Manuals / Cisco Systems / Household Appliance / Home Safety Product

Cisco Systems VPN 3002 Failed Inbound Authentications, Outbound Authentications, Decryptions

Models: VPN 3002

1 282

Download 282 pages 2.25 Kb

Page 209

Chapter 13 Monitoring

Monitoring Statistics IPSec

Sent Packets Dropped

The cumulative total of packets dropped during send processing by all currently and previously active IPSec Phase-2 tunnels. This number should be zero; if not, check for a network problem, check the event log for an internal subsystem failure, or contact Cisco support.

Inbound Authentications

The cumulative total number of inbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Inbound Authentications

The cumulative total of inbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. Failed authentications could indicate corrupted packets or a potential security attack (“man in the middle”).

Outbound Authentications

The cumulative total of outbound individual packet authentications performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Outbound Authentications

The cumulative total of outbound packet authentications that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.

Decryptions

The cumulative total of inbound decryptions performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Decryptions

The cumulative total of inbound decryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check for misconfiguration.

Encryptions

The cumulative total of outbound encryptions performed by all currently and previously active IPSec Phase-2 tunnels.

Failed Encryptions

The cumulative total of outbound encryptions that failed, by all currently and previously active IPSec Phase-2 tunnels. This number should be zero or very small; if not, check the event log for an internal IPSec subsystem problem.

		VPN 3002 Hardware Client Reference
		VPN 3002 Hardware Client Reference
	OL-1893-01			13-21
	OL-1893-01			13-21

Image 209

Cisco Systems VPN 3002 Failed Inbound Authentications, Failed Outbound Authentications, Decryptions, Encryptions

Contents

Corporate Headquarters Release NovemberCisco Systems, Inc 170 West Tasman Drive San Jose, CACopyright 2001, Cisco Systems, Inc VPN 3002 Hardware Client ReferenceSystem Configuration ConfigurationConfiguration | System C O N T E N T SConfiguration | System | Tunneling Protocols Configuration | System | Servers | DNSConfiguration | System | IP Routing Configuration System Management ProtocolsAdministration Configuration | Policy ManagementAdministration | Ping Administration | Access RightsMonitoring | Routing Table MonitoringMonitoring | Live Event Log Monitoring | System StatusLED Indicators Files for Troubleshooting A-1Monitoring | Statistics | MIB-II Monitoring | Statistics | MIB-II| IP78-13782-01 viiiContents Prerequisites PrefaceOrganization ChapterTitle ChapterDescription ChapterVPN 3002 Hardware Client Documentation Related DocumentationVPN 3000 Series Concentrator Documentation VPN Client DocumentationOther References Documentation conventionsConvention boldface fontData Formats Obtaining DocumentationWorld Wide Web Documentation CD-ROMOrdering documentation Obtaining technical assistanceDocumentation feedback Cisco.comContacting TAC by telephone Contacting TAC by using the Cisco TAC websiteTechnical Assistance Center OL-1893-01 Preface Obtaining technical assistanceVPN 3002 Hardware Client Reference C H A P T E R Using the VPN 3002 Hardware Client ManagerVPN 3002 Hardware Client Browser Requirements Recommended PC Monitor/Display Settings Connecting to the VPN 3002 Using HTTPJavaScript and Cookies Navigation ToolbarInstalling the SSL Certificate in Your Browser Installing the SSL Certificate in Your BrowserVPN 3002 Hardware Client Reference OL-1893-01Figure 1-2Install SSL Certificate Screen 4.Click Install Certificate 5.Click Next to continue 7.Click Finish Viewing Certificates with Internet Explorer Installing the SSL Certificate with Netscape 1-10 ReinstallationFirst-timeInstallation 2.Click Next> to proceed 1-111-12 1-13 8.Click Continue1-14 Viewing Certificates with NetscapeClick OK when finished 1-151-16 Connecting to the VPN 3002 Using HTTPSConfiguring HTTP, HTTPS, and SSL Parameters 1-17 Logging into the VPN 3002 Hardware Client ManagerFigure 1-27Manager Main Welcome Screen 1-18Logging into the VPN 3002 Hardware Client Manager VPN 3002 Hardware Client ReferenceIndividual User Authentication Interactive Hardware Client Authentication1-19 VPN 3002 Hardware Client Reference1-20 Step 1 Click the Connection Login Status buttonThe Connection/Login Status screen displays Step 1 Click the Connect Now buttonStep 2 Click Connect 1-21Figure 1-31Connection Login Status Screen Figure 1-33Connection/Login Status Screen 1-22Figure 1-32Individual User Authentication Screen OL-1893-01 1-23VPN 3002 Hardware Client Reference Status bar Title barMouse pointer and tips Top frameRestore ResetTable of Contents ConfigurationMain frame Open or expandedManager screen 1-26–Interfaces: Ethernet parameters 1-27Figure 1-35Manager Table of Contents Navigating the VPN 3002 Hardware Client Manager1-28 C H A P T E R ConfigurationConfiguration OL-1893-01 Chapter 2 Configuration ConfigurationVPN 3002 Hardware Client Reference C H A P T E R Configuration | InterfacesInterfaces Ethernet 1 Private, Ethernet 2 Public InterfaceDNS Servers DNS Domain NameStatus Default GatewayIP Address Subnet MaskDisabled Configuration | Interfaces | PrivateStatic IP Addressing IP AddressSubnet Mask Apply/CancelSpeed DuplexDHCP Client Configuration | Interfaces | PublicPPPoE Client DisabledVerify PPPoE Password PPPoE PasswordPPPoE User Name Static IP AddressingReminder Apply / CancelDuplex C H A P T E R System ConfigurationConfiguration | System Configuration | System Chapter 4 System ConfigurationVPN 3002 Hardware Client Reference OL-1893-01Configuration | System | Servers | DNS Configuration | System | ServersServers C H A P T E RDomain EnabledPrimary DNS Server Secondary DNS ServerTimeout Retries Timeout PeriodApply / Cancel Configuration | System | Servers | DNSChapter Configuration | System | Servers | DNSVPN 3002 Hardware Client Reference OL-1893-01C H A P T E R TunnelingConfiguration System Tunneling Protocols Remote Server Backup ServersAbout Backup Servers IPSec over TCP Port IPSec over TCPCertificate Transmission Use CertificateGroup About IPSec over TCPUser PasswordVerify PasswordVPN 3002 Hardware Client Reference ChapterOL-1893-01 TunnelingC H A P T E R Configuration | System | IP RoutingIP Routing Add / Modify / Delete Static RoutesReminder Chapter 7 IP RoutingSubnet Mask Network AddressMetric Destination Add or Apply / CancelDestination Router Address InterfaceApply / Cancel Default GatewayMetric ReminderLease Timeout Configuration | System | IP Routing | DHCPAddress Pool Start/End EnabledAdd/Modify/Delete DHCP OptionApply/Cancel ReminderReminder Option ValueDHCP Option Nonconfigurable DHCP Options Chapter 7 IP Routing 7-10VPN 3002 Hardware Client Reference OL-1893-01C H A P T E R Configuration | System | Management ProtocolsManagement Protocols About HTTP/HTTPS Enable HTTPEnable HTTPS on Public Enable HTTPSHTTP Port HTTPS PortVPN 3002 Hardware Client Reference Enable TelnetChapter 8 Management Protocols Telnet Port Enable Telnet/SSLTelnet/SSL Port Maximum ConnectionsSNMP Port Enable SNMPMaximum Queued Requests Apply / CancelReminder Communities | Add or Modify Community StringsAdd/Modify/Delete ReminderReminder Community StringAdd or Apply / Cancel Related information 8-108-11 Client AuthenticationEncryption Algorithms Generated Certificate Key Size SSL Version8-12 Apply/CancelChapter 8 Management Protocols 8-13VPN 3002 Hardware Client Reference OL-1893-01Enable SSH on Public Enable SSHSSH Port Key Regeneration PeriodApply / Cancel 8-15To apply your SSH settings, and to include your settings in the active configuration, click Apply. The Manager returns to the Configuration | System | Management Protocols screen Reminder8-16 Enable XMLEnable HTTPS on Public Chapter 8 Management ProtocolsHTTPS Wildcard-mask HTTPS IP AddressSSH IP Address SSH Wildcard-maskChapter 8 Management Protocols 8-18VPN 3002 Hardware Client Reference OL-1893-01Event Class EventsClass Description Event Source Class NameClass Name Class Description Event SourceCisco-specificEvent Class EVENTMIBLevel Event Severity LevelCategory DescriptionEvent Log Data Event LogFigure 9-1Configuration | System | Events Screen Configuration | System | EventsConfiguration System Events General String Syslog FormatSeverity to Console Severity to LogSeverity to Syslog Cisco IOS SeverityConfigure either General event Configuration | System | Events | ClassesSeverity to Trap To send this “well-known”Reminder Configured Event ClassesAdd/Modify/Delete Class Name EnableModify screen 9-109-11 Add or Apply/CancelSeverity to Console Severity to Syslog9-12 Trap DestinationsAdd/Modify/Delete ChapterCommunity SNMP Version9-13 DestinationPort Configuration System Events Syslog Servers9-14 Add or Apply/Cancel9-15 Syslog ServersAdd/Modify/Delete ReminderFacility Syslog Server9-16 PortAdd or Apply/Cancel 9-17To add this server to the list of syslog servers, click Add. Or to apply your changes to this syslog server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Events | Syslog Servers screen. Any new server appears in the Syslog Servers list ReminderChapter 9-18VPN 3002 Hardware Client Reference OL-1893-01General Configuration | System | General10-1 C H A P T E RSystem Name Configuration | System | General | IdentificationContact LocationEnable DST Support Configuration | System | General | Time and DateCurrent Time New TimeConfiguration | System | General | Time and Date 10-4Reminder Chapter 10 GeneralClient Mode/PAT Policy ManagementClient Mode with Split Tunneling 11-111-2 Network Extension ModeChapter 11 Policy Management Network Extension Mode11-3 Network Extension Mode with Split TunnelingData Initiation Tunnel InitiationStep 2 Click Connect Now 11-4Traffic Management Configuration | Policy ManagementMode Tunneling PolicyManagement | PAT Configuration Policy Management Traffic11-6 Enable11-7 PAT EnabledApply/Cancel ReminderChapter 11 Policy Management 11-8VPN 3002 Hardware Client Reference OL-1893-01Administration Administration12-1 C H A P T E RFigure 12-1Administration Screen Administration | Software Update12-2 Current Software Revision Upload/CancelBrowse 12-3Software Update Success Software Update ProgressSoftware Update Error 12-412-5 Administration | System RebootChapter 12 Administration Administration | System RebootAction Configuration12-6 Figure 12-6Administration | System Reboot ScreenWhen to Reboot/Shutdown Administration | Ping12-7 Apply/CancelError Ping Ping/CancelAddress/Hostname to Ping Success PingAdministration | Access Rights | Administrators Administration | Access Rights12-9 Figure 12-10Administration | Access Rights ScreenPassword AdministratorVerify 12-10Session Idle Timeout Administration | Access Rights | Access SettingsEncrypt Config File Session LimitView Save Administration | File ManagementDelete 12-12Config File Upload via HTTP Swap Config FilesOK/Cancel 12-13File Upload Progress Local Config File/Browse12-14 Upload/Cancel12-15 File Upload ErrorFile Upload Success 12-16 Enrolling and Installing Digital CertificatesCertificate Management 12-17 12-18 12-19 Installing CA Certificates ManuallyRecommended Content Enrolling and Installing Identity CertificatesAbbrev Field NameVerify Challenge Password 12-2112-22 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The VPN 3002 sends the certificate request to the CA 12-2312-24 Step 5 Fill in the fields and click Enroll. For information on the fields on this screen, see Table 12-1.The Manager displays the Administration | Certificate Management | Enrollment | Request Generated screen. See Figure 12-25Certificate Obtained via Enrollment Screen 12-2612-27 Obtaining SSL Certificates 12-29 Enabling Digital Certificates on the VPN12-30 Deleting Digital Certificates12-31 Administration | Certificate ManagementCertificate Authority Certificate Authorities Table ContentIdentity Certificates Table Fields12-33 SSL Certificate Table GenerateContent 12-34Subject/Issuer FieldsRemove All Enrollment Status Table12-35 ContentContent 12-36Field StatusIdentity Certificate Administration | Certificate Management | EnrollSSL Certificate 12-37Type Install a New SA Using SCEP before EnrollingEnroll via PKCS10 Request Manual Enroll via SCEP at Name of SCEP CA12-39 Enroll / CancelFields Go to Certificate Enrollment Go to Certificate Management12-40 Chapter 12 AdministrationFields Go to Certificate Installation12-41 Enroll / Cancel 12-42Chapter 12 Administration VPN 3002 Hardware Client ReferenceEnroll Cancel12-43 FieldsInstall CA Certificate Administration | Certificate Management | InstallInstall SSL Certificate with Private Key Install Certificate Obtained via EnrollmentCertificate Obtained via Enrollment Screen 12-45Enrollment Status Table Cut & Paste Text SCEP Simple Certificate Enrollment ProtocolUpload File from Workstation 12-4612-47 Retrieve / CancelCA Descriptor Certificate Text Install / Cancel12-48 Password12-49 Filename / BrowsePassword Install / Cancel12-50 Administration | Certificate Management | ViewChapter 12 Administration Administration | Certificate Management | View12-51 Certificate FieldsContent Field12-52 BackContent FieldConfigure CA Certificate Administration | Certificate Management |SCEP Configuration CertificatePolling Limit Administration | Certificate Management | Renewal12-54 Apply / CancelVerify Challenge Password Challenge PasswordRenew / Cancel Renewal TypeGo to Certificate Installation 12-56Status Go to Certificate ManagementFields Administration | Certificate Management | Delete12-57 Yes / No View Enrollment Request12-58 Administration | Certificate Management |12-59 Enrollment Request FieldsContent Field12-60 Cancel Enrollment RequestAdministration Certificate Management Content12-61 Delete Enrollment RequestAdministration | Certificate Management | FieldsFields 12-62Yes / No To delete this enrollment request, click Yes13-1 MonitoringC H A P T E R Figure 13-1Monitoring ScreenClear Routes Monitoring | Routing TableValid Routes Address13-3 Monitoring | Filterable Event LogMetric Event Class Select Filter OptionsSeverities Client IP AddressGet Log Event Log FormatClear Log There is no undoEvent Time Monitoring | Live Event LogEvent Severity Event Class/NumberPause Display/Resume Display TimerClear Display RestartRestore ResetMonitoring | System Status 13-8Refresh Bootcode RevVPN Client Type Software RevTunnel Established to AuthenticationDuration Security AssociationsBack Panel Front PanelOther 13-11Restore 13-12Refresh BackTx Unicast Rx UnicastRx Multicast Tx MulticastLogin Time Cisco IP Phone Bypass Enabled/DisabledMonitoring | User Status Username13-15 Monitoring | Statistics13-16 Monitoring Statistics IPSecReset RestoreActive Tunnels IKE Phase 1 StatisticsTotal Tunnels Received BytesSent Phase-2Exchanges Received Phase-2ExchangesInvalid Phase-2Exchanges Received Invalid Phase-2Exchanges SentAuthentication Failures Phase-2SA Delete Requests SentInitiated Tunnels Failed Initiated TunnelsReceived Packets Dropped Anti-Replay IPSec Phase 2 Statistics13-20 Active TunnelsFailed Inbound Authentications Inbound AuthenticationsOutbound Authentications Failed Outbound AuthenticationsProtocol Use Failures Monitoring Statistics HTTP13-22 System Capability FailuresPackets Sent/Received Octets Sent/ReceivedPackets Sent Sockets/Sessions PeakLogin Time Login NameHTTP Sessions Max ConnectionsActive Sessions Monitoring | Statistics | Telnet13-25 ResetAttempted Sessions Inbound Octets CommandSuccessful Sessions Telnet SessionsRequests Monitoring | Statistics | DNSResponses 13-27Monitoring | Statistics | SSL TimeoutsServer Unreachable Other FailuresEncrypted Inbound Octets Unencrypted Inbound OctetsUnencrypted Outbound Octets Encrypted Outbound OctetsActive Leases Monitoring | Statistics | DHCPMaximum Active Leases 13-30Pool End Pool StartLeased IP Address Time Left13-32 Monitoring | Statistics | SSHReset RestoreRemote IP Address:Port SSH Sessions13-33 Login NamePackets In/Out Monitoring | Statistics | NAT13-34 ResetTranslations Active NAT SessionsTranslations Peak Translations TotalTranslated Bytes/Packets Monitoring | Statistics | PPPoE13-36 ResetPADI Timeouts PPPoE Access ConcentratorPADR Timeouts User NamePADT Rx Generic Errors RxPADT Tx Malformed Packets Rx13-39 Monitoring | Statistics | MIB-II13-40 Monitoring | Statistics | MIB-II| InterfacesReset RestoreUnicast Out Unicast InMulticast In Multicast OutTCP Segments Received Monitoring | Statistics | MIB-II| TCP/UDP13-42 ResetTCP Timeout Max TCP Timeout MinTCP Segments Transmitted TCP Segments RetransmittedUDP Errored Datagrams TCP Established ResetsTCP Current Established UDP Datagrams Received13-45 Monitoring | Statistics | MIB-II| IPReset RestorePackets Received Address Errors Packets Received Header ErrorsPackets Received Total Packets Received Unknown ProtocolsReassembly Successes Fragments Needing ReassemblyReassembly Failures Outbound Packets with No RouteTotal Received/Transmitted Monitoring Statistics MIB-II ICMP13-48 ResetParameter Problems Received/Transmitted Errors Received/TransmittedDestination Unreachable Received/Transmitted Time Exceeded Received/TransmittedTimestamp Replies Received/Transmitted Timestamp Requests Received/TransmittedAddress Mask Requests Received/Transmitted Address Mask Replies Received/Transmitted13-51 Monitoring | Statistics | MIB-II| ARP TableRefresh Chapter 13 MonitoringMapping Type Physical AddressAction/Delete 13-5213-53 Monitoring | Statistics | MIB-II| EthernetReset RestoreFCS Errors Alignment ErrorsCarrier Sense Errors SQE Test ErrorsMAC Errors: Receive MAC Errors: TransmitExcessive Collisions Speed MbpsRequests Received Monitoring | Statistics | MIB-II| SNMPBad Version 13-56Bad Community String Parsing ErrorsSilent Drops Proxy DropsChapter 13 Monitoring 13-58Monitoring | Statistics | MIB-II| SNMP VPN 3002 Hardware Client ReferenceAccessing the Command-lineInterface Using the Command-LineInterfaceConsole Access 14-114-2 Starting the Command-lineInterfaceTelnet or Telnet/SSL access Choosing Menu Items Using the Command-lineInterfaceEntering Values 14-314-4 Using Shortcut NumbersNavigating Quickly 14-5 Using Back and HomeGetting Help Information Stopping the Command-lineInterface Saving the Configuration FileUnderstanding Access Rights 14-61.1 Configuration > Quick Configuration 1Configuration1.2 Configuration > Interface Configuration Menu Reference1.3.1Configuration > System Management > Servers 1.3Configuration > System Management2.1 Administration > Software Update 2Administration1.4Configuration > Policy Management 2.3Administration > Ping 2.2Administration > System Reboot2.4Administration Access Rights 14-102.6Administration > Certificate Management 2.5 Administration > File Management3 Monitoring 3.2Monitoring > Event Log 3.1 Monitoring > Routing Table3.2.2 Monitoring > Event Log > View Event Log 3.3 Monitoring > System Status3.5Monitoring > General Statistics 3.4 Monitoring > User StatusFiles for Troubleshooting Troubleshooting and System ErrorsEvent Logs Crash Dump FileConfiguration Files LED IndicatorsVPN 3002 Front LEDs Crash Dump FileProblem or Symptom System ErrorsPossible Solution VPN 3002 Rear LEDsSeries Concentrator Reference Volume Settings on the VPN Concentratorthe VPN 3002 Hardware Client User Reference on Connect NowInvalid Login or Session Timeout VPN 3002 Hardware Client Manager ErrorsSolution ProblemLogin Manager Logs OutIncorrect Display Error MessageBack or Forward on Possible causeProblem Not Allowed MessageSolution Possible causeinterface supported Not FoundProblem SolutionError Command-lineInterface ErrorsA-10 ProblemIN-1 NumericsI N D E IN-2 See CLIerrors A-10 help commandIN-3 IN-4 IN-5 IN-6 IN-7 IN-8 See also tunnelIN-9 IN-10 IN-11 Index IN-12VPN 3002 Hardware Client Reference OL-1893-01