
Table Of Contents

Viewing Router Information

Overview

Interface Status

VPN Status

Firewall Log

Application Security Log

NAC Status

Logging


Viewing Router Information


The Cisco Router and Security Device Manager (SDM) Monitor mode lets you view a current snapshot of information about your router, the router interfaces, the firewall, and any active VPN connections. You can also view any messages in the router event log.


Note The Monitor window is not dynamically updated with the latest information. To view any information that has changed since you brought up this window, you must click Update.


Monitor mode works by examining the router log and by viewing the results of Cisco IOS show commands. For Monitor mode functions that are based on log entries, such as firewall statistics, logging must be enabled. Logging is enabled by default by SDM, but you can change that setting using the Additional Tasks>Router Properties>Logging window. In addition, individual rules may need configuration so that they generate log events. For more information, see the help topic How Do I View Activity on My Firewall?

If you want to:
Do this:

View information about router interfaces.

From the toolbar, click Monitor, and then in the left frame, click Interface Status. From the Select Interface field select the interface for which you want to view information, then in the Available Items group, select the information you want to view. Then click Show Details.

View graphs of CPU or memory usage.

From the toolbar, click Monitor. The Overview page includes graphs of CPU usage and memory usage.

View information about the firewall.

From the toolbar, click Monitor, and then in the left frame, click Firewall Status.

View information about VPN connections.

From the toolbar, click Monitor, and then in the left frame, click VPN Status. Then select the tab for IPSec Tunnels, DMVPN Tunnels, Easy VPN Servers, or IKE SAs.

View messages in the router event log.

From the toolbar, click Monitor, and then in the left frame, click Logging.


Overview

The Monitor mode Overview screen displays an overview of your router activity and statistics, and serves as a summary of the information contained on the other Monitor mode screens. It contains the information described in this help topic.


Note If you do not see feature information described in this help topic on the Overview screen, the Cisco IOS image does not support the feature. For example, if the router is running a Cisco IOS image that does not support security features, the Firewall Status and VPN Status sections do not appear on the screen.


Update Button

Retrieves current information from the router, updating statistics displayed by this screen.

Resource Status

Shows basic information about your router hardware and contains the following fields:

CPU Usage

Shows the percentage of CPU usage.

Memory Usage

Shows the percent of RAM usage.

Flash Usage

Shows the amount of flash available, over the amount of flash installed on the router.

Interface Status

Shows basic information about the interfaces installed on the router and their status.


Note Only interface types supported by SDM are included in these statistics. Unsupported interfaces will not be counted.


Total Interface(s) Up

The total number of enabled (up) interfaces on the router.

Total Interface(s) Down

The total number of disabled (down) interfaces on the router.

Interface

The interface name.

IP

The IP address of the interface.

Status

The status of the interface, either Up or Down.

Bandwidth Usage

The percent of interface bandwidth being used.

Description

Available description for the interface. SDM may add descriptions such as $FW_OUTSIDE$ or $ETH_LAN$.

Firewall Status Group

Shows basic information about the firewall and contains the following fields:

Number of Attempts Denied

Shows the number of log messages generated by connection attempts (by protocols such as Telnet, HTTP, HTTPS, ping, and others) rejected by the firewall. Note that in order for a log entry to be generated by a rejected connection attempt, the access rule that rejected the connection attempt must be configured to create log entries.

Firewall Log

If enabled, shows the number of firewall log entries.

QoS

The number of interfaces with an associated QoS policy.

VPN Status Group

Shows basic information about VPN connections and contains the following fields:

Number of Open IKE SAs

Shows the number of IKE Security Association (SA) connections currently configured and running.

Number of Open IPSec Tunnels

Shows the number of IPSec Virtual Private Network (VPN) connections currently configured and running.

No. of DMVPN Clients

If the router is configured as a DMVPN hub, the number of DMVPN clients.

No. of Active VPN Clients

If the router is configured as an EasyVPN Server, this field shows the number of Easy VPN Remote clients.

NAC Status Group

Shows a basic snapshot of Network Admission Control (NAC) status on the router.

No. of NAC enabled interfaces field

The number of router interfaces on which NAC is enabled.

No. of validated hosts field

The number of hosts with posture agents that have been validated by the admissions control process.

Log Group

Shows basic information about the router log and contains the following fields:

Total Log Entries

The total number of entries currently stored in the router log.

High Severity

The number of log entries stored that have a severity level of 2 or lower. These messages require immediate attention. Note that this list will be empty if you have no high severity messages.

Warning

The number of log entries stored that have a severity level of 3 or 4. These messages may indicate a problem with your network, but they do not likely require immediate attention.

Informational

The number of log entries stored that have a severity level of 6 or higher. These information messages signal normal network events.

Interface Status

The Interface Status screen displays the current status of the various interfaces on the router, and the numbers of packets, bytes, or data errors that have travelled through the selected interface. Statistics shown on this screen are cumulative since the last time the router was rebooted, the counters were reset, or the selected interface reset.

Monitor Interface and Stop Monitoring Button

Click this button to start or stop monitoring the selected interface. The button label changes based on whether SDM is monitoring the interface or not.

Test Connection Button

Click to test the selected connection. A dialog appears that enables you to specify a remote host to ping through this connection. The dialog then reports on the success or failure of the test. If the test fails, information about why the test may have failed is given, along with the steps you need to take to correct the problem.

Interface List

Select the interface for which you want to display statistics from this list. The list contains the name, IP address and subnet mask, the slot and port it is located in, and any SDM or user description entered.

Select Chart Types to Monitor Group

These check boxes are the data items for which SDM can show statistics on the selected interface. These data items are as follows:

Packet Input—The number of packets received on the interface.

Packet Output—The number of packets sent by the interface.

Bandwidth Usage—The percent of bandwidth used by the interface, shown as a percentage value. The bandwidth percentage is computed as follows:

Bandwidth percentage = (Kbps / bw) * 100

where

bits per second = ((change in input + change in output) * 8) / poll interval

Kbps = bits per second / 1024

bw = bandwidth capacity of the interface

Because the differences in bytes input and bytes output can only be computed after the second view interval, the bandwidth percentage graph shows the correct bandwidth usage starting with the second view interval. See the View Interval section of this topic for polling intervals and view intervals.

Bytes Input—The number of bytes received on the interface.

Bytes Output—The number of bytes sent by the interface.

Input Errors—The number of errors occurring while receiving data on the interface.

Output Errors—The number of errors occurring while sending data from the interface.
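The bandwidth computation described above, carried through on a series of polls, as an added example that is not part of the SDM help or of Cisco's code. It assumes the byte counters are read as integers, the poll interval is in seconds and the interface bandwidth (bw) is in kbps, the unit of the IOS bandwidth setting; it returns no value for the first view interval (no difference yet) and for an interval in which the counters were reset between polls.

```python
# Added example (not SDM or Cisco code): compute the Bandwidth Usage percentage
# from successive counter polls, following the formula given in the SDM help.
# Assumptions: byte counters are integers, the poll interval is in seconds and
# the interface bandwidth (bw) is in kbps, the unit of the IOS "bandwidth" command.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Poll:
    """Cumulative byte counters read from the interface at one poll."""
    bytes_in: int
    bytes_out: int


def bits_per_second(prev: Poll, cur: Poll, poll_interval_s: float) -> Optional[float]:
    """bits per second = ((change in input + change in output) * 8) / poll interval."""
    delta_bytes = (cur.bytes_in - prev.bytes_in) + (cur.bytes_out - prev.bytes_out)
    if delta_bytes < 0:
        # Counters went backwards: they were cleared (Reset button, interface
        # reset or reload) between polls, so this interval has no usable difference.
        return None
    return delta_bytes * 8 / poll_interval_s


def bandwidth_percentage(prev: Optional[Poll], cur: Poll,
                         poll_interval_s: float, bw_kbps: float) -> Optional[float]:
    """Bandwidth percentage = (Kbps / bw) * 100, with Kbps = bits per second / 1024."""
    if prev is None:
        # First view interval: no earlier poll to diff against, nothing to plot yet.
        return None
    bps = bits_per_second(prev, cur, poll_interval_s)
    if bps is None:
        return None
    kbps = bps / 1024
    return kbps * 100 / bw_kbps


def bandwidth_series(polls: List[Poll], poll_interval_s: float,
                     bw_kbps: float) -> List[Optional[float]]:
    """One percentage per poll; None where the chart has no point to show."""
    series: List[Optional[float]] = []
    prev: Optional[Poll] = None
    for cur in polls:
        series.append(bandwidth_percentage(prev, cur, poll_interval_s, bw_kbps))
        prev = cur
    return series


# Constructed sample: a 10 Mbit/s interface (bw = 10000 kbps) polled every 10 s.
# The third poll shows counters that were reset between polls.
SAMPLE_POLLS = [
    Poll(0, 0),
    Poll(640_000, 640_000),   # 1,280,000 bytes in 10 s -> 1000 Kbps -> 10 %
    Poll(1_000, 1_000),       # counters cleared: the delta is negative
    Poll(641_000, 641_000),   # 1,280,000 bytes again -> 10 %
]

if __name__ == "__main__":
    for i, pct in enumerate(bandwidth_series(SAMPLE_POLLS, 10, 10000)):
        print(f"poll {i}: {'no data' if pct is None else f'{pct:.1f} %'}")
```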

To view statistics for any of these items:


Step 1 Select the item(s) you want to view by checking the associated check box(es).

Step 2 Click Monitor Interface to see statistics for all selected data items.


Interface Status Area

View Interval

This pull-down field selects both the amount of data shown for each item and the frequency with which the data is updated. It has the following options:


Note The polling frequencies listed are approximations and may differ slightly from the listed times.


Real-time data every 10 sec. This option will continue polling the router for a maximum of two hours, resulting in approximately 120 data points.

10 minutes of data polled every 10 sec.

60 minutes of data, polled every 1 minute.

12 hours of data, polled every 10 minutes.


Note The last three options will retrieve a maximum of 60 data points. After 60 data points have been retrieved, SDM will continue to poll data, replacing the oldest data points with the newest ones.


Show Table/Hide Table

Click this button to show or hide the performance charts.

Reset button

Click this button to reset the interface statistic counts to zero.

Chart Area

This area shows the charts and simple numerical values for the data specified.


Note The last three options will retrieve a maximum of 30 data points. After 30 data points have been retrieved, SDM will continue to poll data, replacing the oldest data points with the newest ones.


VPN Status

This screen displays statistics about the VPN connections that are active on the router.

Select a Category

From this pull-down field, select the type of VPN for which you want to see statistics. The statistics corresponding to the selection made in this field will appear in the field below. You can select one of the following VPN categories:

IPSec Tunnels

DMVPN Tunnels

Easy VPN Servers

IKE SAs

Test Tunnel... Button

Click to test a selected VPN tunnel. The results of the test will be shown in another window.

IPSec Tunnels

This group displays statistics about each IPSec VPN that is configured on the router. Each row in the table represents one IPSec VPN. The columns in the table and the information they display are as follows:

Interface column

The WAN interface on the router on which the IPSec tunnel is active.

Local IP column

The IP address of the local IPSec interface.

Remote IP column

The IP address of the remote IPSec interface.

Peer column

The IP address of the remote peer.

Tunnel Status

The current status of the IPSec tunnel. Possible values are:

Up—The tunnel is active

Down—The tunnel is inactive due to an error or hardware failure.

Encapsulation Packets column

The number of packets encapsulated over the IPSec VPN connection.

Decapsulation Packets column

The number of packets decapsulated over the IPSec VPN connection.

Send Error Packets column

The number of errors that have occurred while sending packets.

Receive Error Packets column

The number of errors that have occurred while receiving packets.

Encrypted Packets column

The number of packets encrypted over the connection.

Decrypted Packets column

The number of packets decrypted over the connection.

Update button

Click this button to refresh the IPSec Tunnel table and display the most current data from the router.

Clear button

Select a row in the table, and click Clear to clear the IPSec tunnel connection.

DMVPN Tunnels

This group displays the following statistics about Dynamic Multi-point VPN (DMVPN) tunnels. Each row reflects one VPN tunnel.

Remote Subnet column

The network address of the subnet to which the tunnel connects.

Remote Tunnel IP column

The IP address of the remote tunnel. This is the private IP address given the tunnel by the remote device.

IP Public Interface of Remote Router column

IP address of the public (outside) interface of the remote router.

Expiration column

The time and date when the tunnel registration expires and the DMVPN tunnel will be shut down.

Status column

The status of the DMVPN tunnel.

Reset button

Resets statistics counters for the tunnel listed, setting the number of packets encapsulated and decapsulated, the number of sent and received errors, and the number of packets encrypted and decrypted to zero.

Easy VPN Servers

This group displays the following information about each Easy VPN Server group:

Total number of server clients (in upper right corner)

Group Name

Number of client connections

Group Details Button

Clicking Group Details shows the following information about the selected group.

Group Name

Key

Pool Name

DNS Servers

WINS Servers

Domain Name

ACL

Backup Servers

Firewall-R-U-There

Include local LAN

Group lock

Save password

Maximum connections allowed for this group

Maximum logins per user

Client Connections in this Group

This area shows the following information about the selected group.

Public IP address

Assigned IP address

Encrypted Packets

Decrypted Packets

Dropped Outbound Packets

Dropped Inbound Packets

Status

Update button

Click this button to display the most current data from the router.

Disconnect button

Choose a row in the table and click Disconnect to drop the connection with the client.

IKE SAs

This group displays the following statistics about each active IKE security association configured on the router:

Source IP column

The IP address of the peer originating the IKE SA.

Destination IP column

The IP address of the remote IKE peer.

State column

Describes the current state of IKE negotiations. The following states are possible:

MM_NO_STATE—The Internet Security Association and Key Management Protocol (ISAKMP) SA has been created but nothing else has happened yet.

MM_SA_SETUP—The peers have agreed on parameters for the ISAKMP SA.

MM_KEY_EXCH—The peers have exchanged Diffie-Hellman public keys and have generated a shared secret. The ISAKMP SA remains unauthenticated.

MM_KEY_AUTH—The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.

AG_NO_STATE—The ISAKMP SA has been created but nothing else has happened yet.

AG_INIT_EXCH—The peers have done the first exchange in Aggressive mode but the SA is not authenticated.

AG_AUTH—The ISAKMP SA has been authenticated. If the router initiated this exchange, this state transitions immediately to QM_IDLE and a Quick mode exchange begins.

QM_IDLE—The ISAKMP SA is idle. It remains authenticated with its peer and may be used for subsequent Quick mode exchanges.

Update button—Click this button to refresh the IKE SA table and display the most current data from the router.

Clear button—Select a row in the table and click Clear to clear the IKE SA connection.

Firewall Log

This Firewall Status page displays the following statistics about the firewall configured on the router. The statistics and log entries shown in this screen are determined by log messages generated by the firewall. In order for the firewall to generate log entries, you must configure individual access rules to generate log messages when they are invoked. For instructions on configuring access rules to cause log messages, see the help topic How Do I View Activity on My Firewall?

In order for firewall log entries to be collected, you must configure logging for the router. Go to Additional Tasks > Router Properties > Logging. Click Edit, and configure logging. To obtain firewall logging messages, you must configure a logging level of debugging (7).

Firewall Log

Whether or not the router is configured to maintain a log of connection attempts allowed and denied by the firewall.

Number of Attempts Denied by Firewall

Shows the number of connection attempts rejected by the firewall.

Attempts Denied by Firewall Table

Shows a list of connection attempts denied by the firewall. This table includes the following columns:

Time column

Shows the time that each denied connection attempt occurred.

Description column

Contains the following information about the denied attempt: log name, access rule name or number, service, source address, destination address, and number of packets. An example follows:

%SEC-6-IPACCESSLOGDP: list 100 denied icmp 171.71.225.148->10.77.158.140 (0/0), 3 packets

Update Button

Polls the router and updates the information shown on the screen with current information.

Monitoring Firewall with a non-Administrator view user account

Firewall monitoring requires that logging buffered be enabled on the router. If logging buffered is not enabled, log in to SDM using an Administrator view account or using a non-view based privilege level 15 user account and configure logging.

To configure logging in SDM, go to Additional Tasks > Router Properties > Logging.

Application Security Log

If logging has been enabled, and you have specified that alarms be generated when the router encounters traffic from applications or protocols that you have specified, those alarms are collected in a log that can be viewed from this window.

In order for Application Security log entries to be collected, you must configure logging for the router. Go to Additional Tasks > Router Properties > Logging. Click Edit, and configure logging. To obtain these logging messages, you must configure a logging level of informational (6) or higher. If you have already configured logging for debugging (7), the log will contain application security log messages.

The following is example log text:

*Sep 8 12:23:49.914: %FW-6-DROP_PKT: Dropping im-yahoo pkt 128.107.252.142:1481 => 216.155.193.139:5050
*Sep 8 12:24:22.762: %FW-6-DROP_PKT: Dropping im-aol pkt 128.107.252.142:1505 => 205.188.153.121:5190
*Sep 8 12:26:02.090: %FW-6-DROP_PKT: Dropping im-msn pkt 128.107.252.142:1541 => 65.54.239.80:1863
*Sep 8 11:42:10.959: %APPFW-4-HTTP_PORT_MISUSE_IM: Sig:10006 HTTP Instant Messenger detected - Reset - Yahoo Messenger from 10.10.10.2:1334 to 216.155.194.191:80
*Sep 8 12:27:54.610: %APPFW-4-HTTP_STRICT_PROTOCOL: Sig:15 HTTP protocol violation detected - Reset - HTTP Protocol not detected from 10.10.10.3:1583 to 66.218.75.184:80
*Sep 8 12:26:14.866: %FW-6-SESS_AUDIT_TRAIL_START: Start im-yahoo session: initiator (10.10.10.3:1548) -- responder (66.163.172.82:5050)
*Sep 8 12:26:15.370: %FW-6-SESS_AUDIT_TRAIL: Stop im-yahoo session: initiator (10.10.10.3:1548) sent 0 bytes -- responder (66.163.172.82:5050) sent 0 bytes
*Sep 8 12:24:44.490: %FW-6-SESS_AUDIT_TRAIL: Stop im-msn session: initiator (10.10.10.3:1299) sent 1543 bytes -- responder (207.46.2.74:1863) sent 2577 bytes
*Sep 8 11:42:01.323: %APPFW-6-IM_MSN_SESSION: im-msn un-recognized service session initiator 14.1.0.1:2000 sends 1364 bytes to responder 207.46.108.19:1863
*Sep 8 11:42:01.323: %APPFW-6-IM_AOL_SESSION: im-aol text-chat service session initiator 14.1.0.1:2009 sends 100 bytes to responder 216.155.193.184:5050
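As an added example (not SDM or Cisco code) covering the Firewall Log Description column, the Application Security log lines above and the Log Group severity buckets of the Overview screen: a parser for the %FACILITY-SEVERITY-MNEMONIC line format that tallies entries per Overview group, and decodes the fields of a %SEC-6-IPACCESSLOGDP entry to count denied attempts. The sample lines are taken from this page, plus one constructed %SYS-2 line; the regular expressions are written to the formats quoted here, not to every IOS message form.

```python
# Added example (not SDM or Cisco code): parse the IOS syslog lines quoted on this page
# and roll them up the way the Monitor Overview does: Log Group severity buckets
# (<=2, 3-4, >=6) and "Number of Attempts Denied" from %SEC-6-IPACCESSLOGDP entries.
import re
from collections import Counter

# "*Sep 8 12:23:49.914: %FW-6-DROP_PKT: ..."; the timestamp is optional because the
# %SEC-6-IPACCESSLOGDP example on the page is quoted without one.
SYSLOG_RE = re.compile(
    r"^\*?(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# "list 100 denied icmp 171.71.225.148->10.77.158.140 (0/0), 3 packets"
ACL_RE = re.compile(
    r"^list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\S+?)\s*->\s*(?P<dst>\S+) \((?P<extra>[^)]*)\), (?P<packets>\d+) packets?$"
)


def parse_syslog(line):
    """Split one IOS log line into timestamp, facility, severity (int), mnemonic and text."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None  # continuation text or non-syslog output: not a log entry
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def overview_group(severity):
    """Bucket a severity as the Overview Log Group does; level 5 is not listed there."""
    if severity <= 2:
        return "High Severity"
    if severity in (3, 4):
        return "Warning"
    return "Informational" if severity >= 6 else "Unlisted"


def parse_acl_log(rec):
    """Decode the Description-column fields of a %SEC-6-IPACCESSLOGDP entry."""
    m = ACL_RE.match(rec["text"]) if rec["mnemonic"] == "IPACCESSLOGDP" else None
    if not m:
        return None
    fields = m.groupdict()
    fields["packets"] = int(fields["packets"])
    return fields


def summarize(lines):
    """Overview-style counts: total entries, entries per severity group, denied attempts."""
    groups = Counter()
    total = attempts_denied = denied_packets = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        total += 1
        groups[overview_group(rec["severity"])] += 1
        acl = parse_acl_log(rec)
        if acl and acl["action"] == "denied":
            attempts_denied += 1
            denied_packets += acl["packets"]
    return {"total": total, "groups": dict(groups),
            "attempts_denied": attempts_denied, "denied_packets": denied_packets}


# Four lines quoted from this page plus one constructed %SYS-2 line for the high-severity bucket.
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGDP: list 100 denied icmp 171.71.225.148->10.77.158.140 (0/0), 3 packets",
    "*Sep 8 12:23:49.914: %FW-6-DROP_PKT: Dropping im-yahoo pkt 128.107.252.142:1481 => 216.155.193.139:5050",
    "*Sep 8 11:42:10.959: %APPFW-4-HTTP_PORT_MISUSE_IM: Sig:10006 HTTP Instant Messenger detected - Reset - Yahoo Messenger from 10.10.10.2:1334 to 216.155.194.191:80",
    "*Sep 8 12:26:14.866: %FW-6-SESS_AUDIT_TRAIL_START: Start im-yahoo session: initiator (10.10.10.3:1548) -- responder (66.163.172.82:5050)",
    "*Sep 8 12:30:00.000: %SYS-2-MALLOCFAIL: Memory allocation of 1024 bytes failed (constructed)",
]
```

Feeding the router's buffered log through summarize() gives the same three counts the Overview screen shows, which is a quick way to check that the access rules you expect to log are actually producing entries.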

NAC Status

If NAC is configured on the router, SDM can display snapshot information about the NAC sessions on the router, the interfaces on which NAC is configured, and NAC statistics for the selected interface.

The top row in the window displays the number of active NAC sessions, the number of NAC sessions being initialized, and a button that allows you to clear all active and initializing NAC sessions.

The window lists the router interfaces with associated NAC policies.

FastEthernet0/0 10.10.15.1/255.255.255.0 0

Clicking on an interface entry displays the information returned by posture agents installed on the hosts in the subnet for that interface. An example of the interface information follows:

10.10.10.5 Remote EAP Policy Infected 12

10.10.10.1 is the host's IP address. Remote EAP Policy is the type of authentication policy that is in force. The host's current posture is Infected, and it has been 12 minutes since the host completed the admissions control process.


Note This area of the window contains no data if no posture information is returned by the hosts on the selected subnet.


The authentication types are:

Local Exception Policy—An exception policy that is configured on the router is used to validate the host.

Remote EAP Policy—The host returns a posture, and an exception policy assigned by an ACS server is used.

Remote Generic Access Policy—The host does not have a posture agent installed, and the ACS server assigns an agentless host policy.

The posture agents on the hosts may return the following posture tokens:

Healthy—The host is free of known viruses, and has the latest virus definition files.

Checkup—The posture agent is determining if the latest virus definition files have been installed.

Quarantine—The host does not have the latest virus definition files installed. The user is redirected to the specified remediation site that contains instructions for downloading the latest virus definition files.

Infected—The host is infected with a known virus. The user is redirected to a remediation site to obtain virus definition file updates.

Unknown—The host's posture is unknown.

Logging

The router contains a log of events categorized by severity level, like a UNIX syslog service. This screen displays the router log. Note that it is the router log that is displayed, even if log messages are being forwarded to a syslog server.

Logging Buffer

Shows whether or not the logging buffer and syslog logging are enabled. The text "Enabled" is displayed when both are enabled. The logging buffer reserves a specified amount of memory to retain log messages. The setting in this field is not preserved if your router is rebooted. The default settings for these fields are for the logging buffer to be enabled with 4096 bytes of memory.

Logging Hosts

Shows the IP address of any syslog hosts where log messages are being forwarded. This field is read-only. To configure the IP addresses of syslog hosts, use the Additional Tasks>Router Properties>Logging window.

Logging Level (Buffer)

Shows the logging level configured for the buffer on the router.

Number of Messages in Log

Shows the total number of messages stored in the router log.

Select a Logging Level to View

From this field, select the severity level of the messages that you want to view in the log. Changing the setting in this field causes the list of log messages to be refreshed.

Log

Displays all messages with the severity level specified in the Select a Logging Level to View field. Log events contain the following information:

Severity Column

Shows the severity of the logging event. Severity is shown as a number from 1 through 7, with lower numbers indicating more severe events. The descriptions of each of the severity levels are as follows:

0 - emergencies: System unusable

1 - alerts: Immediate action needed

2 - critical: Critical conditions

3 - errors: Error conditions

4 - warnings: Warning conditions

5 - notifications: Normal but significant condition

6 - informational: Informational messages only

7 - debugging: Debugging messages

Time Column

Shows the time that the log event occurred.

Description Column

Shows a description of the log event.

Update

Updates the screen with current information about log details and the most current log entries.

Clear

Erases all messages from the log buffer on the router.



Posted: Fri Oct 7 13:54:57 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.