Manual Chapter: Troubleshooting an IPsec Tunnel
Applies To:
BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Troubleshoot an unhealthy IPsec tunnel using performance statistics
Before you can troubleshoot the tunnel using statistics:
- You must have configured BIG-IQ to display statistics for your IPsec tunnel.
- You need to know the IP address or host name of the BIG-IP devices that form the IPsec tunnel.
When you learn that an IPsec tunnel is unhealthy (for example, your helpdesk might have opened a ticket), you can use the IPsec performance statistics to troubleshoot the tunnel.
If one end of the tunnel uses a device other than a BIG-IP device, you can troubleshoot only the end that is a BIG-IP device.
1. At the top of the screen, click Devices.
2. Find one of the BIG-IP devices that form the IPsec tunnel.
   - If you have the IP address of the device, from the Filter selector, select Address and type the IP address of the BIG-IP device.
   - If you have the host name of the device, from the Filter selector, select Device Name and type the host name of the BIG-IP device.
   The filter you created displays at the top of the screen and only the BIG-IP device you identified is listed.
3. Click the device name for the BIG-IP device. The properties screen for the device opens.
4. On the left, click Health. A health summary screen displays current usage levels for the device.
5. In the upper right corner, click View Health Statistics. The Device Health statistics summary page opens, displaying data only for the selected BIG-IP device.
6. Scan the graphs for details about the device's performance that reveal the source of the issue. If you find the issue, skip to step 11.
7. In the upper left corner, click the back arrow. The health summary screen for the device opens again.
8. In the upper right corner, click View Traffic Statistics. The Device Traffic statistics summary page opens, displaying data only for the selected BIG-IP device.
9. Scan the graphs for details about the device's performance that reveal the source of the issue. If you find the issue, skip to step 11.
10. If you don't find the source of the problem after examining the traffic and device health statistics, delete the filter you created in step 2, and then repeat the last 8 steps for the other BIG-IP device in the IPsec tunnel. If only one end of the tunnel is made up of a BIG-IP device, proceed to the task Troubleshoot an unhealthy IPsec tunnel using event logs to see if you can isolate the issue by inspecting the IPsec event logs. If you find the issue, skip to step 11.
11. Fix the issues you discovered with the configuration objects, and then deploy those changes to the relevant BIG-IP devices to resolve the problem.
If you were not able to isolate the cause of the issue, perform the task: Troubleshoot an unhealthy IPsec tunnel using event logs.
Troubleshoot an unhealthy IPsec tunnel using event logs
Before you can troubleshoot a tunnel by examining the IPsec event logs, you must have configured IPsec event logging. (See Configure IPsec event viewing on the BIG-IQ for details.)
When you learn that an IPsec tunnel is unhealthy (for example, your helpdesk might have opened a ticket), you can troubleshoot the tunnel by examining the IPsec event logs.
- At the top of the screen, click Monitoring, then, on the left, click . The IPsec Event Logs screen opens and displays all of the logs collected from your IPsec tunnel.
- Use the DEVICE, TIMEFRAME, and LOG LEVEL filters to display the logs that you think will reveal the source of the issue.
- Analyze the log of events to find the issue that is causing the IPsec tunnel to perform improperly.
- Fix the issues you discover, and then deploy those changes to the relevant BIG-IP devices.