Does anyone know of a MIB, or a clever method of using the EEM to monitor if the Client VPN service of an IOS router is available? I am trying to find a way to be alerted by my NMS if my users are not able to connect via the Cisco VPN client back to my network.
Hi Jclarke, thank you for your reply.
A few of the IOS commands I would use are:
show crypto engine brief
To make sure my AIM is working, I would make sure I see the line:
show crypto dynamic-map and show crypto map interface [Outside Int]
To make sure the dynamic-map was still applied I would make sure the map I created was there and applied to my outside interface.
I would also look at "show udp | include _500_" and make sure I am listening on UDP 500.
I am not a Security CCIE, so I am sure there are better commands to verify that Client VPN functions are available.
I am very curious what other folks are doing to monitor their VPN concentrators, ASAs, or IOS devices that provide VPN termination. Do you rely on users to be your "monitoring probe" to alert you when VPN functionality is not available? Or is there a way of having my NMS tell me before my users notice?
I'm not sure what others are doing to monitor VPNs. However, there are some MIB objects that will allow you to do some of this. However, given all of the different commands you're using, it may be easier for you to use EEM, and have EEM alert you when one of these commands does not return expected data.
You can search through http://www.cisco.com/go/ciscobeyond for some EEM examples. For this, you'll need a Tcl policy. If you provide specific command output for both the good and bad scenarios of all the commands, I can also post some code examples. The "show udp" and "show crypto engine brief" output is easy, but what exactly are you looking for with the crypto map interface command?
Hi jclarke, thank you very much for your reply and for the link. I have been meaning to look into EEM a bit more; I will definitely review your link!
From the "show crypto map int multilink 1" output I would expect to see:
#sh crypto map int multi 1
Crypto Map "crypto_outside" 30 ipsec-isakmp
Dynamic map template tag: dynmap
Interfaces using crypto map crypto_outside:
So I suppose I am looking for "dynmap" to still be in that crypto map.
I'm sure this is not the most optimal method of making sure my Client VPN is accessible though, but I suppose it is better than nothing.
I really thank you again for taking the time to make such a personal and thoughtful reply!
No rush at all, I am very thankful that you are helping me. I have been busy myself too, I just passed my R/S CCIE yesterday in RTP!
Here is a policy which should do the trick. It will run the three commands you're using to monitor VPN viability, and send a syslog message if any of those commands fail to return the desired output. To use the policy, you will first need to create a directory on the device's flash where EEM policies will live. If your flash does not support mkdir, then just put the policy in the root of the flash file system. For example:
Next, copy the policy into this location. Then configure IOS to recognize this location as the EEM policy directory:
Router(config)#event manager directory user policy flash:/policies
Then, set the necessary environment variables for this policy. They are:
crypto_period : How often to check the status of the device.
crypto_interface : Interface on which crypto map is applied.
crypto_map : Name of crypto map for which to check.
Router(config)#event manager environment crypto_period 300
Router(config)#event manager environment crypto_interface multilink1
Router(config)#event manager environment crypto_map dynamap
Finally, register your policy:
Router(config)#event manager policy tm_crypto_watch.tcl
Congratulations on your CCIE.
Attachment: tm_crypto_watch.tcl
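For readers who cannot fetch the attachment, here is an illustrative EEM Tcl policy written for this page that implements the three checks from the earlier post (UDP 500 listener, crypto engine, dynamic map bound to the outside interface) and is registered with the same environment variables and "event manager directory"/"event manager policy" steps described above. It is an added example, not jclarke's attached tm_crypto_watch.tcl. Assumptions not taken from the thread: the maxrun value, the proc names has_line and run_cmd, the syslog message text, and the "state: enabled" pattern used for "show crypto engine brief" (the exact line the AIM prints was not given in the thread, so adjust that regexp to your platform's output).

```tcl
# Example Client-VPN watchdog policy (illustrative; not the attached tm_crypto_watch.tcl).
# Fires every $crypto_period seconds; maxrun 60 is an assumed bound for the three show commands.
::cisco::eem::event_register_timer watchdog time $crypto_period maxrun 60

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# The three variables are set with "event manager environment <name> <value>".
foreach var {crypto_period crypto_interface crypto_map} {
    if {![info exists $var]} {
        error "EEM environment variable $var must be set before registering this policy"
    }
}

# Return 1 if some line of $output, after trimming whitespace, equals $wanted exactly.
# Exact-line comparison avoids accepting "dynmap2" when we are looking for "dynmap".
proc has_line {output wanted} {
    foreach line [split $output "\n"] {
        if {[string trim $line] eq $wanted} {
            return 1
        }
    }
    return 0
}

# Run one command over the open CLI session and return its output.
proc run_cmd {fd cmd} {
    if {[catch {cli_exec $fd $cmd} result]} {
        error $result $::errorInfo
    }
    return $result
}

if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli $result
run_cmd $cli(fd) "enable"

set failures [list]

# 1. ISAKMP listener. In IOS "| include _500_" the underscore is a regexp token
#    matching a space or line edge, so in Tcl we look for 500 as a whole word.
set udp_out [run_cmd $cli(fd) "show udp | include _500_"]
if {![regexp {\m500\M} $udp_out]} {
    lappend failures "no UDP 500 listener in 'show udp'"
}

# 2. Hardware crypto engine. ASSUMED pattern: change it to the exact healthy
#    line your AIM prints in "show crypto engine brief".
set eng_out [run_cmd $cli(fd) "show crypto engine brief"]
if {![regexp -nocase {state:\s+enabled} $eng_out]} {
    lappend failures "crypto engine not reported as enabled"
}

# 3. Dynamic map template still present in the crypto map on the outside interface.
set map_out [run_cmd $cli(fd) "show crypto map interface $crypto_interface"]
if {![has_line $map_out "Dynamic map template tag: $crypto_map"]} {
    lappend failures "dynamic map '$crypto_map' missing from crypto map on $crypto_interface"
}

catch {cli_close $cli(fd) $cli(tty_id)}

# One syslog per failed run; the NMS should trap on this message text (assumed mnemonic).
if {[llength $failures] > 0} {
    action_syslog priority err msg "CLIENT-VPN-WATCH: [join $failures {; }]"
}
```

Copy the file to the directory configured with "event manager directory user policy" and register it with "event manager policy", as described above; if a required environment variable is missing, registration fails with the error from the foreach loop rather than silently running a policy that can never match. One caveat worth keeping in mind: these checks confirm the listener, the crypto engine and the map binding are present, which is what the thread asked for, but they do not prove that an IKE negotiation and client login actually succeed. If the NMS can drive a real VPN client, a periodic synthetic connection is the stronger probe, and this policy then becomes the fast first-line alarm rather than the only one.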
Hi again jclarke,
Thank you again so very much for this script. I am going to dissect it and use this as a chance to learn all about EEM.
I really can not thank you enough for the tremendous amount of effort you have put forth to help me out!