Monitoring Site-to-Site VPNs Status
01-02-2008 05:37 AM - edited 02-21-2020 01:50 AM
I need to monitor Site-to-Site VPN tunnel status for the coming period. I need to know which tunnels will go up and which ones will remain down. Can you help with the MIB that can monitor this requirement, or is there any other way to check the status of the tunnels?
01-02-2008 08:29 AM
There is an SNMP trap on IOS routers that will report when a tunnel goes up or down, if that helps.
01-02-2008 08:41 AM
Hi estill,
Are these traps generated from the router the Tunnel start and Tunnel stop traps?
If yes, do you know if these traps can identify the remote peer that went up or down?
02-27-2008 10:23 AM
I think this trap only goes up once the tunnel is configured, but never goes down again until the tunnel is deleted. Can you confirm this?
02-27-2008 10:22 AM
As far as I know, there is no trap to monitor this. Either the tunnel is administratively up, i.e. configured, or it is deleted.
The only method I have found to do this is to use Nagios to poll the tunnel status at regular intervals using the MIB.
Does anyone know of a more pro-active way to do this other than polling?
05-07-2008 06:41 AM
Hi gmagillsiemens,
I'm looking for a way to monitor the tunnel status with Nagios. How do you do these checks? Can you post your command and service definition? What MIB do you use?
thanks
Matthias
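A polling check of the kind asked about here, written as an added example for this thread rather than code posted by any participant or shipped with Nagios. It runs net-snmp's snmpget for ifDescr, ifOperStatus and ifAdminStatus of one ifIndex and maps the answer to Nagios exit codes; the host, community string and ifIndex are command-line arguments, and the parser accepts both the "ifDescr.3 : DISPLAY STRING: Tunnel0" layout quoted later in the thread and net-snmp's "IF-MIB::ifOperStatus.3 = INTEGER: up(1)" layout. The sample outputs used to exercise the parser are constructed, not captured from a router.

```python
"""Nagios-style check for a tunnel interface's SNMP state (added example).

Polls ifDescr/ifOperStatus/ifAdminStatus for one ifIndex with net-snmp's
`snmpget` and maps the result to Nagios exit codes. Host, community and
ifIndex are hypothetical command-line arguments.
"""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Matches "<object>.<index> <sep> <type>: <value>", e.g.
#   ifOperStatus.3 : INTEGER: up
#   IF-MIB::ifOperStatus.3 = INTEGER: up(1)
_LINE = re.compile(r"(?:[\w-]+::)?(\w+)\.(\d+)\s*[:=]\s*[A-Za-z ]+:\s*(.+)$")


def parse_snmpget(output):
    """Return {object_name: value} from snmpget text; suffixes like up(1) lose the (1)."""
    values = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        name, _index, value = m.groups()
        values[name] = re.sub(r"\(\d+\)$", "", value.strip())
    return values


def evaluate(values):
    """Map parsed ifTable values to (nagios_exit_code, message)."""
    descr = values.get("ifDescr", "?")
    oper = values.get("ifOperStatus")
    admin = values.get("ifAdminStatus")
    if oper is None or admin is None:
        # Agent unreachable or objects missing: do not report a false outage.
        return UNKNOWN, f"UNKNOWN - {descr}: incomplete SNMP reply"
    if admin != "up":
        # Tunnel is shut down on purpose; not an outage, but worth a warning.
        return WARNING, f"WARNING - {descr}: administratively down"
    if oper == "up":
        return OK, f"OK - {descr}: admin up, oper up"
    return CRITICAL, f"CRITICAL - {descr}: admin up, oper {oper}"


def check_tunnel(host, community, ifindex):
    """Run snmpget for the three ifTable objects and evaluate the answer."""
    cmd = ["snmpget", "-v2c", "-c", community, host,
           f"ifDescr.{ifindex}", f"ifOperStatus.{ifindex}", f"ifAdminStatus.{ifindex}"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.TimeoutExpired) as exc:
        return UNKNOWN, f"UNKNOWN - snmpget failed: {exc}"
    return evaluate(parse_snmpget(out))


if __name__ == "__main__":
    # Constructed sample reply (not from a real device) shown when run without arguments.
    if len(sys.argv) != 4:
        sample = "ifDescr.3 : DISPLAY STRING: Tunnel0\nifOperStatus.3 : INTEGER: down\nifAdminStatus.3 : INTEGER: up"
        print("usage: check_tunnel.py HOST COMMUNITY IFINDEX; sample ->", evaluate(parse_snmpget(sample)))
        sys.exit(UNKNOWN)
    code, msg = check_tunnel(*sys.argv[1:])
    print(msg)
    sys.exit(code)
```

In a Nagios command definition the script would be invoked as `check_tunnel.py $HOSTADDRESS$ $ARG1$ $ARG2$`, with ARG2 being the ifIndex of the Tunnel interface; an administratively shut tunnel is deliberately reported as WARNING rather than CRITICAL so a planned shutdown does not page anyone.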
02-28-2008 10:31 PM
You can configure keepalive on the tunnel interface. Once the remote site is not reachable, i.e. if the destination IP of the tunnel is not reachable, the tunnel will go down. Further, you can configure SNMP traps and monitor the tunnel. Hope this helps.
05-09-2008 07:10 PM
Hi There,
There are traps when tunnels go up and down. You can enable the traps with the following IOS configurations:
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
Hope this helps.
05-11-2008 02:30 AM
Hi There,
Thanks for the info. The router sends traps indicating that the tunnel went up or down, but I can't find in the trap any identifier of the VPN that had a change in state in case of having multiple tunnels on the router (like peer address etc.). Do you have an idea of how to convert the trap into info that is easily identified? I am using SolarWinds as a management system.
05-12-2008 04:27 PM
What is the OID (SNMP Object identifier) for the trap that is received?
Do you have a packet capture?
05-14-2008 10:00 AM
A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the admin or protocol status on that interface.
This is an example of snmpwalk on ifTable:
# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up
You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:
enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa
These are the traps that are available from CISCO-IPSEC-MIB:
enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs
These are the traps that are available from CISCO-PORT-SECURITY-MIB:
enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation
Turn on the traps for IPSEC, as shown:
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
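A decoder for the trap families listed in the post above, added as an example for this thread; it is not code from any participant or from Cisco. The enterprise OIDs and trap numbers are exactly the ones the post enumerates, combined under the standard SNMPv2 convention that a v1 enterprise trap with specific-trap number N is identified by the OID enterprise.0.N (and looked up the same way from a v1 enterprise/specific pair). Any varbinds besides snmpTrapOID.0 are passed through unchanged so an operator can see for themselves which identifiers a given trap carries; the sample notifications are constructed, not captured from a router.

```python
"""Decode Cisco ISAKMP/IPsec trap OIDs into MIB and notification names (added example)."""
from collections import Counter

# enterprise OID -> (MIB name, {specific-trap number: trap name}), taken from the post above
TRAP_TABLES = {
    "1.3.6.1.4.1.9.9.171.2": ("CISCO-IPSEC-FLOW-MONITOR-MIB", {
        1: "cikeTunnelStart", 2: "cikeTunnelStop", 3: "cikeSysFailure",
        4: "cikeCertCrlFailure", 5: "cikeProtocolFailure", 6: "cikeNoSa",
        7: "cipSecTunnelStart", 8: "cipSecTunnelStop", 9: "cipSecSysFailure",
        10: "cipSecSetUpFailure", 11: "cipSecEarlyTunTerm",
        12: "cipSecProtocolFailure", 13: "cipSecNoSa",
    }),
    "1.3.6.1.4.1.9.10.62.2": ("CISCO-IPSEC-MIB", {
        1: "cipsIsakmpPolicyAdded", 2: "cipsIsakmpPolicyDeleted",
        3: "cipsCryptomapAdded", 4: "cipsCryptomapDeleted",
        5: "cipsCryptomapSetAttached", 6: "cipsCryptomapSetDetached",
        7: "cipsTooManySAs",
    }),
    "1.3.6.1.4.1.9.9.315": ("CISCO-PORT-SECURITY-MIB", {
        1: "cpsSecureMacAddrViolation",
    }),
}

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0, present in every SNMPv2c notification


def decode_trap_oid(trap_oid):
    """Map an SNMPv2 trap OID of the form enterprise.0.N to (mib, trap name), or None."""
    for enterprise, (mib, names) in TRAP_TABLES.items():
        prefix = enterprise + ".0."
        if trap_oid.startswith(prefix):
            rest = trap_oid[len(prefix):]
            if rest.isdigit() and int(rest) in names:
                return mib, names[int(rest)]
    return None


def decode_v1(enterprise, specific):
    """Same lookup for an SNMPv1 trap PDU that carries enterprise OID + specific-trap number."""
    entry = TRAP_TABLES.get(enterprise)
    if entry and specific in entry[1]:
        return entry[0], entry[1][specific]
    return None


def decode_notification(varbinds):
    """Decode one SNMPv2c notification given as a list of (oid, value) varbinds.

    Returns {"mib", "trap", "extra"}, where "extra" is every other varbind unchanged,
    or None when no (known) snmpTrapOID.0 is present.
    """
    trap, extra = None, []
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID:
            trap = decode_trap_oid(value)
        else:
            extra.append((oid, value))
    if trap is None:
        return None
    return {"mib": trap[0], "trap": trap[1], "extra": extra}


def flap_counts(varbind_lists):
    """Count tunnel start/stop traps by name so a flapping tunnel stands out in a batch."""
    counts = Counter()
    for vbs in varbind_lists:
        d = decode_notification(vbs)
        if d and d["trap"].endswith(("TunnelStart", "TunnelStop")):
            counts[d["trap"]] += 1
    return counts


# Constructed sample notifications (sysUpTime.0 followed by snmpTrapOID.0); not real captures
SAMPLE_TRAPS = [
    [("1.3.6.1.2.1.1.3.0", "123456"), (SNMP_TRAP_OID, "1.3.6.1.4.1.9.9.171.2.0.7")],
    [("1.3.6.1.2.1.1.3.0", "123999"), (SNMP_TRAP_OID, "1.3.6.1.4.1.9.9.171.2.0.8")],
    [("1.3.6.1.2.1.1.3.0", "124100"), (SNMP_TRAP_OID, "1.3.6.1.4.1.9.9.171.2.0.7")],
    [("1.3.6.1.2.1.1.3.0", "124200"), (SNMP_TRAP_OID, "1.3.6.1.4.1.9.10.62.2.0.7")],
]

if __name__ == "__main__":
    for vbs in SAMPLE_TRAPS:
        print(decode_notification(vbs))
    print(flap_counts(SAMPLE_TRAPS))
```

Pointing a trap receiver (snmptrapd, or the management system's own trap handler) at `decode_notification` turns the numeric snmpTrapOID into the names from the post, and the "extra" list shows which further objects each trap carries; `flap_counts` is the defender-side view, since a tunnel that starts and stops repeatedly in a short window is usually the first sign of a peer, routing or rekey problem.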
