IPSEC SNMP Issue

damprieto86
Level 1

Hi to all,

I have an odd problem with the Cisco MIB for IPsec:

We have a GETVPN network established for one client. Everything related to encryption works fine between group members (IKE phase 1 and 2). Our client asked us to monitor all active VPN tunnels in all group members, so we decided to check cipSecGlobalActiveTunnels in all group members to verify all active IPsec sessions between GMs. The problem is that when we check cipSecGlobalActiveTunnels while no IPsec session is established (i.e. ISAKMP and IPsec are disabled), the SNMP object returns a nonzero value: it returns "2". That means two active IPsec sessions, but no IPsec session is established when we check on the CLI.

First I thought it might be a software bug, but we have an identical solution for another customer, monitoring the same SNMP object, and there the SNMP object returns the correct value when IPsec is disabled (returns "0" active tunnels), and it is a GETVPN infrastructure too. We compared the IOS on the routers of the different solutions and it is the same:

sh ver | inc IOS

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)

When IPsec and ISAKMP are enabled and IPsec sessions are active, SNMP again returns the total of active IPsec sessions plus 2, but the other solution shows just the total of active IPsec sessions.

The two solutions differ only in Phase 1 authentication (the odd one uses certificates and the normal one uses PSK).

Any ideas about this issue?

Thanks in advance.

Damián

3 Replies

Joe Clarke
Cisco Employee

It could be due to a problem in the clearing of a previous IPSec tunnel.  If there is an error reporting a tunnel termination, then the stats counter is not properly decremented.  There was also a bug in which the "clear crypto session" command did not return this object to a zero value (but that bug could never be reproduced internally).  If you enable "debug crypto mib error" and "debug crypto mib detail", any future problems decrementing the active tunnel counter should be seen in the router log.  However, you may not want that extra overhead.  In any event, a reboot will return the object to zero.  If you find you are able to reliably reproduce this problem, opening a TAC service request would be a good idea.  You can point your engineer to CSCsl16701 which describes the "clear crypto session" issue.

Thanks for your help Joe, I'll try your suggestions right now. I will post the results soon.

Damián

Hi Joe:

Finally I performed the test you recommended on one router with IPsec SNMP issues. First I enabled the debug crypto mib error and debug crypto mib detail commands and verified the results after disabling the crypto map on the interface. The logs show entries like this:

Jan 28 17:56:14.404: crypto_index_array_add:ipsec_fail:  vrf_id:0 | ring index:263
Jan 28 17:56:14.404: crypto_index_array_add:ipsec_fail:  Index at which vrf_id is inserted:199
Jan 28 17:56:14.404: crypto_index_array_add:ipsec_fail:  Value of index in array at index (199): 263
Jan 28 17:56:14.404: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.404: IPSec active tunnels: 24,IPSec previous tunnels: 264

The IPsec active tunnels count begins with 26 and ends with 2 active tunnels. After the crypto map is enabled, the log entries show:

begins with:

Jan 28 18:00:46.932: IPSec active tunnels : 3
notify_mib_ipsec_tunnel_activation: peer has  vdi ptr set 0x656DE8B8
scmIpSecTunnelCreated (IKE SA:32)

ends with:

an 28 18:00:46.956: scmIPSecTunnelCreated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 18:00:46.956: IPSec active tunnels : 26
notify_mib_ipsec_tunnel_activation: peer has  vdi ptr set 0x656DE8B8
scmIpSecTunnelCreated (IKE SA:32)
...new ipsidx:310

Again, the router MIB shows 26 IPsec tunnels, but manually checking on the router, it only shows 24 IPsec tunnels.

  873 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.81.126
  874 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.81.126
  875 Fa0/0      IPsec 3DES+SHA                  0        0 0.0.0.0
  876 Fa0/0      IPsec 3DES+SHA                  0        0 0.0.0.0
  877 Fa0/0      IPsec 3DES+SHA                  0     2347 10.12.0.0
  878 Fa0/0      IPsec 3DES+SHA               2439        0 10.12.0.0
  879 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.0.0
  880 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.0.0
  881 Fa0/0      IPsec 3DES+SHA                  0       77 10.12.0.0
  882 Fa0/0      IPsec 3DES+SHA                 79        0 10.12.0.0
  883 Fa0/0      IPsec 3DES+SHA                  0        0 10.133.0.0
  884 Fa0/0      IPsec 3DES+SHA                  0        0 10.133.0.0
  885 Fa0/0      IPsec 3DES+SHA                  0        1 10.12.0.0
  886 Fa0/0      IPsec 3DES+SHA                  4        0 10.12.0.0
  887 Fa0/0      IPsec 3DES+SHA                  0        0 10.134.0.0
  888 Fa0/0      IPsec 3DES+SHA                  0        0 10.134.0.0
  889 Fa0/0      IPsec 3DES+SHA                  0       96 10.12.0.0
  890 Fa0/0      IPsec 3DES+SHA                114        0 10.12.0.0
  891 Fa0/0      IPsec 3DES+SHA                  0        0 10.136.0.0
  892 Fa0/0      IPsec 3DES+SHA                  0        0 10.136.0.0
  893 Fa0/0      IPsec 3DES+SHA                  0        0 10.12.0.0
  894 Fa0/0      IPsec 3DES+SHA                  0        0 10.12.0.0
  895 Fa0/0      IPsec 3DES+SHA                  0        0 10.135.0.0
  896 Fa0/0      IPsec 3DES+SHA                  0        0 10.135.0.0
  897 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  898 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  899 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.0.0
  900 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.0.0
  901 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  902 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  903 Fa0/0      IPsec 3DES+SHA                  0        0 10.133.0.0
  904 Fa0/0      IPsec 3DES+SHA                  0        0 10.133.0.0
  905 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  906 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  907 Fa0/0      IPsec 3DES+SHA                  0        0 10.134.0.0
  908 Fa0/0      IPsec 3DES+SHA                  0        0 10.134.0.0
  909 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  910 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  911 Fa0/0      IPsec 3DES+SHA                  0        0 10.136.0.0
  912 Fa0/0      IPsec 3DES+SHA                  0        0 10.136.0.0
  913 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  914 Fa0/0      IPsec 3DES+SHA                  0        0 10.10.0.0
  915 Fa0/0      IPsec 3DES+SHA                  0        0 10.135.0.0
  916 Fa0/0      IPsec 3DES+SHA                  0        0 10.135.0.0
  917 Fa0/0      IPsec 3DES+SHA                  0        0 10.12.0.0
  918 Fa0/0      IPsec 3DES+SHA                  0        0 10.12.0.0
  919 Fa0/0      IPsec 3DES+SHA                  0        0 10.161.0.0
  920 Fa0/0      IPsec 3DES+SHA                  0        0 10.161.0.0
2299      IKE   SHA+3DES                  0        0
4034 Fa0/0      IKE   SHA+3DES                  0        0 10.12.99.1

I decided to open a TAC request following your recommendations; even after restarting the router the MIB problems persist.

Thanks for your help.

Damián
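The monitoring problem the thread describes (cipSecGlobalActiveTunnels reporting more tunnels than the CLI shows) can be caught by cross-checking the SNMP value against the per-SA table from "show crypto engine connections active" and the "IPSec active tunnels" lines from "debug crypto mib detail". The script below is an added example, not code from the thread or from Cisco; the sample CLI and debug lines are constructed in the format quoted above, the SNMP value is passed in as an integer (fetching it is left to whatever SNMP poller is in use), and the assumption that each IPsec tunnel appears as two SA rows (inbound and outbound) is what makes the thread's 48 rows line up with its 24 tunnels.

```python
import re
from collections import Counter

# Constructed sample rows in the format of "show crypto engine connections active"
# (a few rows only; the thread's full table has 48 IPsec SA rows for 24 tunnels).
SAMPLE_CLI = """\
  873 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.81.126
  874 Fa0/0      IPsec 3DES+SHA                  0        0 10.132.81.126
  877 Fa0/0      IPsec 3DES+SHA                  0     2347 10.12.0.0
  878 Fa0/0      IPsec 3DES+SHA               2439        0 10.12.0.0
 2299      IKE   SHA+3DES                  0        0
 4034 Fa0/0      IKE   SHA+3DES                  0        0 10.12.99.1
"""

# Constructed sample lines in the format of "debug crypto mib detail" output.
SAMPLE_DEBUG = """\
Jan 28 17:56:14.404: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.404: IPSec active tunnels: 24,IPSec previous tunnels: 264
"""

# id, optional interface, SA type, algorithms, encrypt count, decrypt count, optional peer/subnet
ROW_RE = re.compile(
    r'^\s*(\d+)\s+(?:(\S+)\s+)?(IPsec|IKE)\s+(\S+)\s+(\d+)\s+(\d+)(?:\s+(\S+))?\s*$')


def parse_crypto_engine(output):
    """Return (ipsec_sa_rows, ike_sa_rows) counted from the CLI table."""
    counts = Counter()
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts['IPsec'], counts['IKE']


def parse_debug_active(log):
    """Return the last 'IPSec active tunnels' value the MIB debug logged, or None."""
    last = None
    for line in log.splitlines():
        m = re.search(r'IPSec active tunnels\s*:\s*(\d+)', line)
        if m:
            last = int(m.group(1))
    return last


def check_drift(snmp_active, cli_output, sas_per_tunnel=2):
    """Compare the SNMP counter with the CLI-derived tunnel count (assumption: 2 SAs per tunnel)."""
    ipsec_sas, _ = parse_crypto_engine(cli_output)
    cli_tunnels = ipsec_sas // sas_per_tunnel
    drift = snmp_active - cli_tunnels
    return {'snmp': snmp_active, 'cli': cli_tunnels, 'drift': drift, 'ok': drift == 0}
```

A non-zero drift that stays constant across crypto map disable/enable cycles (the "+2" in the thread) points at a stale counter rather than a real tunnel, which is the evidence worth attaching to a TAC case.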
