Looking for equivalent to "snmp-server ifindex persist" for IPSec tunnels

mat_rouch
Level 1

I have a Cisco 3945 router on which I am attempting to monitor several IPSec tunnels using SNMP. Specifically, I am using CISCO-IPSEC-FLOW-MONITOR-MIB to do so. I can use "cikeGlobalActiveTunnels.0", for example, to monitor the number of ISAKMP SAs currently up on the router. What I need to do, though, is monitor the state of a specific tunnel. The global commands do not differentiate one tunnel from another, so I tried to use cikePeerTable, cikeTunnelTable, etc. The problem with these is that the index number of a given tunnel changes every time the tunnel drops and comes back up. I tried using the "snmp-server ifindex persist" command to force the indices to remain static, but this appears to apply only to interfaces, not tunnels. It looks as though the ISAKMP index number selected is the connection ID of the ISAKMP SA.

Example:

---------------------------------------------------------------------------------
perm-coon00mn-1841#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA
dst             src             state               conn-id status
<dest1>    <source>    QM_IDLE           1001   ACTIVE
<dest2>    <source>    QM_IDLE           1004   ACTIVE

IPv6 Crypto ISAKMP SA

perm-coon00mn-1841#
---------------------------------------------------------------------------------

For the above SAs the indices of "cikeTunLocalType", for example, are 1 and 4, corresponding to conn-ids 1001 and 1004. This seems consistent. When I shut one tunnel down and then bring it back up, if it gets assigned conn-id 1006 then the tunnel index when I query via SNMP will be 6.

Is there any way to control this so that the tunnel index remains the same across tunnel state changes and router reboots, the way "snmp-server ifindex persist" does for interfaces?  In my SNMP monitoring tool I need to specify the index in order to get info on a particular tunnel, which I cannot do if the index is always changing.

Thanks,

-Mathew Rouch

2 Replies

Joe Clarke
Cisco Employee

The snmp-server ifindex persist command only applies to ifIndex values as you have seen.  The indices of the cikePeerTable should be well-defined, but the internal index may change on a tunnel flap.  The MIB documentation doesn't say that it would, but it is certainly possible.  The index structure would look like:

1."10.1.1.1".1."10.1.1.2".1006

Where 1 is the local type, "10.1.1.1" is the local end IP address, 1 is the remote type, "10.1.1.2" is the remote end IP address, and 1006 is the internal peer index.

The cikeTunnelTable on the other hand uses a unique monotonically increasing index each time a tunnel is created (cikeTunIndex).  You would need to walk the table and pull out the specific tunnel attributes to know if this was the tunnel you want to monitor.

The short answer is that you may need to script the collection of the table rows to dynamically regenerate your NMS configuration to continually monitor the interesting tunnels.
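Joe's suggestion of scripting the table walk, as an added Python example that is not from this thread: it parses Net-SNMP style walk output (a constructed sample), finds the cikeTunIndex currently in use for a given peer so the NMS instance OIDs can be regenerated, and splits the cikePeerTable index structure he describes into its fields. The column names cikeTunRemoteValue and cikeTunActiveTime are assumed from the MIB and do not appear in the post.

```python
import re

# Constructed sample of an snmpwalk over two cikeTunnelTable columns; the
# tunnel to 198.51.100.7 has just flapped and now sits at cikeTunIndex 6.
SAMPLE_WALK = """\
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunRemoteValue.1 = STRING: "192.0.2.10"
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunRemoteValue.6 = STRING: "198.51.100.7"
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunActiveTime.1 = INTEGER: 864000
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunActiveTime.6 = INTEGER: 1200
"""

# MIB::column.index = TYPE: value   (quotes around STRING values are optional)
WALK_LINE = re.compile(r'^(?:[\w-]+::)?(\w+)\.(\d+)\s*=\s*(\w+):\s*"?([^"]*)"?$')
NUMERIC_TYPES = {"INTEGER", "Gauge32", "Counter32", "Counter64"}

def parse_walk(text):
    """Return {column: {index: value}} from Net-SNMP style walk output."""
    table = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if not m:
            continue
        col, idx, typ, val = m.groups()
        table.setdefault(col, {})[int(idx)] = int(val) if typ in NUMERIC_TYPES else val

    return table

def tunnel_indices_for_peer(table, peer_ip):
    """cikeTunIndex values whose remote peer is peer_ip; empty if the tunnel is down."""
    rows = table.get("cikeTunRemoteValue", {})
    return sorted(idx for idx, val in rows.items() if val == peer_ip)

def poll_oids_for_peer(table, peer_ip, column="cikeTunActiveTime"):
    """Instance OIDs the NMS should poll for this peer after the latest walk."""
    return [f"{column}.{idx}" for idx in tunnel_indices_for_peer(table, peer_ip)]

# cikePeerTable index as Net-SNMP prints it: type."addr".type."addr".intIndex
PEER_INDEX = re.compile(r'^(\d+)\."([^"]+)"\.(\d+)\."([^"]+)"\.(\d+)$')

def decode_peer_index(index):
    """Split a cikePeerTable index such as 1."10.1.1.1".1."10.1.1.2".1006."""
    m = PEER_INDEX.match(index)
    if not m:
        raise ValueError(f"unrecognised cikePeerTable index: {index!r}")
    local_type, local, remote_type, remote, int_index = m.groups()
    return {"local_type": int(local_type), "local": local,
            "remote_type": int(remote_type), "remote": remote,
            "int_index": int(int_index)}
```

Re-run the walk on a schedule and diff the returned OID list against the NMS configuration; an empty list for a peer means its tunnel is not present in the table at that moment.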

vpnttg001
Level 1

Hello,

Check out VPNTTG (VPN Tunnel Traffic Grapher), software for SNMP monitoring and measuring the traffic load of IPsec (Site-to-Site, Remote Access) and SSL (with client, clientless) VPN tunnels on a Cisco ASA. It allows the user to see the traffic load on a VPN tunnel over time in graphical form.

The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. VPNTTG, however, works with the VPN peer's IP address and stores historical monitoring data for each VPN tunnel in the database.

For more information about VPNTTG please visit www.vpnttg.com
