Method to monitor Client VPN availability in IOS?

emphillips00
Level 1

Hello,

Does anyone know of a MIB, or a clever method of using the EEM to monitor if the Client VPN service of an IOS router is available? I am trying to find a way to be alerted by my NMS if my users are not able to connect via the Cisco VPN client back to my network.

Thanks!

Eric

9 Replies

Joe Clarke
Cisco Employee

How would you determine this from the IOS CLI?

Hi Jclarke, thank you for your reply.

A few of the IOS commands I would use are:

show crypto engine brief

To make sure my AIM is working, I would make sure I see the line:

State: Enabled

show crypto dynamic-map and show crypto map interface [Outside Int]

To make sure the dynamic-map was still applied I would make sure the map I created was there and applied to my outside interface.

I would also look at "show udp | include _500_" and make sure I am listening on UDP 500.

I am not a Security CCIE, so I am sure there are better commands to verify that Client VPN functions are available.

I am very curious what other folks are doing to monitor their VPN concentrators, ASAs, or IOS devices that provide VPN termination. Do you rely on users to be your "monitoring probe" to alert you when VPN functionality is not available? Or is there a way of having my NMS tell me before my users notice?

-Eric

I'm not sure what others are doing to monitor VPNs. However, there are some MIB objects that will allow you to do some of this. However, given all of the different commands you're using, it may be easier for you to use EEM, and have EEM alert you when one of these commands does not return expected data.

You can search through http://www.cisco.com/go/ciscobeyond for some EEM examples. For this, you'll need a Tcl policy. If you provide specific command output for both the good and bad scenarios of all the commands, I can also post some code examples. The "show udp" and "show crypto engine brief" output is easy, but what exactly are you looking for with the crypto map interface command?

Hi jclarke, thank you very much for your reply and for the link. I have been meaning to look into EEM a bit more; I will definitely review your link!

From the "show crypto map int multilink 1" output I would expect to see:

#sh crypto map int multi 1

Crypto Map "crypto_outside" 30 ipsec-isakmp

Dynamic map template tag: dynmap

Interfaces using crypto map crypto_outside:

Multilink1

So I suppose I am looking for "dynmap" to still be in that crypto map.

I'm sure this is not the most optimal method of making sure my Client VPN is accessible though, but I suppose it is better than nothing.

I really thank you again for taking the time to make such a personal and thoughtful reply!

-Eric

I've been pretty busy this week, but I will try and code an example policy this weekend.

Hi jclarke,

No rush at all, I am very thankful that you are helping me. I have been busy myself too, I just passed my R/S CCIE yesterday in RTP!

-Eric

Here is a policy which should do the trick. It will run the three commands you're using to monitor VPN viability, and send a syslog message if any of those commands fail to return the desired output. To use the policy, you will first need to create a directory on the device's flash where EEM policies will live. If your flash does not support mkdir, then just put the policy in the root of the flash file system. For example:

Router#mkdir flash:/policies

Next, copy the policy into this location. Then configure IOS to recognize this location as the EEM policy directory:

Router(config)#event manager directory user policy flash:/policies

Then, set the necessary environment variables for this policy. They are:

crypto_period : How often to check the status of the device.
crypto_interface : Interface on which crypto map is applied.
crypto_map : Name of crypto map for which to check.

For example:

Router(config)#event manager environment crypto_period 300

Router(config)#event manager environment crypto_interface multilink1

Router(config)#event manager environment crypto_map dynamap

Finally, register your policy:

Router(config)#event manager policy tm_crypto_watch.tcl

Congratulations on your CCIE.

Attachment Keywords : 1) tm_crypto_watch.tcl
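Added example policy, my own sketch for this thread rather than the tm_crypto_watch.tcl attachment (which is not reproduced here): it uses the EEM Tcl CLI library to run Eric's three show commands on a watchdog timer, matches the strings he quoted from his output, and raises a single syslog message when any check fails. The environment variable names are the ones listed above; the regular expressions and the maxrun value are assumptions.

```tcl
# Added example for this thread, not the attached tm_crypto_watch.tcl.
::cisco::eem::event_register_timer watchdog time $crypto_period maxrun 60
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Refuse to run until the three environment variables named above are set.
foreach var {crypto_period crypto_interface crypto_map} {
    if { ![info exists $var] } {
        error "Policy cannot run: environment variable $var is not set"
    }
}
# Run one CLI command and return its output, aborting the policy on failure.
proc run_cmd { fd cmd } {
    if { [catch {cli_exec $fd $cmd} output] } {
        error $output $::errorInfo
    }
    return $output
}

if { [catch {cli_open} result] } {
    error $result $errorInfo
}
array set cli $result
run_cmd $cli(fd) "enable"
set problems {}

# Check 1: the crypto engine (AIM) must report "State: Enabled".
set out [run_cmd $cli(fd) "show crypto engine brief"]
if { ![regexp -line {State:\s+Enabled} $out] } {
    lappend problems "crypto engine not Enabled"
}

# Check 2: the dynamic map template tag must still be in the crypto map
# applied to the outside interface.
set out [run_cmd $cli(fd) "show crypto map interface $crypto_interface"]
if { ![regexp -line "Dynamic map template tag:\\s+$crypto_map\\s*$" $out] } {
    lappend problems "dynamic map $crypto_map not found on $crypto_interface"
}

# Check 3: UDP 500 must be listening, mirroring "show udp | include _500_".
set out [run_cmd $cli(fd) "show udp"]
if { ![regexp -line {\s500\s} $out] } {
    lappend problems "UDP 500 not listening"
}
catch {cli_close $cli(fd) $cli(tty_id)}
# One syslog line summarising every failed check, for the NMS to alert on.
if { [llength $problems] > 0 } {
    action_syslog priority crit msg "Client VPN check failed: [join $problems {; }]"
}
```

Because the policy only speaks when something is wrong, pair it with a syslog-to-trap or syslog-collector rule on the NMS so the "Client VPN check failed" message actually raises an alert.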

I found a typo in my previous version. Use this version instead.

Hi again jclarke,

Thank you again so very much for this script. I am going to dissect it and use this as a chance to learn all about EEM.

I really can not thank you enough for the tremendous amount of effort you have put forth to help me out!

-Eric
