Interpreting the Event Logs

By default, the VPN concentrator is monitoring events and sending them to the console, as well as to an internal log. Events can be classified as any noteworthy incident that the concentrator can log, such as alarms, errors, completed tasks, and status changes. In the Configuration | System | Events screen (Figure 8.16), you can define the level of monitoring that is being maintained by the concentrator, as well as define several outputs for these monitored events.

Figure 8.16. System Event configuration.


Event severity levels range from 1 to 13, where 1 is the highest level and the most critical, and 13 is the most detailed and the least critical. By default, general events are logged if they are in the level range 1-5. In addition, events with severity levels 1-3 are automatically sent to the console. You can change these default parameters for general events, as well as for specific hardware or software subsystems of the concentrator, known as event classes. The VPN 3000 Concentrator regards severity levels 1-6 as normal; 7-9 are debugging events, and 10-13 are packet decoding hex dumps.

You can configure the concentrator to send event alerts or logs to one of the following: internal log, console, FTP, SNMP, Syslog, and even email. Because of memory limitations, the VPN 3005 Concentrator's internal log can hold only up to 256 events, and models 3015-3080 can contain up to 2048 events. When the internal log buffers have reached their maximum capacity, older events are overwritten by newer events.


It is important to remember the VPN Concentrator's three general severity level ranges: 1-6 are normal, 7-9 are debugging, and 10-13 are hex dumps of packets to decode. Levels 7-13 are typically used by Cisco support and should not normally be logged because of memory and processing overhead.


In a production network, the VPN Concentrator might generate hundreds or thousands of log entries, depending on the severity level configured for logging. To sort your way through this mess, there is a useful monitoring menu that enables you to filter the event log down to specific entries.

Figure 8.17 shows the Monitoring | Filterable Event Log screen. This screen enables you to filter the event log by one or several event classes, client IP address, group, or severity level, and to sort the events by age and set how many events appear per page. In this example, we wanted to show only the events specific to authentication and SCEP enrollment of digital certificates. When you highlight the AUTH and the CERT event classes and press the arrow key, the log page presents only those items requested.

Figure 8.17. Filterable Event Log screen.


In addition, if you want to monitor the event log in real time, the Monitoring | Live Event Log screen allows you to see the current event logging being refreshed every five seconds. You can pause and resume the display by pushing the appropriate button on the bottom of the screen. Furthermore, you can clear the display (not the log itself) and restart the 5-second counter by selecting those buttons respectively.
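The same class and severity filtering can be reproduced offline on events the concentrator has exported (for example to Syslog), which helps once the internal log has wrapped. The following is an added example, not part of the original text: the one-line event layout, the event numbers, and the sample messages are assumptions constructed for illustration; only the severity ranges and the log capacities come from the text above.

```python
import re
from collections import deque

# Assumed one-line event layout (not shown on the page):
#   <seq> <date> <time> SEV=<n> <CLASS>/<event#> RPT=<n> <message>
EVENT_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z0-9]+)/(?P<num>\d+)\s+RPT=(?P<rpt>\d+)\s*(?P<msg>.*)$")

# Internal log capacities stated in the text (events held before overwrite).
LOG_CAPACITY = {"3005": 256, "3015-3080": 2048}

def severity_band(sev):
    """Map a severity level to the three ranges the text describes."""
    if 1 <= sev <= 6:
        return "normal"
    if 7 <= sev <= 9:
        return "debugging"
    if 10 <= sev <= 13:
        return "hex dump"
    raise ValueError(f"severity {sev} is outside 1-13")

def parse_event(line):
    """Return a dict for one event line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("seq", "sev", "num", "rpt"):
        ev[key] = int(ev[key])
    ev["band"] = severity_band(ev["sev"])
    return ev

def filter_events(lines, classes=None, max_sev=13, capacity=None):
    """Keep events in the chosen classes at or below max_sev.

    capacity models the internal log: once full, the oldest event is
    overwritten, so it can no longer be returned by any filter.
    """
    log = deque(maxlen=capacity)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            log.append(ev)
    return [ev for ev in log
            if (not classes or ev["cls"] in classes) and ev["sev"] <= max_sev]

# Constructed sample events (class names AUTH, CERT as in the text).
SAMPLE = [
    "1 03/01/2002 09:15:02.110 SEV=4 AUTH/22 RPT=1 User [alice] connected",
    "2 03/01/2002 09:15:03.250 SEV=5 IKE/34 RPT=1 10.0.0.7 Phase 1 complete",
    "3 03/01/2002 09:16:40.000 SEV=3 AUTH/5 RPT=2 Authentication rejected [bob]",
    "4 03/01/2002 09:17:11.480 SEV=8 CERT/12 RPT=1 SCEP enrollment detail",
    "5 03/01/2002 09:18:00.900 SEV=4 CERT/3 RPT=1 SCEP enrollment completed",
]
```

Calling `filter_events(SAMPLE, {"AUTH", "CERT"}, max_sev=6)` mirrors selecting the AUTH and CERT classes while excluding debugging-level entries; passing `capacity=LOG_CAPACITY["3005"]` shows which events would already have been overwritten on a 3005.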

System Status

One of the most notable resources for monitoring is the System Status page. Shown in Figure 8.18, the System Status page is an excellent starting point for troubleshooting and monitoring system-wide statistics. The output of this screen is similar to the show version command in Cisco IOS. In particular, it shows you the VPN Concentrator model, followed by the bootstrap and software version that is currently running on the device. Another useful set of statistics is the uptime statistics. When users are complaining of intermittent session disconnects/reconnects, this information displays the length of time the concentrator has been running so you can easily determine whether the concentrator is resetting. In addition, the System Status screen displays the status of the memory. If the status is green, the concentrator has memory resources free for functionality. However, if the status is red, the memory resources on the concentrator are critically low and sessions might not be able to connect.

Figure 8.18. System Status screen.


At the bottom of the System Status page, there is a convenient graphical display of the concentrator's front and back panel. You can click on certain areas of the display as shortcuts to statistics of those components, as illustrated in Figure 8.18. For instance, clicking on the front panel on higher-end concentrators displays the current front LED (Light Emitting Diode) statistics so you do not even need to be physically near the device to see the status LEDs. Furthermore, the bottom of the System Status screen displays the current operation of the fans, temperature of the processor, and utilization statuses for the CPU, sessions, and LAN packet throughput.

Monitoring Sessions

The Monitoring | Sessions screen is practically identical to the Administration | Administer Sessions screen, with the exception that you cannot log off sessions or ping the devices in this screen. In addition, you can select submenus (shown in Figure 8.19), which break down the session statistics by the protocols being transported or the encryption algorithms being used by administrator and user sessions. Additionally, the Monitoring | Sessions | Top Ten Lists subscreens list the top ten sessions, based upon the amount of data being received and transmitted, the duration, and the average throughput of the sessions. This is a useful monitoring tool to determine the users who are consuming the most resources on the concentrator. The information from this top ten list can also be invaluable when deciding what type of bandwidth policies you want to implement.

Figure 8.19. Monitoring Session subscreens.


General Statistics

In these pages of the Monitoring division, there is a mother lode of statistics for every aspect of the VPN Concentrator. This vast list of statistics includes all supported protocols, functions, and even MIB-II statistics that are utilized by SNMP management stations for management. Figure 8.20 displays the list of all the supported statistics that can be viewed in the Monitoring | Statistics menus. In addition, Figure 8.20 includes the MIB-II statistics submenus for those supported protocols and interfaces capable of supplying that information. For instance, if you want to view the ARP cache that the concentrator is maintaining to verify whether duplicate IPs exist on the network, you should select the Monitoring | Statistics | MIB-II | ARP Table.

Figure 8.20. Monitoring Statistics and MIB-II Statistics screens.




CSVPN Exam Cram 2 (Exam 642-511)
CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
EAN: 2147483647
Year: 2002
Pages: 185
