Monitoring Site-to-Site VPNs Status

Unanswered Question
Jan 2nd, 2008

I need to monitor Site to Site VPN tunnels status for the coming period. I need to know which tunnels will go up and which ones will remain down. Can you help with the MIB that can monitor this requirement or is there any other way to check the status of the tunnels?

mahmoud.mounir Wed, 01/02/2008 - 08:41


Hi estill,


Are these traps generated from the router the Tunnel start and Tunnel stop traps?


If yes, do you know if these traps can identify the remote peer that went up or down?

gmagillsiemens Wed, 02/27/2008 - 10:23

I think this trap only goes up once the tunnel is configured, but never goes down again until the tunnel is deleted. Can you confirm this?

gmagillsiemens Wed, 02/27/2008 - 10:22

As far as I know, there is no trap to monitor this. Either the tunnel is administratively up, i.e. configured or it is deleted.


The only method I have found to do this is to use Nagios to poll the tunnel status at regular intervals using the MIB.


Does anyone know of a more pro-active way to do this other than polling?

chasm_Ger Wed, 05/07/2008 - 06:41

Hi gmagillsiemens,


I'm looking for a way to monitor the tunnel status with Nagios. How do you do these checks? Can you post your command and service definition? What MIB do you use?


Thanks

Matthias

rahul0904 Thu, 02/28/2008 - 22:31

You can configure keepalive on the tunnel interface. Once the remote site is not reachable, i.e. if the destination IP of the tunnel is not reachable, the tunnel will go down. Further, you can configure an SNMP trap and monitor the tunnel. Hope this helps.

hmacread Fri, 05/09/2008 - 19:10

Hi There,


There are traps when tunnels go up and down. You can enable the traps with the following IOS configurations:


snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop


Hope this helps.

mahmoud.mounir Sun, 05/11/2008 - 02:30

Hi There,


Thanks for the info. The router sends traps indicating that the tunnel went up or down, but I can't find in the trap any identifier for the VPN that had a change in state in case of having multiple tunnels on the router (like peer address, etc.). Do you have an idea of how to convert the trap into info that is easily identified? I am using SolarWinds as a management system.

hmacread Mon, 05/12/2008 - 16:27

What is the OID (SNMP Object identifier) for the trap that is received?


Do you have a packet capture?

rdelapen Wed, 05/14/2008 - 10:00

A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the admin or protocol status on that interface.


This is an example of snmpwalk on ifTable:


# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up


You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:


enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa


These are the traps that are available from CISCO-IPSEC-MIB:


enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs


These are the traps that are available from CISCO-PORT-SECURITY-MIB:


enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation


Turn on the traps for IPSEC, as shown:


snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
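
The polling approach discussed in this thread (reading ifDescr, ifOperStatus and ifAdminStatus from ifTable and alerting from Nagios), sketched as an added example that is not from any poster or from Cisco. The function names, the "Tunnel" name prefix, the mapping of an administratively shut tunnel to WARNING and the sample output are assumptions of this example.

```python
import re
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes
# Matches the thread's output style and Net-SNMP's "IF-MIB::ifOperStatus.3 = INTEGER: up(1)".
LINE = re.compile(
    r'^(?:[\w-]+::)?(ifDescr|ifOperStatus|ifAdminStatus)\.(\d+)\s*[:=]\s*'
    r'[A-Za-z ]+:\s*"?([^"(]+?)"?(?:\(\d+\))?\s*$')
# Constructed sample poll output, not captured from a real device.
SAMPLE = """\
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up
IF-MIB::ifDescr.4 = STRING: Tunnel1
IF-MIB::ifOperStatus.4 = INTEGER: down(2)
IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
"""

def parse_iftable(text):
    """Group ifTable columns by ifIndex: {3: {"ifDescr": "Tunnel0", ...}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # prompts, blank lines and other columns are skipped
            column, index, value = m.groups()
            rows.setdefault(int(index), {})[column] = value.strip()
    return rows

def check_tunnels(text, prefix="Tunnel"):
    """Return (nagios_exit_code, message) for interfaces named <prefix>*."""
    state = {"up": [], "down": [], "admin-down": []}
    for row in parse_iftable(text).values():
        name = row.get("ifDescr", "")
        if not name.startswith(prefix):
            continue
        if row.get("ifAdminStatus") == "down":
            state["admin-down"].append(name)   # shut on purpose: warn only
        elif row.get("ifOperStatus") == "up":
            state["up"].append(name)
        else:                                  # down, or status missing from poll
            state["down"].append(name)
    if not any(state.values()):
        return UNKNOWN, "UNKNOWN - no %s interfaces in SNMP output" % prefix
    code = CRITICAL if state["down"] else WARNING if state["admin-down"] else OK
    summary = "; ".join("%s: %s" % (k, ",".join(sorted(v)) or "-") for k, v in state.items())
    return code, "%s - %s" % (("OK", "WARNING", "CRITICAL")[code], summary)

if __name__ == "__main__":
    code, message = check_tunnels(SAMPLE)
    print(message)
    sys.exit(code)
```

In a Nagios command the text would come from polling ifTable on the router instead of SAMPLE; that wiring is left out here.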
