822 Views | 4 Helpful | 10 Replies

How to monitor inactive IPsec tunnels on a Cisco ASA 5516

satheesh2908
Level 1

I need to monitor Cisco ASA 5516 IPsec tunnels. While checking, I could see that I can only capture the OID values of active tunnels, but I am unable to capture which tunnel is going from active to inactive. Is there any way to capture which tunnel is moving from active to inactive?

If I capture active tunnel details using the OID while monitoring, I am unable to capture which tunnel is going inactive, because it only fetches active tunnel details. If I could fetch both active and inactive tunnels with their status, like up or down, I could raise an alert when a tunnel goes down.

Is there any other way to monitor the active and inactive tunnels on the Cisco ASA 5516 firewall?

Please help me with this.

10 Replies

balaji.bandi
Hall of Fame

Personally, this never worked for me - when I tried it, I did not get the results I expected.

So I have to stick with SNMP traps or log messages and send alerts based on those.

You may look at this thread - it is marked resolved. It was not clear whether it was solved based on the OID (for my solution, I stick with traps):

https://community.cisco.com/t5/network-security/monitoring-asa-ipsec-using-snmp/td-p/4424341


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks Balaji

M02@rt37
VIP

Hello @satheesh2908,

There are SNMP OIDs that allow you to monitor IPsec tunnels. The OID for IPsec SA status is in CISCO-IPSEC-FLOW-MONITOR-MIB (OID: 1.3.6.1.4.1.9.9.171).

- cipSecTunStatus: OID 1.3.6.1.4.1.9.9.171.1.2.3.1.3

This OID provides the status of the IPsec tunnel (1 for up, 2 for down).

https://oidref.com/1.3.6.1.4.1.9.9.171

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
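The practical problem the original poster describes is that the MIB walk only returns rows for tunnels that currently exist, so an inactive tunnel shows up as an absence, not as a status value. The following is an added example (not code from this thread, Cisco, or any of the posters) that turns that absence into an explicit down event by diffing two successive polls, keyed by peer IP rather than by table index, since indices are reassigned when a tunnel re-forms. The column OID used for the remote peer (`1.3.6.1.4.1.9.9.171.1.2.3.1.7`) is an assumption and should be verified against the MIB; the snmpwalk output is constructed, not captured from a device.

```python
"""Turn "tunnel vanished from the SNMP walk" into an explicit down event.

Added example, not from the thread.  CISCO-IPSEC-FLOW-MONITOR-MIB
(1.3.6.1.4.1.9.9.171) only returns rows for tunnels that currently exist, so
an inactive tunnel is an absence rather than a status value.  Diffing two
polls, keyed by peer IP instead of table index, recovers the transition.
"""
import re
from typing import Dict, List, Tuple

# ASSUMED column OID for the remote peer (cikeTunRemoteValue in cikeTunTable).
# Verify the exact column against the MIB before pointing this at a real ASA.
PEER_COLUMN = "1.3.6.1.4.1.9.9.171.1.2.3.1.7"

# snmpwalk-style row: "<column-oid>.<index> = TYPE: value"
ROW_RE = re.compile(
    r'^(?P<oid>[\d.]+)\.(?P<index>\d+)\s*=\s*\w+:\s*"?(?P<value>[^"\s]+)'
)


def parse_walk(walk_text: str, column: str) -> Dict[int, str]:
    """Return {table_index: value} for the rows belonging to one table column."""
    rows: Dict[int, str] = {}
    for line in walk_text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("oid") == column:
            rows[int(m.group("index"))] = m.group("value")
    return rows


def active_peers(walk_text: str) -> Dict[str, int]:
    """Map peer IP -> current table index for every tunnel present in a poll."""
    return {peer: idx for idx, peer in parse_walk(walk_text, PEER_COLUMN).items()}


def diff_polls(previous: Dict[str, int], current: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Peers that disappeared (went inactive) and peers that newly appeared."""
    went_down = sorted(set(previous) - set(current))
    came_up = sorted(set(current) - set(previous))
    return went_down, came_up


# Constructed sample polls (not real device output).  Between the two polls
# the tunnel to 198.51.100.7 disappears, and the surviving tunnel to
# 203.0.113.10 is re-indexed from 5 to 12, which is why state is keyed by
# peer, not by index.  The ".2" rows are another column of the same table
# and are ignored by the filter.
POLL_1 = """\
1.3.6.1.4.1.9.9.171.1.2.3.1.2.5 = INTEGER: 1
1.3.6.1.4.1.9.9.171.1.2.3.1.7.5 = STRING: "203.0.113.10"
1.3.6.1.4.1.9.9.171.1.2.3.1.7.9 = STRING: "198.51.100.7"
"""
POLL_2 = """\
1.3.6.1.4.1.9.9.171.1.2.3.1.2.12 = INTEGER: 1
1.3.6.1.4.1.9.9.171.1.2.3.1.7.12 = STRING: "203.0.113.10"
"""


def tunnel_events(poll_before: str, poll_after: str) -> List[str]:
    """Alert lines an NMS could forward, derived from two consecutive polls."""
    down, up = diff_polls(active_peers(poll_before), active_peers(poll_after))
    return [f"TUNNEL DOWN peer={p}" for p in down] + [f"TUNNEL UP peer={p}" for p in up]


if __name__ == "__main__":
    for event in tunnel_events(POLL_1, POLL_2):
        print(event)
```

In production the two poll strings would come from consecutive `snmpwalk` runs against the same column; a tunnel that flaps faster than the poll interval will be missed by this approach, which is the gap that the syslog-based method later in the thread closes.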

Yes, it's correct, but here I want to capture when the tunnel goes inactive, not down. If I monitor based on the above, it went away when the tunnel became inactive; it's not showing down.

@satheesh2908 To determine when a tunnel goes from active to inactive, create a filter on a syslog ID on the ASA, send that event to your NMS, and use that to alert you.

Example syslog IDs:

%ASA-3-713123: Group = 3.3.3.1, IP = 3.3.3.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
%ASA-5-713259: Group = 3.3.3.1, IP = 3.3.3.1, Session is being torn down. Reason: Lost Service
%ASA-4-113019: Group = 3.3.3.1, Username = 3.3.3.1, IP = 3.3.3.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:19m:14s, Bytes xmt: 7500, Bytes rcv: 7500, Reason: Lost Service


Example ASA logging filtering guide - https://integratingit.wordpress.com/2023/02/09/asa-logging/
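As an added example (not code from this thread or from the logging guide linked above), here is the NMS-side half of that approach: a small Python filter that keys on the three message IDs quoted above (713123, 713259, 113019), pulls out the peer IP and the stated reason, and ignores everything else. The sample log lines are constructed; they reuse the three messages from the reply with a syslog header prepended, plus one unrelated connection message.

```python
"""Detect IPsec tunnel teardown in ASA syslog and emit alert records.

Added example, not from the thread.  It keys on the three message IDs
quoted in the reply above (713123, 713259, 113019), extracts the peer IP
and the stated reason, and ignores everything else, which is what an
NMS-side filter would do.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Message IDs that indicate an active tunnel/session is going away, with a
# fallback description for messages that carry no "Reason:" field.
TEARDOWN_IDS: Dict[str, str] = {
    "713123": "IKE lost contact with remote peer (DPD)",
    "713259": "Session is being torn down",
    "113019": "Session disconnected",
}

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
REASON_RE = re.compile(r"Reason: (?P<reason>[^,]+)")


def detect_tunnel_down(line: str) -> Optional[Dict[str, str]]:
    """Return an alert record if the line is a teardown message, else None."""
    m = MSG_RE.search(line)  # search(): tolerate a syslog timestamp/host prefix
    if not m or m.group("msgid") not in TEARDOWN_IDS:
        return None
    body = m.group("body")
    peer = PEER_RE.search(body)
    reason = REASON_RE.search(body)
    return {
        "msgid": m.group("msgid"),
        "severity": m.group("sev"),
        "peer": peer.group("ip") if peer else "unknown",
        "reason": reason.group("reason").strip() if reason else TEARDOWN_IDS[m.group("msgid")],
    }


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All teardown records found in a stream of log lines, in order."""
    return [rec for rec in map(detect_tunnel_down, lines) if rec]


def peers_down(lines: Iterable[str]) -> Set[str]:
    """Distinct peer IPs whose tunnel/session was torn down in the stream."""
    return {rec["peer"] for rec in scan(lines)}


# Constructed sample log: the three teardown lines from the reply above with
# a syslog header prepended, plus an unrelated connection-build message that
# the filter must ignore.
SAMPLE_LOG = [
    "Mar 10 12:00:01 asa01 : %ASA-3-713123: Group = 3.3.3.1, IP = 3.3.3.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)",
    "Mar 10 12:00:01 asa01 : %ASA-5-713259: Group = 3.3.3.1, IP = 3.3.3.1, Session is being torn down. Reason: Lost Service",
    "Mar 10 12:00:02 asa01 : %ASA-4-113019: Group = 3.3.3.1, Username = 3.3.3.1, IP = 3.3.3.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:19m:14s, Bytes xmt: 7500, Bytes rcv: 7500, Reason: Lost Service",
    "Mar 10 12:00:03 asa01 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.8/51514 (10.0.0.8/51514)",
]


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(f"ALERT tunnel down peer={rec['peer']} msgid={rec['msgid']} reason={rec['reason']}")
```

Because the ASA emits these messages at the moment the SA is torn down, this catches transitions that a periodic SNMP poll would miss; the trade-off is that the ASA must be configured to send the relevant IDs to the collector (the linked guide covers that filtering).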

Thanks for your help, I am trying this solution only.

Let us know how it goes; if all is OK, mark it as resolved here.

BB

Yes, based on the activity it creates a syslog, so you can generate alerts the same way, right?

BB

vpnttg001
Level 1

Hello,

Check out VPNTTG (VPN Tunnel Traffic Grapher), software for SNMP monitoring and measuring the traffic load of IPsec (Site-to-Site, Remote Access) and SSL (with client, clientless) VPN tunnels on a Cisco ASA. It allows the user to see the traffic load on a VPN tunnel over time in graphical form.

The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. However, VPNTTG works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in a database.

For more information about VPNTTG, please visit www.vpnttg.com