12-13-2018 12:05 AM - edited 02-21-2020 08:34 AM
Picking at an old topic here. We have a PRTG installation for monitoring, but it can't handle all IPsec via SNMP.
How do you monitor IPSec connections on ASA, and alert on them? Tools, scripts, anything...
Best regards,
Michael
12-13-2018 01:15 AM
Check this link, it might help you:
https://community.cisco.com/t5/security-analytics-and/vpn-monitoring-solution/td-p/742353
12-13-2018 01:31 AM
I was unaware of Security Manager until now, I'll have to give it a try.
The SNMP approach adds additional manual steps, since the OID changes when the tunnel re-keys. One would have to look up the new value and then change the monitoring to poll the new OID. This could potentially give false alerts in the time span between a new OID and script execution. I might have approached it the wrong way, so maybe there is someone who has this running?
12-13-2018 02:08 AM
12-13-2018 02:53 AM
Yes, I did look at the IP_SEC_FLOW_MONITOR mib, and the output is like this ->
cikeTunStatus.12640256 | active(1) |
cikeTunStatus.12787712 | active(1) |
cikeTunStatus.12800000 | active(1) |
cikeTunStatus.12808192 | active(1) |
cikeTunStatus.12820480 | active(1) |
cikeTunStatus.12865536 | active(1) |
Where cikeTunStatus = 1.3.6.1.4.1.9.9.171.1.2.3.1.+(TUNNEL OID = 12820480). When the tunnel flaps or re-keys, the OID changes. I can look up the remote peer IP in multiple places to get the new OID, but some automation would have to look up the new value and update the entire OID in the monitoring software.
I'm trying Cisco Security Manager, but the installer takes forever. VPNTTG is able to provide the correct output (haven't tried it, but they promise that it can do the job).
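One way around the changing index, as an added example that is not part of the thread or of any Cisco tool: instead of polling a fixed cikeTunStatus.&lt;index&gt; OID, walk two columns of the cikeTunnelTable (cikeTunRemoteValue and cikeTunStatus), join them on the tunnel index, and key the monitoring on the remote peer instead of on the index. The column numbers 7 and 35 are my reading of CISCO-IPSEC-FLOW-MONITOR-MIB and should be checked against the MIB you load; the snmpwalk output below is constructed to match the thread's indexes, and the peer addresses and expected-peer list are assumptions.

```python
"""Alert on IPsec peers by remote address, not by cikeTunnelTable index.

The ASA reuses the cikeTunnelTable with a fresh index after every IKE
re-key or flap, so a monitor that polls cikeTunStatus.<index> goes stale.
Walking the table and joining on the index keeps the alert bound to the
peer. Feed this function the text of, for example (numeric OIDs, -On):

    snmpwalk -v3 ... -On <asa> 1.3.6.1.4.1.9.9.171.1.2.3.1.7    # remote value
    snmpwalk -v3 ... -On <asa> 1.3.6.1.4.1.9.9.171.1.2.3.1.35   # status

This is an added example, not code from the thread. Column numbers are
an assumption taken from CISCO-IPSEC-FLOW-MONITOR-MIB; verify them.
"""
import re
from collections import defaultdict

CIKE_TUNNEL_ENTRY = "1.3.6.1.4.1.9.9.171.1.2.3.1"
COL_REMOTE_VALUE = "7"   # cikeTunRemoteValue: peer identity, normally its IP (assumed column)
COL_STATUS = "35"        # cikeTunStatus: active(1) / destroy(2)      (assumed column)
STATUS_NAMES = {1: "active", 2: "destroy"}

# Matches both ".1.3.6.1.4.1.9.9.171.1.2.3.1.7.12820480 = STRING: ..." and
# "SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.12820480 = STRING: ..." lines.
LINE_RE = re.compile(
    r"^.*?\.9\.9\.171\.1\.2\.3\.1\.(?P<col>\d+)\.(?P<idx>\d+)\s*=\s*"
    r"(?P<type>[A-Za-z0-9-]+):\s*(?P<val>.*)$"
)

# Constructed sample walk: two SAs for 198.51.100.9 mid re-key (old one
# in destroy, new one active) and one active SA for 203.0.113.5.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.12640256 = STRING: "203.0.113.5"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.12787712 = STRING: "198.51.100.9"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.12820480 = STRING: "198.51.100.9"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.35.12640256 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.35.12787712 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.35.12820480 = INTEGER: 1
"""

# Assumed list of peers that must always have an active IKE SA.
EXPECTED_PEERS = ["203.0.113.5", "198.51.100.9", "192.0.2.77"]


def parse_walk(text):
    """Return {tunnel_index: {column: value}} from snmpwalk output."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rows[m.group("idx")][m.group("col")] = m.group("val").strip().strip('"')
    return rows


def status_code(raw):
    """Accept 'INTEGER: 1' style values as well as 'active(1)' from MIB-aware walks."""
    m = re.search(r"\d+", raw)
    return int(m.group()) if m else None


def tunnels_by_peer(text):
    """Join remote value and status on the index: {peer: [(index, status), ...]}."""
    peers = defaultdict(list)
    for idx, cols in parse_walk(text).items():
        peer = cols.get(COL_REMOTE_VALUE)
        if peer is None:
            continue
        code = status_code(cols.get(COL_STATUS, ""))
        peers[peer].append((idx, STATUS_NAMES.get(code, "unknown")))
    return dict(peers)


def check_peers(text, expected_peers):
    """Alert only when a peer has no active SA at all.

    A peer that shows one SA in destroy and another active is re-keying,
    which is normal and must not raise an alert.
    """
    seen = tunnels_by_peer(text)
    alerts = []
    for peer in expected_peers:
        states = [state for _, state in seen.get(peer, [])]
        if "active" not in states:
            alerts.append(f"{peer}: no active IKE SA (seen: {states or 'none'})")
    return alerts


if __name__ == "__main__":
    for alert in check_peers(SAMPLE_WALK, EXPECTED_PEERS):
        print("ALERT", alert)
```

Run it on a cron schedule (or from a PRTG custom sensor) and alert on the returned list: the peer stays the stable key, and a re-key that swaps the index between two polls is treated as up as long as one SA for that peer is active.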
12-13-2018 03:05 AM
I'm not sure how they handle the OID, but SolarWinds NPM seems to work fine at monitoring IPsec VPNs.
CSM wouldn't be a good strategic investment in my opinion. I wouldn't be surprised to see it retired in the next year or two.
12-13-2018 03:45 AM
12-13-2018 03:53 AM
I agree that CSM wouldn't be a viable solution. Did Prime Security Manager provide this feature, despite being EOL in favor of FMC on FTD?
How does NPM handle the dynamic OID?
12-13-2018 07:48 AM
We do it out of the box using Linux: connect to the ASA, get the output, and graph it using an Elastic dashboard.
Example as below (poll every 5 min, get the details and make a graph):
sh vpn-sessiondb detail anyconnect
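The parsing step that sits between that command and the dashboard, as an added example that is not the poster's code: it turns the key/value blocks of "show vpn-sessiondb detail anyconnect" into one JSON document per session with numeric byte counters and duration in seconds, which is what a time-series index wants. The sample output is constructed and only modelled on the ASA's two-column key/value layout; field names and columns vary between releases, so check the regex against your own ASA's output. Getting the text off the box (SSH from the Linux poller) is left to whatever tool you already use.

```python
"""Convert ASA 'show vpn-sessiondb detail anyconnect' text into JSON docs.

Added example, not code from the thread. The sample below is constructed
to resemble the ASA's layout (two "Key : value" pairs per line, separated
by runs of spaces); verify the key names against your own output.
"""
import json
import re

SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : jdoe                   Index        : 12345
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.20
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Bytes Tx     : 1048576                Bytes Rx     : 4194304
Group Policy : GP-Users               Tunnel Group : TG-AnyConnect
Login Time   : 08:00:00 UTC Thu Dec 13 2018
Duration     : 1h:05m:30s

Username     : asmith                 Index        : 12346
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.40
Protocol     : AnyConnect-Parent SSL-Tunnel
Bytes Tx     : 2048                   Bytes Rx     : 4096
Duration     : 0h:00m:45s
"""

# A key is letters/spaces followed by a colon; a value runs until two or
# more spaces followed by another key, or end of line. Values such as
# "Encryption : SSL-Tunnel: (1)AES256" are not split because the hyphen in
# "SSL-Tunnel" is not allowed in a key.
PAIR_RE = re.compile(r"([A-Z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Z][A-Za-z ]*?\s*:|$)")
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def duration_seconds(text):
    """'1h:05m:30s' -> 3930; None if the field is in an unexpected form."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s


def normalise(session):
    """Cast counters to int and add duration_seconds so the index can graph them."""
    doc = dict(session)
    for key in ("bytes_tx", "bytes_rx", "index"):
        if key in doc and doc[key].isdigit():
            doc[key] = int(doc[key])
    if "duration" in doc:
        doc["duration_seconds"] = duration_seconds(doc["duration"])
    return doc


def parse_sessions(text):
    """Split the output into sessions (each starts at 'Username') and normalise them."""
    sessions, current = [], None
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            key, value = key.strip(), value.strip()
            if key == "Session Type":      # report header, not a session field
                continue
            if key == "Username":          # every session block starts here
                current = {}
                sessions.append(current)
            if current is not None:
                current[key.lower().replace(" ", "_")] = value
    return [normalise(s) for s in sessions]


def to_ndjson(text):
    """One JSON object per line, ready for a bulk load into Elasticsearch."""
    return "\n".join(json.dumps(doc, sort_keys=True) for doc in parse_sessions(text))


if __name__ == "__main__":
    print(to_ndjson(SAMPLE_OUTPUT))
```

Run the poll every five minutes, tag each document with the poll timestamp and the ASA hostname before indexing, and the per-session byte counters and session count become straightforward dashboard series.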