Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1298
Views
5
Helpful
6
Replies

SNMP monitoring of Bypass mode on a 4255

d.chevalier
Level 1
Level 1

‎01-17-2012 10:51 AM - edited ‎03-10-2019 05:35 AM

Hi,

I am trying to monitor if the IPS is in bypass mode or not through SNMP.

Does anyone know which OID I should be looking at?

Thanks

Labels:
0 Helpful
6 Replies 6

murphy.brandon
Level 1
Level 1

‎01-19-2012 12:42 PM

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.0 = STRING: "Indicates that the specified network interface has lost link."

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.1 = STRING: "Indicates that the specified network interface has established link."

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.2 = STRING: "Indicates that packet traffic has started on the specified network interface."

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.3 = STRING: "Indicates that packet traffic has stopped on the specified network interface."

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.4 = STRING: "Indicates that the percentage of missed packets on the specified interface has exceeded the configured threshold."

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.5 = STRING: "Indicates that the inline data bypass has started."

.1.3.6.1.4.1.9.9.138.1.1.2.1.3.0.6 = STRING: "Indicates that the inline data bypass has stopped."

There seems to be some mibs releated to this, but i'm guessing these are SNMP traps that can be sent.  I haven't tested this, but might be worth a shot to setup SNMP traps and manually start bypass to see if you get them.

d.chevalier
Level 1
Level 1
In response to murphy.brandon

‎01-23-2012 10:10 AM

Thanks Brandon

I cannot seem to be able to relate these oids to anyting. 

Where did you get them from?

Daniel

0 Helpful

murphy.brandon
Level 1
Level 1
In response to d.chevalier

‎01-24-2012 02:35 PM

I did an SNMPWALK of the IDS.

snmpwalk -c communitystringhere -v2c ip.address.goes.here  .1.3.6.1.4.1.9.9.138.1.1.2.1.3.0

I plan on testing some SNMP trap options in the near future, i'll let you know what I find out, but it might be a couple weeks.

0 Helpful

d.chevalier
Level 1
Level 1
In response to murphy.brandon

‎01-30-2012 04:11 AM

Thank you Brandon

0 Helpful

mkodali
Cisco Employee
Cisco Employee
In response to d.chevalier

‎02-01-2012 08:26 AM

In the recent releases like 7.1-3 we can do a SNMP GET for ByPass State

By name :

qats-229:75> ./getone -v2c 10.89.148.204 public cidsHealthSecMonByPassMode.0

cidsHealthSecMonByPassMode.0 = on(1)

By OID:

qats-229:76> ./getone -v2c 10.89.148.204 public  1.3.6.1.4.1.9.9.383.1.4.27.0

cidsHealthSecMonByPassMode.0 = on(1)

In prior versions we can monitor through SNMP traps. Traps should look something like this :

Received SNMPv2c Trap: Community: "public" 
From: 10.89.149.204 mib_2.1.3.0 = 38429472 
snmpModules.1.1.4.1.0 = ciscoMgmt.138.2.0.1 
ciscoMgmt.138.1.3.3.1.3 = 3                      <====    This tells the index is 3 which means GigabitEthernet0/0 (from above) 
ciscoMgmt.138.1.3.3.1.4 = 5                      <====    Traffic bypass started ( 6 for stopped) 
ciscoMgmt.138.1.3.3.1.5 = 4 
ciscoMgmt.138.1.3.3.1.6 = 38429472

Hope this helps
Madhu
0 Helpful

d.chevalier
Level 1
Level 1
In response to mkodali

‎02-06-2012 04:24 AM

Hi Mahdu,

Thanks for the information on the trap side.

I do not know where you took version 7.1-3 but I have no access to that
the version I have is 7.0(6) E4

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card