09-26-2013 05:44 AM - last edited on 02-21-2020 11:24 PM by cc_security_adm
I recently discovered that a number of our remote sites could not connect to each other via DMVPN due to various certificate problems.
They could all connect to our hubs due to pre-shared keys, so the problem was never discovered before a colleague discovered MM_KEY_EXCH states on some of the routers.
I therefore want to monitor the state of the certificates, preferably via SNMP.
I found a nice looking MIB, CISCO-PKI-PARTICIPATION-MIB, on http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.505
but none of our routers seem to support it, and when you click on "view supporting images", it also specifies: "There is no supporting images available for CISCO-PKI-PARTICIPATION-MIB"
Do you have any experience on how to monitor certificate status on your Cisco routers?
11-06-2014 05:33 AM
I know this is an old post but we're looking for the same thing, did you find a way to do this for your routers or ASA devices (if you have any)?
11-06-2014 07:04 AM
No real solution. I found that they all needed to connect to one specific router, so I fire off "show crypto isakmp sa | inc MM_KEY_EXCH" on that specific router via our management platform, and receive a mail with the output on a daily basis.
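The daily "show crypto isakmp sa | inc MM_KEY_EXCH" check described above can be turned into a parser that reports which peers are stuck and in what state. This is an added example, not code from the thread: it parses the IOS "show crypto isakmp sa" table (the sample output is constructed) and goes a step beyond the original grep by flagging every incomplete main-mode state, not only MM_KEY_EXCH.

```python
import re

# Constructed sample of IOS "show crypto isakmp sa" output (not from the thread).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.1        10.2.2.2        QM_IDLE           1001 ACTIVE
10.1.1.1        10.3.3.3        MM_KEY_EXCH       1002 ACTIVE
10.1.1.1        10.4.4.4        MM_KEY_EXCH       1003 ACTIVE
10.1.1.1        10.5.5.5        MM_NO_STATE       1004 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# One table row: dst, src, state, conn-id, status. The status column may carry
# a trailing qualifier such as "(deleted)", so it is captured to end of line.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.+?)\s*$")

# Main-mode phase 1 states in which the IKE SA has not been established.
# MM_KEY_EXCH is the one the thread associates with certificate problems.
INCOMPLETE_STATES = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH"}


def parse_isakmp_sa(text):
    """Return one dict per SA row; section titles and column headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "status": status})
    return rows


def stuck_peers(text):
    """Map each incomplete main-mode state to the peer addresses stuck in it."""
    stuck = {}
    for sa in parse_isakmp_sa(text):
        if sa["state"] in INCOMPLETE_STATES:
            stuck.setdefault(sa["state"], []).append(sa["src"])
    return stuck


if __name__ == "__main__":
    # Feed the captured output of the hub router here instead of the sample.
    for state, peers in sorted(stuck_peers(SAMPLE_OUTPUT).items()):
        print(f"{state}: {', '.join(peers)}")
```

An empty result means no peer is stuck in phase 1, so the daily mail can be suppressed unless the dictionary is non-empty.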