topic Re: How do you monitor your IPSec connections?? in Network Security

How do you monitor your IPSec connections??

Michael Bartholomæussen — Fri, 21 Feb 2020 16:34:18 GMT

Picking at an old topic here. We have a PRTG installation for monitoring, but It can't handle all IPSec via SNMP.

How do you monitor IPSec connections on ASA, and alert on them? Tools, scripts, anything...

Best regards,

Michael

Re: How do you monitor your IPSec connections??

Sheraz.Salim — Thu, 13 Dec 2018 09:15:39 GMT

check these link might it help you

https://community.cisco.com/t5/security-analytics-and/vpn-monitoring-solution/td-p/742353

https://community.cisco.com/t5/networking-documents/how-can-i-monitor-vpn-tunnel-status-through-snmp/ta-p/3130785

Re: How do you monitor your IPSec connections??

Michael Bartholomæussen — Thu, 13 Dec 2018 09:31:42 GMT

I was unaware of Security Manager until now, I'll have to give it a try.

The snmp approach adds additional manual steps, since the OID changes when the tunnel re-keys. One would have to lookup the new value, and then change the monitoring to poll the new OID. This could potential give false alerts in the time span between a new OID and script execution. I might have approached it the wrong why. so there could be someone who has this running?

Re: How do you monitor your IPSec connections??

Mohammed al Baqari — Thu, 13 Dec 2018 10:08:02 GMT

Hi,

Did you try OID 1.3.6.1.4.1.9.9.171. It is for monitoring IPSec VPN

https://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.171

Re: How do you monitor your IPSec connections??

Michael Bartholomæussen — Thu, 13 Dec 2018 10:53:46 GMT

Yes, I did look at the IP_SEC_FLOW_MONITOR mib, and the output is like this ->

cikeTunStatus.12640256

active(1)

cikeTunStatus.12787712

active(1)

cikeTunStatus.12800000

active(1)

cikeTunStatus.12808192

active(1)

cikeTunStatus.12820480

active(1)

cikeTunStatus.12865536

active(1)

Where cikeTunStatus = 1.3.6.1.4.1.9.9.171.1.2.3.1.+(TUNNEL OID = 12820480). when the tunnel flaps or re-keys den OID changes. I can lookup the remote peer IP multiple places, to get the new OID, but some automation would have to lookup the new value, and update en entire OID in the monitoring software.

I'm trying Cisco security manager, but the installer takes forever. VPNTTG is able to provide the correct output (havn't tried it, but they promise that it can do the job)

Re: How do you monitor your IPSec connections??

Marvin Rhoads — Thu, 13 Dec 2018 11:05:13 GMT

I'm not sure how they handle the OID, but SolarWinds NPM seems to work fine at monitoring IPsec VPNs.

CSM wouldn't be a good strategic investment in my opinion. I wouldn't be surprised to see it retired in the next year or two.

Re: How do you monitor your IPSec connections??

Mohammed al Baqari — Thu, 13 Dec 2018 11:45:02 GMT

Agreed Marvin. I use solarwinds and using universal device poller you
schedule polling intervals for any OID and display it on chart

Re: How do you monitor your IPSec connections??

Michael Bartholomæussen — Thu, 13 Dec 2018 11:53:24 GMT

I agree, that CSM wouldn't be a viable solution - did Prime Security Manager provide this feature, despite that it's EOL, in favor for FMC on FTD?

How does NPM handle the dynamic OID?

Re: How do you monitor your IPSec connections??

balaji.bandi — Thu, 13 Dec 2018 15:48:17 GMT

We do out of the box using Linux connect to ASA and get the out and graph them using elastic dash board.

Example as below : ( poll every 5min and get the details and make a graph)

sh vpn-sessiondb detail anyconnect