
SNMP issue over IPSEC VPN terminating directly on VPN 3000 Concentrator

Markus Schwarz
Level 1

Hi All,

(I hope that this post will be displayed visibly.)

We have come across a weird but interesting problem. We are currently setting up monitoring of several VPN concentrators that are scattered across the country. In our data centre, we use a dedicated Cisco router which terminates all the IPSEC VPNs to the remote sites. In this scenario, we have several IPSEC VPNs from our DC router to the several VPN 3000 Concentrators. The VPN itself is up and operational, and our monitoring node can successfully ping and access the VPN 3000 Concentrators via Telnet over the IPSEC VPN.

(Simplified Overview)

Monitoring Node --------- DC VPN Router ------------ IPSEC VPN ------ <public ip> -- VPN 3000 Concentrator <internal ip>

|-------------------- ICMP, TELNET: OK --------------------> OK

|-------------------- SNMP: NOT OK ------------------------> X

The issue:

The only issue is that SNMP is unable to poll the devices (snmpwalk) over the VPN. When initiating the SNMP walk on the monitoring node, we can see packets leaving the DC platform and leaving the VPN encrypted. However, the VPN concentrators at the remote end don't respond to these queries.

Command: snmpwalk -v 2c -c <SNMP-STRING> <internal ip>

Response: Timeout: No Response from <internal ip>

Please note: The VPN 3000 Concentrator can be successfully polled from the internal LAN by the local IT contact.

Also, I have compared this with another customer which currently has VPN 3000 concentrators under monitoring. These are working fine from our DC monitoring platform and node, and we have already compared the settings with the working example, re-entered SNMP strings, etc. They are all the same and no restrictions are applied.

The only difference between the working and non-working setups is that in the non-working solution, the VPN from our DC terminates directly on the VPN concentrator itself:

Working Solution:

Monitoring Node --------- DC VPN Router ------------ IPSEC VPN ------ Customer VPN Router ----------- VPN 3000 Concentrator <internal ip>

|-------------------- ICMP, TELNET, SNMP: OK --------------------> OK

Not working Solution:

Monitoring Node --------- DC VPN Router ------------ IPSEC VPN ------ <public ip> -- VPN 3000 Concentrator <internal ip>

|-------------------- ICMP, TELNET: OK --------------------> OK

|-------------------- SNMP: NOT OK ------------------------> X

I would be grateful if you could let me know if you have ever come across a similar scenario and if you managed to fix SNMP connectivity over the VPN which terminates directly on the VPN concentrator.

Many thanks in advance!
