on 06-18-2009 03:56 PM
A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the admin or protocol status on that interface.
This is an example of snmpwalk on ifTable:
# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up
You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:
enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa
These are the traps that are available from CISCO-IPSEC-MIB:
enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs
These are the traps that are available from CISCO-PORT-SECURITY-MIB:
enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation
Turn on the traps for IPSEC, as shown:
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
Refer to the Monitoring and Maintaining VPN Session section of VPN Tunnel Management to monitor and maintain the VPN session.
Hi,
Are these traps available on the Cisco VPN Concentrator and ASA?
Regards
I'm curious about how you stop the tunnel number from being redone every time there is a re-key of the tunnel.
Good morning. I'm setting up an ASA 5515-X firewall and need to monitor the tunnel status, or the local and remote VPN IPs. I wonder if there is any OID or any other way to use the tunnel status when it is DOWN or UP: the value is not updated or simulated, and the row is destroyed. I am monitoring via SNMP using IBM Tivoli Network Manager (ITNM), to no avail. When the tunnel is DOWN the row is deleted, as in the example below. Thank you for now.
DESCRIPTION OF OBJECT:
Name cikeTunStatus
OID 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Type INTEGER
Module CISCO-IPSEC-FLOW-MONITOR-MIB
The status of the MIB table row. This object can be used to bring the tunnel down by setting value of this object to destroy(2). This object cannot be used to create a MIB table row.
snmpwalk before tearing down the VPN tunnel (4 entries)
Host : serverA OID : 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Name Value
cikeTunStatus.35733504 -> 1
cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1
cikeTunRemoteName.35733504 -> 200.xxx.xxx.1
cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4
cikeTunLocalName.35733504 -> 192.xxx.xxx.1
cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2
snmpwalk AFTER tearing down the VPN tunnel (3 entries)
Host : serverA OID : 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Name Value
cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1
cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4
cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2
Trigger Event
Status of tunnel VPN LOCAL PEER: eval(text,"&SNMP.VALUE.cikeTunLocalName") <----> REMOTE PEER: eval(text,"&SNMP.VALUE.cikeTunRemoteName") = "DOWN"
Clear Event
Status of tunnel VPN LOCAL PEER: eval(text,"&SNMP.VALUE.cikeTunLocalName") <----> REMOTE PEER: eval(text,"&SNMP.VALUE.cikeTunRemoteName") = "UP"
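As an added example (not part of this thread or of any Cisco or ITNM tooling), a small Python poller that diffs two consecutive snmpwalk listings of cikeTunStatus/cikeTunLocalName/cikeTunRemoteName in the "object.index -> value" form pasted above. It keys tunnels on the (local, remote) peer pair instead of cikeTunIndex, so a re-key (new index, same peers, the situation asked about earlier in the thread) raises no event, while a row that disappears after a teardown is reported DOWN and a new pair is reported UP. The sample walks and addresses are constructed for the example.

```python
import re

# Constructed sample walks in the "object.index -> value" form the thread shows;
# addresses are RFC 5737 documentation ranges, not real peers.
WALK_BEFORE = """\
cikeTunStatus.35733504 -> 1
cikeTunStatus.150061056 -> 1
cikeTunRemoteName.35733504 -> 198.51.100.1
cikeTunRemoteName.150061056 -> 198.51.100.3
cikeTunLocalName.35733504 -> 192.0.2.1
cikeTunLocalName.150061056 -> 192.0.2.2
"""
# Second walk: the tunnel to 198.51.100.1 has been re-keyed (new cikeTunIndex,
# same peers) and the row for 198.51.100.3 has disappeared, i.e. it is DOWN.
WALK_AFTER = """\
cikeTunStatus.244064256 -> 1
cikeTunRemoteName.244064256 -> 198.51.100.1
cikeTunLocalName.244064256 -> 192.0.2.1
"""

ROW_RE = re.compile(r"^(\w+)\.(\d+)\s*->\s*(\S+)$")

def parse_walk(text):
    """Group 'object.index -> value' lines into one dict per cikeTunIndex."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            obj, idx, val = m.groups()
            rows.setdefault(idx, {})[obj] = val
    return rows

def active_peers(rows):
    """Map (local, remote) peer pair -> index for rows with cikeTunStatus active(1)."""
    peers = {}
    for idx, r in rows.items():
        if r.get("cikeTunStatus") == "1" and "cikeTunLocalName" in r and "cikeTunRemoteName" in r:
            peers[(r["cikeTunLocalName"], r["cikeTunRemoteName"])] = idx
    return peers

def tunnel_events(before, after):
    """Diff two walks by peer pair: a vanished pair is DOWN, a new pair is UP; a re-key is no event."""
    old, new = active_peers(parse_walk(before)), active_peers(parse_walk(after))
    events = [("DOWN", loc, rem) for loc, rem in sorted(set(old) - set(new))]
    events += [("UP", loc, rem) for loc, rem in sorted(set(new) - set(old))]
    return events

if __name__ == "__main__":
    for state, local, remote in tunnel_events(WALK_BEFORE, WALK_AFTER):
        print(f"Status of tunnel VPN LOCAL PEER: {local} <----> REMOTE PEER: {remote} = {state}")
```

Run it twice per polling interval with the real walk output in place of the constructed strings; the printed line matches the event text used in the ITNM trigger above.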