent by all currently and previously active IPSec Phase-2 tunnels.
Received Packets Dropped
The cumulative total of packets dropped during receive processing by all currently and previously active
IPSec Phase-2 tunnels, excluding packets dropped due to anti-replay processing. If there is a problem
with the content of a packet, the system drops the packet. This number should be zero or very small; if
not, check for misconfiguration.
Received Packets Dropped (Anti-Replay)
The cumulative total of packets dropped during receive processing due to anti-replay errors, by all
currently and previously active IPSec Phase-2 tunnels. If the sequence number of a packet is a duplicate
or out of bounds, there might be a faulty network or a security breach, and the system drops the packet.
Sent Packets Dropped
The cumulative total of packets dropped during send processing by all currently and previously active
IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event
log for an internal subsystem failure, or contact Cisco support.
Inbound Authentications
The cumulative total number of inbound individual packet authentications performed by all currently
and previously active IPSec Phase-2 tunnels.
Failed Inbound Authentications
The cumulative total of inbound packet authentications that failed, by all currently and previously active
IPSec Phase-2 tunnels. Failed authentications could indicate corrupted packets or a potential security
attack (“man in the middle”).
Outbound Authentications
The cumulative total of outbound individual packet authentications performed by all currently and
previously active IPSec Phase-2 tunnels.
Failed Outbound Authentications
The cumulative total of outbound packet authentications that failed, by all currently and previously
active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for
an internal IPSec subsystem problem.
Decryptions
The cumulative total of inbound decryptions performed by all currently and previously active IPSec
Phase-2 tunnels.
Failed Decryptions
The cumulative total of inbound decryptions that failed, by all currently and previously active IPSec
Phase-2 tunnels. This number should be zero or very small; if not, check for misconfiguration or SEP
module problems.
Encryptions
The cumulative total of outbound encryptions performed by all currently and previously active IPSec
Phase-2 tunnels.
Failed Encryptions
The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec
Phase-2 tunnels. This number should be zero or very small; if not, check for IPSec subsystem or SEP
module problems.
System Capability Failures
The total number of system capacity failures that occurred during processing of all currently and
previously active IPSec Phase-2 tunnels. These failures indicate that the system has run out of memory
or some other critical resource; check the event log.
No-SA Failures
The cumulative total of nonexistent-Security Association failures which occurred during processing of
all currently and previously active IPSec Phase-2 tunnels. These failures occur when the system receives
an IPSec packet for which it has no Security Association, and might indicate synchronization problems.
Protocol Use Failures
The cumulative total of protocol use failures that occurred during processing of all currently and
previously active IPSec Phase-2 tunnels. These failures indicate errors parsing IPSec packets.
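The IKE (Phase 1) and IPSec (Phase 2) tables above say which counters should stay at zero, which should stay very small, and which point at a faulty network or an attack. The following is an added example, not Cisco code, of turning that guidance into a check over two polls of the screen: the dict keys are my own snake_case renderings of the field labels, the two polls are constructed sample values, and the thresholds are my assumptions.

```python
"""Anomaly check over two polls of the Monitoring | Statistics | IPSec counters.

Added example, not Cisco code. The dict keys are snake_case renderings of the
screen's field labels (my own naming), the two polls are constructed sample
values, and the rules encode the page's guidance: which counters should be
exactly zero, which should be zero or very small, and which the page ties to
a faulty network or an attack.
"""
from dataclasses import dataclass

# (counter, work counter it is judged against or None, max tolerated share, what a rise indicates)
# A max share of 0.0 means any increase is reported. The 1% share is an assumed reading of "very small".
RULES = [
    # Send-side drops: the page says these should be zero.
    ("ike_sent_packets_dropped", None, 0.0,
     "network problem or internal IKE subsystem failure; check the event log"),
    ("ipsec_sent_packets_dropped", None, 0.0,
     "network problem or internal IPSec subsystem failure; check the event log"),
    # "Zero or very small": judged as a share of the matching work counter's growth.
    ("ike_received_packets_dropped", "ike_received_packets", 0.01,
     "bad IKE packet content (hash, parse or encryption); check configuration"),
    ("ike_decryption_failures", "ike_received_packets", 0.01,
     "misconfiguration or SEP module problem"),
    ("ike_hash_validation_failures", "ike_received_packets", 0.01,
     "mismatched preshared keys or digital certificates"),
    ("ike_authentication_failures", "ike_total_tunnels", 0.01,
     "preshared key, certificate or user-level authentication problem"),
    ("ipsec_received_packets_dropped", "ipsec_received_packets", 0.01,
     "bad packet content; check configuration"),
    ("ipsec_failed_decryptions", "ipsec_decryptions", 0.01,
     "misconfiguration or SEP module problem"),
    ("ipsec_failed_encryptions", "ipsec_encryptions", 0.01,
     "IPSec subsystem or SEP module problem"),
    ("ipsec_failed_outbound_authentications", "ipsec_outbound_authentications", 0.01,
     "internal IPSec subsystem problem; check the event log"),
    # Security-relevant: the page ties these to a faulty network or a breach, so any rise is reported.
    ("ipsec_received_packets_dropped_anti_replay", "ipsec_received_packets", 0.0,
     "duplicate or out-of-window sequence numbers: faulty network or replayed traffic"),
    ("ipsec_failed_inbound_authentications", "ipsec_inbound_authentications", 0.0,
     "corrupted or tampered packets (possible man in the middle)"),
]


@dataclass(frozen=True)
class Finding:
    counter: str
    delta: int      # growth between the two polls
    share: float    # delta as a fraction of the work counter's growth (0.0 when not applicable)
    reason: str


def counter_deltas(prev, curr):
    """Return per-counter growth. The screen's counters are cumulative since boot or reset,
    so only the change between polls is meaningful; a decrease means a reset happened."""
    deltas = {}
    for key, now in curr.items():
        before = prev.get(key, 0)
        if now < before:
            raise ValueError(f"{key} fell from {before} to {now}: counters were reset, re-baseline")
        deltas[key] = now - before
    return deltas


def check_ipsec_stats(prev, curr):
    """Apply RULES to the growth between two polls and return the findings in rule order."""
    deltas = counter_deltas(prev, curr)
    findings = []
    for counter, work, max_share, reason in RULES:
        delta = deltas.get(counter, 0)
        if delta == 0:
            continue
        share = 0.0
        if work is not None:
            work_delta = deltas.get(work, 0)
            # Failures with no matching work at all count as a 100% failure rate.
            share = delta / work_delta if work_delta > 0 else 1.0
        if max_share == 0.0 or share > max_share:
            findings.append(Finding(counter, delta, round(share, 4), reason))
    return findings


# Constructed sample polls a few minutes apart (not real concentrator output).
POLL_1 = {
    "ike_received_packets": 12000, "ike_total_tunnels": 300,
    "ike_received_packets_dropped": 3, "ike_sent_packets_dropped": 0,
    "ike_decryption_failures": 0, "ike_hash_validation_failures": 2,
    "ike_authentication_failures": 5,
    "ipsec_received_packets": 2500000, "ipsec_decryptions": 2500000,
    "ipsec_inbound_authentications": 2500000, "ipsec_encryptions": 2400000,
    "ipsec_outbound_authentications": 2400000,
    "ipsec_received_packets_dropped": 40, "ipsec_received_packets_dropped_anti_replay": 1,
    "ipsec_sent_packets_dropped": 0, "ipsec_failed_decryptions": 0,
    "ipsec_failed_encryptions": 0, "ipsec_failed_inbound_authentications": 0,
    "ipsec_failed_outbound_authentications": 0,
}
POLL_2 = dict(POLL_1, **{
    "ike_received_packets": 12500, "ike_total_tunnels": 310,
    "ike_authentication_failures": 45,                    # 40 failures on 10 new tunnels: flagged
    "ipsec_received_packets": 2600000, "ipsec_decryptions": 2600000,
    "ipsec_inbound_authentications": 2600000,
    "ipsec_received_packets_dropped": 45,                 # 5 of 100000: within "very small"
    "ipsec_received_packets_dropped_anti_replay": 1201,   # 1200 anti-replay drops: flagged
    "ipsec_sent_packets_dropped": 2,                      # must be zero: flagged
})

if __name__ == "__main__":
    for f in check_ipsec_stats(POLL_1, POLL_2):
        print(f"{f.counter}: +{f.delta} ({f.share:.2%} of work) -> {f.reason}")
```

The first poll after a boot or reset must be treated as a new baseline; the check raises rather than comparing across a reset, since cumulative counters only make sense as deltas.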
Monitoring | Statistics | HTTP
This screen shows statistics for HTTP activity on the VPN Concentrator since it was last booted or reset.
To configure system-wide HTTP server parameters, see the Configuration | System |
Management Protocols | HTTP screen.
Figure 15-5 Monitoring | Statistics | HTTP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Octets Sent/Received
The total number of HTTP octets (bytes) sent or received since the VPN Concentrator was last booted
or reset.
Packets Sent/Received
The total number of HTTP packets sent or received since the VPN Concentrator was last booted or reset.
Packets Sent Sockets/Sessions
The number of HTTP sessions on the VPN Concentrator.
Active
The number of currently active HTTP connections on the VPN Concentrator.
Peak
The maximum number of HTTP connections that were simultaneously active on the VPN Concentrator
since it was last booted or reset.
Total
The total number of HTTP connections on the VPN Concentrator since it was last booted or reset.
HTTP Sessions
This section provides information about HTTP sessions on the VPN Concentrator since it was last
booted or reset.
Login Name
The name of the administrative user for the HTTP session.
IP Address
The IP address of the HTTP session.
Login Time
The time when the HTTP session began.
Encryption
The encryption method used in the HTTP session.
Octets Sent/Received
Number of octets sent or received during the HTTP session.
Packets Sent/Received
Number of packets sent or received during the HTTP session.
Sockets Active
The number of currently active sockets for the HTTP session.
Sockets Peak
The maximum number of sockets simultaneously active during the HTTP session.
Sockets Total
The total number of sockets active during the HTTP session.
Max Connections
The maximum number of concurrent HTTP connections for the VPN Concentrator since it was last
rebooted or reset.
Monitoring | Statistics | Events
This screen shows statistics for all events on the VPN Concentrator since it was last booted or reset.
To configure event handling, see the Configuration | System | Events screens.
Figure 15-6 Monitoring | Statistics | Events Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Use the scroll controls (if present) to view the entire table.
Event Class
Event class denotes the source of the event and refers to a specific hardware or software subsystem
within the VPN Concentrator. For a description of event classes, see VPN 3000 Series Concentrator
Reference Volume 1: Configuration.
Event Number
Event number is a Cisco-assigned reference number that denotes a specific event within the event class.
For example, CONFIG event number 2 is “Reading configuration file.” This reference number assists
Cisco support personnel if they need to examine event statistics.
Count of Events
The number of times that specific event has occurred on the VPN Concentrator since it was last booted
or reset.
Monitoring | Statistics | Telnet
This screen shows statistics for Telnet activity on the VPN Concentrator since it was last booted or reset,
and for current Telnet sessions.
To configure the VPN Concentrator’s Telnet server, see the Configuration | System |
Management Protocols | Telnet screen.
Figure 15-7 Monitoring | Statistics | Telnet Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Active Sessions
The number of active Telnet sessions. The Telnet Sessions table shows statistics for these sessions.
Attempted Sessions
The total number of attempts to establish Telnet sessions on the VPN Concentrator since it was last
booted or reset.
Successful Sessions
The total number of Telnet sessions successfully established on the VPN Concentrator since it was last
booted or reset.
Telnet Sessions
This table shows statistics for active Telnet sessions on the VPN Concentrator. Each active session is a
row.
Client IP Address:Port
The IP address and TCP source port number of this session’s remote Telnet client.
Inbound Octets Total
The total number of Telnet octets (bytes) received by this session.
Inbound Octets Command
The number of octets (bytes) containing Telnet commands or options, received by this session.
Inbound Octets Discarded
The number of Telnet octets (bytes) received and dropped during input processing by this session.
Outbound Octets Total
The total number of Telnet octets (bytes) transmitted by this session.
Outbound Octets Dropped
The number of outbound Telnet octets dropped during output processing by this session.
Monitoring | Statistics | DNS
This screen shows statistics for DNS (Domain Name System) activity on the VPN Concentrator since it
was last booted or reset.
To configure the VPN Concentrator to communicate with DNS servers, see the Configuration | System |
Servers | DNS screen.
Figure 15-8 Monitoring | Statistics | DNS Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Requests
The total number of DNS queries the VPN Concentrator made since it was last booted or reset. This
number equals the sum of the numbers in the four cells below.
Responses
The number of DNS queries that were successfully resolved.
Timeouts
The number of DNS queries that failed because there was no response from the server.
Server Unreachable
The number of DNS queries that failed because the address of the server is not reachable according to
the VPN Concentrator’s routing table.
Other Failures
The number of DNS queries that failed for an unspecified reason.
Monitoring | Statistics | Authentication
This screen shows statistics for user authentication activity on the VPN Concentrator since it was last
booted or reset.
To configure the VPN Concentrator to communicate with authentication servers, see the Configuration
| System | Servers | Authentication screens.
Figure 15-9 Monitoring | Statistics | Authentication Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Server IP Address:Port
The IP address of the configured authentication server, and the port number that the VPN Concentrator
is using to access the server. Each configured authentication server is a row in this table. Internal
identifies the internal VPN Concentrator authentication server.
The default, or well-known, port numbers identify an authentication server type:
• 139 = NT Domain
• 389 = LDAP
• 1645 = RADIUS
• 5500 = SDI
Requests
The total number of authentication request packets sent to this server. This number does not include
retransmissions.
Retransmissions
The number of authentication request packets retransmitted to this server.
Accepts
The number of authentication acceptance packets received from this server.
Rejects
The number of authentication rejection packets received from this server.
Challenges
The number of authentication challenge packets received from this server.
Malformed Responses
The number of malformed authentication response packets received from this server. Malformed packets
include packets with an invalid length. Bad authenticators are not included in this number.
Bad Authenticators
The number of bad authentication response packets received from this server. Bad authenticators contain
invalid authenticators or signature attributes.
Pending Requests
The number of authentication request packets destined for this server that have not yet timed out or
received a response.
Timeouts
The number of authentication timeouts to this server. After a timeout the system might retry the same
server, send to a different server, or give up. Retrying the same server is counted as a retransmission as
well as a timeout. Sending to a different server is counted as a request as well as a timeout.
Unknown Type
The number of authentication packets of unknown type received from this server.
Monitoring | Statistics | Accounting
This screen shows statistics for RADIUS user accounting activity on the VPN Concentrator since it was
last booted or reset.
To configure the VPN Concentrator to communicate with RADIUS accounting servers, see the
Configuration | System | Servers | Accounting screens.
Figure 15-10 Monitoring | Statistics | Accounting Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Server IP Address: Port
The IP address of the configured RADIUS user accounting server, and the port number that the VPN
Concentrator is using to access the server. Each configured accounting server is a row in this table. The
well-known port number for RADIUS accounting is 1646.
Requests
The number of accounting request packets sent to this RADIUS accounting server. This number does not
include retransmissions.
Retransmissions
The number of accounting request packets retransmitted to this RADIUS accounting server.
Responses
The number of accounting response packets received from this RADIUS accounting server.
Malformed Responses
The number of malformed accounting response packets received from this RADIUS accounting server.
Malformed packets include packets with an invalid length. Bad authenticators are not included in this
number.
Bad Authenticators
The number of accounting response packets received from this server that contained invalid
authenticators.
Pending Requests
The number of accounting request packets sent to this RADIUS accounting server that have not yet
timed out or received a response.
Timeouts
The number of accounting timeouts to this RADIUS server. After a timeout the system may retry the
same server, send to a different server, or give up. Retrying the same server is counted as a
retransmission as well as a timeout. Sending to a different server is counted as a request as well as a
timeout.
Unknown Type
The number of RADIUS packets of unknown type received from this server on the accounting port.
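The Malformed Responses, Bad Authenticators, Unknown Type, Pending Requests and Timeouts counters on this screen and on the Authentication screen share the same RADIUS semantics. As an added example, not code from this manual or from the VPN Concentrator, the following Python models a receiver that sorts one server reply into those counters (the authenticator check is the RFC 2865/2866 MD5 construction) and applies the timeout accounting rules the two screens describe; the shared secret, Request Authenticator and attribute bytes are constructed values, and checking Unknown Type before the authenticator is an assumption the screens do not state.

```python
import hashlib
import hmac
import struct
from collections import Counter

# RADIUS codes from RFC 2865 (authentication) and RFC 2866 (accounting)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
ACCOUNTING_RESPONSE = 5
RADIUS_HEADER_LEN = 20   # Code, Identifier, Length and the 16-byte Authenticator
RADIUS_MAX_LEN = 4096
REPLY_CODES = {          # replies expected on each port, keyed to the screen field they bump
    False: {ACCESS_ACCEPT: "Accepts", ACCESS_REJECT: "Rejects", ACCESS_CHALLENGE: "Challenges"},
    True: {ACCOUNTING_RESPONSE: "Responses"},
}


def new_server() -> Counter:
    """A fresh row of counters keyed by the field names on the screen."""
    return Counter()


def response_authenticator(code, ident, length, request_auth, attrs, secret) -> bytes:
    """RFC 2865/2866: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, attrs, secret) -> bytes:
    """Assemble a server reply with a correct authenticator; used only to construct input."""
    length = RADIUS_HEADER_LEN + len(attrs)
    auth = response_authenticator(code, ident, length, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs


def send_request(server: Counter) -> None:
    """A first transmission is a Request and leaves one request Pending."""
    server["Requests"] += 1
    server["Pending Requests"] += 1


def on_timeout(server: Counter, action: str, other=None) -> None:
    """Timeout accounting as the screens state it: "retry" is a Retransmission as well as a
    Timeout, "failover" is a Timeout here plus a Request on the other server, and "give_up"
    is a Timeout only."""
    server["Timeouts"] += 1
    if action == "retry":
        server["Retransmissions"] += 1      # the retried request stays pending
        return
    server["Pending Requests"] -= 1
    if action == "failover":
        send_request(other)


def classify_response(pkt: bytes, request_auth: bytes, secret: bytes,
                      server: Counter, accounting: bool = False) -> str:
    """Check one reply, bump the counter the screen would show, and return that field name."""
    # Malformed Responses: Length must be 20..4096 and must not exceed the datagram
    if len(pkt) < RADIUS_HEADER_LEN:
        server["Malformed Responses"] += 1
        return "Malformed Responses"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not RADIUS_HEADER_LEN <= length <= min(RADIUS_MAX_LEN, len(pkt)):
        server["Malformed Responses"] += 1
        return "Malformed Responses"
    pkt = pkt[:length]                      # octets beyond Length are padding (RFC 2865)
    # Unknown Type: a code that is not a reply on this port (assumed order: before the
    # authenticator check)
    field = REPLY_CODES[accounting].get(code)
    if field is None:
        server["Unknown Type"] += 1
        return "Unknown Type"
    # Bad Authenticators: well-formed, but the MD5 over the shared secret does not verify
    expected = response_authenticator(code, ident, length, request_auth, pkt[20:], secret)
    if not hmac.compare_digest(pkt[4:20], expected):
        server["Bad Authenticators"] += 1
        return "Bad Authenticators"
    server["Pending Requests"] -= 1         # only a verified reply settles the pending request
    server[field] += 1
    return field
```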
Monitoring | Statistics | Filtering
This screen shows statistics for filtering of traffic that has passed through the interfaces on the VPN
Concentrator since it was last booted or reset.
To configure filters, see the Configuration | Policy Management | Traffic Management screens. To apply
filters to interfaces, see the Configuration | Interfaces screens. To apply filters to users and groups, see
the Configuration | User Management screens.
Figure 15-11 Monitoring | Statistics | Filtering Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Interface
The VPN Concentrator network interface through which the filtered traffic has passed.
• 1 = Ethernet 1 (Private) interface.
• 2 = Ethernet 2 (Public) interface.
• 3 = Ethernet 3 (External) interface.
• 8 or greater = WAN interface.
Inbound Packets Pre-Filter
The total number of inbound packets received on this interface.
Inbound Packets Filtered
The number of inbound packets that have been filtered and dropped on this interface.
Inbound Packets Post Filter
The number of inbound packets that have been filtered and forwarded on this interface. This number
equals Inbound Packets Pre-Filter minus Inbound Packets Filtered.
Outbound Packets Pre-Filter
The total number of outbound packets received on this interface.
Outbound Packets Filtered
The number of outbound packets that have been filtered and dropped on this interface.
Outbound Packets Post Filter
The number of outbound packets that have been filtered and forwarded on this interface. This number
equals Outbound Packets Pre-Filter minus Outbound Packets Filtered.
Monitoring | Statistics | VRRP
This screen shows status and statistics for VRRP (Virtual Router Redundancy Protocol) activity on the
VPN Concentrator since it was last booted or reset.
To configure VRRP, see the Configuration | System | IP Routing | Redundancy screen.
Figure 15-12 Monitoring | Statistics | VRRP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Checksum Errors
The total number of VRRP packets received with an invalid VRRP checksum value.
Version Errors
The total number of VRRP packets received with an unknown or unsupported version number. The VPN
Concentrator supports VRRP version 2 as defined in RFC 2338.
VRID Errors
The total number of VRRP packets received with an invalid VRRP Group ID number for this VPN
Concentrator.
VRID
The identification number that uniquely identifies the group of virtual routers to which this VPN
Concentrator belongs.
• Not Configured = VRRP has not been configured or enabled.
Virtual Routers
This table shows statistics for the virtual router on each configured VRRP interface on this VPN
Concentrator.
Interface: 1 (Private), 2 (Public), 3 (External)
The Ethernet interface configured for VRRP.
Status
The status of the VRRP router in this VPN Concentrator:
• Master = VRRP is enabled and the router is functioning as the Master router.
• Backup = VRRP is enabled and the router is functioning as a Backup router, monitoring the status of the Master router.
• Init = VRRP has been configured but is disabled. The router is waiting to be enabled (initialized).
Became Master
The total number of times that this VPN Concentrator has become a VRRP Master router after having a
different role. This number should be the same in all columns.
Advertisements Received
The total number of VRRP advertisements received by this interface.
Advertisement Interval Errors
The total number of VRRP advertisement packets received by this interface, in which the advertisement
interval differs from the interval configured on this VPN Concentrator.
Authentication Failures
The total number of VRRP packets received by this interface that do not pass the authentication check.
Time-to-Live Errors
The total number of VRRP packets received by this interface with IP TTL (Time-To-Live) not equal to
255. All VRRP packets must have TTL = 255.
Priority 0 Packets Received
The total number of VRRP packets received by this interface with a priority of 0. Priority 0 packets
indicate that the current Master router has stopped participating in VRRP.
Priority 0 Packets Sent
The total number of VRRP packets sent by this interface with a priority of 0. Priority 0 packets indicate
that the current Master router has stopped participating in VRRP.
Invalid Type Received
The number of VRRP packets received by this interface with an invalid value in the Type field. For
VRRP version 2, the only valid Type value is 1, which indicates an advertisement packet.
Address List Errors
The total number of packets received for which the address list does not match the list configured on this
VPN Concentrator.
Invalid Authentication Errors
The total number of packets received by this interface with an unknown authentication type.
Mismatch Authentication Errors
The total number of packets received by this interface with an authentication type that differs from the
configured authentication type.
Packet Length Errors
The total number of packets received by this interface with a packet length less than the length of the
VRRP header.
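Each error counter in this table corresponds to one of the receive-side checks that RFC 2338 requires before an advertisement is accepted. As an added example, not code from this manual or from the VPN Concentrator, the following Python applies those checks to a constructed VRRPv2 advertisement and increments a counter named after the matching screen field; the VRID, password, address list and packet bytes are constructed values, and the order of the checks is an assumption.

```python
import socket
import struct
from collections import Counter
from dataclasses import dataclass

# Constants from RFC 2338 (VRRP version 2), against which this screen's counters are defined
VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
VRRP_HEADER_LEN = 8           # fixed fields through the checksum
VRRP_AUTH_DATA_LEN = 8
KNOWN_AUTH_TYPES = {0, 1, 2}  # 0 = none, 1 = simple text password, 2 = IP Authentication Header


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; an intact packet sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class VrrpConfig:
    """What the receiving interface is configured with (constructed values in the test)."""
    vrid: int
    auth_type: int
    auth_data: bytes
    adver_int: int
    addresses: list


def new_counters() -> Counter:
    """A fresh row of the Virtual Routers table, keyed by the screen's field names."""
    return Counter()


def build_advertisement(vrid, priority, addresses, auth_type, auth_data, adver_int=1,
                        version=VRRP_VERSION, vtype=VRRP_TYPE_ADVERTISEMENT) -> bytes:
    """Assemble a VRRPv2 advertisement with a correct checksum; used only to construct input."""
    body = struct.pack("!BBBBBBH", (version << 4) | vtype, vrid, priority,
                       len(addresses), auth_type, adver_int, 0)
    body += b"".join(socket.inet_aton(a) for a in addresses)
    body += auth_data.ljust(VRRP_AUTH_DATA_LEN, b"\x00")[:VRRP_AUTH_DATA_LEN]
    return body[:6] + struct.pack("!H", internet_checksum(body)) + body[8:]


def bump(counters: Counter, name: str) -> str:
    """Increment the counter named after the screen field and return that name."""
    counters[name] += 1
    return name


def classify(pkt: bytes, ip_ttl: int, cfg: VrrpConfig, counters: Counter) -> str:
    """Apply the receive checks in order; the first failure names the counter it hits."""
    if ip_ttl != 255:
        return bump(counters, "Time-to-Live Errors")
    if len(pkt) < VRRP_HEADER_LEN:
        return bump(counters, "Packet Length Errors")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != VRRP_VERSION:
        return bump(counters, "Version Errors")
    if internet_checksum(pkt) != 0:
        return bump(counters, "Checksum Errors")
    if vrid != cfg.vrid:
        return bump(counters, "VRID Errors")
    if (ver_type & 0x0F) != VRRP_TYPE_ADVERTISEMENT:
        return bump(counters, "Invalid Type Received")
    if auth_type not in KNOWN_AUTH_TYPES:
        return bump(counters, "Invalid Authentication Errors")
    if auth_type != cfg.auth_type:
        return bump(counters, "Mismatch Authentication Errors")
    # Assumption: a packet too short for its own address list and auth data is also counted
    # as a length error; the screen's definition names only the fixed header.
    end = VRRP_HEADER_LEN + 4 * count
    if len(pkt) < end + VRRP_AUTH_DATA_LEN:
        return bump(counters, "Packet Length Errors")
    password = pkt[end:end + VRRP_AUTH_DATA_LEN].rstrip(b"\x00")
    if auth_type == 1 and password != cfg.auth_data:
        return bump(counters, "Authentication Failures")
    addrs = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    if addrs != cfg.addresses:
        return bump(counters, "Address List Errors")
    if adver_int != cfg.adver_int:
        return bump(counters, "Advertisement Interval Errors")
    bump(counters, "Advertisements Received")
    if priority == 0:                       # the Master has stopped participating
        return bump(counters, "Priority 0 Packets Received")
    return "Advertisements Received"
```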
Monitoring | Statistics | SSL
This screen shows statistics for SSL (Secure Sockets Layer) protocol traffic on the VPN Concentrator
since it was last booted or reset.
To configure SSL, see Configuration | System | Management Protocols | SSL.
Figure 15-13 Monitoring | Statistics | SSL Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Unencrypted Inbound Octets
The number of octets (bytes) of inbound traffic output by the decryption engine.
Encrypted Inbound Octets
The number of octets (bytes) of encrypted inbound traffic sent to the decryption engine. This number
includes negotiation traffic.
Unencrypted Outbound Octets
The number of unencrypted outbound octets (bytes) sent to the encryption engine.
Encrypted Outbound Octets
The number of octets (bytes) of outbound traffic output by the encryption engine. This number includes
negotiation traffic.
Total Sessions
The total number of SSL sessions.
Active Sessions
The number of currently active SSL sessions.
Max Active Sessions
The maximum number of SSL sessions simultaneously active at any one time.
Monitoring | Statistics | DHCP
This screen shows statistics for DHCP (Dynamic Host Configuration Protocol) activity on the VPN
Concentrator since it was last booted or reset. Each row of the table shows data for one session that is
using an IP address obtained via DHCP.
To identify DHCP servers to the VPN Concentrator, see Configuration | System | Servers | DHCP. To
configure system-wide DHCP functions within the VPN Concentrator, see Configuration | System |
IP Routing | DHCP. To use DHCP to assign addresses to clients, see the Configuration | System |
Address Management | Assignment screen.
Figure 15-14 Monitoring | Statistics | DHCP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Leased IP Address
The IP address leased from the DHCP server by the remote client.
Lease Duration
The duration of the current IP address lease, shown as HH:MM:SS.
Time Used
The total length of time that this session has had an active IP address lease, shown as HH:MM:SS.
Time Left
The time remaining until the current IP address lease expires, shown as HH:MM:SS.
DHCP Server Address
The IP address of the DHCP server that leased this IP address.
Monitoring | Statistics | Address Pools
This screen shows statistics for address pool activity on the VPN Concentrator since it was last booted
or reset. This data appears if the VPN Concentrator is configured to assign IP addresses to clients from
an internal address pool.
To configure address pools, see the Configuration | System | Address Management screens.
Figure 15-15 Monitoring | Statistics | Address Pools Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
IP Address Range: Start / End
The starting and ending IP addresses in the configured address pool. Each configured range is a row in
the table.
Total Addresses
The total number of IP addresses in this configured pool.
Available Addresses
The number of IP addresses available (unassigned) in this pool.
Allocated Addresses
The number of IP addresses currently assigned from this pool.
Max Allocated Addresses
The maximum number of IP addresses assigned from this pool at any one time.
Group
The names of configured groups.
IP Address Range: Start / End
The starting and ending IP addresses in the group’s address pool. Each configured range is a row in the
table.
Total Addresses
The total number of IP addresses in the address pool of this group.
Available Addresses
The number of IP addresses available (unassigned) in this group’s pool.
Allocated Addresses
The number of IP addresses currently assigned from this group’s pool.
Max Allocated Addresses
The maximum number of IP addresses assigned from this group’s pool at any one time.
Monitoring | Statistics | SSH
This screen shows statistics for SSH (Secure Shell) protocol traffic on the VPN Concentrator since it
was last booted or reset.
To configure SSH, see Configuration | System | Management Protocols | SSH.
Figure 15-16 Monitoring | Statistics | SSH Screen
Octets Sent / Received
The total number of SSH octets (bytes) sent / received since the VPN Concentrator was last booted or
reset.
Packets Sent / Received
The total number of SSH packets sent / received since the VPN Concentrator was last booted or reset.
Total Sessions
The total number of SSH sessions since the VPN Concentrator was last booted or reset.
Active Sessions
The number of currently active SSH sessions.
Max Sessions
The maximum number of simultaneously active SSH sessions on the VPN Concentrator.
Monitoring | Statistics | Load Balancing
This screen shows statistics for load balancing on the VPN Concentrator since it was last booted or reset.
Figure 15-17 Monitoring | Statistics | Load Balancing Screen
Enabled?
Indicates whether load balancing has been enabled on this VPN Concentrator.
Role
The role of this VPN Concentrator within the virtual cluster. It is either a virtual cluster master or a
secondary device.
Load
The percentage of the cluster’s total session load that this VPN Concentrator is carrying.
Number of Peers
The number of other VPN Concentrators in the virtual cluster.
Peers
The peers chart shows configuration details and session statistics of the other VPN Concentrators in the
virtual cluster.
Private IP Address
The private IP address of the peer.
Public IP Address
The public IP address of the peer.
Mapped IP Address
The NAT address of the peer, if it has one.
Role
The role of the peer within the virtual cluster. It is either a virtual cluster master or a secondary device.
Device Type
The VPN Concentrator model (such as 3005 or 3015) of the peer.
Load
The percentage of the cluster’s total session load that the peer is carrying. You can view this information
only from the virtual cluster master device. If you are viewing this field from a secondary device, its
value is N/A.
Sessions
The number of currently active sessions on the peer. You can view this information only from the virtual
cluster master device. If you are viewing this field from a secondary device, its value is N/A.
Priority
The likelihood that this peer will become the master at power-up or if the current master fails. For more
information on priorities, see the Configuration | System | Load Balancing section.
Duration
The length of time this device has been connected to the virtual cluster.
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Monitoring | Statistics | Compression
If you have enabled data compression, this screen shows statistics for data compression on the VPN
Concentrator since it was last booted or reset.
Figure 15-18 Monitoring | Statistics | Compression Screen
IPSec Using IPComp
This screen shows statistics for IPSec data compression using the IPComp compression protocol.
Note
The following IPComp statistics measure the results of compression on all incoming and outgoing
data, including data not intended for compression and data that is not compressible.
Outbound Pre-Compression
The total number of bytes of all outbound data before compression.
Outbound Post-Compression
The total number of bytes of all outbound data after compression.
Ratio
The ratio of Outbound Pre-Compression to Outbound Post-Compression.
Inbound Pre-Decompression
The total number of bytes of all incoming data before any of it is decompressed.
Inbound Post-Decompression
The total number of bytes of all incoming data after decompression.
Ratio
The ratio of Inbound Post-Decompression to Inbound Pre-Decompression.
L2TP/PPTP Using MPPC
This table shows statistics for L2TP and PPTP data compression using the MPPC compression protocol.
These MPPC statistics use the following distinctions. (See Figure 15-19.) All data transmitted can be
divided into two groups: data intended for compression (A) and data that is not intended for compression
(B). Of the data intended for compression, some of it actually compresses (A1) and some does not (A2).
(The compression process would actually cause certain data to expand, so this data is left
uncompressed.)
Figure 15-19 Distinctions Used for Data Compression Statistics
[Figure: All data is divided into data intended for compression (A) and data not intended for compression (B); data intended for compression (A) is further divided into data actually compressed (A1) and data that could not be compressed (A2).]
Resets Received
The total number of reset requests received from the remote peer.
Resets Sent
The total number of reset requests sent to the remote peer.
Outbound Pre-Compression
The total number of bytes of outbound data intended for compression. (“A” in Figure 15-19.)
Outbound Post-Compression
The total number of bytes of outbound data actually compressed. (“A1” in Figure 15-19.)
Outbound Not Compressed
The total number of bytes of data intended for compression that were not compressed. The compression
process would actually cause certain data to expand, so this data is left uncompressed. (“A2” in
Figure 15-19.)
Compression Ratio
The ratio of Outbound Pre-Compression to (Outbound Post-Compression + Outbound Not Compressed).
Not Compressed Ratio
The ratio of Outbound Pre-Compression to Outbound Not Compressed.
Inbound Pre-Decompression
The total number of bytes of incoming data intended for decompression. (“A” in Figure 15-19.)
Inbound Post-Decompression
The total number of bytes of incoming data actually decompressed. (“A1” in Figure 15-19.)
Inbound Not Compressed
The total number of uncompressed inbound data bytes of the data. (“A2” in Figure 15-19.)
Compression Ratio
The ratio of (Inbound Post-Decompression + Inbound Not Compressed) to Inbound Pre-Decompression.
Not Compressed Ratio
The ratio of Inbound Pre-Decompression to Inbound Not Compressed.
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Monitoring | Statistics | Administrative AAA
If you have configured a TACACS+ server, this screen shows statistics for communications between the
VPN Concentrator and the TACACS+ server since the VPN Concentrator was last booted or reset.
Figure 15-20 Monitoring | Statistics | Administrative AAA Screen
IP Address
The IP address of the TACACS+ server.
Requests
The number of requests for authentication, information, or authorization from the VPN Concentrator to
the TACACS+ server.
Accepts
The number of successful authentications.
Rejects
The number of rejected authentications.
Challenge
This field is not used.
Pending Requests
The number of requests that have not yet been answered.
Timeouts
The number of times the VPN Concentrator timed out waiting for a response to a request.
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Monitoring | Statistics | MIB-II
This section of the Manager lets you view statistics that are recorded in standard MIB-II objects on the
VPN Concentrator. MIB-II (Management Information Base, version 2) objects are variables that contain
data about the system. They are defined as part of the Simple Network Management Protocol (SNMP),
and SNMP-based network management systems can query the VPN Concentrator to gather the data.
Each subsequent screen displays the data for a standard MIB-II group of objects:
• Interfaces: packets sent and received on network interfaces and VPN tunnels.
• TCP/UDP: Transmission Control Protocol and User Datagram Protocol segments and datagrams sent and received, etc.
• IP: Internet Protocol packets sent and received, fragmentation and reassembly data, etc.
• RIP: Routing Information Protocol global route changes, bad packets and bad routes received, etc.
• OSPF: Open Shortest Path First protocol LSA data, Area data, etc.
• ICMP: Internet Control Message Protocol ping, timestamp, and address mask requests and replies, etc.
• ARP Table: Address Resolution Protocol physical (MAC) addresses, IP addresses, and mapping types.
• Ethernet: errors and collisions, MAC errors, etc.
• SNMP: Simple Network Management Protocol requests, bad community strings, parsing errors, etc.
To configure and enable the VPN Concentrator’s SNMP server, see the Configuration | System |
Management Protocols | SNMP screen.
Figure 15-21 Monitoring | Statistics | MIB-II Screen
Monitoring | Statistics | MIB-II | Interfaces
This screen shows statistics in MIB-II objects for VPN Concentrator interfaces since the system was last
booted or reset. This screen also shows statistics for VPN tunnels as logical interfaces. RFC 2233 defines
interface MIB objects.
Figure 15-22 Monitoring | Statistics | MIB-II | Interfaces Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Interface
The VPN Concentrator interface:
• Ethernet 1 (Private) = Ethernet 1 (Private) interface.
• Ethernet 2 (Public) = Ethernet 2 (Public) interface.
• Ethernet 3 (External) = Ethernet 3 (External) interface.
• WAN 1.A = WAN interface module in Slot 1, Port A
• WAN 1.B = WAN interface module in Slot 1, Port B
• WAN 2.A = WAN interface module in Slot 2, Port A
• WAN 2.B = WAN interface module in Slot 2, Port B
• 1000 and up = VPN tunnels, which are treated as logical interfaces.
Status
The operational status of this interface:
• UP = configured and enabled, ready to pass data traffic.
• DOWN = configured but disabled.
• Testing = in test mode; no regular data traffic can pass.
• Dormant = configured and enabled but waiting for an external action, such as an incoming connection.
• Not Present = missing hardware components.
• Lower Layer Down = not operational because a lower-layer interface is down.
• Unknown = not configured.
Unicast In
The number of unicast packets that were received by this interface. Unicast packets are those addressed
to a single host.
Unicast Out
The number of unicast packets that were routed to this interface for transmission, including those that
were discarded or not sent. Unicast packets are those addressed to a single host.
Multicast In
The number of multicast packets that were received by this interface. Multicast packets are those
addressed to a specific group of hosts.
Multicast Out
The number of multicast packets that were routed to this interface for transmission, including those that
were discarded or not sent. Multicast packets are those addressed to a specific group of hosts.
Broadcast In
The number of broadcast packets that were received by this interface. Broadcast packets are those
addressed to all hosts on a network.
Broadcast Out
The number of broadcast packets that were routed to this interface for transmission, including those that
were discarded or not sent. Broadcast packets are those addressed to all hosts on a network.
Monitoring | Statistics | MIB-II | TCP/UDP
This screen shows statistics in MIB-II objects for TCP and UDP traffic on the VPN Concentrator since
it was last booted or reset. RFC 2012 defines TCP MIB objects, and RFC 2013 defines UDP MIB
objects.
Figure 15-23 Monitoring | Statistics | MIB-II | TCP/UDP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
TCP Segments Received
The total number of segments received, including those received in error and those received on currently
established connections. Segment is the official TCP name for what is often called a data packet.
TCP Segments Transmitted
The total number of segments sent, including those on currently established connections but excluding
those containing only retransmitted bytes. Segment is the official TCP name for what is casually called
a data packet.
TCP Segments Retransmitted
The total number of segments retransmitted; that is, the number of TCP segments transmitted containing
one or more previously transmitted bytes. Segment is the official TCP name for what is casually called
a data packet.
TCP Timeout Min
The minimum value permitted for TCP retransmission timeout, measured in milliseconds.
TCP Timeout Max
The maximum value permitted for TCP retransmission timeout, measured in milliseconds.
TCP Connection Limit
The limit on the total number of TCP connections that the system can support. A value of -1 means there
is no limit.
TCP Active Opens
The number of TCP connections that went directly from the CLOSED state to the SYN-SENT state,
bypassing the listening state; that is, connections that the VPN Concentrator itself initiated. On a
device that mainly accepts connections, these are usually in the minority.
TCP Passive Opens
The number of TCP connections that went from the LISTEN state to the SYN-RCVD state; that is,
connections initiated by a remote host. These are usually in the majority.
TCP Attempt Failures
The number of TCP connection attempts that failed. Technically this is the number of TCP connections
that went directly from the SYN-SENT or SYN-RCVD state to the CLOSED state, plus the number that
went from the SYN-RCVD state back to the LISTEN state.
TCP Established Resets
The number of established TCP connections that closed abruptly, going directly from the ESTABLISHED
or CLOSE-WAIT state to the CLOSED state and bypassing graceful termination.
TCP Current Established
The number of TCP connections currently in the ESTABLISHED or CLOSE-WAIT state; that is, connections
that are established or are in the process of terminating gracefully.
UDP Datagrams Received
The total number of UDP datagrams received. Datagram is the official UDP name for what is casually
called a data packet.
UDP Datagrams Transmitted
The total number of UDP datagrams sent. Datagram is the official UDP name for what is casually called
a data packet.
UDP Errored Datagrams
The number of received UDP datagrams that could not be delivered for reasons other than the lack of an
application at the destination port (UDP No Port). Datagram is the official UDP name for what is
casually called a data packet.
UDP No Port
The total number of received UDP datagrams that could not be delivered because there was no
application at the destination port. Datagram is the official UDP name for what is casually called a data
packet.
Monitoring | Statistics | MIB-II | IP
This screen shows statistics in MIB-II objects for IP traffic on the VPN Concentrator since it was last
booted or reset. RFC 2011 defines IP MIB objects.
Figure 15-24 Monitoring | Statistics | MIB-II | IP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Packets Received (Total)
The total number of IP data packets received by the VPN Concentrator, including those received with
errors.
Packets Received (Header Errors)
The number of IP data packets received and discarded due to errors in IP headers, including bad
checksums, version number mismatches, other format errors, etc.
Packets Received (Address Errors)
The number of IP data packets received and discarded because the IP address in the destination field was
not a valid address for the VPN Concentrator. This count includes invalid addresses (for example,
0.0.0.0) and addresses of unsupported classes (for example, Class E).
Packets Received (Unknown Protocols)
The number of IP data packets received and discarded because of an unknown or unsupported protocol.
Packets Received (Discarded)
The number of IP data packets received that had no problems preventing continued processing, but that
were discarded (for example, for lack of buffer space). This number does not include any packets
discarded while awaiting reassembly.
Packets Received (Delivered)
The number of IP data packets received and successfully delivered to IP user protocols (including ICMP)
on the VPN Concentrator; i.e., the VPN Concentrator was the final destination.
Packets Forwarded
The number of IP data packets received and forwarded to destinations other than the VPN Concentrator.
Outbound Packets Discarded
The number of outbound IP data packets that had no problems preventing their transmission to a
destination, but that were discarded (for example, for lack of buffer space).
Outbound Packets with No Route
The number of outbound IP data packets discarded because no route could be found to transmit them to
their destination. This number includes any packets that the VPN Concentrator could not route because
all of its default routers are down.
Packets Transmitted (Requests)
The number of IP data packets that local IP user protocols (including ICMP) supplied to transmission
requests. This number does not include any packets counted in Packets Forwarded.
Fragments Needing Reassembly
The number of IP fragments received by the VPN Concentrator that needed to be reassembled.
Reassembly Successes
The number of IP data packets successfully reassembled.
Reassembly Failures
The number of failures detected by the IP reassembly algorithm (for whatever reason: timed out, errors,
etc.). This number is not necessarily a count of discarded IP fragments since some algorithms can lose
track of the number of fragments by combining them as they are received.
Fragmentation Successes
The number of IP data packets that have been successfully fragmented by the VPN Concentrator.
Fragmentation Failures
The number of IP data packets that have been discarded because they needed to be fragmented but could
not be fragmented (for example, because the Don’t Fragment flag was set).
Fragments Created
The number of IP data packet fragments that have been generated by the VPN Concentrator.
Monitoring | Statistics | MIB-II | RIP
This screen shows statistics in MIB-II objects for RIP version 2 traffic on the VPN Concentrator since
it was last booted or reset. RFC 1724 defines RIP version 2 MIB objects.
To configure RIP on interfaces, see Configuration | Interfaces.
Figure 15-25 Monitoring | Statistics | MIB-II | RIP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Global Route Changes
The total number of route changes made to the IP route database by RIP. This number does not include
changes that only refresh the age of a route.
Global Queries
The total number of responses sent to RIP queries from other systems.
Interfaces
This table shows a row of statistics for each configured interface.
Interface Address
The IP address configured on the interface.
Received Bad Packets
The number of RIP response packets received by this interface that were subsequently discarded for any
reason (such as wrong version or unknown command type).
Received Bad Routes
The number of routes in valid RIP packets received by this interface that were ignored for any reason
(such as unknown address family or invalid metric).
Sent Updates
The number of triggered RIP updates actually sent by this interface. This number does not include full
updates sent containing new information.
Monitoring | Statistics | MIB-II | OSPF
This screen shows statistics in MIB-II objects for OSPF version 2 traffic on the VPN Concentrator since
it was last booted or reset. RFC 1850 defines OSPF version 2 MIB objects.
To configure OSPF on interfaces, see Configuration | Interfaces. To configure system-wide OSPF
parameters, see Configuration | System | IP Routing.
Figure 15-26 Monitoring | Statistics | MIB-II | OSPF Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Router ID
The VPN Concentrator OSPF router ID. This ID uniquely identifies the VPN Concentrator to other
OSPF routers in its domain. While the format is that of an IP address, it functions only as an identifier
and not an address. By convention, however, this identifier is the same as the IP address of the interface
that is connected to the OSPF router network. 0.0.0.0 means that no router ID is configured.
Version
The current version number of the OSPF protocol running on the VPN Concentrator.
External LSA Count
The number of AS-external Link-State Advertisements (LSAs) in the link-state database. AS-external
LSAs are originated by Autonomous System (AS) boundary routers and describe routes to destinations
outside the OSPF Autonomous System.
External LSA Checksum
The sum of the checksums of the external Link-State Advertisements in the link-state database. You can
use this sum to determine if there has been a change in the OSPF router link-state database of the system,
and to compare its database with other routers.
LSAs Originated
The number of new Link-State Advertisements that the system has originated. This number is
incremented each time the OSPF router originates a new LSA.
New LSAs Received
The number of Link-State Advertisements received that are completely new LSAs. This number does
not include newer instances of self-originated LSAs.
LSA Database Limit
The maximum number of external LSAs that can be stored in the link-state database. A value of -1 means
there is no limit.
Designated Routers
This table shows a row of statistics for each enabled VPN Concentrator interface. When OSPF routing
is enabled on an interface, that interface communicates with the other OSPF routers on its network, and
the routers on each multi-access network (such as an Ethernet segment) elect one of themselves as the
Designated Router and another as the Backup Designated Router.
Interface Address
The IP address of the VPN Concentrator interface that communicates with its area.
Interface Name
The VPN Concentrator interface that communicates with its area:
• Ethernet 1 (Private) = Ethernet 1 (Private) interface.
• Ethernet 2 (Public) = Ethernet 2 (Public) interface.
• Ethernet 3 (External) = Ethernet 3 (External) interface.
• WAN 1.A = WAN interface module in Slot 1, Port A.
• WAN 1.B = WAN interface module in Slot 1, Port B.
• WAN 2.A = WAN interface module in Slot 2, Port A.
• WAN 2.B = WAN interface module in Slot 2, Port B.
Designated Router
The IP address of the Designated Router on the network attached to this interface.
Backup Designated Router
The IP address of the Backup Designated Router on the network attached to this interface.
Neighbors
This table shows a row of statistics for each OSPF neighbor, for all areas in which the VPN Concentrator
participates. A neighbor is another OSPF router in an OSPF area, and this table includes all such areas
for the VPN Concentrator.
IP Address
The IP address of the neighboring OSPF router.
Router ID
The router ID of the neighboring OSPF router, which uniquely identifies it to other OSPF routers in its
domain. While the format is that of an IP address, it functions only as an identifier. By convention,
however, it is the same as the IP address of the interface that is connected to the OSPF router network.
State
The state of the relationship with this neighboring OSPF router:
• Down = (Red) The VPN Concentrator has received no recent information from this neighbor. The
neighbor might be out of service, or it might not have been in service long enough to establish its
presence (at startup).
• Initializing = The VPN Concentrator has received a Hello packet from this neighbor, but it has not
yet established bidirectional communication.
• Attempting = This state applies only to neighbors in an NBMA (Non-Broadcast Multi-Access)
OSPF network. It indicates that the VPN Concentrator has received no recent information from this
neighbor, but it is trying to establish contact by sending Hello packets at the Hello Interval.
• Two Way = The VPN Concentrator has established bidirectional communication with this neighbor,
but has not established adjacency; in other words, they are not exchanging routing information.
• Exchange Start = The VPN Concentrator and this neighbor are in the first step of establishing an
adjacency relationship.
• Exchanging = The VPN Concentrator is describing its entire link-state database by sending Database
Description packets to this neighbor, to establish an adjacency relationship.
• Loading = The VPN Concentrator is sending Link State Request packets to this neighbor asking for
the more recent LSAs that were discovered but not yet received in the Exchanging state.
• Full = (Green) The VPN Concentrator is in a fully adjacent relationship with this neighbor. This
adjacency now appears in router LSAs and network LSAs.
Areas
This table shows a row of statistics for each OSPF Area.
Area ID
The Area ID identifies the subnet area within the OSPF Autonomous System or domain. While its format
is the same as an IP address, it functions only as an identifier and not an address. 0.0.0.0 identifies a
special area—the backbone—that contains all area border routers.
SPF Runs
The number of times that the system has calculated the intra-area route table (SPF, or Shortest Path First
table) using the link-state database of this area.
AS Border Routers
The total number of Autonomous System border routers reachable within this area.
Area Border Routers
The total number of area border routers reachable within this area.
Area LSA Count
The total number of Link-State Advertisements in the link-state database of this area, excluding AS
external LSAs.
Area LSA Checksum
The sum of the checksums of the Link-State Advertisements in the link-state database of this area. This
sum excludes external LSAs. You can use this sum to determine if there has been a change in the
link-state database of the area, and to compare its database with other routers.
External LSAs
This table shows a row for each external Link-State Advertisement in the link-state database.
Area ID
The Area ID identifies the Area from which the LSA was received.
Type
The LSA type. Each LSA type has a different format:
• Router Link = Describes the states of the router’s interfaces (LS Type 1).
• Network Link = Describes the set of routers attached to the network (LS Type 2).
• Summary Link = Describes routes to networks (LS Type 3).
• AS Summary Link = Describes routes to AS boundary routers (LS Type 4).
• AS External Link = Describes routes to destinations external to the AS (LS Type 5).
• Multicast Link = Describes group membership for multicast OSPF routing (LS Type 6).
• NSSA External Link = Describes routing for NSSAs: Not-So-Stubby-Areas (LS Type 7).
Link State ID
Either a router ID or an IP address that identifies the piece of the routing domain being described by the
LSA.
Router ID
The identifier of the router in the Autonomous System that originated this LSA.
Sequence
The sequence number of this LSA. Sequence numbers are linear. They are used to detect old and
duplicate LSAs. The larger the number, the more recent the LSA.
Age
The age of the LSA in seconds.
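The External LSA Checksum and Area LSA Checksum fields above, and the Sequence and Age fields of the External LSAs table, are easier to interpret with the checksum algorithm in hand. The following is an added example, not part of this manual or of Cisco's software: it builds a constructed AS-external (type 5) LSA, computes the LS checksum (the Fletcher checksum that OSPF takes over every byte of the LSA except the LS age field, RFC 2328 section 12.1.7), verifies it, and sums the checksums of a small link-state database the way the checksum-sum fields on this screen do. It shows why aging an LSA leaves the sum unchanged, while a re-originated LSA with a new sequence number, or any corrupted byte, changes it. The function names, addresses and LSA contents are my own assumptions.

```python
import struct
from ipaddress import IPv4Address

LS_AGE_LEN = 2      # LS age is excluded from the checksum (RFC 2328, 12.1.7)
CKSUM_OFFSET = 16   # LS checksum offset within the 20-byte LSA header
LSA_HDR_LEN = 20


def _fletcher_sums(data: bytes):
    """Running Fletcher sums (mod 255) over the checksummed bytes of an LSA."""
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1


def set_lsa_checksum(lsa: bytes) -> bytes:
    """Return a copy of lsa with the LS checksum field computed and stored."""
    buf = bytearray(lsa)
    buf[CKSUM_OFFSET:CKSUM_OFFSET + 2] = b"\x00\x00"
    covered = bytes(buf[LS_AGE_LEN:])
    c0, c1 = _fletcher_sums(covered)
    off = CKSUM_OFFSET - LS_AGE_LEN            # checksum position inside `covered`
    # Choose the two check bytes so that both running sums come out to zero
    # when the receiver runs the same loop over the LSA with the checksum in place.
    x = ((len(covered) - off - 1) * c0 - c1) % 255
    if x == 0:
        x = 255                                # 0 is reserved for "no checksum"
    y = 510 - c0 - x
    if y > 255:
        y -= 255
    buf[CKSUM_OFFSET], buf[CKSUM_OFFSET + 1] = x, y
    return bytes(buf)


def lsa_checksum_ok(lsa: bytes) -> bool:
    """True if the stored LS checksum verifies (both Fletcher sums are zero)."""
    return _fletcher_sums(lsa[LS_AGE_LEN:]) == (0, 0)


def lsa_checksum(lsa: bytes) -> int:
    """The 16-bit LS checksum value as stored in the LSA header."""
    return struct.unpack_from("!H", lsa, CKSUM_OFFSET)[0]


def lsdb_checksum_sum(lsas) -> int:
    """32-bit sum of LS checksums, as the screen's LSA Checksum fields report it."""
    return sum(lsa_checksum(lsa) for lsa in lsas) & 0xFFFFFFFF


def build_external_lsa(ls_id: str, adv_router: str, seq: int, mask: str,
                       metric: int, age: int = 0) -> bytes:
    """Constructed AS-external (type 5) LSA: 20-byte header + 16-byte body."""
    header = struct.pack("!HBB4s4sIHH", age, 0x02, 5,
                         IPv4Address(ls_id).packed, IPv4Address(adv_router).packed,
                         seq, 0, LSA_HDR_LEN + 16)
    body = struct.pack("!4sI4sI", IPv4Address(mask).packed,
                       (1 << 31) | metric,     # E bit set: type-2 external metric
                       b"\x00" * 4, 0)         # forwarding address, external route tag
    return set_lsa_checksum(header + body)


if __name__ == "__main__":
    db_a = [build_external_lsa("10.1.0.0", "192.0.2.1", 0x80000001, "255.255.0.0", 10),
            build_external_lsa("10.2.0.0", "192.0.2.1", 0x80000001, "255.255.0.0", 20)]
    # The same database after the second route was re-originated with a new sequence number.
    db_b = [db_a[0],
            build_external_lsa("10.2.0.0", "192.0.2.1", 0x80000002, "255.255.0.0", 20)]
    print("all checksums verify:", all(map(lsa_checksum_ok, db_a + db_b)))
    print("checksum sum A: 0x%08x  B: 0x%08x"
          % (lsdb_checksum_sum(db_a), lsdb_checksum_sum(db_b)))
```

Because the age field is not covered, two routers whose databases hold the same LSAs at different ages still report the same checksum sum, which is what makes the sum usable for comparing databases across routers; any difference in content, down to a single byte, changes the sum.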
Monitoring | Statistics | MIB-II | ICMP
This screen shows statistics in MIB-II objects for ICMP traffic on the VPN Concentrator since it was
last booted or reset. RFC 2011 defines ICMP MIB objects.
Figure 15-27 Monitoring | Statistics | MIB-II | ICMP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Total Received / Transmitted
The total number of ICMP messages that the VPN Concentrator received / sent. This number includes
messages counted as Errors Received / Transmitted. ICMP messages solicit and provide information
about the network environment.
Errors Received / Transmitted
Received: the number of ICMP messages that the VPN Concentrator received but determined to have
ICMP-specific errors (bad ICMP checksums, bad length, etc.). Transmitted: the number of ICMP messages
that the VPN Concentrator did not send because of problems within ICMP, such as a lack of buffers.
Destination Unreachable Received / Transmitted
The number of ICMP Destination Unreachable messages received / sent. Destination Unreachable
messages apply to many network situations, including inability to determine a route, an unusable source
route specified, and the Don’t Fragment flag set for a packet that must be fragmented.
Time Exceeded Received / Transmitted
The number of ICMP Time Exceeded messages received / sent. Time Exceeded messages indicate that
the lifetime of the packet has expired, or that a router cannot reassemble a packet within a time limit.
Parameter Problems Received / Transmitted
The number of ICMP Parameter Problem messages received / sent. Parameter Problem messages
indicate a syntactic or semantic error in an IP header.
Source Quench Received / Transmitted
The number of ICMP Source Quench messages received / sent. Source Quench messages provide
rudimentary flow control; they request a reduction in the rate of sending traffic on the network.
Redirects Received / Transmitted
The number of ICMP Redirect messages received / sent. Redirect messages advise that there is a better
route to a particular destination.
Echo Requests (PINGs) Received / Transmitted
The number of ICMP Echo (request) messages received / sent. Echo messages are probably the most
visible ICMP messages. They test the communication path between network entities by asking for Echo
Reply response messages.
Echo Replies (PINGs) Received / Transmitted
The number of ICMP Echo Reply messages received / sent. Echo Reply messages are sent in response
to Echo messages, to test the communication path between network entities.
Timestamp Requests Received / Transmitted
The number of ICMP Timestamp (request) messages received / sent. Timestamp messages measure the
propagation delay between network entities by including the originating time in the message, and asking
for the receipt time in a Timestamp Reply message.
Timestamp Replies Received / Transmitted
The number of ICMP Timestamp Reply messages received / sent. Timestamp Reply messages are sent
in response to Timestamp messages, to measure propagation delay in the network.
Address Mask Requests Received / Transmitted
The number of ICMP Address Mask Request messages received / sent. Address Mask Request messages
ask for the address (subnet) mask for the LAN to which a router connects.
Address Mask Replies Received / Transmitted
The number of ICMP Address Mask Reply messages received / sent. Address Mask Reply messages
respond to Address Mask Request messages by supplying the address (subnet) mask for the LAN to
which a router connects.
Monitoring | Statistics | MIB-II | ARP Table
This screen shows entries in the Address Resolution Protocol mapping table since the VPN Concentrator
was last booted or reset. ARP matches IP addresses with physical MAC addresses, so the system can
forward traffic to computers on its network. RFC 2011 defines MIB entries in the ARP table.
The entries are sorted first by Interface, then by IP Address. To speed display, the Manager might
construct multiple 64-row tables. Use the scroll controls (if present) to view the entire series of tables.
You can also delete dynamic, or learned, entries in the mapping table.
Figure 15-28 Monitoring | Statistics | MIB-II | ARP Table Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Arp Entries
The total number of entries in the ARP table.
Interface
The VPN Concentrator network interface on which this mapping applies:
• 1 = Ethernet 1 (Private) interface.
• 2 = Ethernet 2 (Public) interface.
• 3 = Ethernet 3 (External) interface.
• 8 or greater = WAN interface.
• 1000 and up = VPN tunnels, which are treated as logical interfaces.
Physical Address
The hardwired MAC (Medium Access Control) address of a physical network interface card, in 6-byte
hexadecimal notation, that maps to the IP Address. Exceptions are:
• 00 = a virtual address for a tunnel.
• FF.FF.FF.FF.FF.FF = a network broadcast address.
IP Address
The IP address that maps to the Physical Address.
Mapping Type
The type of mapping:
• Other = none of the following.
• Invalid = an invalid mapping.
• Dynamic = a learned mapping.
• Static = a static mapping on the VPN Concentrator.
Action / Delete
To remove a dynamic, or learned, mapping from the table, click Delete. There is no confirmation or
undo. The Manager deletes the entry and refreshes the screen.
To delete an entry, you must have the administrator privilege to Modify Config under General Access
Rights. See Administration | Access Rights | Administrators.
You cannot delete static mappings.
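The table described above is the raw material for a simple ARP-spoofing check. The following is an added example, not part of this manual or of Cisco's software: it parses rows laid out like the ARP Table screen (interface, physical address, IP address, mapping type; the rows and addresses are constructed) and flags two conditions a practitioner watches for: a learned entry whose MAC address changed between two snapshots (for example, the public-side default gateway suddenly resolving to a different card), and one MAC address answering for several IP addresses on the same interface. Tunnel entries (the 00 virtual address and interface numbers 1000 and up) and the broadcast entry are skipped. The helper names are my own.

```python
from collections import defaultdict
from dataclasses import dataclass

BROADCAST_MAC = "FF.FF.FF.FF.FF.FF"   # network broadcast entry
TUNNEL_MAC = "00"                     # virtual address shown for tunnel entries
FIRST_TUNNEL_IFINDEX = 1000           # interfaces 1000 and up are VPN tunnels


@dataclass(frozen=True)
class ArpEntry:
    interface: int
    mac: str
    ip: str
    mapping: str                      # Other / Invalid / Dynamic / Static


# Constructed snapshots in the column order of the ARP Table screen (not real device output).
ARP_T0 = """
1 00.A0.C9.00.00.01 10.10.147.1 Dynamic
2 00.50.56.AB.CD.01 192.0.2.1 Dynamic
2 FF.FF.FF.FF.FF.FF 192.0.2.255 Static
1000 00 10.10.200.5 Other
"""

# Ten minutes later: 192.0.2.1 (the public-side gateway) now resolves to a card that also
# claims 192.0.2.20, the classic picture of a host poisoning the ARP cache.
ARP_T1 = """
1 00.A0.C9.00.00.01 10.10.147.1 Dynamic
2 00.0C.29.DE.AD.01 192.0.2.1 Dynamic
2 00.0C.29.DE.AD.01 192.0.2.20 Dynamic
2 FF.FF.FF.FF.FF.FF 192.0.2.255 Static
1000 00 10.10.200.5 Other
"""


def parse_arp_table(text: str):
    """Parse rows copied from the screen: interface, physical address, IP address, type."""
    entries = []
    for line in text.strip().splitlines():
        iface, mac, ip, mapping = line.split()
        entries.append(ArpEntry(int(iface), mac.upper(), ip, mapping))
    return entries


def physical_entries(entries):
    """Drop tunnel and broadcast rows; only real LAN neighbours can be spoofed this way."""
    return [e for e in entries
            if e.interface < FIRST_TUNNEL_IFINDEX and e.mac not in (TUNNEL_MAC, BROADCAST_MAC)]


def changed_mappings(prev, curr):
    """IP addresses whose learned MAC differs between two snapshots of the table."""
    before = {(e.interface, e.ip): e.mac for e in physical_entries(prev)}
    changes = []
    for e in physical_entries(curr):
        old = before.get((e.interface, e.ip))
        if old is not None and old != e.mac:
            changes.append((e.interface, e.ip, old, e.mac))
    return changes


def shared_macs(entries):
    """MAC addresses that answer for more than one IP address on the same interface."""
    owners = defaultdict(set)
    for e in physical_entries(entries):
        owners[(e.interface, e.mac)].add(e.ip)
    return {key: sorted(ips) for key, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    t0, t1 = parse_arp_table(ARP_T0), parse_arp_table(ARP_T1)
    for iface, ip, old, new in changed_mappings(t0, t1):
        print(f"interface {iface}: {ip} moved from {old} to {new}")
    for (iface, mac), ips in shared_macs(t1).items():
        print(f"interface {iface}: {mac} claims {', '.join(ips)}")
```

A legitimate change (a replaced router or NIC) produces the same alert, so the check is a prompt to verify, not proof of an attack; a static mapping for the gateway on the public interface removes the ambiguity, because static entries are not overwritten by learned ones.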
Monitoring | Statistics | MIB-II | Ethernet
This screen shows statistics in MIB-II objects for Ethernet interface traffic on the VPN Concentrator
since it was last booted or reset. IEEE standard 802.3 describes Ethernet networks, and RFC 1650
defines Ethernet interface MIB objects.
To configure Ethernet interfaces, see Configuration | Interfaces.
Figure 15-29 Monitoring | Statistics | MIB-II | Ethernet Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Interface
The Ethernet interface to which the data in this row applies. Only configured interfaces are shown.
Alignment Errors
The number of frames received on this interface that are not an integral number of bytes long and do not
pass the FCS (Frame Check Sequence; used for error detection) check.
FCS Errors
The number of frames received on this interface that are an integral number of bytes long but do not pass
the FCS (Frame Check Sequence) check.
Carrier Sense Errors
The number of times that the carrier sense signal was lost or missing when trying to transmit a frame on
this interface.
SQE Test Errors
The number of times that the SQE (Signal Quality Error) Test Error message was generated for this
interface. The SQE message tests the collision circuits on an interface.
Frame Too Long Errors
The number of frames received on this interface that exceed the maximum permitted frame size.
Deferred Transmits
The number of frames for which the first transmission attempt on this interface is delayed because the
medium is busy. This number does not include frames involved in collisions.
Single Collisions
The number of successfully transmitted frames on this interface for which transmission is inhibited by
exactly one collision. This number is not included in the Multiple Collisions number.
Multiple Collisions
The number of successfully transmitted frames on this interface for which transmission is inhibited by
more than one collision. This number does not include the Single Collisions number.
Late Collisions
The number of times that a collision is detected on this interface later than 512 bit-times into the
transmission of a packet. 512 bit-times = 51.2 microseconds on a 10-Mbps system.
Excessive Collisions
The number of frames for which transmission on this interface failed due to excessive collisions.
MAC Errors: Transmit
The number of frames for which transmission on this interface failed due to an internal MAC sublayer
transmit error. This number does not include Carrier Sense Errors, Late Collisions, or Excessive
Collisions.
MAC Errors: Receive
The number of frames for which reception on this interface failed due to an internal MAC sublayer
receive error. This number does not include Alignment Errors, FCS Errors, or Frame Too Long Errors.
Speed (Mbps)
This interface’s nominal bandwidth in megabits per second.
Duplex
The current LAN duplex transmission mode for this interface:
• Full = Full-Duplex: transmission in both directions at the same time.
• Half = Half-Duplex: transmission in only one direction at a time.
Monitoring | Statistics | MIB-II | SNMP
This screen shows statistics in MIB-II objects for SNMP traffic on the VPN Concentrator since it was
last booted or reset. RFC 1907 defines SNMP version 2 MIB objects.
To configure the VPN Concentrator SNMP server, see Configuration | System | Management Protocols |
SNMP.
Figure 15-30 Monitoring | Statistics | MIB-II | SNMP Screen
Refresh
To update the screen and its data, click Refresh. The date and time indicate when the screen was last
updated.
Requests Received
The total number of SNMP messages received by the VPN Concentrator.
Bad Version
The total number of SNMP messages received that were for an unsupported SNMP version. The VPN
Concentrator supports SNMP version 2.
Bad Community String
The total number of SNMP messages received that used an SNMP community string the VPN
Concentrator did not recognize. A count that keeps rising indicates either a misconfigured management
station or someone guessing community strings. See Configuration | System | Management Protocols |
SNMP Communities to configure permitted community strings. To protect security, the VPN
Concentrator does not ship with the usual default community string, public.
Parsing Errors
The total number of syntax or transmission errors encountered by the VPN Concentrator when decoding
received SNMP messages.
Silent Drops
The total number of SNMP request messages that were silently dropped because the reply exceeded the
maximum allowable message size.
Proxy Drops
The total number of SNMP request messages that were silently dropped because the transmission of the
reply message to a proxy target failed for some reason (other than a timeout).
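Several of the counters on the TCP/UDP, IP, ICMP and SNMP screens above are useful security signals when watched as growth between samples rather than as raw totals: a Bad Community String count that climbs steadily, Address Mask or Timestamp requests arriving at all, ICMP Redirects received, a burst of TCP Attempt Failures, or a jump in IP address errors. The following is an added example, not part of this manual or of Cisco's software: it takes two snapshots of the counters (the values are constructed, keyed by screen name and field label under a naming convention of my own), computes how much each counter grew, treats a counter that went down as a reboot (every screen counts since the last boot or reset), and reports the rules whose thresholds were exceeded. The thresholds are illustrative assumptions to be tuned per site.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    counter: str      # snapshot key: "<screen> / <field label>"
    threshold: int    # alert when the counter grew by more than this between samples
    reason: str


# Illustrative thresholds (assumptions, not values from the manual).
RULES = [
    Rule("SNMP / Bad Community String", 5, "community-string guessing or a misconfigured NMS"),
    Rule("TCP/UDP / TCP Attempt Failures", 50, "possible port scan or connect() sweep"),
    Rule("ICMP / Address Mask Requests Received", 0, "subnet reconnaissance"),
    Rule("ICMP / Timestamp Requests Received", 0, "host fingerprinting"),
    Rule("ICMP / Redirects Received", 0, "attempt to alter the routing table"),
    Rule("IP / Packets Received (Address Errors)", 100, "spoofed or malformed destinations"),
]

# Constructed sample snapshots (not real device output), taken ten minutes apart.
SAMPLE_T0 = {
    "SNMP / Requests Received": 1200,
    "SNMP / Bad Community String": 2,
    "TCP/UDP / TCP Attempt Failures": 14,
    "ICMP / Address Mask Requests Received": 0,
    "ICMP / Timestamp Requests Received": 0,
    "ICMP / Redirects Received": 0,
    "IP / Packets Received (Address Errors)": 3,
}
SAMPLE_T1 = {
    "SNMP / Requests Received": 4800,
    "SNMP / Bad Community String": 3150,
    "TCP/UDP / TCP Attempt Failures": 16,
    "ICMP / Address Mask Requests Received": 2,
    "ICMP / Timestamp Requests Received": 0,
    "ICMP / Redirects Received": 0,
    "IP / Packets Received (Address Errors)": 3,
}


def counter_deltas(prev, curr):
    """Growth of each counter between two snapshots.

    The screens count since the last boot or reset, so a value that went down
    means the system restarted; the whole current value is then new growth.
    """
    deltas = {}
    for name, now in curr.items():
        before = prev.get(name, 0)
        deltas[name] = now if now < before else now - before
    return deltas


def evaluate(prev, curr, rules=RULES):
    """Return (counter, growth, reason) for every rule whose threshold was exceeded."""
    deltas = counter_deltas(prev, curr)
    return [(r.counter, deltas[r.counter], r.reason)
            for r in rules if deltas.get(r.counter, 0) > r.threshold]


if __name__ == "__main__":
    for counter, growth, reason in evaluate(SAMPLE_T0, SAMPLE_T1):
        print(f"{counter}: +{growth} ({reason})")
```

With the constructed samples, the Bad Community String counter grew by 3148 while total SNMP requests grew by 3600, so nearly every new request carried an unknown community string, and two Address Mask requests arrived where none are expected; both are reported, while the small rise in TCP Attempt Failures stays under its threshold.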
Appendix A
Using the Command-Line Interface
The VPN 3000 Concentrator Series Command-Line Interface (CLI) is a menu- and command-line-based
configuration, administration, and monitoring system built into the VPN Concentrator. You use it via the
system console or a Telnet (SSL Telnet or SSH) session.
You can use the CLI to completely manage the system. You can access and configure the same
parameters as the HTML-based VPN 3000 Concentrator Series Manager, except for IPSec LAN-to-LAN
configuration.
This chapter describes general features of the CLI and how to access and use it. It does not describe the
individual menu items and parameter entries. For information on specific parameters and options, see
the corresponding section of the VPN Concentrator Manager in the VPN 3000 Series Concentrator
Reference. For example, to understand Ethernet interface configuration parameters and choices, see
Configuration | Interfaces | Ethernet 1 2 3 in the “Interfaces” chapter of VPN 3000 Series Concentrator
Reference Volume I: Configuration.
Accessing the CLI
You can access the CLI in two ways: via the system console or a Telnet (or Telnet over SSL) client.
Console access
To access the CLI via console:
Step 1
Connect a PC to the VPN Concentrator via a straight-through RS-232 serial cable (which Cisco supplies
with the system) between the Console port on the VPN Concentrator and the COM1 or serial port on the
PC. For more information, see the VPN Concentrator Getting Started manual.
Step 2
Start a terminal emulator (e.g., HyperTerminal) on the PC. Configure a connection to COM1 with port
settings of:
• 9600 bits per second.
• 8 data bits.
• No parity.
• 1 stop bit.
• Hardware flow control.
Step 3
Set the emulator for VT100 emulation, or let it auto-detect the emulation type.
Step 4
Press Enter on the PC keyboard until you see the login prompt. (You might see a password prompt and
error messages as you press Enter; ignore them and stop at the login prompt.)
Login: _
Telnet or Telnet/SSL Access
To access the CLI via a Telnet or Telnet/SSL client:
Step 1
Enable the Telnet or Telnet/SSL server on the VPN Concentrator. (They are both enabled by default.)
See the Configuration | System | Management Protocols | Telnet screen on the VPN Concentrator
Manager.
Step 2
Start the Telnet or Telnet/SSL client, and connect to the remote system using these parameters:
• Host Name or Session Name = The IP address on the VPN Concentrator Ethernet 1 (Private) interface; e.g., 10.10.147.2
• Port = Telnet (The default Telnet port is 23; the default Telnet/SSL port is 992.)
• Terminal Type = VT100 or ANSI
• Telnet/SSL only: If the client offers it, enable both SSL and SSL Only.
Step 3
The VPN Concentrator displays a login prompt:
Login: _
SSH Access
To access the CLI via an SSH client:
Step 1
Enable the SSH server on the VPN Concentrator. (It is enabled by default.) See the Configuration |
System | Management Protocols | SSH screen on the VPN Concentrator Manager.
Step 2
Start the SSH client, and connect to the remote system using these parameters:
• Host Name or Session Name = The IP address on the VPN Concentrator Ethernet 1 (Private) interface; e.g., 10.10.147.2
• Port = SSH (The default SSH port is 22.)
• Terminal Type = VT100 or ANSI
• User name = admin
Step 3
A security warning might appear stating: “There is no entry for this server in your list of known hosts.”
If this warning appears, continue.
Step 4
Enter your administrative password, and connect to the VPN Concentrator. When your connection is
established, you are already logged in.
Starting the CLI
You start the CLI by logging in.
CLI login usernames and passwords for both console and Telnet access are the same as those configured
and enabled for administrators. See the Administration | Access Rights | Administrators screen. By
default, only admin is enabled.
This example uses the factory-supplied default admin login and password. If you have changed them,
use your entries.
At the prompts, enter the administrator login name and password. Entries are case-sensitive. (The CLI
does not show your entry.)
Login: admin
Password: admin
The CLI displays the opening welcome message, the main menu, and the Main -> prompt:
Welcome to
Cisco Systems
VPN 3000 Concentrator Series
Command Line Interface
Copyright (C) 1998-2001 Cisco Systems, Inc.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> _
Using the CLI
This section explains how to:
• Choose menu items.
• Enter values for parameters and options.
• Specify configured items by number or name.
• Navigate quickly—using shortcuts—through the menus.
• Display a brief help message.
• Save entries to the system configuration file.
• Stop the CLI.
• Understand CLI administrator access rights.
The CLI displays menus or prompts at every level to guide you in choosing configurable options and
setting parameters. The prompt always shows the menu context.
Choosing Menu Items
To use the CLI, enter a number at the prompt that corresponds to the desired menu item, and press Enter.
For example, this is the Configuration > System > General > System Identification menu:
1) Set System Name
2) Set Contact
3) Set Location
4) Back
General -> _
Enter 1 to set the system name.
Entering Values
The CLI shows any current or default value for a parameter in brackets [ ]. To change the value, enter a
new value at the prompt. To leave the value unchanged, just press Enter.
Continuing the example above, this is the prompt to enter a value for the system name:
> Host Name
General -> [ Lab VPN ] _
You can enter a new name at the prompt, or just press Enter to keep the current name.
Specifying Configured Items
Many menus give choices that act on configured items—such as groups, users, filter rules, etc.—and the
CLI lists those items with a number and their name. To specify an item, you can usually enter either its
number or its name. The CLI indicates when you must use a specific identifier (usually the item’s
number).
For example, the Configuration > User Management > Groups menu lists configured groups:
Current User Groups
--------------------------------------------------------------
| 1. QuickGroup
| 2. IPSecGroup
--------------------------------------------------------------
1) Add a Group
2) Modify a Group
3) Delete a Group
4) Back
Groups -> _
To delete QuickGroup, enter 3 at the prompt. The CLI displays:
> Enter the Group to Delete
Groups -> _
At the prompt you can enter either its number (1) or its name (QuickGroup).
However, this next example shows the prompt for a specific identifier. The Configuration > System >
Servers > Authentication menu lists configured servers:
Authentication Server Summary Table
Num | Server        | Type     | Port
------------------------------------------------------------
  1 | Internal      | Internal | 0
  2 | 192.168.34.56 | RADIUS   | 0
------------------------------------------------------------
1) Add Authentication Server
2) Modify Authentication Server
3) Delete Authentication Server
4) Move Server Up
5) Move Server Down
6) Test Server
7) Back
Authentication -> _
To delete the RADIUS server, enter 3 at the prompt. The CLI displays:
> Delete Server (number)
Authentication -> _
At the prompt, you must enter 2 for the RADIUS server.
Navigating Quickly through the CLI
There are two ways to move quickly through the CLI: shortcut numbers, and the Back/Home options.
Both ways work only when you are at a menu, not when you are at a value entry.
Using Shortcut Numbers
Once you become familiar with the structure of the CLI—which parallels the HTML-based VPN
Concentrator Manager—you can quickly access any level by entering a series of numbers separated by
periods. For example, suppose you want to change the General Parameters for the Base Group. The
series of menus that gets to that level from the main menu is:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 1 (Configuration)
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> 3 (User Management)
1) Base Group
2) Groups
3) Users
4) Back
User Management -> 1 (Base Group)
1) General Parameters
2) Server Parameters
3) IPSec Parameters
4) PPTP/L2TP Parameters
5) Back
Base Group -> 1 (General Parameters)
1) Access Parameters
2) Tunneling Protocols
3) SEP Config
4) Back
Base Group -> _
As a shortcut, you can just enter 1.3.1.1 at the Main-> prompt, and move directly to the Base Group
General Parameters menu:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 1.3.1.1
1) Access Parameters
2) Tunneling Protocols
3) SEP Config
4) Back
Base Group -> _
The prompt always shows the current context in the menu structure.
Using Back and Home
Most menus include a numbered Back choice. Instead of entering a number, you can just enter b or B to
move back to the previous menu.
Also, at any menu level, you can just enter h or H to move home to the main menu.
Getting Help Information
To display a brief help message, enter 5 at the main menu prompt. The CLI explains how to navigate
through menus and enter values. This help message is available only at the main menu.
Cisco Systems. Help information for the Command Line Interface
From any menu except the Main menu.
-- ’B’ or ’b’ for Back to previous menu.
-- ’H’ or ’h’ for Home back to the main menu.
For Data entry
-- Current values are in ’[ ]’s. Just hit ’Enter’ to accept value.
1) View Help Again
2) Back
Help -> _
To return to the main menu from this help menu, enter h (for home), or 2 or b (for back) at the prompt.
Saving the Configuration File
Configuration and administration entries take effect immediately and are included in the active, or
running, configuration. However, if you reboot the VPN Concentrator without saving the active
configuration, you lose any changes.
To save changes to the system configuration (CONFIG) file, navigate to the main menu. At the prompt,
enter 4 for Save changes to Config file.
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 4
The system writes the active configuration to the CONFIG file and redisplays the main menu.
Stopping the CLI
To stop the CLI, navigate to the main menu and enter 6 for Exit at the prompt:
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> 6
Done
Make sure you save any configuration changes before you exit from the CLI.
Understanding CLI Access Rights
What you see and can configure with the CLI depends on administrator access rights. If you don’t have
permission to configure an option, you see the designation “-)” (rather than a number) in menus.
For example, here is the main menu for the default User administrator:
-) Configuration
-) Administration
3) Monitoring
-) Save changes to Config file
5) Help Information
6) Exit
Main -> _
The default User administrator can only monitor the VPN Concentrator, not configure system parameters
or administer the system.
See Administration | Access Rights | Administrators in Chapter 1, “Administration,” for more
information.
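The shortcut mechanism described under “Using Shortcut Numbers” and the “-)” designation described just above are two views of the same menu tree: a dotted shortcut is a path of item numbers, and an item the administrator lacks rights to is one that cannot be entered. The following is an added example, not code from the Cisco manual: it models the part of the menu tree needed for the 1.3.1.1 example, renders a menu as the CLI prints it, and resolves shortcuts while refusing an item shown as “-)”. The menu names are those in this appendix; the set of items denied to the default User administrator is constructed to reproduce the main menu shown above, and selecting Back is not modelled.

```python
from typing import FrozenSet, List, Tuple

# A menu is (name, children). Only the branch used by the 1.3.1.1 example is
# filled in; the other entries are left without children. The Base Group list
# is the one from the Release 3.1 menu reference in this appendix.
Menu = Tuple[str, list]

MAIN_MENU: Menu = ("Main", [
    ("Configuration", [
        ("Interface Configuration", []),
        ("System Management", []),
        ("User Management", [
            ("Base Group", [
                ("General Parameters", [
                    ("Access Parameters", []),
                    ("Tunneling Protocols", []),
                    ("SEP Config", []),
                    ("Back", []),
                ]),
                ("Server Parameters", []),
                ("IPSec Parameters", []),
                ("IPSec Client Firewall Parameters", []),
                ("PPTP/L2TP Parameters", []),
                ("Back", []),
            ]),
            ("Groups", []),
            ("Users", []),
            ("Back", []),
        ]),
        ("Policy Management", []),
        ("Back", []),
    ]),
    ("Administration", []),
    ("Monitoring", []),
    ("Save changes to Config file", []),
    ("Help Information", []),
    ("Exit", []),
])

# Items the default User administrator sees as "-)". Constructed to match the
# main menu the manual shows for that administrator (monitor only).
USER_DENIED: FrozenSet[str] = frozenset(
    {"Configuration", "Administration", "Save changes to Config file"})


def render_menu(menu: Menu, denied: FrozenSet[str] = frozenset()) -> List[str]:
    """Render a menu as the CLI prints it: 'n) name', or '-) name' for an item
    the administrator has no right to choose."""
    lines = []
    for number, (name, _) in enumerate(menu[1], start=1):
        tag = f"{number})" if name not in denied else "-)"
        lines.append(f"{tag} {name}")
    return lines


def resolve_shortcut(shortcut: str, denied: FrozenSet[str] = frozenset(),
                     start: Menu = MAIN_MENU) -> List[str]:
    """Follow a dotted shortcut such as '1.3.1.1' from a menu prompt and return
    the names of the menus entered. Raises ValueError for a number that is not
    on the current menu and PermissionError for an item shown as '-)'."""
    node = start
    path: List[str] = []
    for part in shortcut.split("."):
        name, children = node
        if not part.isdigit() or not 1 <= int(part) <= len(children):
            raise ValueError(f"no item {part!r} in the {name} menu")
        child = children[int(part) - 1]
        if child[0] in denied:
            raise PermissionError(f"{child[0]} is not available to this administrator")
        path.append(child[0])
        node = child
    return path


if __name__ == "__main__":
    print(" > ".join(resolve_shortcut("1.3.1.1")))
    print("\n".join(render_menu(MAIN_MENU, USER_DENIED)))
```

Because shortcuts are positional, a tree like this is also the quickest way to check familiar shortcuts against a new release, as the note in the menu reference advises: regenerate the tree from the new release's menus and re-resolve the shortcuts you rely on.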
CLI Menu Reference
This section shows all the menus in the first three levels below the CLI main menu. (There are many
additional menus below the third level; and within the first three levels, there are some non-menu
parameter settings. To keep this chapter at a reasonable size, we show only the menus here.)
The numbers in each heading are the keyboard shortcut to reach that menu from the main menu. For
example, entering 1.3.1 at the main menu prompt takes you to the Configuration > User Management>
Base Group menu.
Note
The CLI menus and options—and thus the keyboard shortcuts—may change with new software
versions. Please check familiar shortcuts carefully when using a new release.
Note
The Model 3005 has two Ethernet interfaces and one expansion card slot, and Models 3015–3080
have three interfaces and four expansion card slots. Therefore, CLI menu shortcuts differ where they
involve interface and expansion card selections. We note some differences here, but please note
carefully the system you are using.
Main Menu
1) Configuration
2) Administration
3) Monitoring
4) Save changes to Config file
5) Help Information
6) Exit
Main -> _
1 Configuration
1) Interface Configuration
2) System Management
3) User Management
4) Policy Management
5) Back
Config -> _
1.1 Configuration > Interface Configuration
This table shows current IP addresses.
.
.
.
Note
The following menu appears on models 3015–3080 only.
1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Ethernet #3 (External)
4) Configure Power Supplies
5) Configure Expansion Cards
6) Back
Interfaces -> _
Note
The following menu appears on model 3005 only.
1) Configure Ethernet #1 (Private)
2) Configure Ethernet #2 (Public)
3) Configure Power Supplies
4) Configure Expansion Cards
5) Back
Interfaces -> _
1.1.1, 1.1.2, or 1.1.3 Configuration > Interface Configuration > Configure Ethernet #1 or #2 or #3
Note
The Configuration > Interface Configuration > Configure Ethernet #3 menu appears only on models
3015-3080. It does not appear on model 3005.
1) Interface Setting (Disable, DHCP or Static IP)
2) Set Public Interface
3) Select IP Filter
4) Select Ethernet Speed
5) Select Duplex
6) Set Port Routing Config
7) Back
Ethernet Interface 1 -> _
1.1.4 Configuration > Interface Configuration > Configure Power Supplies
Note
The following menu appears on models 3015–3080 only.
Alarm Thresholds in centivolts (e.g. 361 = 3.61V)
Voltages will be adjusted to conform to the hardware.
1) Configure CPU voltage thresholds
2) Configure Power Supply 1 voltage thresholds
3) Configure Power Supply 2 voltage thresholds
4) Configure Board voltage thresholds
5) Back
Interfaces -> _
1.1.3 Configuration > Interface Configuration > Configure Power Supplies
Note
The following menu appears on model 3005 only.
Alarm Thresholds in centivolts (e.g. 361 = 3.61V)
Voltages will be adjusted to conform to the hardware.
1) Configure CPU voltage thresholds
2) Configure Power Supply voltage thresholds
3) Configure Board voltage thresholds
4) Back
Interfaces -> _
1.1.5 Configuration > Interface Configuration > Configure Expansion Cards
Note
The following menu appears on models 3015–3080 only.
Expansion Cards
------------------------------------------
| 1. SEP   | 2. Dual T1/E1 WAN |
------------------------------------------
| 3. None  | 4. None           |
------------------------------------------
1) Configure Slot #1
2) Configure Slot #2
3) Configure Slot #3
4) Configure Slot #4
5) Back
Interfaces -> _
1.1.4 Configuration > Interface Configuration > Configure Expansion Cards
Note
The following menu appears on model 3005 only.
Expansion Card:
1) Configure Expansion Card
2) Back
Interfaces -> _
1.2 Configuration > System Management
1) Servers (Authentication, Accounting, etc.)
2) Address Management
3) Tunneling Protocols (PPTP, L2TP, etc.)
4) IP Routing (static routes, OSPF, etc.)
5) Management Protocols (Telnet, TFTP, FTP, etc.)
6) Event Configuration
7) General Config (system name, time, etc.)
8) Client Update
9) Load Balancing Configuration
10) Back
System -> _
1.2.1 Configuration > System Management > Servers
1) Authentication Servers
2) Accounting Servers
3) DNS Servers
4) DHCP Servers
5) NTP Servers
6) Back
Servers -> _
1.2.2 Configuration > System Management > Address Management
1) Address Assignment
2) Address Pools
3) Back
Address -> _
1.2.3 Configuration > System Management > Tunneling Protocols
1) PPTP
2) L2TP
3) IKE Proposals
4) Back
Tunnel -> _
Note
The CLI does not include IPSec LAN-to-LAN configuration.
1.2.4 Configuration > System Management > IP Routing
1) Static Routes
2) Default Gateways
3) OSPF
4) OSPF Areas
5) DHCP
6) Redundancy
7) Back
Routing -> _
1.2.5 Configuration > System Management > Management Protocols
1) Configure FTP
2) Configure HTTP/HTTPS
3) Configure TFTP
4) Configure Telnet
5) Configure SNMP
6) Configure SNMP Community Strings
7) Configure SSL
8) Configure SSH
9) Back
Network -> _
1.2.6 Configuration > System Management > Event Configuration
1) General
2) FTP Backup
3) Classes
4) Trap Destinations
5) Syslog Servers
6) SMTP Servers
7) Email Recipients
8) Back
Event -> _
1.2.7 Configuration > System Management > General Config
1) System Identification
2) System Time and Date
3) Session Configuration
4) Global Authentication Parameters
5) Back
General -> _
1.2.8 Configuration > System Management > Client Update
1) Client Update Enable
2) Client Update Entries
3) Back
Client Update -> _
1.2.9 Configuration > System Management > Load Balancing
1) Cluster Configuration
2) Device Configuration
3) Back
Load Balancing -> _
1.3 Configuration > User Management
1) Base Group
2) Groups
3) Users
4) Back
User Management -> _
1.3.1 Configuration > User Management > Base Group
1) General Parameters
2) Server Parameters
3) IPSec Parameters
4) IPSec Client Firewall Parameters
5) PPTP/L2TP Parameters
6) Back
Base Group -> _
1.3.2 Configuration > User Management > Groups
Current User Groups
.
.
.
1) Add a Group
2) Modify a Group
3) Delete a Group
4) Back
Groups -> _
1.3.3 Configuration > User Management > Users
Current Users
.
.
.
1) Add a User
2) Modify a User
3) Delete a User
4) Back
Users -> _
1.4 Configuration > Policy Management
1) Access Hours
2) Traffic Management
3) Back
Policy -> _
1.4.1 Configuration > Policy Management > Access Hours
Current Access Hours
.
.
.
1) Add Access Hours
2) Modify Access Hours
3) Delete Access Hours
4) Back
Access Hours -> _
1.4.2 Configuration > Policy Management > Traffic Management
1) Network Lists
2) Rules
3) Security Associations (SAs)
4) Filters
5) Network Address Translation (NAT)
6) Back
Traffic -> _
2 Administration
1) Administer Sessions
2) Software Update
3) System Reboot
4) Ping
5) Access Rights
6) File Management
7) Certificate Management
8) Back
Admin -> _
2.1 Administration > Administer Sessions
Active Sessions
.
.
.
1) Refresh Session Status
2) Logoff Session
3) Session Details
4) Filter Sessions on Group
5) Back
Admin -> _
2.2 Administration > Software Update
1) Concentrator
2) Clients
3) Back
Admin -> _
2.3 Administration > System Reboot
1) Cancel Scheduled Reboot/Shutdown
2) Schedule Reboot
3) Schedule Shutdown
4) Back
Admin -> _
2.3.2 Administration > System Reboot > Schedule Reboot
1) Save active Configuration and use it at Reboot
2) Reboot without saving active Configuration file
3) Reboot ignoring the Configuration file
4) Back
Admin -> _
2.3.3 Administration > System Reboot > Schedule Shutdown
1) Save active configuration and use it at next reboot
2) Shutdown without saving active Configuration file
3) Use Factory/Default Configuration at next reboot
4) Back
Admin -> _
2.5 Administration > Access Rights
1) Administrators
2) Access Control List
3) Access Settings
4) Admin AAA Servers
5) Back
Admin -> _
2.5.1 Administration > Access Rights > Administrators
Administrative Users
.
.
.
1) Modify Administrator
2) Back
Admin -> _
2.5.2 Administration > Access Rights > Access Control List
This is the Current Access List
.
.
.
1) Add Manager Workstation
2) Modify Manager Workstation
3) Delete Manager Workstation
4) Move Manager Workstation Up
5) Move Manager Workstation Down
6) Back
Admin -> _
2.5.3 Administration > Access Rights > Access Settings
1) Set Session Timeout
2) Set Session Limit
3) Enable/Disable Encrypt Config File
4) Back
Admin -> _
2.5.4 Administration > Access Rights > Admin AAA Servers
1) Authentication Servers
2) Back
Admin -> _
2.6 Administration > File Management
List of Files
.
.
.
1) Delete File
2) Copy File
3) View File
4) Put File via TFTP
5) Get File via TFTP
6) Swap Config Files
7) Upload Config Files
8) Back
File -> _
2.6.6 Administration > File Management > Swap Configuration File
Every time the active configuration is saved,...
.
.
.
1) Swap
2) Back
Admin -> _
2.7 Administration > Certificate Management
1) Enrollment
2) Installation
3) Certificate Authorities
4) Identity Certificates
5) SSL Certificate
6) Back
Certificates -> _
2.7.2 Administration > Certificate Management > Installation
1) Install Certificate Authority
2) Install SSL Certificate (from Enrollment)
3) Install SSL Certificate (with private key)
4) Install Identity Certificate (from Enrollment)
5) Back
Certificates -> _
2.7.3 Administration > Certificate Management > Certificate Authorities
Certificate Authorities
.
.
.
1) View Certificate
2) Delete Certificate
3) CRL Configuration
4) Back
Certificates -> _
2.7.4 Administration > Certificate Management > Identity Certificates
Identity Certificates
.
.
.
1) View Certificate
2) Delete Certificate
3) Back
Certificates -> _
2.7.5 Administration > Certificate Management > SSL Certificate
Subject
.
.
.
1) Delete Certificate
2) Generate Certificate
3) Back
Certificates -> _
3 Monitoring
1) Routing Table
2) Event Log
3) System Status
4) Sessions
5) General Statistics
6) Back
Monitor -> _
3.1 Monitoring > Routing Table
Routing Table
.
.
.
1) Refresh Routing Table
2) Clear Routing Table
3) Back
Routing -> _
3.2 Monitoring > Event Log
1) Configure Log viewing parameters
2) View Event Log
3) Save Log
4) Clear Log
5) Back
Log -> _
3.2.2 Monitoring > Event Log > View Event Log
[Event Log entries]
.
.
.
1) First Page
2) Previous Page
3) Next Page
4) Last Page
5) Back
Log -> _
3.3 Monitoring > System Status
Note
The following menu appears on models 3015–3080 only.
System Status
.
.
.
1) Refresh System Status
2) View Card Status
3) View LED status
4) Back
Status -> _
Note
The following menu appears on model 3005 only.
System Status
.
.
.
1) Refresh System Status
2) View Card Status
3) Back
Status ->
3.3.2 Monitoring > System Status > View Card Status
Note
The following menu appears on models 3015–3080 only.
1) Card in Slot 1
2) Card in Slot 2
3) Card in Slot 3
4) Card in Slot 4
5) Back
Card Status -> _
Note
The following menu appears on model 3005 only.
1) Card in Slot 1
2) Back
Card Status -> _
3.4 Monitoring > Sessions
Note
The following menu appears on models 3015–3080 only.
1) View Session Statistics
2) View Top Ten Lists
3) View Session Protocols
4) View Session SEPs
5) View Session Encryption
6) Select Group to View
7) Back
Sessions -> _
Note
The following menu appears on model 3005 only.
1) View Session Statistics
2) View Top Ten Lists
3) View Session Protocols
4) View Session Encryption
5) Select Group to View
6) Back
Sessions -> _
3.4.1 Monitoring > Sessions > View Session Statistics
Active Sessions
.
.
.
1) Refresh Session Statistics
2) Session Details
3) Back
Sessions -> _
3.4.2 Monitoring > Sessions > View Top Ten Lists
1) Top 10 Users based on Data
2) Top 10 Users based on Duration
3) Top 10 Users based on Throughput
4) Back
Sessions -> _
3.4.3 Monitoring > Sessions > View Session Protocols
Session Protocols
.
.
.
1) Refresh Session Protocols
2) Back
Sessions -> _
3.4.4 Monitoring > Sessions > View Session SEPs
Session SEPs
.
.
.
1) Refresh Session SEPs
2) Back
Session ->
3.4.5 Monitoring > Sessions > View Session Encryption
Session Encryption
.
.
.
1) Refresh Session Encryption
2) Back
Sessions -> _
3.4.6 Monitoring > Sessions > Select Group to View
Current User Groups
.
.
.
> Group to view (-1 for All Groups, 0 for Base Group)
Sessions ->
3.5 Monitoring > General Statistics
1) Protocol Statistics
2) Server Statistics
3) Event Statistics
4) MIB II Statistics
5) Back
General -> _
3.5.1 Monitoring > General Statistics > Protocol Statistics
1) PPTP Statistics
2) L2TP Statistics
3) IPSec Statistics
4) HTTP Statistics
5) Telnet Statistics
6) DNS Statistics
7) VRRP Statistics
8) SSL Statistics
9) SSH Statistics
10) Back
General -> _
3.5.2 Monitoring > General Statistics > Server Statistics
1) Authentication Statistics
2) Accounting Statistics
3) Filtering Statistics
4) DHCP Statistics
5) Address Pool Statistics
6) Load Balancing Statistics
7) Compression Statistics
8) Admin AAA Authentication Statistics
9) Back
General -> _
3.5.3 Monitoring > General Statistics > Event Statistics
Event Statistics
.
.
.
1) Refresh Event Statistics
2) Back
General -> _
3.5.4 Monitoring > General Statistics > MIB II Statistics
1) Interface-based
2) System-level
3) Back
MIB2 -> _
Appendix B
Troubleshooting and System Errors
This appendix describes common errors that can occur while configuring and using the system, and how
to correct them. It also describes LED indicators on the system and its expansion modules.
Files for Troubleshooting
The VPN 3000 Concentrator creates several files that you can examine and that can assist Cisco support
engineers when troubleshooting errors and problems:
• Event log.
• SAVELOG.TXT—Event log that is automatically saved when the system crashes and when it is rebooted.
• CRSHDUMP.TXT—Internal system data file that is written when the system crashes.
• CONFIG, CONFIG.BAK—Normal configuration file used to boot the system, and backup configuration file.
Event Logs
The VPN Concentrator records system events in the event log, which is stored in nonvolatile memory
(NVRAM). To troubleshoot operational problems, we recommend that you start by examining the event
log. See Configuration | System | Events and Monitor | Event Log.
The VPN Concentrator automatically saves the event log to a file in flash memory if it crashes, and when
it is rebooted. This log file is named SAVELOG.TXT, and it overwrites any existing file with that name.
The SAVELOG.TXT file is useful for debugging. See Configuration | System | Events and
Administration | File Management | Files.
Crash Dump File
If the VPN Concentrator crashes during operation, it saves internal system data in nonvolatile memory
(NVRAM), and then automatically writes this data to a CRSHDUMP.TXT file in flash memory when it
is rebooted. This file contains the crash date and time, software version, tasks, stack, registers, memory,
buffers, and timers, which are helpful to Cisco support engineers. In case of a crash, we ask that you
send this file when you contact Technical Assistance Center (TAC) for assistance. See Administration |
File Management | Files for information on managing files in flash memory.
Configuration Files
The VPN Concentrator saves the current boot configuration file (CONFIG) and its predecessor
(CONFIG.BAK) as files in flash memory. These files may be useful for troubleshooting. See
Administration | File Management | Files for information on managing files in flash memory.
VPN Concentrator Manager Errors
Table B-1 lists errors that might occur while using the HTML-based VPN Concentrator Manager with a
browser.
Table B-1 VPN Concentrator Manager Errors

Symptom: Browser Refresh or Reload Button Logs Out the Manager.
Problem: You clicked the Refresh or Reload button on the browser navigation toolbar, and the Manager logged out. The main login screen appears.
Possible Cause: To protect access security, clicking Refresh / Reload on the browser toolbar automatically logs out the Manager session.
Solution: Do not use the browser navigation toolbar buttons with the VPN Concentrator Manager. Use only the Manager Refresh button where it appears on a screen. We recommend that you hide the browser navigation toolbar to prevent mistakes.

Symptom: Browser Back or Forward Button displays an Incorrect Screen or Incorrect Data.
Problem: You clicked the Back or Forward button on the browser navigation toolbar, and the Manager displayed the wrong screen or incorrect data.
Possible Cause: To protect security and the integrity of data entries, clicking Back or Forward on the browser toolbar deletes pointers and values within the Manager.
Solution: Do not use the browser navigation toolbar buttons with the VPN Concentrator Manager. Navigate using the location bar at the top of the Manager window, the table of contents in the left frame, or links on Manager screens. We recommend that you hide the browser navigation toolbar to prevent mistakes.

Symptom: The Manager displays the Invalid Login or Session Timeout screen.
Problem: You entered an invalid administrator login name and password combination.
Possible Cause:
• Typing error.
• Invalid (unrecognized) login name or password.
Solution: Reenter the login name and password and click Login. Use a valid login name and password. Type carefully.
Symptom: The Manager displays the Invalid Login or Session Timeout screen.
Problem: The Manager session has been idle longer than the configured timeout interval.
Possible Cause:
• No activity for (interval) seconds. The Manager resets the inactivity timer only when you click an action button (such as Apply, Add, or Cancel) or a link on a screen—that is, when you invoke a different screen. Entering values or setting parameters on a given screen does not reset the timer.
• Default timeout interval is 600 seconds (10 minutes).
• Timeout interval set too low for normal use.
Solution: On the Administration | Access Rights | Access Settings screen, change the Session Timeout interval to a larger value and click Apply.

Symptom: The Manager displays a screen with the message, “Error/ An error has occurred while attempting to perform the operation.” An additional error message describes the erroneous operation.
Problem: You tried to perform some operation that is not allowed.
Possible Cause: The screen displays a message that describes the cause.
Solution: Click Retry the operation to return to the screen where you were working and correct the mistake. Carefully check all your previous entries on that screen. The Manager attempts to retain valid entries, but invalid entries are lost. Click Go to main menu to go to the main Manager screen.

Symptom: The Manager displays a screen with the message, “You are using an old browser or have disabled JavaScript...”
Problem: The VPN Concentrator Manager cannot work with the browser that you have invoked.
Possible Cause:
• You are using the Manager with an unsupported browser.
• You are using the Manager with an obsolete browser.
• You are using a browser that does not have JavaScript enabled.
Solution: Use Microsoft Internet Explorer version 4.0 or higher. Use Netscape Navigator version 4.5 or higher. Be sure JavaScript is enabled in the browser. See the section “Required Browser” in Chapter 2 of VPN 3000 Concentrator Series Getting Started, or the section “Browser Requirements” in Chapter 1 of the VPN 3000 Concentrator Series User Guide.
Symptom: The Manager displays a screen with the message, “Not Allowed/You do not have sufficient authorization to access the specified page.”
Problem: You tried to access an area of the Manager that you do not have authorization to access.
Possible Cause:
• You logged in using an administrator login name that has limited privileges.
• You logged in from a workstation that has limited access privileges.
Solution: Log in using the system administrator login name and password. (Defaults are admin/admin.) Log in from a workstation with greater access privileges. Have the system administrator change your privileges on the Administration | Access Rights | Administrators screen. Have the system administrator change the privileges of your workstation on the Administration | Access Rights | Access Control List screen.

Symptom: The Manager displays a screen with the message, “Not Found / An error has occurred while attempting to access the specified page.” The screen includes additional information that identifies system activity and parameters.
Problem: The Manager could not find a screen.
Possible Cause:
• You updated the software image and did not clear the browser’s cache.
• There is an internal Manager error.
Solution:
• Clear the browser cache: delete its temporary internet files, history files, and location bar references. Then try again.
• Please note the system information on the screen and contact TAC for assistance.

Symptom: Microsoft Internet Explorer displays a Script Error dialog box that includes the error message, “No such interface supported.”
Problem: While using a Manager function that opens another browser window (such as Save Needed, Help, or Software Update), Internet Explorer cannot open the window and displays the error dialog box.
Possible Cause: A bug in the Internet Explorer JavaScript interpreter.
Solution:
1. Click No on the error dialog box.
2. Log out of the Manager.
3. Close Internet Explorer.
4. Reinstall Internet Explorer.
Command-Line Interface Errors
Table B-2 lists errors that might occur while using the menu-based Command-line Interface from a
console or Telnet session.
Table B-2 VPN 3000 Concentrator Command-Line Interface Errors

Console Message: ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID.
Problem: The system expected a valid 4-byte dotted decimal entry, and the entry wasn’t in that format.
Possible Cause:
• You entered something other than a 4-byte dotted decimal number. You might have omitted a byte position, or entered a number greater than 255 in a byte position.
• You entered 0.0.0.0 instead of an appropriate address.
Solution: At the prompt, reenter a valid 4-byte dotted decimal number.

Console Message: ERROR:-- Out of Range Value Entered. Try Again.
Problem: The system expected a number within a certain range, and the entry was outside that range.
Possible Cause:
• You entered a letter instead of a number.
• You entered a number greater than the possible menu numbers.
Solution: At the prompt, reenter a number in the appropriate range.

Console Message: ERROR:-- The Passwords Do Not Match. Please Try Again.
Problem: The entry for a password and the entry to verify the password do not match.
Possible Cause:
• You mistyped an entry.
• You entered either a password or verify entry, but not the other.
Solution: At the Verify prompt, re-enter the password. If the original password is incorrect, press Enter and re-enter both the password and the verification at the prompts.
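The three checks behind the Table B-2 messages are ordinary input validation, and an administrator building a front end or a scripted provisioning tool for the Concentrator wants the same rejections before anything reaches the console. The following Python is an added example, not code from the VPN Concentrator or from Cisco; it reconstructs the rules from the Problem and Possible Cause columns above (four byte positions, each 0 to 255, 0.0.0.0 rejected; an integer inside a menu range; a password and verify entry that are both present and equal) and returns the table's console message on failure. The sample entries, the `allow_zero` switch and the menu range 1 to 8 are constructed for the illustration.

```python
"""Input validation mirroring the three CLI checks listed in Table B-2.

Added example, not VPN Concentrator code. The error strings are the console
messages from the table; the rules are reconstructed from its Problem and
Possible Cause columns.
"""
import hmac
from typing import List, Optional, Tuple

ERR_BAD_ADDR = "ERROR:-- Bad IP Address/Subnet Mask/Wildcard Mask/Area ID."
ERR_RANGE = "ERROR:-- Out of Range Value Entered. Try Again."
ERR_PASSWD = "ERROR:-- The Passwords Do Not Match. Please Try Again."


def _is_ascii_integer(text: str) -> bool:
    """True only for a non-empty run of ASCII digits (rejects '', '-1', '1a', 'q')."""
    return text.isascii() and text.isdigit()


def check_dotted_decimal(entry: str, allow_zero: bool = False) -> Optional[str]:
    """Return None for a valid 4-byte dotted decimal entry, else the console message.

    Rejects an omitted (or extra) byte position, a non-numeric byte, a byte
    greater than 255 and, unless allow_zero is set, the all-zero entry
    0.0.0.0 that the table lists as a cause of the Bad IP Address error.
    allow_zero is a constructed switch: some prompts (for example a wildcard
    mask) legitimately accept 0.0.0.0, an address prompt does not.
    """
    parts = entry.strip().split(".")
    if len(parts) != 4:
        return ERR_BAD_ADDR
    octets = []
    for part in parts:
        if not _is_ascii_integer(part):
            return ERR_BAD_ADDR
        value = int(part)
        if value > 255:
            return ERR_BAD_ADDR
        octets.append(value)
    if not allow_zero and octets == [0, 0, 0, 0]:
        return ERR_BAD_ADDR
    return None


def check_in_range(entry: str, low: int, high: int) -> Optional[str]:
    """Return None for an integer within [low, high], else the console message.

    A letter instead of a number and a number past the last menu item both
    yield the Out of Range message, exactly as the table describes.
    """
    text = entry.strip()
    if not _is_ascii_integer(text):
        return ERR_RANGE
    value = int(text)
    if value < low or value > high:
        return ERR_RANGE
    return None


def check_password_pair(password: str, verify: str) -> Optional[str]:
    """Return None when both entries were given and match, else the console message.

    Covers both causes in the table: a mistyped entry, and a password or
    verify entry given without the other. The comparison is constant-time so
    that the check itself does not leak how many leading characters matched.
    """
    if not password or not verify:
        return ERR_PASSWD
    if not hmac.compare_digest(password.encode("utf-8"), verify.encode("utf-8")):
        return ERR_PASSWD
    return None


# Constructed sample entries: (prompt kind, text typed at the prompt).
SAMPLE_ENTRIES: List[Tuple[str, str]] = [
    ("ip", "192.168.10.1"),    # valid
    ("ip", "192.168.10"),      # omitted byte position
    ("ip", "192.168.300.1"),   # byte greater than 255
    ("ip", "0.0.0.0"),         # all-zero address
    ("menu", "3"),             # valid menu number
    ("menu", "q"),             # letter instead of a number
    ("menu", "12"),            # past the last menu item
]


def validate_entries(entries: List[Tuple[str, str]],
                     menu_high: int = 8) -> List[Tuple[str, Optional[str]]]:
    """Run each sample through the matching check; return (text, error-or-None) pairs.

    menu_high is a constructed value for the illustration: the number of
    items on the hypothetical menu being answered.
    """
    results = []
    for kind, text in entries:
        if kind == "ip":
            err = check_dotted_decimal(text)
        else:
            err = check_in_range(text, 1, menu_high)
        results.append((text, err))
    return results


if __name__ == "__main__":
    for text, err in validate_entries(SAMPLE_ENTRIES):
        print(f"{text!r:18} -> {err or 'accepted'}")
```

Each check returns the console message rather than raising, so a caller can loop on the prompt the way the CLI does (print the message, re-prompt) without special-casing exceptions.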
LED Indicators
LED indicators on the VPN Concentrator and its expansion modules are normally green. The usage
gauge LEDs are normally blue. LEDs that are amber or off might indicate an error condition. NA means
not applicable; that is, the LED does not have that state.
Contact TAC if any LED indicates an error condition.
VPN Concentrator (front) LEDs
The LEDs on the front of the VPN 3000 Concentrator are as follows:

LED Indicator: System
  Green: Power on. Normal. Blinking Green (Model 3005 only)—System is in a shutdown (halted) state, ready to power off.
  Amber: System has crashed and halted. Error.
  Off: Power off. (All other LEDs are also off.)

The LEDs below exist only on Models 3015–3080.

LED Indicator: Ethernet Link Status 1 2 3
  Green: Connected to network and enabled. Blinking Green—Connected to network and configured, but disabled.
  Amber: NA
  Off: Not connected to network or not enabled.

LED Indicator: Expansion Modules Insertion Status 1 2 3 4
  Green: SEP module or WAN interface module installed in system.
  Amber: NA
  Off: Module not installed in system.

LED Indicator: Expansion Modules Run Status 1 2 3 4
  Green: SEP module or WAN interface module operational.
  Amber: Module failed during operation. Error.
  Off: If installed, module failed diagnostics or encryption code is not running. Error.

LED Indicator: Fan Status
  Green: Operating normally.
  Amber: Not running or RPM below normal range. Error.
  Off: NA

LED Indicator: Power Supplies A B
  Green: Installed and operating normally.
  Amber: Voltage(s) outside of normal ranges. Error.
  Off: Not installed.

LED Indicator: CPU Utilization
  Green: This statistic selected for usage gauge display.
  Amber: NA
  Off: Not selected.

LED Indicator: Active Sessions
  Green: This statistic selected for usage gauge display.
  Amber: NA
  Off: Not selected.

LED Indicator: Throughput
  Green: This statistic selected for usage gauge display.
  Amber: NA
  Off: Not selected.
Usage Gauge LEDs (Models 3015–3080 only)

Left to right sequential segments, varying number:
  Steady or Intermittent Blue: Normal operation.
  Blinking Blue: NA

All 10 segments:
  Steady or Intermittent Blue: NA
  Blinking Blue: VPN Concentrator is in a shutdown (halted) state, ready to power off.
VPN Concentrator Rear LEDs
The LEDs on the rear of the VPN 3000 Concentrator are as follows:
Private / Public / External Ethernet Interfaces (connected to network):

LED Indicator: Link
  Green: Carrier detected. Normal.
  Amber: NA
  Off: No carrier detected. Error.

LED Indicator: Tx
  Green: Transmitting data. Normal. Intermittent on.
  Amber: NA
  Off: Not transmitting data. Idle. Intermittent off.

LED Indicator: Coll
  Green: NA
  Amber: Data collisions detected.
  Off: No collisions. Normal.

LED Indicator: 100
  Green: Speed set at 100 Mbps.
  Amber: NA
  Off: Speed set at 10 Mbps.
SEP Module LEDs
SEP (Scalable Encryption Processing) module LEDs are present only on models 3015 through 3080 and
are visible from the rear of the VPN Concentrator.
SEP Module LED: Power
  Green: Power on. Normal.
  Amber: NA
  Off: Power is not reaching the module. It might not be seated correctly. Error.

SEP Module LED: Status
  Green: Encryption code is running. Normal.
  Amber: Module failed during operation. Error.
  Off: Module failed diagnostics or encryption code is not running. Error.
WAN Interface Module LEDs
WAN module LEDs are visible from the rear of the VPN Concentrator.
WAN Module LED: Power
  On: Normal operation.
  Blinking: NA
  Off: Power is not reaching the module. It may not be seated correctly. Error.

WAN Module LED: Status
  On: Module has passed diagnostics and is operational. Normal.
  Blinking: Module failed diagnostics. Error.
  Off: Module has failed. Error.
This table shows all possible combinations for the LEDs on each WAN port.

WAN Port LEDs (Alrm = Alarm, CD = Carrier Detect, Sync = Synchronization, LpBk = Loopback)

Alrm Off, CD On, Sync On, LpBk Off: Normal operation. Carrier detected, line in synchronization.

Alrm Off, CD Off, Sync Off, LpBk On: Line is in loopback mode. This mode occurs, for example, when you install the line and the carrier is testing the signal. You can also set loopback mode by pressing the LpBk switch. LpBk is a recessed momentary-contact switch that sets loopback mode in this sequence: Port A on; Port B on; Ports A and B on; Ports A and B off.

All four Port LEDs blinking in unison: Port configured but not enabled.

T1/E1 Line Error Condition:
  Alrm On, CD Off, Sync Off, LpBk Off: Red—Complete loss of signal. Possible causes: out-of-frame errors, mismatched framing format (for example, one side using SF and the other using ESF), or disconnected line.
  Alrm On, CD Off, Sync Off, LpBk On: Red in loopback mode.
  Alrm On, CD On, Sync On, LpBk Off: Yellow—Problem in transmit path; that is, the remote connection has detected a problem on this line.
  Alrm On, CD On, Sync On, LpBk On: Yellow in loopback mode.
  Alrm On, CD On, Sync Off, LpBk Off: Blue—Problem in receive path; that is, the line has lost synchronization with the remote connection.
  Alrm On, CD On, Sync Off, LpBk On: Blue in loopback mode.
Appendix C
Copyrights, Licenses, and Notices
Software License Agreement of Cisco Systems, Inc.
CISCO SYSTEMS, INC. IS WILLING TO LICENSE TO YOU THE SOFTWARE CONTAINED IN
THE ACCOMPANYING CISCO PRODUCT ONLY IF YOU ACCEPT ALL OF THE TERMS AND
CONDITIONS IN THIS LICENSE AGREEMENT. PLEASE READ THIS AGREEMENT
CAREFULLY BEFORE YOU OPEN THE PACKAGE BECAUSE, BY OPENING THE SEALED
PACKAGE, YOU ARE AGREEING TO BE BOUND BY THE TERMS AND CONDITIONS OF THIS
AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CISCO
SYSTEMS WILL NOT LICENSE THIS SOFTWARE TO YOU. IN THAT CASE YOU SHOULD
RETURN THE PRODUCT PROMPTLY, INCLUDING THE PACKAGING, THE UNOPENED
PACKAGE, ALL ACCOMPANYING HARDWARE, AND ALL WRITTEN MATERIALS, TO THE
PLACE OF PURCHASE FOR A FULL REFUND.
Ownership of the Software
1. The software contained in the accompanying Cisco product (“the Software”) and any accompanying
written materials are owned or licensed by Cisco Systems and are protected by United States copyright
laws, laws of other nations, and/or international treaties.
Grant of License
2. Cisco Systems hereby grants to you the right to use the Software with the Cisco VPN 3000
Concentrator product. To this end, the Software contains both operator software for use by the network
administrator and client software for use by clients at remote network nodes. You may transfer the client
software, or portions thereof, only to prospective nodes on the network, and to no one else. You may not
transfer the operator software.
Restrictions on Use and Transfer
3. You may not otherwise copy the Software, except that you may make one copy of the Software solely
for backup or archival purposes. To this end, you may transfer the Software to a single disk provided you
keep the disk solely for backup or archival purposes. You may not copy the written materials and you
may not use the backup or archival copy of the Software except in conjunction with the accompanying
Cisco product.
4. You may permanently transfer the Software and accompanying written materials (including the most
recent update and all prior versions) only in conjunction with a transfer of the entire Cisco product, and
only if you retain no copies and the transferee agrees to be bound by the terms of this Agreement. Any
transfer terminates your license. You may not rent or lease the Software or otherwise transfer or assign
the right to use the Software, except as stated in this paragraph.
5. You may not export the Software, even as part of the Cisco product, to any country for which the
United States requires any export license or other governmental approval at the time of export without
first obtaining the requisite license and/or approval. Furthermore, you may not export the Software, even
as part of the Cisco product, in violation of any export control laws of the United States or any other
country.
6. You may not modify, translate, decompile, disassemble, use for any competitive analysis, reverse
engineer, distribute, or create derivative works from, the Software or accompanying documentation or
any copy thereof, in whole or in part.
7. The subject license will terminate immediately if you do not comply with any and all of the terms and
conditions set forth herein. Upon termination for any reason, you (the licensee) must immediately
destroy, or return to Cisco Systems, the Software and accompanying documentation and all copies
thereof. Cisco Systems is not liable to you for damages in any form solely by reason of termination of
this license.
8. You may not remove or alter any copyright, trade secret, patent, trademark, trade name, logo, product
designation or other proprietary and/or other legal notices contained in or on the Software and
accompanying documentation. These legal notices must be retained on any copies of the Software and
accompanying documentation made pursuant to paragraphs 2 and 3 hereof.
9. You shall acquire no rights of any kind to any copyright, trade secret, patent, trademark, trade name,
logo, or product designation contained in, or relating to, the Software or accompanying documentation
and shall not make use thereof except as expressly authorized herein or otherwise authorized in writing
by Cisco Systems.
10. Any notice, demand, or request with respect to this Agreement shall be in writing and shall be
effective only if it is delivered by hand or mailed, certified or registered mail, postage prepaid, return
receipt requested, addressed to Cisco Systems, whose address is set forth below. Such communications
shall be effective when they are received by Cisco Systems.
Limited Warranty
11. Cisco Systems warrants that the Software will perform substantially in accordance with the
accompanying written materials for a period of 90 days from the date of your receipt of the Software.
Any implied warranties on the Software are limited to 90 days. Some states do not allow limitations on
duration of an implied warranty, so the above limitation may not apply to you.
12. CISCO SYSTEMS DISCLAIMS ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, WITH RESPECT TO THE
SOFTWARE, THE ACCOMPANYING WRITTEN MATERIALS, AND THE ACCOMPANYING
HARDWARE. This limited warranty gives you specific legal rights. You may have others, which vary
from state to state.
13. CISCO SYSTEMS’ ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY SHALL BE, AT
CISCO SYSTEMS’ CHOICE, EITHER (A) RETURN OF THE PRICE PAID OR (B) REPLACEMENT
OF THE SOFTWARE THAT DOES NOT MEET CISCO SYSTEMS’ LIMITED WARRANTY AND
WHICH IS RETURNED TO CISCO SYSTEMS TOGETHER WITH A COPY OF YOUR RECEIPT.
Any replacement Software will be warranted for the remainder of the original warranty period or 30
days, whichever is longer. These remedies are not available outside the United States of America.
14. This Limited Warranty is void if failure of the Software has resulted from modification, accident,
abuse, or misapplication.
15. IN NO EVENT WILL CISCO SYSTEMS BE LIABLE TO YOU FOR DAMAGES, INCLUDING
ANY LOSS OF PROFITS, LOST SAVINGS, OR OTHER INCIDENTAL OR CONSEQUENTIAL
DAMAGES ARISING OUT OF YOUR USE OR INABILITY TO USE THE SOFTWARE. Because
some states do not allow the exclusion or limitation of liability for consequential or incidental damages,
the above limitation may not apply to you.
16. This Agreement is governed by the laws of the State of Massachusetts.
17. If you have any questions concerning this Agreement or wish to contact Cisco Systems for any
reason, please call (508) 541-7300, or write to
Cisco Systems, Inc.
124 Grove Street, Suite 205
Franklin, Massachusetts 02038.
18. U.S. Government Restricted Rights. The Software and accompanying documentation are provided
with Restricted Rights. Use, duplication, or disclosure by the Government is subject to restrictions set
forth in subparagraph (c)(1) of The Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 or subparagraphs (c)(1)(ii) and (2) of Commercial Computer Software - Restricted Rights
at 48 CFR 52.227-19, as applicable. Supplier is Cisco Systems, Inc., 124 Grove Street, Suite 205,
Franklin, Massachusetts 02038.
19. This Agreement constitutes the entire agreement between Cisco Systems and the licensee. There are
no understandings, agreements, representations, or warranties, expressed or implied, not specified
herein regarding this Agreement or the Software licensed hereunder. Only the terms and conditions
contained in this Agreement shall govern the transaction contemplated hereunder, notwithstanding any
additional, different, or conflicting terms which may be contained in any purchase order or other
documents pertaining to the subject transaction.
Other Licenses
The VPN 3000 Concentrator Series contains and uses software from other firms, under license. Relevant
copyright and license notices follow.
BSD Software
Copyright © 1990, 1993
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
DHCP Client
Copyright © 1995, 1996, 1997 The Internet Software Consortium.
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of The Internet Software Consortium nor the names of its contributors may be used
to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INTERNET
SOFTWARE CONSORTIUM OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
DNS Resolver (Client)
DNS Resolver / BSD / DEC / Internet Software Consortium
Copyright © 1988, 1993
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes software developed by the University of California, Berkeley and its contributors.
4. Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Portions Copyright © 1993 by Digital Equipment Corporation.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is
hereby granted, provided that the above copyright notice and this permission notice appear in all copies,
and that the name of Digital Equipment Corporation not be used in advertising or publicity pertaining to
distribution of the document or software without specific, written prior permission.
THE SOFTWARE IS PROVIDED “AS IS” AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL
EQUIPMENT CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
Portions Copyright © 1996 by Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is
hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED “AS IS” AND INTERNET SOFTWARE CONSORTIUM
DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT,
OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
Portions Copyright © 1995 by International Business Machines, Inc.
International Business Machines, Inc. (hereinafter called IBM) grants permission under its copyrights to
use, copy, modify, and distribute this Software with or without fee, provided that the above copyright
notice and all paragraphs of this notice appear in all copies, and that the name of IBM not be used in
connection with the marketing of any product incorporating the Software or modifications thereof,
without specific, written prior permission.
To the extent it has a right to do so, IBM grants an immunity from suit under its patents, if any, for the
use, sale or manufacture of products to the extent that such products are used for performing Domain
Name System dynamic updates in TCP/IP networks by means of the Software. No immunity is granted
for any product per se or for any other function of any product.
THE SOFTWARE IS PROVIDED “AS IS”, AND IBM DISCLAIMS ALL WARRANTIES,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
IPSec
COPYRIGHT 1.1a (NRL) 17 August 1995
COPYRIGHT NOTICE
All of the documentation and software included in this software distribution from the US Naval Research
Laboratory (NRL) are copyrighted by their respective developers.
This software and documentation were developed at NRL by various people. Those developers have
each copyrighted the portions that they developed at NRL and have assigned All Rights for those
portions to NRL. Outside the USA, NRL also has copyright on the software developed at NRL. The
affected files all contain specific copyright notices and those notices must be retained in any derived
work.
NRL LICENSE
NRL grants permission for redistribution and use in source and binary forms, with or without
modification, of the software and documentation created at NRL provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes software developed at the Information Technology Division, US Naval Research
Laboratory.
4. Neither the name of the NRL nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS “AS IS”
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The views and conclusions contained in the software and documentation are those of the authors and
should not be interpreted as representing official policies, either expressed or implied, of the US Naval
Research Laboratory (NRL).
LDAP
Copyright © 1992-1996 Regents of the University of Michigan.
All rights reserved.
Redistribution and use in source and binary forms are permitted provided that this notice is preserved
and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may
not be used to endorse or promote products derived from this software without specific prior written
permission. This software is provided “as is” without express or implied warranty.
LZS221-C v6
Copyright © 1988-1999 by Hi/fn, Inc. Includes one or more U.S. Patent numbers: 4701745, 5016009,
5126739, 5146221, 5414425, 5463390, and 5506580. Other Patents Pending.
MPPC-C v4
Copyright © 1996-1998 by Hi/fn, Inc. Includes one or more U.S. Patent numbers: 4701745, 5016009,
5126739, 5146221, 5414425, and 5463390. Other Patents Pending.
Outline Style Table of Contents in JavaScript
OUTLINE STYLE TABLE OF CONTENTS in JAVASCRIPT, Version 3.0
by Danny Goodman (dannyg@dannyg.com)
Analyzed and described at length in “JavaScript Bible”, by Danny Goodman
(IDG Books ISBN 0-7645-3022-4)
This program is Copyright 1996, 1997, 1998 by Danny Goodman. You may adapt this outline for your
Web pages, provided these opening credit lines (down to the lower dividing line) are in your outline
HTML document. You may not reprint or redistribute this code without permission from the author.
RSA Software
Copyright © 1995-1998 RSA Data Security, Inc. All rights reserved. This work contains
proprietary information of RSA Data Security, Inc. Distribution is limited to authorized
licensees of RSA Data Security, Inc. Any unauthorized reproduction or distribution of this
document is strictly prohibited.
BSAFE is a trademark of RSA Data Security, Inc.
SecureID
SecureID is a product of RSA Security Inc., Bedford, MA (formerly Security Dynamics Technologies, Inc.).
Use of SDTI's Trade Name and Trademarks
(a) Any advertising or promotional literature or announcement to the press by the Partner regarding its
relationship with SDTI, or otherwise utilizing SDTI's name or trademarks must be approved by SDTI in
writing in advance, which approval will not be unreasonably withheld or delayed.
(b) The Partner shall include and shall not alter, obscure or remove any SDTI name or any other
trademark or trade name used by SDTI or any markings, colors or other insignia which are contained on
or in or fixed to the Software (collectively, “Proprietary Marks”). Partner agrees to include SDTI's
copyright notice in its help screen as it pertains to the SDTI Translation.
Server SNMP
Copyright 1998 by Carnegie Mellon University
All Rights Reserved
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright notice appear in all copies and that both
that copyright notice and this permission notice appear in supporting documentation, and that the name
of CMU not be used in advertising or publicity pertaining to distribution of the software without specific,
written prior permission.
CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU
BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER
IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Client SNMP
Copyright © 1996, 1997 by Westhawk Ltd. (www.westhawk.co.uk)
Permission to use, copy, modify, and distribute this software for any purpose and without fee is hereby
granted, provided that the above copyright notices appear in all copies and that both the copyright notice
and this permission notice appear in supporting documentation. This software is provided “as is” without
express or implied warranty.
author tpanton@ibm.net (Tim Panton)
SSH
Copyright © 1993, 1995-2000 by DataFellows, Inc. All rights reserved.
SSL Plus
Certicom, the Certicom logo, SSL Plus, and Security Builder are trademarks of Certicom Corp.
Copyright © 1997-1999 Certicom Corp. Portions are Copyright © 1997-1998, Consensus Development
Corporation, a wholly owned subsidiary of Certicom Corp. All rights reserved.
Contains an implementation of NR signatures, licensed under U.S. patent 5,600,725. Protected by U.S.
patents 5,787,028; 4,745,568; 5,761,305. Patents pending.
TCP Compression / Uncompression
Routines to compress and uncompress TCP packets (for transmission over low speed serial lines).
Copyright © 1989 Regents of the University of California.
All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice
and this paragraph are duplicated in all such forms and that any documentation, advertising materials,
and other materials related to such distribution and use acknowledge that the software was developed by
the University of California, Berkeley. The name of the University may not be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Van Jacobson (van@helios.ee.lbl.gov), Dec 31, 1989:
- Initial distribution.
Modified for KA9Q Internet Software Package by Katie Stevens (dkstevens@ucdavis.edu)
University of California, Davis
Computing Services
- 01-31-90  initial adaptation (from 1.19)
  PPP.05  02-15-90  [ks]
  PPP.08  05-02-90  [ks]    use PPP protocol field to signal compression
  PPP.15  09-90     [ks]    improve mbuf handling
  PPP.16  11-02     [karn]  substantially rewritten to use NOS facilities
- Feb 1991  Bill_Simpson@um.cc.umich.edu
  variable number of conversation slots
  allow zero or one slots
  separate routines
  status display
Telnet Server
Copyright phase2 networks 1996. All rights reserved.
SID: 1.1
Revision History:
1.1  97/06/23 21:17:43  root
Regulatory Standards Compliance
Standards Compliance
The VPN 3000 Concentrator complies with the following regulatory standards:

Specification           Description
Regulatory compliance   Products bear CE Marking indicating compliance with (99/5/EEC) directives, which include the following safety and EMC standards.
Safety                  UL 60950; CAN/CSA-C22.2 No. 60950; EN 60950; IEC 60950; TS 001; AS/NZS 3260
EMC                     FCC Part 15 (CFR 47) Class A; ICES-003 Class A; EN55022 Class A; CISPR22 Class A; AS/NZS 3548 Class A; VCCI Class A; EN55024; ETS300 386-2; EN50082-1; EN61000-3-2; EN61000-3-3
Telecom (E1)            CTR 12/13; ACA TS016
Telecom (T1)            US FCC Part 68; Canadian CS03; JATE Green Book
FCC Part 68 Notice
The equipment complies with Part 68 of the FCC rules. On the tray of this equipment is a label that
contains, among other information, the FCC registration number. If requested, this information must be
provided to the telephone company.
This equipment cannot be used on telephone company-provided coin services. Connection to the Party
Line Service is subject to state tariffs.
If this equipment causes harm to the telephone network, the telephone company notifies you in advance
that temporary discontinuance of service might be required. If advance notice is not practical, the
telephone company notifies the customer as soon as possible. Also, you are advised of your right to file
a complaint with the FCC if you believe it is necessary.
The telephone company can make changes in its facilities, equipment, operations, or procedures that
could affect the operation of the equipment. If this happens, the telephone company provides advance
notice in order for you to make the necessary modifications to maintain uninterrupted service.
If trouble is experienced with this equipment, please contact us for repair and warranty information. If
the trouble is causing harm to the telephone network, the telephone company can request you remove
the equipment from the network until the problem is resolved.
We recommend that you install an AC surge arrestor in the AC outlet to which this device is connected.
This is to avoid damaging the equipment caused by local lightning strikes and other electrical surges.
This equipment uses the Uniform Service Order Code (USOC) jacks described below.

Model Name      Facility Interface Code   Service Order Code   Jack Type
CVPN_3000-2T    04DU9-1SN                 6.0N                 RJ48C
CS-03 Certification
The equipment is CS-03 certified. Refer to Table C-1 for CS03 approval details for equipment. Observe
the following general information and safety precautions:
The Industry Canada label identifies CS-03 certified equipment. This certification means that the
equipment meets certain telecommunications network protection, operation, and safety requirements as
described in the appropriate terminal equipment requirements document(s). The department does not
guarantee the equipment will operate to the user’s satisfaction.
Before installing the equipment, ensure that it is permissible to connect it to the facilities of the local
telecommunications company. The equipment must also be installed using an acceptable method of
connection. The customer should be aware that compliance with the above conditions may not prevent
degradation of service in some situations.
Repairs to certified equipment should be coordinated by a representative designated by the supplier. Any
repairs or alterations made by the user to this equipment, or equipment malfunctions, may give the
telecommunications company cause to request the user to disconnect the equipment.
Ensure that the electrical ground connections of the power utility, telephone lines, and internal metallic
water pipe system, if present, are connected together. This precaution may be particularly important in
rural areas.
Warning
Do not attempt to make such connections yourself. Contact the appropriate electric inspection
authority or electrician as appropriate.
Table C-1  CS03 Approval

Model Number    Approval Number
CVPN3005-T1     #2461 10854 A
CVPN3000-2T1    #2461 10854 A
JATE
The equipment meets the requirements of the Japan Approvals Institute for Telecommunications
Equipment (JATE). Refer to Table C-2 for JATE approval details.
Table C-2  JATE Approval

Applicant Name        Model Number    Approval Number
Nihon Cisco Systems   CVPN3000-2T1    #D00-0687 JP
Nihon Cisco Systems   CVPN3005-T1     #D00-0687 JP
EMC Environmental Conditions for Product to be Installed in the
European Union
This equipment is intended to operate under the following environmental conditions with respect to
EMC:
• A separate defined location under user’s control.
• Earthing and bonding shall meet the requirements of ETS 300 253 or CCITT K27.
• Where applicable, AC power distribution shall be one of the following types: TN-S and TN-C [as defined in IEC 364-3].
In addition, if equipment is operated in a domestic environment, interference might occur.
(FCC) Class A Warning
“Modifying the equipment without Cisco's authorization may result in the equipment no longer
complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use
the equipment may be limited by FCC regulations, and you may be required to correct any interference
to radio or television communications at your own expense.”
[cfr reference 15.21]
For Class A equipment
“NOTE: This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial environment. This
equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference in which case
the user will be required to correct the interference at his own expense.”
[cfr reference 15.105]
Canada Class A Warning
This Class ‘A’ digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe « A » est conforme à la norme NMB-003 du Canada.
(CISPR 22) Class A Warning
Warning: This is a class A product. In a domestic environment this product may cause radio interference
in which case the user may be required to take adequate measures.
Japan (VCCI) Class A Warning
Translation:
This is a Class A product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio
disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.
Taiwan (BSMI) Class A Warning
Hungarian Class A Warning
Figyelmeztetés a felhasználói kézikönyv számára: Ez a berendezés "A" osztályú termék, felhasználására
és üzembe helyezésére a magyar EMC "A" osztályú követelményeknek (MSZ EN 55022) megfelelően
kerülhet sor, illetve ezen "A" osztályú berendezések csak megfelelő kereskedelmi forrásból
származhatnak, amelyek biztosítják a megfelelő speciális üzembe helyezési körülményeket és
biztonságos üzemelési távolságok alkalmazását.
Translation:
This equipment is a Class A product and should be used and installed properly according to the
Hungarian EMC Class A requirements (MSZ EN 55022). Class A equipment is intended for typical
commercial establishments, for which special conditions of installation and protection distance are used.