03-24-2020 05:54 AM
hi folks
I am fighting to retrieve site-to-site VPN tunnel status via SNMP. I am trying to get it from a multicontext-enabled Cisco ASA version 9.6(4)20, from the VPN-dedicated ASA context IP address.
- First I tried snmpwalk over OID 1.3.6.1.4.1.9.9.171 from the dedicated CISCO-IPSEC-FLOW-MONITOR-MIB for monitoring IPSec-based VPN tunnels, but unfortunately I was always getting "No Such Instance currently exists at this OID".
- Secondly I've tried snmpwalk over OID 1.3.6.1.4.1.9.9.392 from CISCO-REMOTE-ACCESS-MONITOR-MIB, which should be dedicated to RAS VPN instead, and here, yes, I finally get some info back. The problem here is that the only attribute for monitoring this "RAS" session (in reality it's an IKEv2-based IPSec VPN tunnel) is crasSessionState, but it is returning the value "0". By definition crasSessionState is a SessionStatus-based attribute with the following valid values: initializing(1), established(2) and terminating(3), and "0" is therefore not defined.
Guys, please, is there any restriction/bug why CISCO-IPSEC-FLOW-MONITOR-MIB is not available under a Cisco ASA context for monitoring IKEv2-based IPSec VPN tunnels, while CISCO-REMOTE-ACCESS-MONITOR-MIB is available and used instead?
thanks
michal
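A monitoring-side parser for the snmpwalk output described in this post, added here as an example (it is not from the thread or from Cisco): it classifies "No Such Object"/"No Such Instance" replies by MIB subtree and decodes crasSessionState, flagging any value outside 1..3 (such as the "0" above) as undefined instead of treating it as a tunnel state. The sample lines are constructed from the thread's output; the session indexes 41/42 are made up.

```python
import re

# Subtrees discussed in the thread, keyed by the numeric suffix snmpwalk prints.
MIB_BY_PREFIX = {"enterprises.9.9.171": "CISCO-IPSEC-FLOW-MONITOR-MIB",
                 "enterprises.9.9.392": "CISCO-REMOTE-ACCESS-MONITOR-MIB"}
# crasSessionState values defined by the MIB; any other integer (the "0" seen
# in the thread) is undefined and must be flagged, not silently treated as "down".
SESSION_STATE = {1: "initializing", 2: "established", 3: "terminating"}
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<value>.*)$")
# Matches both "INTEGER: 2" and the MIB-resolved form "INTEGER: established(2)".
INT_RE = re.compile(r"INTEGER:\s*(?:[A-Za-z]\w*\()?(\d+)\)?\s*$")

def classify(line):
    """Map one snmpwalk line to (oid, kind, detail); None for non-varbind lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid, value = m.group("oid"), m.group("value")
    if value.startswith(("No Such Object", "No Such Instance")):
        mib = next((n for p, n in MIB_BY_PREFIX.items() if p in oid or n in oid), "unknown MIB")
        return (oid, "absent", mib)  # the agent does not expose this subtree at all
    if "crasSessionState" in oid:
        iv = INT_RE.search(value)
        state = int(iv.group(1)) if iv else None
        if state in SESSION_STATE:
            return (oid, "state", SESSION_STATE[state])
        return (oid, "undefined", f"crasSessionState={state!r} not in {sorted(SESSION_STATE)}")
    return (oid, "other", value)

def summarize(text):
    """Aggregate a whole walk: absent MIBs, per-state counts, OIDs with undefined values."""
    out = {"absent_mibs": set(), "states": {}, "undefined": []}
    for oid, kind, detail in filter(None, map(classify, text.splitlines())):
        if kind == "absent":
            out["absent_mibs"].add(detail)
        elif kind == "state":
            out["states"][detail] = out["states"].get(detail, 0) + 1
        elif kind == "undefined":
            out["undefined"].append(oid)  # alert: value the MIB does not define
    return out

# Constructed sample: the two "No Such Object" lines from the thread plus two
# crasSessionState rows (session indexes 41/42 are invented).
SAMPLE = """\
SNMPv2-SMI::enterprises.9.9.171.1.2.1 = No Such Object available on this agent at this OID
SNMPv2-SMI::enterprises.9.9.171.1.3.1 = No Such Object available on this agent at this OID
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState.41 = INTEGER: 0
CISCO-REMOTE-ACCESS-MONITOR-MIB::crasSessionState.42 = INTEGER: established(2)
"""
```

Run `summarize(SAMPLE)` to see the absent MIB, the one established session and the OID carrying the undefined 0.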
03-24-2020 06:35 AM
Hi,
The correct OID to get IKE tunnels info seems to be 1.3.6.1.4.1.9.9.171.1.2.1, while for IPsec tunnels 1.3.6.1.4.1.9.9.171.1.3.1
Regards,
Cristian Matei.
03-24-2020 06:56 AM
Hello Cristian
thanks for response.
Doing snmpwalk over both OIDs, I am receiving:
SNMPv2-SMI::enterprises.9.9.171.1.2.1 = No Such Object available on this agent at this OID
SNMPv2-SMI::enterprises.9.9.171.1.3.1 = No Such Object available on this agent at this OID
trying with:
snmpwalk -v 2c -c community ip.ad.dr.es 1.3.6.1.4.1.9.9.171.1.2.1
snmpwalk -v 2c -c community ip.ad.dr.es 1.3.6.1.4.1.9.9.171.1.3.1
03-24-2020 07:44 AM
Hi,
Can you try and specify the context name in your snmpwalk? Here's a reference.
Regards,
Cristian Matei.
03-24-2020 08:08 AM
basically the reference is pointing to this command:
snmpwalk -v 2c -c public <context(user/admin) ip> ifDescr
where "<context(user/admin) ip>" is one string (IP or DNS name), as it is in brackets. As this string I am using the IP address of the VPN context of the ASA firewall. When I do:
snmpwalk -v 2c -c public <context(user/admin) ip> sysName
...I am receiving the correct name of the ASA VPN context. This is what I was trying/using in my attempts with various OIDs before. Now I've tried to use the "admin" context with the proposed OIDs, but the result is the same:
SNMPv2-SMI::enterprises.9.9.171.1.2.1 = No Such Object available on this agent at this OID
or
SNMPv2-SMI::enterprises.9.9.171.1.3.1 = No Such Object available on this agent at this OID
There is no other way to specify the context name in snmpwalk, only by using the proper context IP address. Or am I missing something?
03-25-2020 03:02 AM
For now it really looks like CISCO-IPSEC-FLOW-MONITOR-MIB is not available in multicontext ASA deployments. Can anybody confirm this please?
By the way, the ASA HW used is WS-SVC-ASA-SM1-K9.
03-25-2020 03:38 AM
Hi,
The ASA-SM has those MIBs added as well. As it is not really documented whether there are MIB restrictions (if there are, I suppose it's just a leftover from when multicontext did not have VPN capability), I would open a TAC case to confirm/infirm.
Regards,
Cristian Matei.