4302 Views, 0 Helpful, 29 Replies

SNMP Configuration for FPR-2130 Through FMC GUI

netbeginner (Level 2)

Hi Experts,

We are configuring SNMP on our Firepower 2130 from the Firepower Management Center (FMC) GUI for integration with an NMS tool.

--> Configured the SNMP receiver (i.e. the NMS server IP), SNMP version 2, traps, and assigned an interface as well.

All details are accepted and show properly in the GUI.

But while checking and verifying the configuration on the Firepower CLI, I can't find any of the SNMP configuration that was done in the FMC GUI. On the CLI there is nothing about snmp-server.

I don't understand what I missed and where.

Please advise.

29 Replies

Hello All,

We have configured the diagnostic interface with the same IP that is configured on the FPR management interface, for testing.

Now we have the same IP on the management interface and the diagnostic interface (recently configured). Below are the observations:

Just for example, IP: 10.10.100.20

1- The diagnostic interface and IP address are now visible on the FPR CLI; however, the actual management interface still is not.

2- We can now see the snmp-server configuration on the FPR CLI that was pushed from FMC; earlier it was not available.

3- The diagnostic interface IP (recently configured) does not ping from the FPR itself.

4- On executing "show route 10.10.100.20" on the FPR, it shows no subnet available, although the IP is there on the same FPR. I believe this is due to the management interface.

5- No change in device status at the NMS end.

Rgds

 

 

To show the management address on an FTD device drop to expert mode from the clish and run:

ifconfig management0

To show the routes used by it, use:

route | grep management

Hi Marvin/All,

We have successfully polled the FTD with the new IP configured on the diagnostic interface (LINA). But a new observation now is that only the standby unit is sending SNMP trap PDUs to the monitoring server, whereas there are no trap PDUs from the ACTIVE.

We checked everything, like failover state, SNMP host, SNMP version and other related SNMP configuration. All are fine.

Active Unit:

firepower# sh snmp-server statistics
3032 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
19877 Number of requested variables
0 Number of altered variables
4354 Get-request PDUs
0 Get-next PDUs
374 Get-bulk PDUs
0 Set-request PDUs (Not supported)
3032 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
3032 Response PDUs
0 Trap PDUs


Standby Unit:

firepower# sh snmp-server statistics
3716 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
19935 Number of requested variables
0 Number of altered variables
4362 Get-request PDUs
0 Get-next PDUs
374 Get-bulk PDUs
0 Set-request PDUs (Not supported)
4028 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
3716 Response PDUs
312 Trap PDUs
firepower#

 

Regards

***
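A quick way to spot the asymmetry in the two dumps above is to parse both counter tables and compare them unit by unit. The following is an added example, not code from the thread or from Cisco: it feeds the two "show snmp-server statistics" outputs posted above into a small parser and reports when the active unit's Trap PDUs counter stays at zero while the standby's climbs, and also surfaces the version/community/encoding error counters that a poller mismatch would raise.

```python
import re

# The two dumps below are the "show snmp-server statistics" outputs posted
# in this thread (active and standby unit of the HA pair), used as sample input.
ACTIVE_STATS = """\
firepower# sh snmp-server statistics
3032 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
19877 Number of requested variables
0 Number of altered variables
4354 Get-request PDUs
0 Get-next PDUs
374 Get-bulk PDUs
0 Set-request PDUs (Not supported)
3032 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
3032 Response PDUs
0 Trap PDUs
"""

STANDBY_STATS = """\
firepower# sh snmp-server statistics
3716 SNMP packets input
0 Bad SNMP version errors
0 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
19935 Number of requested variables
0 Number of altered variables
4362 Get-request PDUs
0 Get-next PDUs
374 Get-bulk PDUs
0 Set-request PDUs (Not supported)
4028 SNMP packets output
0 Too big errors (Maximum packet size 1500)
0 No such name errors
0 Bad values errors
0 General errors
3716 Response PDUs
312 Trap PDUs
firepower#
"""

# Each counter line is "<number> <label>"; prompt and command lines do not match.
COUNTER_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")


def parse_snmp_stats(text):
    """Map every counter label in a statistics dump to its integer value."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(2)] = int(m.group(1))
    return stats


def check_ha_snmp(active, standby):
    """Return a list of human-readable findings comparing the two units' counters."""
    findings = []
    a_traps, s_traps = active.get("Trap PDUs", 0), standby.get("Trap PDUs", 0)
    if a_traps == 0 and s_traps > 0:
        findings.append(f"active unit sent 0 traps while standby sent {s_traps}: "
                        "trap generation is asymmetric across the HA pair")
    for unit, st in (("active", active), ("standby", standby)):
        # Non-zero values here point at the poller, not the device: wrong version or community.
        for label in ("Bad SNMP version errors", "Unknown community name", "Encoding errors"):
            if st.get(label, 0):
                findings.append(f"{unit}: {st[label]} x {label} (check poller version/community)")
        # Sanity check on the parse: packets output must equal responses plus traps.
        if st.get("SNMP packets output") != st.get("Response PDUs", 0) + st.get("Trap PDUs", 0):
            findings.append(f"{unit}: output counter does not equal responses + traps")
    return findings


if __name__ == "__main__":
    for finding in check_ha_snmp(parse_snmp_stats(ACTIVE_STATS), parse_snmp_stats(STANDBY_STATS)):
        print("-", finding)
```

On the dumps above this prints a single finding, the zero-trap active unit; the response/trap arithmetic holds for both units (3032 = 3032 + 0 and 4028 = 3716 + 312), so the numbers themselves are consistent and the problem is in what the active unit chooses to send, not in how it counts.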

 

Have there been events on the primary FTD appliance that should have caused traps to be generated?

If so, you might want to open a TAC case. There was a bug (not sure of the BugID) with respect to SNMP on HA pairs that only created an SNMPv3 user on the secondary firewall.

Hi Marvin,

We are using SNMP version 2.

Thought to add very important information here: the purpose of doing all this exercise [i.e. integrating FTD with the monitoring server via SNMP] is to get VPN IPSec tunnel up/down trap notifications on the monitoring server, and that notification event should further be converted to a ticket.

Hello All,

Would like to share that we have raised a ticket with Cisco for their suggestion on the IPSec-VPN tunnel status trap from FTD (which is integrated with and managed from FMC) to an external monitoring server.

Cisco confirmed that as of now there is no provision on FTD for monitoring VPN/IPSec tunnel status on an external monitoring server (via SNMP). There is already an enhancement filed for this. The workaround is to enable the "VPN STATUS" alert on FMC (note here this is FMC) and further call that alert under the "Monitor Alert" option in System. This is in global mode.

We have done the above configuration, but the problem doesn't end here. The further point is: whenever any IPSec tunnel trap is generated from FTD, how would the flow of that trap be towards the external NMS? I mean, we have successfully integrated FTD (through the FTD diagnostic IP) with the external NMS server, but the "VPN status" alert is enabled on FMC and FMC is not integrated with the monitoring server.

What would be the source of the tunnel status trap on the NMS server: will it be FTD or FMC only? If FTD then fine, because we have polling enabled for FTD on the NMS. If FMC then there would be an issue, as FMC is not integrated with the NMS.

Rgds

You can use an SNMP query to return the number of IPsec tunnels. I don't know the OID off the top of my head but it's the ASA (LINA code) in FTD that responds. I think (but haven't verified) it is:

Number of IPSec VPN tunnels : 1.3.6.1.4.1.9.9.171.1.3.1.1.0

Another user was able to do that for SVC (SSL VPN Client = Anyconnect) sessions using:

crasSVCNumSessions = 1.3.6.1.4.1.9.9.392.1.3.35.0

See this thread:

https://community.cisco.com/t5/network-security/firepower-anyconnect-vpn-sessions-snmp-monitoring/m-p/4033613/highlight/false#M1066845

Hi All,

This matter is still going on (IPSec tunnel status monitoring on Firepower).

FPR version: Version 6.4.0.7 (Build 53) - [Cisco Firepower 2130]

Tried all the combinations as per the suggestions from Cisco, and it looks like they are now also not sure about the solution. Initially we tried to do it on the FPR (FTD), but Cisco confirmed that as of now FTD does not support the IPSec monitoring feature with the current code. Then we implemented the workaround and configured health events on the Cisco FMC (integrated with the FTD whose IPSec tunnels have to be monitored). We don't see any alerts in a couple of months. Cisco also confirmed that this workaround is also not working in their lab environment.

Overall, we are back to the point from where we started :-(

Can anyone please advise further on this if you have any clue on a solution.

Rgds

*** 

 

 

 

Have you configured the diagnostic interface as required? The LINA code (which responds on the diagnostic interface) supports the legacy ASA OIDs.

More details are in the link I posted previously. 

Yes Marvin,

We have configured the diagnostic interface; in fact we are able to poll the FTD now with that new IP, but still no luck on IPsec tunnel status SNMP monitoring.

What SNMP OID are you using? I believe it should be:

1.3.6.1.4.1.9.9.392.1.3.26 crasIPSecNumSessions - The number of currently active IPSec sessions.

Hi Marvin,

No, we have not yet checked OID 1.3.6.1.4.1.9.9.392.1.3.26 for IPSec monitoring on Cisco FTD.

We have used some 6-7 different OIDs as per suggestions from Cisco Support.

I believe the OID which you shared (1.3.6.1.4.1.9.9.392.1.3.26) is for Cisco ASA and not for FTD.

As I noted earlier, "The LINA code (which responds on the diagnostic interface) supports the legacy ASA OIDs."
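The fastest way to settle whether the LINA side answers the OIDs discussed above (crasIPSecNumSessions from the reply just before, and crasSVCNumSessions from the earlier reply) is to send it a single GET and look at what comes back. The block below is an added example, not code from the thread or from Cisco: it hand-encodes an SNMPv2c GetRequest in pure Python, sends it to the diagnostic interface IP, and decodes the reply. The ".0" instance suffix on the OIDs and the Gauge32 type in the constructed reply are assumptions of the example; build_get_response exists only so the parser can be exercised offline. If the agent does not implement the OID, the varbind comes back tagged noSuchObject or noSuchInstance instead of carrying a value, which tells an unsupported OID apart from an unreachable agent.

```python
import socket

# Scalar OIDs from the thread (CISCO-REMOTE-ACCESS-MONITOR-MIB). The ".0" instance
# suffix is assumed here; the thread quotes the OIDs without it.
OID_IPSEC_SESSIONS = "1.3.6.1.4.1.9.9.392.1.3.26.0"  # crasIPSecNumSessions
OID_SVC_SESSIONS = "1.3.6.1.4.1.9.9.392.1.3.35.0"    # crasSVCNumSessions


def ber_len(n):
    """BER length: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def int_content(value):
    """Minimal two's-complement bytes, shared by INTEGER and the unsigned SMI types."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return value.to_bytes(length, "big", signed=True)


def ber_int(value):
    return tlv(0x02, int_content(value))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for sub in arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """SNMPv2c message carrying a GetRequest PDU (tag 0xA0) for a single OID."""
    varbind = tlv(0x30, ber_oid(oid) + b"\x05\x00")  # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def build_get_response(community, oid, value, request_id=1):
    """Constructed GetResponse (tag 0xA2), used only to exercise the parser offline.
    value None -> noSuchObject exception, otherwise a Gauge32 (tag 0x42)."""
    val = b"\x80\x00" if value is None else tlv(0x42, int_content(value))
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + val))
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}
NUMERIC_TAGS = (0x02, 0x41, 0x42, 0x43, 0x46)  # INTEGER, Counter32, Gauge32, TimeTicks, Counter64


def parse_get_response(msg):
    """Return (request_id, error_status, value) from the first varbind of a GetResponse."""
    _, body, _ = read_tlv(msg)
    _, _, pos = read_tlv(body)             # version
    _, _, pos = read_tlv(body, pos)        # community
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag != 0xA2:
        raise ValueError(f"not a GetResponse PDU: tag 0x{pdu_tag:02x}")
    _, rid, pos = read_tlv(pdu)
    _, err, pos = read_tlv(pdu, pos)
    _, _, pos = read_tlv(pdu, pos)         # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, vb, _ = read_tlv(varbinds)
    _, _, pos = read_tlv(vb)               # OID echoed back by the agent
    vtag, val, _ = read_tlv(vb, pos)
    if vtag in EXCEPTIONS:                 # the agent does not implement this OID
        value = EXCEPTIONS[vtag]
    elif vtag in NUMERIC_TAGS:
        value = int.from_bytes(val, "big", signed=(vtag == 0x02))
    else:
        value = val                        # e.g. OCTET STRING, returned raw
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value)


def snmp_get(host, community, oid, port=161, timeout=3.0):
    """One GET over UDP to the device; network I/O, not touched by the offline checks."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, request_id=42), (host, port))
        data, _ = s.recvfrom(4096)
    rid, err, value = parse_get_response(data)
    if rid != 42 or err != 0:
        raise RuntimeError(f"unexpected response: request-id {rid}, error-status {err}")
    return value


if __name__ == "__main__":
    import sys  # usage: python snmp_get.py <diagnostic-interface-ip> <community>
    for name, oid in (("crasIPSecNumSessions", OID_IPSEC_SESSIONS), ("crasSVCNumSessions", OID_SVC_SESSIONS)):
        print(name, snmp_get(sys.argv[1], sys.argv[2], oid))
```

Run it against the diagnostic interface IP with the community configured on the FTD. Because SNMPv2c carries the community string in the clear, keep the snmp-server host entry restricted to the NMS address and the community unique to this monitoring pair; SNMPv3 is the better choice where the NMS supports it.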

Hello All,

Here again to share that we are stuck with this case.

To refresh the requirement, let me brief the same here.

We have FPR version: Version 6.4.0.7 (Build 53) - [Cisco Firepower 2130], managed by FMC. There are multiple IPSec tunnels configured on the same, and the requirement is to monitor the status of the IPSec tunnels by NMS (SolarWinds).

We have already done the configuration of the diagnostic interface IP on the FTD due to the LINA concept. But things are still not moving. We have checked almost all combinations.

If anyone has faced and sorted out the same problem, please share your experience.

Rgds

*** 

It can be done even without using the diagnostic interface.

See my reply to your other post asking the same thing:

https://community.cisco.com/t5/network-security/ftd-cisco-fpr-2100-ipsec-tunnels-monitoring/m-p/4112471/highlight/false#M1071649
