Method to monitor Client VPN availability in IOS?

Answered Question
Jan 20th, 2009


Does anyone know of a MIB, or a clever method of using the EEM to monitor if the Client VPN service of an IOS router is available? I am trying to find a way to be alerted by my NMS if my users are not able to connect via the Cisco VPN client back to my network.



Correct Answer by Joe Clarke about 7 years 8 months ago

I found a typo in my previous version. Use this version instead.

emphillips00 Thu, 01/22/2009 - 05:58

Hi Jclarke, thank you for your reply.

A few of the IOS commands I would use are:

show crypto engine brief

To make sure my AIM is working, I would make sure I see the line:

State: Enabled

show crypto dynamic-map and show crypto map interface [Outside Int]

To make sure the dynamic-map was still applied I would make sure the map I created was there and applied to my outside interface.

I would also look at "show udp | include _500_" and make sure I am listening on UDP 500.

I am not a Security CCIE, so I am sure there are better commands to verify that Client VPN functions are available.

I am very curious what other folks are doing to monitor their VPN concentrators, ASAs, or IOS devices that provide VPN termination. Do you rely on users to be your "monitoring probe" to alert you when VPN functionality is not available? Or is there a way of having my NMS tell me before my users notice?


Joe Clarke Sun, 01/25/2009 - 21:17

I'm not sure what others are doing to monitor VPNs. However, there are some MIB objects that will allow you to do some of this. However, given all of the different commands you're using, it may be easier for you to use EEM, and have EEM alert you when one of these commands does not return expected data.

You can search through for some EEM examples. For this, you'll need a Tcl policy. If you provide specific command output for both the good and bad scenarios of all the commands, I can also post some code examples. The "show udp" and "show crypto engine brief" output is easy, but what exactly are you looking for with the crypto map interface command?

emphillips00 Mon, 01/26/2009 - 08:38

Hi jclarke, thank you very much for your reply and for the link. I have been meaning to look into EEM a bit more; I will definitely review your link!

From the "show crypto map int multilink 1" output I would expect to see:

#sh crypto map int multi 1

Crypto Map "crypto_outside" 30 ipsec-isakmp

Dynamic map template tag: dynmap

Interfaces using crypto map crypto_outside:


So I suppose I am looking for "dynmap" to still be in that crypto map.

I'm sure this is not the most optimal method of making sure my Client VPN is accessible though, but I suppose it is better than nothing.

I really thank you again for taking the time to make such a personal and thoughtful reply!


Joe Clarke Thu, 01/29/2009 - 20:45

I've been pretty busy this week, but I will try and code an example policy this weekend.

emphillips00 Fri, 01/30/2009 - 14:05

Hi jclarke,

No rush at all, I am very thankful that you are helping me. I have been busy myself too; I just passed my R/S CCIE yesterday in RTP!


Joe Clarke Sat, 01/31/2009 - 09:01

Here is a policy which should do the trick. It will run the three commands you're using to monitor VPN viability, and send a syslog message if any of those commands fail to return the desired output. To use the policy, you will first need to create a directory on the device's flash where EEM policies will live. If your flash does not support mkdir, then just put the policy in the root of the flash file system. For example:

Router#mkdir flash:/policies

Next, copy the policy into this location. Then configure IOS to recognize this location as the EEM policy directory:

Router(config)#event manager directory user policy flash:/policies

Then, set the necessary environment variables for this policy. They are:

crypto_period : How often to check the status of the device.

crypto_interface : Interface on which crypto map is applied.

crypto_map : Name of crypto map for which to check.

For example:

Router(config)#event manager environment crypto_period 300

Router(config)#event manager environment crypto_interface multilink1

Router(config)#event manager environment crypto_map dynamap

Finally, register your policy:

Router(config)#event manager policy tm_crypto_watch.tcl


Congratulations on your CCIE.

Attachment: tm_crypto_watch.tcl
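An added example, not Joe Clarke's attached tm_crypto_watch.tcl: a watchdog-timer EEM Tcl policy that runs the three show commands from this thread and sends one syslog message per check that fails, driven by the crypto_period, crypto_interface and crypto_map environment variables described above. It assumes crypto_map holds the dynamic map template tag from the posted output (dynmap) and that map names contain no regexp metacharacters; the CRYPTO_WATCH message prefix and the 60-second maxrun are my own choices.

```tcl
::cisco::eem::event_register_timer watchdog time $crypto_period maxrun 60

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Refuse to run unless every environment variable the policy relies on is set.
foreach var {crypto_period crypto_interface crypto_map} {
    if {![info exists $var]} {
        error "Policy cannot be run: variable $var has not been set" $errorInfo
    }
}

# Open a CLI session and enter enable mode.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result
if {[catch {cli_exec $cli(fd) "enable"} result]} {
    error $result $errorInfo
}

# Run one show command on the open session and return its output.
proc show {fd cmd} {
    if {[catch {cli_exec $fd $cmd} output]} {
        error $output $::errorInfo
    }
    return $output
}
set failures {}

# Check 1: the crypto engine (AIM) must report "State: Enabled".
set out [show $cli(fd) "show crypto engine brief"]
if {![regexp -line {^\s*State:\s+Enabled} $out]} {
    lappend failures "crypto engine is not enabled"
}
# Check 2: something must be listening on UDP 500 (the "_500_" match from the thread).
set out [show $cli(fd) "show udp"]
if {![regexp -line {(^|\s)500(\s|$)} $out]} {
    lappend failures "no UDP 500 listener found"
}
# Check 3: the dynamic map tag must still be present in the map on the outside interface.
set out [show $cli(fd) "show crypto map interface $crypto_interface"]
if {![regexp -line "Dynamic map template tag:\\s+$crypto_map\\M" $out]} {
    lappend failures "dynamic map $crypto_map not applied on $crypto_interface"
}
cli_close $cli(fd) $cli(tty_id)

# One syslog message per failed check; the NMS picks these up via syslog or SNMP trap.
foreach f $failures {
    action_syslog priority err msg "CRYPTO_WATCH: $f"
}
```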

emphillips00 Tue, 02/03/2009 - 06:42

Hi again jclarke,

Thank you again so very much for this script. I am going to dissect it and use this as a chance to learn all about EEM.

I really can not thank you enough for the tremendous amount of effort you have put forth to help me out!
