Manual Chapter: Troubleshooting an IPsec Tunnel

Applies To:

BIG-IQ Centralized Management

  • 5.3.0

Troubleshoot an unhealthy IPsec tunnel using performance statistics

Before you can troubleshoot the tunnel using statistics:
  • You must have configured BIG-IQ® to display statistics for your IPsec tunnel.
  • You need to know the IP address or host name of the BIG-IP® devices that form the IPsec tunnel.
When you learn that an IPsec tunnel is unhealthy (for example, your helpdesk might have opened a ticket), you can use the IPsec performance statistics to troubleshoot the tunnel.
Note: If one end of the tunnel uses a device other than a BIG-IP device, you can troubleshoot only the end of the tunnel that uses a BIG-IP device.
  1. At the top of the screen, click Devices.
  2. Find one of the BIG-IP devices that form the IPsec tunnel.
    • If you have the IP address of the device, from the Filter selector, select Address and type the IP address of the BIG-IP device.
    • If you have the host name of the device, from the Filter selector, select Device Name and type the host name of the BIG-IP device.
    The filter you created displays at the top of the screen and only the BIG-IP device you identified is listed.
  3. Click the device name for the BIG-IP device.
    The properties screen for the device opens.
  4. On the left, click Health.
    A health summary screen displays current usage levels for the device.
  5. In the upper right corner, click View Health Statistics.
    The Device Health statistics summary page opens, displaying data only for the selected BIG-IP device.
  6. Scan the graphs for details about the device's performance that reveal the source of the issue. If you find the issue, skip to step 11.
  7. In the upper left corner, click the back arrow.
    The health summary screen for the device opens again.
  8. In the upper right corner, click View Traffic Statistics.
    The Device Traffic statistics summary page opens, displaying data only for the selected BIG-IP device.
  9. Scan the graphs for details about the device's performance that reveal the source of the issue. If you find the issue, skip to step 11.
  10. If you don't find the source of the problem after examining the traffic and device health statistics, delete the filter you created in step 2, and then repeat the last 8 steps for the other BIG-IP device in the IPsec tunnel. If only one end of the tunnel is made up of a BIG-IP device, proceed to the task Troubleshoot an unhealthy IPsec tunnel using event logs, to see if you can isolate the issue by inspecting the IPsec event logs. If you find the issue, skip to step 11.
  11. Fix the issues you discovered with the configuration objects, and then deploy those changes to the relevant BIG-IP devices to resolve the problem.
If you were not able to isolate the cause of the issue, perform the task: Troubleshoot an unhealthy IPsec tunnel using event logs.

Troubleshoot an unhealthy IPsec tunnel using event logs

Before you can troubleshoot a tunnel by examining the IPsec event logs, you must have configured IPsec event logging. (See Configure IPsec event viewing on the BIG-IQ for details.)
When you learn that an IPsec tunnel is unhealthy (for example, your helpdesk might have opened a ticket), you can troubleshoot the tunnel by examining the IPsec event logs.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > IPsec and click Events.
    The IPsec Event Logs screen opens and displays all of the logs collected from your IPsec tunnel.
  3. Use the DEVICE, TIMEFRAME, and LOG LEVEL filters to display the logs that you think will reveal the source of the issue.
  4. Analyze the log of events to find the issue that is causing the IPsec tunnel to perform improperly.
  5. Fix the issues you discover, and then deploy those changes to the relevant BIG-IP® devices.