Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1885
Views
1
Helpful
12
Replies

IPSEC TUNNEL MONITORING- ON FMC

Go to solution
fmugambi
VIP
VIP

‎09-25-2023 11:09 PM

Hello,

I have two ftds in HA being managed by fmc on vmware. is there a way for me to monitor these ipsec tunnels, and get alerts if any tunnel goes down?

Ideas on tools that can do this, and how to integrate the same.

your support will be much appreciated.

thank you.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎09-28-2023 11:04 AM

@MHM Cisco World as I showed in my screenshot earlier, the ASA sesnor works fine on FTD 7.2.5.

@fmugambi the SNMP sensor for this set of objects only monitors the number of tunnels. We cannot directly query a specific tunnel using SNMP. You could potentially ping or open a connection to a remote address that requires the tunnel being up to indirectly get tunnel status.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
fmugambi
VIP
VIP

‎09-25-2023 11:56 PM

this is troubleshooting, I meant observability, like the way you can integrate the same with tools like PRTG and so on.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fmugambi

‎09-26-2023 01:32 AM

PRTG (including the free version) can monitor the IPsec VPN tunnel status on either ASA or FTD devices. If you configure it do do so, it can alert you via email when one goes down.

0 Helpful

Go to solution
fmugambi
VIP
VIP

‎09-26-2023 11:14 PM

fmugambi_0-1695795213893.png

What could I be doing wrong, remember am using fmc to manage my FTDs

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fmugambi

‎09-27-2023 06:10 AM

Be sure you are querying the FTD from PRTG using the allowed interface (per the device's platform settings). I have confirmed it is working for one of my customers:

PRTG- FTD VPNPRTG- FTD VPN

Go to solution
fmugambi
VIP
VIP

‎09-27-2023 10:26 PM

are you monitoring all at once, or per tunnel peer IP?

0 Helpful

Go to solution
fmugambi
VIP
VIP

‎09-27-2023 10:30 PM

again, is your FTD managed by FMC or FDM, or it does not matter?

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎09-27-2023 11:08 PM

I see you post twice about this issue.

Sorry I have little info. But I want to help here.

I check you can use vpn snmp sensor to monitor the ipsec vpn status via prtg.

This can done via fmc.

https://www.paessler.com/manuals/prtg/snmp_cisco_asa_vpn_traffic_sensor

0 Helpful

Go to solution
fmugambi
VIP
VIP

‎09-27-2023 11:13 PM

fmugambi_0-1695881620946.png

Got this error too.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to fmugambi

‎09-28-2023 10:46 AM

That's a PRTG licensing error. PRTG is licensed by number of sensors. You will need to disable some unused ones or buy more licenses to add a new one once you have reached the currently licensed limit.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to fmugambi

‎09-28-2023 10:53 AM

Before buy license and increase sensor number check if the Asa sensor is also work for fpr.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to MHM Cisco World

‎09-28-2023 11:04 AM

@MHM Cisco World as I showed in my screenshot earlier, the ASA sesnor works fine on FTD 7.2.5.

@fmugambi the SNMP sensor for this set of objects only monitors the number of tunnels. We cannot directly query a specific tunnel using SNMP. You could potentially ping or open a connection to a remote address that requires the tunnel being up to indirectly get tunnel status.

0 Helpful
Review Cisco Networking for a $25 gift card
Top