TCC_2

Resolution

A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the administrative and operational (protocol) status of the tunnel interface.

This is an example of an snmpget against ifTable (interface index 3 is Tunnel0 on this router):

# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up
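As an added example (not part of the original article), the following Python snippet parses output in the format shown above, groups ifDescr, ifOperStatus and ifAdminStatus by ifIndex, and reports tunnel interfaces that are administratively up but operationally down. That combination is the one worth alerting on: an admin-down tunnel was shut deliberately, while admin-up/oper-down means the tunnel failed to establish or was lost. Only the Tunnel0 lines come from the article; the remaining sample lines are constructed to exercise the check.

```python
import re

# Constructed sample output in the style of the article's snmpget. The index 3
# lines are the article's; indices 1, 4 and 5 are made up for this example.
SAMPLE_OUTPUT = """\
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up
ifDescr.4 : DISPLAY STRING: Tunnel1
ifOperStatus.4 : INTEGER: down
ifAdminStatus.4 : INTEGER: up
ifDescr.5 : DISPLAY STRING: Tunnel2
ifOperStatus.5 : INTEGER: down
ifAdminStatus.5 : INTEGER: down
ifDescr.1 : DISPLAY STRING: GigabitEthernet0/0
ifOperStatus.1 : INTEGER: up
ifAdminStatus.1 : INTEGER: up
"""

# "<object>.<ifIndex> : <TYPE>: <value>"
LINE_RE = re.compile(r"^(?P<obj>\w+)\.(?P<idx>\d+)\s*:\s*[A-Z ]+:\s*(?P<val>.+?)\s*$")


def parse_iftable(text):
    """Group ifDescr/ifOperStatus/ifAdminStatus values by ifIndex."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything not in the expected format
        rows.setdefault(int(m["idx"]), {})[m["obj"]] = m["val"]
    return rows


def failed_tunnels(rows):
    """Tunnel interfaces that are admin up but not oper up, as (ifIndex, ifDescr).

    Admin-down tunnels are excluded: they were shut on purpose and are not a fault.
    A missing ifOperStatus is treated as not up, so an incomplete poll still surfaces.
    """
    failed = []
    for idx in sorted(rows):
        row = rows[idx]
        if not row.get("ifDescr", "").startswith("Tunnel"):
            continue
        if row.get("ifAdminStatus") == "up" and row.get("ifOperStatus") != "up":
            failed.append((idx, row["ifDescr"]))
    return failed


if __name__ == "__main__":
    for idx, name in failed_tunnels(parse_iftable(SAMPLE_OUTPUT)):
        print(f"ALERT: {name} (ifIndex {idx}) is admin up but oper down")
```

In practice you would feed the script the output of an snmpwalk over ifDescr, ifOperStatus and ifAdminStatus rather than a fixed string; the parsing and the admin-up/oper-down rule stay the same.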

You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:

enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa

These are the traps that are available from CISCO-IPSEC-MIB:

enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs

These are the traps that are available from CISCO-PORT-SECURITY-MIB:

enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation

Turn on the traps for IPSEC, as shown:

snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
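Once the traps above arrive at a collector they show up as a numeric snmpTrapOID, not as a name, unless the Cisco MIBs are loaded. As an added example (not from the article or from Cisco), the Python below turns the enterprise OIDs and specific-trap numbers listed above into the snmpTrapOID values a receiver sees, using the RFC 3584 rule that an SNMPv1 enterprise-specific trap maps to enterprise.0.specific, and then decodes and triages log lines carrying that OID. The log lines are constructed in the style of net-snmp snmptrapd output, not captured from a device, and the split between "alert" and "info" traps is an illustrative choice to adapt to local policy.

```python
import re

# Enterprise OIDs and specific-trap numbers exactly as listed in the article.
TRAP_TABLES = {
    "1.3.6.1.4.1.9.9.171.2": {  # CISCO-IPSEC-FLOW-MONITOR-MIB
        1: "cikeTunnelStart", 2: "cikeTunnelStop", 3: "cikeSysFailure",
        4: "cikeCertCrlFailure", 5: "cikeProtocolFailure", 6: "cikeNoSa",
        7: "cipSecTunnelStart", 8: "cipSecTunnelStop", 9: "cipSecSysFailure",
        10: "cipSecSetUpFailure", 11: "cipSecEarlyTunTerm",
        12: "cipSecProtocolFailure", 13: "cipSecNoSa",
    },
    "1.3.6.1.4.1.9.10.62.2": {  # CISCO-IPSEC-MIB
        1: "cipsIsakmpPolicyAdded", 2: "cipsIsakmpPolicyDeleted",
        3: "cipsCryptomapAdded", 4: "cipsCryptomapDeleted",
        5: "cipsCryptomapSetAttached", 6: "cipsCryptomapSetDetached",
        7: "cipsTooManySAs",
    },
    "1.3.6.1.4.1.9.9.315": {1: "cpsSecureMacAddrViolation"},  # CISCO-PORT-SECURITY-MIB
}


def v2_trap_oid(enterprise, specific):
    """RFC 3584 section 3.1: SNMPv1 enterprise-specific trap -> snmpTrapOID = enterprise.0.specific."""
    return f"{enterprise}.0.{specific}"


TRAP_NAMES = {v2_trap_oid(ent, num): name
              for ent, table in TRAP_TABLES.items() for num, name in table.items()}

# Illustrative triage (assumption, not from the article): failures, SA exhaustion and
# port-security violations page someone; normal lifecycle traps are logged only.
ALERT = {"cikeSysFailure", "cikeCertCrlFailure", "cipSecSysFailure",
         "cipSecSetUpFailure", "cipSecEarlyTunTerm", "cipsTooManySAs",
         "cpsSecureMacAddrViolation"}

TRAPOID_RE = re.compile(r"snmpTrapOID\.0\s*=\s*OID:\s*(\S+)")


def normalise_oid(oid):
    """Accept dotted-numeric OIDs with or without a leading dot, plus the
    SNMPv2-SMI::enterprises.<...> form printed when vendor MIBs are not loaded."""
    oid = oid.strip().lstrip(".")
    prefix = "SNMPv2-SMI::enterprises."
    if oid.startswith(prefix):
        oid = "1.3.6.1.4.1." + oid[len(prefix):]
    return oid


def classify_trap(line):
    """Return (trap name, 'alert' | 'info') for a line carrying snmpTrapOID.0, else None."""
    m = TRAPOID_RE.search(line)
    if not m:
        return None
    name = TRAP_NAMES.get(normalise_oid(m.group(1)))
    if name is None:
        return None  # not one of the traps in the tables above
    return name, ("alert" if name in ALERT else "info")


def triage(lines):
    """Decode every recognised trap in a batch of log lines, in order."""
    return [r for r in (classify_trap(line) for line in lines) if r is not None]


# Constructed sample lines in the style of snmptrapd logging; not a real capture.
SAMPLE_LOG = [
    "SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9.9.171.2.0.7",
    "SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.4.1.9.9.171.2.0.4",
    "SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.4.1.9.10.62.2.0.7",
    "SNMPv2-MIB::snmpTrapOID.0 = OID: .1.3.6.1.4.1.9.9.315.0.1",
    "DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (12345) 0:02:03.45",
]

if __name__ == "__main__":
    for name, severity in triage(SAMPLE_LOG):
        print(f"{severity.upper():5} {name}")
```

Note that the cpsSecureMacAddrViolation entry in the article gives the MIB's enterprise OID without a notifications sub-branch; the same enterprise.0.specific rule still yields the OID the switch sends.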

Refer to the Monitoring and Maintaining VPN Session section of VPN Tunnel Management to monitor and maintain the VPN session.

Comments

Hi,

Are these traps available on the Cisco VPN Concentrator and ASA?

Regards

Pierre Nelson

I'm curious how you stop the tunnel number from being redone every time there is a re-key of the tunnel.

Good morning. I'm setting up an ASA 5515-X firewall, and I need to monitor the tunnel status, or the local and remote VPN IPs. I wonder if there is any OID or any other way to use the tunnel status: when it goes DOWN or UP, the value is not updated, and the line is simulated or destroyed. I am monitoring via SNMP using IBM Tivoli Network Manager (ITNM), to no avail; when the tunnel goes DOWN the line is deleted, as in the example below. Thank you for now.


DESCRIPTION OF OBJECT:

Name: cikeTunStatus
OID: 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Type: INTEGER
Module: CISCO-IPSEC-FLOW-MONITOR-MIB
Description: The status of the MIB table row. This object can be used to bring the tunnel down by setting the value of this object to destroy(2). This object cannot be used to create a MIB table row.


snmpwalk before tearing down the VPN tunnel (4 entries)

Host : serverA OID : 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Name Value

cikeTunStatus.35733504 -> 1
cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1

cikeTunRemoteName.35733504 -> 200.xxx.xxx.1
cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4

cikeTunLocalName.35733504 -> 192.xxx.xxx.1
cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2

snmpwalk AFTER tearing down the VPN tunnel (3 entries)

Host : serverA OID : 1.3.6.1.4.1.9.9.171.1.2.3.1.35
Name Value

cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1

cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4

cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2

Trigger Event
Status of tunnel VPN LOCAL PEER: eval(text,"&SNMP.VALUE.cikeTunLocalName") <----> REMOTE PEER: eval(text,"&SNMP.VALUE.cikeTunRemoteName") = "DOWN"

Clear Event
Status of tunnel VPN LOCAL PEER: eval(text,"&SNMP.VALUE.cikeTunLocalName") <----> REMOTE PEER: eval(text,"&SNMP.VALUE.cikeTunRemoteName") = "UP"
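The walks in the comment above show the core difficulty: when the tunnel is torn down, its cikeTunStatus row is not set to a "down" value, it disappears from the table, so a poller that only watches the value of an existing row never sees a change. As an added example (not part of the thread and not a Cisco or ITNM artefact), the Python below compares two successive walks and emits a DOWN event for each (local, remote) peer pair that was active in the earlier walk and absent from the later one, and an UP event for the reverse. Keying on the peer pair rather than on the row index also means that a re-key which replaces the row under a new index, the behaviour the earlier comment describes, does not produce a spurious DOWN/UP pair as long as some row for that pair is present in each walk. The two walks are the ones quoted above, with the peer addresses masked exactly as on the page; the reading of cikeTunStatus value 1 as "active" is an assumption taken from the live tunnels in those walks.

```python
import re

# The two walks quoted in the comment (addresses masked as on the page).
BEFORE = """\
cikeTunStatus.35733504 -> 1
cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1
cikeTunRemoteName.35733504 -> 200.xxx.xxx.1
cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4
cikeTunLocalName.35733504 -> 192.xxx.xxx.1
cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2
"""

AFTER = """\
cikeTunStatus.69926912 -> 1
cikeTunStatus.150061056 -> 1
cikeTunStatus.244064256 -> 1
cikeTunRemoteName.69926912 -> 200.xxx.xxx.2
cikeTunRemoteName.150061056 -> 200.xxx.xxx.3
cikeTunRemoteName.244064256 -> 200.xxx.xxx.4
cikeTunLocalName.69926912 -> 192.xxx.xxx.2
cikeTunLocalName.150061056 -> 192.xxx.xxx.2
cikeTunLocalName.244064256 -> 192.xxx.xxx.2
"""

# "<cikeTun object>.<tunnel index> -> <value>"
WALK_RE = re.compile(r"^(?P<obj>cikeTun\w+)\.(?P<idx>\d+)\s*->\s*(?P<val>\S+)$")


def parse_walk(text):
    """Return {tunnel index: {object name: value}} from the 'name.index -> value' lines."""
    rows = {}
    for line in text.splitlines():
        m = WALK_RE.match(line.strip())
        if m:
            rows.setdefault(int(m["idx"]), {})[m["obj"]] = m["val"]
    return rows


def active_peers(rows):
    """Set of (local, remote) pairs whose row reports cikeTunStatus 1 (assumed active)."""
    return {(row.get("cikeTunLocalName", "?"), row.get("cikeTunRemoteName", "?"))
            for row in rows.values() if row.get("cikeTunStatus") == "1"}


def tunnel_events(before_text, after_text):
    """Diff two walks: pairs that vanished are DOWN, pairs that appeared are UP.

    Rows are matched on the peer pair, not the row index, so a rebuilt SA with a
    new index for the same peers does not register as an outage.
    """
    before = active_peers(parse_walk(before_text))
    after = active_peers(parse_walk(after_text))
    down = [("DOWN", local, remote) for local, remote in sorted(before - after)]
    up = [("UP", local, remote) for local, remote in sorted(after - before)]
    return down + up


if __name__ == "__main__":
    for state, local, remote in tunnel_events(BEFORE, AFTER):
        print(f"Status of tunnel VPN LOCAL PEER: {local} <----> REMOTE PEER: {remote} = {state}")
```

The printed line mirrors the trigger and clear event text in the comment, so the same comparison can feed a manager that expects a DOWN event followed later by a matching UP to clear it. Polling twice per interval is the price of detecting a row that vanishes rather than changes value.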
