ipsec aggregate session counters for crypto maps

Hi All,

I'm attempting to poll / graph the usage of various IPsec tunnels. In this case, my side is a Cisco IOS router and the tunnels are static but built with crypto maps. I'd prefer to use VTI; unfortunately, Cisco doesn't allow custom SAs per VTI, and the other side won't agree to an SA of *.. but that's a different conversation.

I can't find an SNMP MIB OID that will give me aggregate statistics for phase 2 data flow for a given end point. I can, however, find the index of all existing IPsec phase 2 flows and poll the statistics for each.

  I'm using Cacti to do the polls, and it lacks the ability to perform a complicated query such as this, so I've written a script to do the data collection and I simply collect statistics from the script. This is a bit inefficient, so I thought I'd check to see if any of you knew of an OID to report what I'm after.

  My script should give you a clear idea of what I'm looking for:


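# Walk the table that carries the ACL name and keep the index of each matching phase 2 flow
snmpwalk -Oqn myrouter . | grep "UNIQUE-ACL-NAME-FOR-IPSEC-PEER-I-AM-LOOKINGFOR" | cut -d' ' -f1 | awk -F. '{ print $NF }' | while read BLAH
do
        # Inbound counter for this flow
        VALUE=`snmpget -Oqvn myrouter .$BLAH | cut -d' ' -f1`
        TOTAL_IN=$(($TOTAL_IN + $VALUE))
        # Outbound counter for this flow
        VALUE=`snmpget -Oqvn myrouter .$BLAH | cut -d' ' -f1`
        TOTAL_OUT=$(($TOTAL_OUT + $VALUE))
        # Running totals; only the last line is kept
        echo $TOTAL_IN $TOTAL_OUT
done | tail -1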
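
The same aggregation done from three bulk walks instead of two `snmpget` calls per flow, as an added example that is not part of the original post. It assumes each walk was saved with `snmpwalk -Oqn` to a file; the function names are hypothetical and the `.9.9.9.*` OIDs are constructed placeholders, since the post's OIDs are not shown.

```shell
#!/bin/sh
# sum_tunnel_octets NAME_WALK IN_WALK OUT_WALK PATTERN   (hypothetical helper)
#   NAME_WALK : saved walk of the column whose value carries the ACL name
#   IN_WALK   : saved walk of the per-flow inbound counter column
#   OUT_WALK  : saved walk of the per-flow outbound counter column
#   PATTERN   : fixed string that identifies the peer
# Prints "<total_in> <total_out>". Prints "0 0" when no flow matches, so the
# poller always receives two numbers even while the tunnel is down.
sum_tunnel_octets() {
    awk -v pat="$4" '
        NF < 2 { next }                      # skip blank or truncated lines
        # The row index is the last dotted component of the OID.
        { n = split($1, part, "."); idx = part[n] }
        pass == 1 && index($0, pat) { want[idx] = 1 }   # remember matching rows
        pass == 2 && (idx in want)  { tin  += $2 }      # sum inbound counters
        pass == 3 && (idx in want)  { tout += $2 }      # sum outbound counters
        END { printf "%.0f %.0f\n", tin, tout }
    ' pass=1 "$1" pass=2 "$2" pass=3 "$3"
}

# Constructed sample data: three flows, two of them for PEER-A-ACL.
demo_sum() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '.9.9.9.1.11 "PEER-A-ACL"' '.9.9.9.1.12 "PEER-B-ACL"' \
                  '.9.9.9.1.13 "PEER-A-ACL"' > "$d/name"
    printf '%s\n' '.9.9.9.2.11 1500' '.9.9.9.2.12 7000' '.9.9.9.2.13 3000' > "$d/in"
    printf '%s\n' '.9.9.9.3.11 400' '.9.9.9.3.12 50' '.9.9.9.3.13 500' > "$d/out"
    sum_tunnel_octets "$d/name" "$d/in" "$d/out" "${1:-PEER-A-ACL}"
    rm -rf "$d"
}

demo_sum    # prints: 4500 900
```

Three walks per poll keep the request count constant no matter how many phase 2 flows exist for the peer.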