FTD (Cisco FPR -2100) - IPSec Tunnels Monitoring

netbeginner (Level 2)

Hi All,

We have to monitor the status of the IPSec tunnels created on an FPR-2100 (managed by FMC) from a Network Monitoring System (NMS).

FPR IOS: 6.4.0.7 (Build 53).

The requirement is to monitor the status of all IPSec tunnels through the NMS. If any of the tunnels goes down, the NMS should trigger an event or alert, followed by generation of an auto-ticket from the ticketing tool.

We tried all possible options, but weren't able to find a solution, or even a workaround. If anyone has gone through such a problem, please share how it was sorted out.

Rgds

20 Replies

Hi Mohammed,

Thanks..

In our case the 2nd OID's counts are huge compared to the 1st OID's.

Almost 22 times higher.

That's not unusual. For instance, 5 local subnets with active traffic to 5 remote subnets could form as many as 25 IPsec SAs (depending on how the subnet masks are defined). That's all in one ISAKMP SA.

The common interpretation of "VPN tunnel" would be the active ISAKMP SAs.

Hi Marvin,

Thanks Marvin, I do understand what you are mentioning... But you are probably aware that the desired outcome of all these queries and exercises is to monitor the active IPSec tunnels for ticketing purposes (in case any of them goes down, we should have an incident on the tool).

But with the current circumstances and parameters, what we have on the NMS after polling the phase-1 and phase-2 OIDs doesn't look like I am even close to a solution.

We have approx. 45 IPSec tunnels in total, but are getting an IPSec phase-2 count of approx. 110 :-) which won't help to monitor the active tunnels on the NMS.

Monitor the ISAKMP SAs for general awareness of active IPsec VPNs. The IPSec SAs are generally not interesting unless you are engaged in active troubleshooting.
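Putting the two replies above into practice, this added example (not code from the thread or from Cisco) alerts on configured peers that have no active ISAKMP SA instead of on raw counters, and shows why the phase-2 counter dwarfs the phase-1 counter. The snmpwalk output and peer list are constructed; the object names cikeGlobalActiveTunnels, cipSecGlobalActiveTunnels and cikeTunRemoteValue are assumed from CISCO-IPSEC-FLOW-MONITOR-MIB and should be verified against the MIB loaded on your NMS.

```python
import re

# Constructed sample of resolved `snmpwalk` output. Object names are assumed from
# CISCO-IPSEC-FLOW-MONITOR-MIB; verify them against the MIB loaded on your NMS.
SAMPLE_WALK = """\
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeGlobalActiveTunnels.0 = Gauge32: 3
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecGlobalActiveTunnels.0 = Gauge32: 28
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunRemoteValue.1001 = STRING: "203.0.113.10"
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunRemoteValue.1002 = STRING: "203.0.113.20"
CISCO-IPSEC-FLOW-MONITOR-MIB::cikeTunRemoteValue.1003 = STRING: "198.51.100.7"
"""

# Peers configured on the FTD (constructed). Alert on a configured peer with no
# active ISAKMP SA rather than on raw counters, which are hard to interpret.
EXPECTED_PEERS = {"203.0.113.10", "203.0.113.20", "198.51.100.7", "198.51.100.9"}

LINE_RE = re.compile(r'^[\w-]+::(\w+)\.(\d+) = \w+: "?([^"]*)"?$')

def parse_walk(text):
    """Turn resolved snmpwalk lines into {object_name: {index: value}}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, idx, val = m.groups()
            table.setdefault(name, {})[int(idx)] = val
    return table

def active_peers(table):
    """Remote peers that currently hold an active ISAKMP (phase 1) SA."""
    return set(table.get("cikeTunRemoteValue", {}).values())

def down_peers(table, expected):
    """Configured peers with no ISAKMP SA: these are the ticket-worthy events."""
    return sorted(expected - active_peers(table))

def expected_phase2_max(selectors):
    """Upper bound on IPsec (phase 2) SAs for {peer: (local_subnets, remote_subnets)}.
    Each local/remote subnet pair may negotiate its own SA, so 5 x 5 gives 25 under
    one ISAKMP SA, which is why the phase-2 counter is far above the phase-1 counter."""
    return sum(len(loc) * len(rem) for loc, rem in selectors.values())

def check(walk_text, expected):
    """One polling cycle: return counters plus the peers to raise tickets for."""
    table = parse_walk(walk_text)
    return {
        "isakmp_active": int(table["cikeGlobalActiveTunnels"][0]),
        "ipsec_active": int(table["cipSecGlobalActiveTunnels"][0]),
        "down": down_peers(table, expected),
    }
```

Feed the output of a real snmpwalk of the cikeTunnelTable into `check()` on each NMS poll and open a ticket for every entry in `down`.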

OK...

But for the ISAKMP SAs (phase-1) we can see only 5 on the NMS (via the OID) out of 45 configured tunnels, which is again a wrong figure and isn't correct information.

Martin,

This is great information on how to set up Solarwinds to poll an ASA running FTD, but I'm running into a strange issue with the CLI polling. I entered my credentials and in the syslog I can see Solarwinds log in successfully, but the Solarwinds test fails with a timeout error. I suspect this has to do with the CLI on FTD, where it's not a traditional ASA CLI until you go into system support diagnostic-cli. Did you have to do anything special to get the login to work from Solarwinds? I have a 5516-X running 6.4.0.10 FTD. I am mainly wanting to get VPN stats for audits.

Thanks
