Solved: IPSEC TUNNEL MONITORING- ON FMC

fmugambi · ‎09-25-2023

Hello,

I have two ftds in HA being managed by fmc on vmware. is there a way for me to monitor these ipsec tunnels, and get alerts if any tunnel goes down?

Ideas on tools that can do this, and how to integrate the same.

your support will be much appreciated.

thank you.

Marvin Rhoads · ‎09-28-2023

@MHM Cisco World as I showed in my screenshot earlier, the ASA sesnor works fine on FTD 7.2.5.

@fmugambi the SNMP sensor for this set of objects only monitors the number of tunnels. We cannot directly query a specific tunnel using SNMP. You could potentially ping or open a connection to a remote address that requires the tunnel being up to indirectly get tunnel status.

View solution in original post

MHM Cisco World · ‎09-25-2023

https://www.networktcpip.com/post/ipsec-troubleshooting-on-cisco-firepower-by-fmc

fmugambi · ‎09-25-2023

this is troubleshooting, I meant observability, like the way you can integrate the same with tools like PRTG and so on.

Marvin Rhoads · ‎09-26-2023

PRTG (including the free version) can monitor the IPsec VPN tunnel status on either ASA or FTD devices. If you configure it do do so, it can alert you via email when one goes down.

fmugambi · ‎09-26-2023

What could I be doing wrong, remember am using fmc to manage my FTDs

Marvin Rhoads · ‎09-27-2023

Be sure you are querying the FTD from PRTG using the allowed interface (per the device's platform settings). I have confirmed it is working for one of my customers:

PRTG- FTD VPN

fmugambi · ‎09-27-2023

are you monitoring all at once, or per tunnel peer IP?

fmugambi · ‎09-27-2023

again, is your FTD managed by FMC or FDM, or it does not matter?

MHM Cisco World · ‎09-27-2023

I see you post twice about this issue.

Sorry I have little info. But I want to help here.

I check you can use vpn snmp sensor to monitor the ipsec vpn status via prtg.

This can done via fmc.

https://www.paessler.com/manuals/prtg/snmp_cisco_asa_vpn_traffic_sensor

fmugambi · ‎09-27-2023

Got this error too.

Marvin Rhoads · ‎09-28-2023

That's a PRTG licensing error. PRTG is licensed by number of sensors. You will need to disable some unused ones or buy more licenses to add a new one once you have reached the currently licensed limit.

MHM Cisco World · ‎09-28-2023

Before buy license and increase sensor number check if the Asa sensor is also work for fpr.

Marvin Rhoads · ‎09-28-2023

@MHM Cisco World as I showed in my screenshot earlier, the ASA sesnor works fine on FTD 7.2.5.

@fmugambi the SNMP sensor for this set of objects only monitors the number of tunnels. We cannot directly query a specific tunnel using SNMP. You could potentially ping or open a connection to a remote address that requires the tunnel being up to indirectly get tunnel status.