Cisco ASA multicontext S2S VPN tunnel SNMP monitoring

Michal Bruncko
Level 4

Hi folks,

I am fighting to retrieve site-to-site VPN tunnel status via SNMP. I am trying to get it from a multicontext-enabled Cisco ASA, version 9.6(4)20, via the IP address of the dedicated VPN ASA context.

 

- Firstly, I tried snmpwalk over OID 1.3.6.1.4.1.9.9.171 from the dedicated CISCO-IPSEC-FLOW-MONITOR-MIB for monitoring IPsec-based VPN tunnels, but unfortunately I was always getting "No Such Instance currently exists at this OID".

 

- Secondly, I tried snmpwalk over OID 1.3.6.1.4.1.9.9.392 from CISCO-REMOTE-ACCESS-MONITOR-MIB, which should be dedicated to RAS VPN instead, and here, yes, I finally get some info back. The problem is that the only attribute for monitoring this "RAS" session (in reality it is an IKEv2-based IPsec VPN tunnel) is crasSessionState, and it is returning the value "0". By definition crasSessionState is a SessionStatus-based attribute with the following valid values: initializing(1), established(2) and terminating(3); "0" is therefore not defined.

 

Guys, please, is there any restriction/bug that explains why CISCO-IPSEC-FLOW-MONITOR-MIB is not available under a Cisco ASA context for monitoring IKEv2-based IPsec VPN tunnels, while CISCO-REMOTE-ACCESS-MONITOR-MIB is available and used instead?

 

Thanks,

Michal

6 Replies

Cristian Matei
VIP Alumni

Hi,

 

   The correct OID to get IKE tunnels info seems to be 1.3.6.1.4.1.9.9.171.1.2.1, while for IPsec tunnels 1.3.6.1.4.1.9.9.171.1.3.1

 

Regards,

Cristian Matei.

Hello Cristian,

Thanks for the response.

Doing an snmpwalk over both OIDs I am receiving:

 

SNMPv2-SMI::enterprises.9.9.171.1.2.1 = No Such Object available on this agent at this OID

SNMPv2-SMI::enterprises.9.9.171.1.3.1 = No Such Object available on this agent at this OID

 

Trying with:

 

snmpwalk -v 2c -c community ip.ad.dr.es 1.3.6.1.4.1.9.9.171.1.2.1

snmpwalk -v 2c -c community ip.ad.dr.es 1.3.6.1.4.1.9.9.171.1.3.1

 

 

Hi,

 

   Can you try and specify the context name in your snmpwalk? Here's a reference.

 

Regards,

Cristian Matei.

Basically the reference is pointing to this command:

snmpwalk -v 2c -c public <context(user/admin) ip> ifDescr

where "<context(user/admin) ip>" is one string (IP or DNS name), as it is in brackets. As this string I am using the IP address of the VPN context of the ASA firewall. When I do:

snmpwalk -v 2c -c public <context(user/admin) ip> sysName

...I am receiving the correct name of the ASA VPN context. This is what I was trying/using in my attempts with various OIDs before. Now I have tried to use the "admin" context with the proposed OIDs, but the result is the same:

SNMPv2-SMI::enterprises.9.9.171.1.2.1 = No Such Object available on this agent at this OID

or

SNMPv2-SMI::enterprises.9.9.171.1.3.1 = No Such Object available on this agent at this OID

There is no other way to specify a context name in snmpwalk; you can only use the proper context IP address. Or am I missing something?
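The two replies above turn on a distinction worth automating: "No Such Object" means the agent does not implement the subtree at all, while "No Such Instance" means the subtree is implemented but currently has no rows, and a crasSessionState of 0 is outside the MIB's enumeration and should be reported as such rather than silently treated as "down". The script below is an added example, not code from the thread or from Cisco. It assumes net-snmp's snmpwalk is installed, that the context is polled at its own IP address (the thread establishes there is no separate context selector), and that the CISCO-* MIB files are loaded so rows print with symbolic names; the variable names, the 192.0.2.1 address and the SNMPWALK override hook are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a walk of the two VPN MIB
# subtrees returns from a per-context ASA management address.
# Assumptions: net-snmp snmpwalk; context polled at its own IP; CISCO-* MIBs
# loaded so rows print as "...::crasSessionState.<idx> = INTEGER: ...".

IPSEC_FLOW_MIB="1.3.6.1.4.1.9.9.171"      # CISCO-IPSEC-FLOW-MONITOR-MIB
REMOTE_ACCESS_MIB="1.3.6.1.4.1.9.9.392"   # CISCO-REMOTE-ACCESS-MONITOR-MIB

# walk_oid HOST COMMUNITY OID -> raw snmpwalk output (stderr merged so that
# "Timeout: No Response from ..." is classified too). SNMPWALK may be overridden,
# e.g. with an SNMPv3 wrapper or a stub for testing (hypothetical hook).
walk_oid() {
    ${SNMPWALK:-snmpwalk} -v 2c -c "$2" "$1" "$3" 2>&1
}

# classify_walk reads snmpwalk output on stdin and prints one word:
#   unsupported - "No Such Object": the agent does not implement the subtree
#   empty       - "No Such Instance": subtree implemented, but no rows right now
#   data        - at least one varbind was returned
#   error       - timeout, authentication failure, anything else
classify_walk() {
    out=$(cat)
    case "$out" in
        *"No Such Object"*)   echo unsupported ;;
        *"No Such Instance"*) echo empty ;;
        *"= "*)               echo data ;;
        *)                    echo error ;;
    esac
}

# decode_session_state reads snmpwalk lines on stdin and prints "<index> <state>"
# for every crasSessionState row. The MIB defines initializing(1), established(2)
# and terminating(3); any other value (the 0 seen in the thread) is reported as
# undefined(N) so a monitoring system does not mistake it for a known state.
decode_session_state() {
    grep 'crasSessionState' | while IFS= read -r line; do
        idx=${line#*crasSessionState.}; idx=${idx%% *}
        val=${line##*INTEGER: }
        val=${val##*(}; val=${val%)}      # accept both "2" and "established(2)"
        case "$val" in
            1) state=initializing ;;
            2) state=established ;;
            3) state=terminating ;;
            *) state="undefined($val)" ;;
        esac
        echo "$idx $state"
    done
}

# check_context HOST COMMUNITY: walk both subtrees from the context address,
# print which MIB the context actually serves, and decode any RAS session rows.
check_context() {
    host=$1; community=$2
    ipsec=$(walk_oid "$host" "$community" "$IPSEC_FLOW_MIB" | classify_walk)
    ras_out=$(walk_oid "$host" "$community" "$REMOTE_ACCESS_MIB")
    ras=$(printf '%s\n' "$ras_out" | classify_walk)
    echo "CISCO-IPSEC-FLOW-MONITOR-MIB: $ipsec"
    echo "CISCO-REMOTE-ACCESS-MONITOR-MIB: $ras"
    [ "$ras" = data ] && printf '%s\n' "$ras_out" | decode_session_state
    return 0
}

# Usage: check_context <vpn-context-ip> <community>
# e.g.   check_context 192.0.2.1 public   (192.0.2.1 is a documentation address)
```

Because the thread polls with `-v 2c`, the community string crosses the network in cleartext; for a production poller set `SNMPWALK` to a wrapper that calls `snmpwalk -v 3 -l authPriv -u <user> -a SHA -A <authpass> -x AES -X <privpass>` instead, which ASA 9.6 supports, and restrict the SNMP host entry on the context to the poller's address.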

Michal Bruncko
Level 4

For now it really looks like CISCO-IPSEC-FLOW-MONITOR-MIB is not available in multicontext ASA deployments. Can anybody confirm this please?

By the way, the ASA hardware used is a WS-SVC-ASA-SM1-K9.

Hi,

   

    The ASA-SM has those MIBs added as well. Whether there are MIB restrictions is not really documented (if there are, I suppose it's just a leftover from when multicontext did not have VPN capability). I would open a TAC case to confirm or refute this.

 

Regards,

Cristian Matei.
