Andriy Sidko
Beginner

ASA VPN SNMP monitoring

Hi guys.

I have monitoring (SNMP) for L2L VPN tunnels with PSK authentication terminated at an ASA5506-X using OID 1.3.6.1.4.1.9.9.171.1.2.3.1.7.

It returns the remote public IP for an UP tunnel:

[asisslog-ydclpp01 ~]$ snmpwalk -v2c -c community1 10.130.25.11 1.3.6.1.4.1.9.9.171.1.2.3.1.7

SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.2547712 = STRING: "195.243.xxx.xxx"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.2560000 = STRING: "96.71.xxx.xxx"

But as soon as I implemented certificate authentication for both tunnels, the same OID returns certificate info:

[asisslog-ydclpp01 ~]$ snmpwalk -v2c -c community1 10.130.25.11 1.3.6.1.4.1.9.9.171.1.2.3.1.7

SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.1043 = STRING: "c=CA,st=Ontario,l=Barrie,o=Barrie Star Ltd.,cn=*.bstar.com"

Could you suggest an OID for the VPN remote public IP?

Thank you.

Shinpei Kono
Cisco Employee

OID 1.3.6.1.4.1.9.9.171.1.2.3.1.7 returns the string of the remote peer identity, which will be exactly the ID payload presented by the remote peer in the IKE negotiation; it can be either an IP address or the entire DN of the certificate, etc.

The remote IP address of an active IPsec Phase 2 tunnel can be pulled with OID 1.3.6.1.4.1.9.9.171.1.3.2.1.5. The ASA is expected to produce a hexadecimal entry, I think.


SNMP Object Navigator - Object Information (A Cisco.com login is required.)
https://snmp.cloudapps.cisco.com/Support/SNMP/do/BrowseOID.do?objectInput=1.3.6.1.4.1.9.9.171.1.3.2.1.5&translate=Translate
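Since the Phase 2 OID above returns the peer address as raw octets rather than a printable string, a monitoring check has to decode it before comparing against the expected peers. The following parser is an added example, not code from this thread or from Cisco; the snmpwalk lines and addresses in it are constructed, and it assumes net-snmp's default "Hex-STRING:" / "STRING:" output formatting.

```python
import ipaddress
import re

# Constructed sample output of:
#   snmpwalk -v2c -c <community> <asa> 1.3.6.1.4.1.9.9.171.1.3.2.1.5
# The tunnel indexes and peer addresses are made up for the example.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.5.2547712 = Hex-STRING: C3 F3 0A 14 
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.5.2560000 = Hex-STRING: 60 47 01 02 
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.5.2570000 = Hex-STRING: 20 01 0D B8 00 00 00 00 00 00 00 00 00 00 00 01 
"""

# Match "<...>.1.3.2.1.5.<tunnelIndex> = Hex-STRING: <octets>" or "= STRING: <text>".
LINE_RE = re.compile(
    r"\.1\.3\.2\.1\.5\.(\d+)\s+=\s+(Hex-STRING|STRING):\s*(.*?)\s*$"
)


def decode_addr(kind: str, value: str) -> str:
    """Turn the raw octets of the OID value into a dotted/colon IP string."""
    if kind == "Hex-STRING":
        raw = bytes.fromhex(value.replace(" ", ""))
    else:
        # net-snmp prints STRING when every octet happens to be printable;
        # the bytes are still a packed address, not text.
        raw = value.strip('"').encode("latin-1")
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected address length {len(raw)}: {value!r}")
    # ipaddress accepts packed 4-byte (IPv4) or 16-byte (IPv6) values.
    return str(ipaddress.ip_address(raw))


def parse_remote_addrs(walk_text: str) -> dict:
    """Map each IPsec tunnel index to its decoded remote peer address."""
    result = {}
    for line in walk_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            result[int(m.group(1))] = decode_addr(m.group(2), m.group(3))
    return result


def missing_peers(walk_text: str, expected: set) -> set:
    """Expected peers with no active Phase 2 tunnel: what the monitor alerts on."""
    return set(expected) - set(parse_remote_addrs(walk_text).values())


if __name__ == "__main__":
    print(parse_remote_addrs(SAMPLE_WALK))
    print(missing_peers(SAMPLE_WALK, {"96.71.1.2", "203.0.113.7"}))
```

Because the tunnel index changes on every rekey, alert on the decoded peer address being absent rather than on a fixed OID instance.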
