Monitoring Site-to-Site VPNs Status

mahmoud.mounir
Level 1

I need to monitor Site-to-Site VPN tunnel status for the coming period. I need to know which tunnels will go up and which ones will remain down. Can you help with the MIB that can monitor this requirement, or is there any other way to check the status of the tunnels?

10 Replies

estill
Level 1

There is an SNMP trap on IOS routers that will report when a tunnel goes up or down, if that helps.

Hi estill,

Are these traps generated from the router the Tunnel Start and Tunnel Stop traps?

If yes, do you know if these traps can identify the remote peer that went up or down?

I think this trap only goes up once the tunnel is configured, but never goes down again until the tunnel is deleted. Can you confirm this?

gmagillsiemens
Level 1

As far as I know, there is no trap to monitor this. Either the tunnel is administratively up, i.e. configured, or it is deleted.

The only method I have found to do this is to use Nagios to poll the tunnel status at regular intervals using the MIB.

Does anyone know of a more pro-active way to do this other than polling?

Hi gmagillsiemens,

I'm looking for a way to monitor the tunnel status with Nagios. How do you do these checks? Can you post your command and service definition? What MIB do you use?

Thanks

Matthias

rahul0904
Level 1

You can configure keepalive on the tunnel interface. Once the remote site is not reachable, i.e. if the destination IP of the tunnel is not reachable, the tunnel will go down. Further, you can configure SNMP traps and monitor the tunnel. Hope this helps.

hmacread
Level 1

Hi There,

There are traps when tunnels go up and down. You can enable the traps with the following IOS configurations:

snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop

Hope this helps.

Hi There,

Thanks for the info. The router sends traps indicating that the tunnel went up or down, but I can't find in the trap any identifier of the VPN that had a change in state in case of having multiple tunnels on the router (like peer address, etc.). Do you have an idea of how to convert the trap into easily identified info? I am using SolarWinds as a management system.

What is the OID (SNMP Object identifier) for the trap that is received?

Do you have a packet capture?

rdelapen
Level 1

A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the admin or protocol status on that interface.

This is an example of snmpwalk on ifTable:

# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up

You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:

enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa

These are the traps that are available from CISCO-IPSEC-MIB:

enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs

These are the traps that are available from CISCO-PORT-SECURITY-MIB:

enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation

Turn on the traps for IPsec, as shown:

snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
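As an added example (not code posted in this thread), here is a Nagios-style check built on the ifTable poll rdelapen describes, which also answers Matthias's question about how to check tunnel status from Nagios: it parses net-snmp walk output for ifDescr, ifAdminStatus and ifOperStatus, reports a tunnel that is admin up but protocol down as CRITICAL, and only warns for a tunnel that was shut on purpose. The walk output below is constructed, and the net-snmp output format is an assumption; on a real router you would feed it the output of snmpwalk against IF-MIB.

```python
import re
# Constructed sample of net-snmp `snmpwalk` output over IF-MIB (not captured from a real device).
SAMPLE_WALK = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/0
IF-MIB::ifDescr.3 = STRING: Tunnel0
IF-MIB::ifDescr.4 = STRING: Tunnel1
IF-MIB::ifDescr.5 = STRING: Tunnel2
IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
IF-MIB::ifAdminStatus.3 = INTEGER: up(1)
IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
IF-MIB::ifAdminStatus.5 = INTEGER: down(2)
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifOperStatus.3 = INTEGER: up(1)
IF-MIB::ifOperStatus.4 = INTEGER: down(2)
IF-MIB::ifOperStatus.5 = INTEGER: down(2)
"""
# net-snmp prints e.g. "IF-MIB::ifOperStatus.3 = INTEGER: up(1)"; keep the value before "(".
LINE_RE = re.compile(r"^IF-MIB::(ifDescr|ifAdminStatus|ifOperStatus)\.(\d+) = \w+: ([^(]+)")

def parse_walk(text):
    """Group the three columns by ifIndex: {index: {"ifDescr": ..., "ifAdminStatus": ..., ...}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            col, idx, val = m.groups()
            rows.setdefault(int(idx), {})[col] = val.strip()
    return rows

def check_tunnels(text, prefix="Tunnel"):
    """Return (nagios_exit_code, summary) for interfaces whose ifDescr starts with prefix."""
    ok, admin_down, failed = [], [], []
    for idx, row in sorted(parse_walk(text).items()):
        name = row.get("ifDescr", "")
        if not name.startswith(prefix):
            continue
        admin = row.get("ifAdminStatus", "unknown")
        oper = row.get("ifOperStatus", "unknown")
        if admin != "up":
            admin_down.append(name)  # shut on purpose: report it, but not as a failure
        elif oper == "up":
            ok.append(name)
        else:
            failed.append(name)  # admin up but protocol down: peer unreachable or no SA
    if failed:
        return 2, "CRITICAL - tunnels down: " + ", ".join(failed)
    if admin_down:
        return 1, "WARNING - admin down: " + ", ".join(admin_down)
    return 0, "OK - %d tunnels up" % len(ok)
```

In a Nagios command definition, exit with the returned code and print the summary; the filter on the interface description is what keeps physical interfaces out of the tunnel check.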
