Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
54184
Views
0
Helpful
3
Comments

How can I monitor VPN tunnel status through SNMP?

TCC_2
Level 10
Level 10

on ‎06-18-2009 03:56 PM

Resolution

A VPN tunnel can be monitored just like any other interface. If Table is polled, you can see the admin or protocol status on that interface.

This is an example of snmpwalk on ifTable:

# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up

You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:

enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa

These are the traps that are available from CISCO-IPSEC-MIB:

enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs

These are the traps that are available from CISCO-PORT-SECURITY-MIB:

enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation

Turn on the traps for IPSEC, as shown:

snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas

Refer to Monitoring and Maintaining VPN session section of  VPN Tunnel Management to monitor and maintain the VPN session.

0 Helpful
Comments
saifuddin.miyaji
Level 3
Level 3
‎10-06-2010 12:59 PM

Hi,

Are these traps available on the Cisco VPN Concentrator and ASA?

Regards

Pierre Nelson
Level 1
Level 1
‎09-09-2015 02:40 PM

I'm curios on how you stop the tunnel number from being redone every time there is a re-key of the tunnel.

LeviLEOPOLDINOALVES61585
Level 1
Level 1
‎11-16-2019 07:52 PM

Good morning, I'm setting up the firewall ASA 5515-X firewall, I need to monitor the tunnel status or the local and remote VPN IP, I wonder if there is any OID or any other way you could use the tunnel status when you are DOWN or UP, the value is not updated and simulated or destroys the line, monitoring SNMP using IBM Tivoli Network Manager (ITNM) to no avail, or the tunnel when DOWN and deleting the line follows the example below, thank you for now.


DESCRIPTION OF OBJECT:

Name cikeTunStatus
OID 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Type INTEGER
Module CISCO-IPSEC-FLOW-MONITOR-MIB
The status of the MIB table row. This object can be used to bring the tunnel down by setting value of this object to destroy(2). This object cannot be used to create a MIB table row.


snmpwalk before tearing down the VPN tunnel (4 entries)

Host : serverA OID : 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Name Value

cikeTunStatus.35733504 -> 1
cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1


cikeTunRemoteName.35733504 -> 200.xxx.xxx.1
cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4


cikeTunLocalName.35733504 -> 192.xxx.xxx.1
cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2


snmpwalk AFTER tearing down the VPN tunnel (3 entries)

Host : serverA OID : 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Name Value

cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1


cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4


cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2


Trigger Event
Status of tunnel VPN LOCAL PEER: eval(text,"&SNMP.VALUE.cikeTunLocalName") <----> REMOTE PEER: eval(text,"&SNMP.VALUE.cikeTunRemoteName") = "DOWN"


Clear Event
Status of tunnel VPN LOCAL PEER: eval(text,"&SNMP.VALUE.cikeTunLocalName") <----> REMOTE PEER: eval(text,"&SNMP.VALUE.cikeTunRemoteName") = "UP"

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card