Administer Sessions
You can use the Administration > Administer Sessions window on the VPN Concentrator to find out if the VPN tunnel is getting built up, and processing data across the tunnel by looking at counters for both Bytes Tx (Transmit), and Bytes Rx (Receive). This helps in quickly identifying if the problem is with the tunnel not coming up, or with the inability to pass any data across the tunnel. You can also find out which side of the tunnel device is causing the problem. The following example illustrates this point. Assume that in your Concentrator, you see that Bytes Tx is incrementing over time, but Bytes Rx is staying at zero or at the same number over a period of time. You know that your Concentrator is processing and sending the data over the tunnel, but the other Concentrator may not be responding. The problem could be a drop in transit by another device that is sitting between the Concentrators. Or for some reason the other side of the VPN Concentrator could be failing to respond to your Concentrator. You can confirm what is actually happening by looking at the Bytes Rx and Bytes Tx counters. In theory, these two counters should be exactly opposite each other. The Bytes Tx of your side should be the Bytes Rx of the other side and vice versa, assuming there are no packet drops in transit. Merely by looking at these statistics, you can cut the scope of the problem analysis phase in half by ensuring that your Concentrator is not causing the problem. This means that you do not have to troubleshoot the Concentrator on your side. Figure 8-5 shows an IPsec LAN-to-LAN tunnel that has both Bytes Tx and Bytes Rx counters, which is an indication that the tunnel is processing data traffic properly.
Figure 8-5. Administer Sessions Window Showing an IPsec LAN-to-LAN Tunnel
[View full size image]
In addition to the tunnel statistics for troubleshooting, Administer Sessions windows also allow you to terminate any VPN session.
Configuration Files
The VPN Concentrator saves the current boot configuration file with both the name CONFIG and the previously running configuration as CONFIG.BAK in flash memory. The location of these files is Administration > File Management. These files can be used for troubleshooting, especially when you need to send these files to the Cisco Support Team or for offline analysis.
LED Indicators
Under normal operations, LED indicators on the VPN Concentrator are green. The usage gauge LEDs are normally blue. LEDs that are amber or off may indicate an error condition. NA means not applicable; that is, the LED does not have that state. If you have different LED colors, you might be experiencing hardware issues. Consult the Cisco Support Team for additional analysis.
Crash Dump File
If the VPN Concentrator crashes during operation, it saves internal system data in nonvolatile memory (NVRAM), and then automatically writes this data to a CRSHDUMP.TXT file in flash memory when it is rebooted. This file contains the crash date and time, software version, tasks, stack, registers, memory, buffers, and timers, which are helpful to Cisco support engineers. The location of the file is Administration > File Management > Files. If your VPN Concentrator crashes, send the CRSHDUMP.TXT file to the Cisco Support Team for analysis.
VPN Client Log
As mentioned before, while troubleshooting Remote Access VPN connection, you need to analyze the log from both sides of the tunnel: VPN Concentrator log and the VPN client log. Just as with the VPN Concentrator, the Cisco VPN client has monitoring capability and a fairly robust debug capability (called Log Viewer).
To open Log Viewer, open the VPN Client window by going to Start > Programs > Cisco Systems VPN Client > VPN Client. In the opened VPN Client, you can click on the Log tab or bring up a separate log window by clicking on Log Window. By default the logging is turned on, and you can disable it by clicking on Disable. Click on Log Settings to change the log level of different classes as shown in Figure 8-6.
It is recommended to turn all classes of the VPN client log to high and remember to disable event logging when you have finished troubleshooting.
Figure 8-6. Turning on Debug Logging for Different Classes on VPN Client
[View full size image]
Table 8-2 shows how to read an IKE message collected from the Log Viewer.
Table 8-2. Reading the IKE Message on the Log Viewer Time
Connection Name
Transmit Direction
IKE Message
01:38:02.570
Cisco VPN
- SENDING>>>>
ISAKMP OAK MM (SA)
Details on the VPN Client GUI Error Lookup Tool and location can be found at the following URL:
http://www.cisco.com/warp/public/471/vpn-clnt-err-dict.html
Log Viewer shows only the debug messages relating to the VPN tunnel. To view the statistics of the tunnel, for example, whether the packets are encrypted and decrypted or not, you need to right-click on the VPN Client Icon > Statistics. These statistics are important for troubleshooting any data packet transmission issue after the tunnel is built up.
Release notes of the VPN clients can be found in the following location:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/index.htm
VPN client software can be downloaded from the following location:
http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-3des