New Member

Monitoring Site-to-Site VPNs Status

I need to monitor Site to Site VPN tunnel status for the coming period. I need to know which tunnels will go up and which ones will remain down. Can you help with the MIB that can monitor this requirement, or is there any other way to check the status of the tunnels?

10 REPLIES
New Member

Re: Monitoring Site-to-Site VPNs Status

There is an SNMP trap on IOS routers that will report when a tunnel goes up or down, if that helps.

New Member

Re: Monitoring Site-to-Site VPNs Status

Hi estill,

Are these traps generated from the router the Tunnel start and Tunnel stop traps?

If yes, do you know if these traps can identify the remote peer that went up or down?

New Member

Re: Monitoring Site-to-Site VPNs Status

I think this trap only goes up once the tunnel is configured, but never goes down again until the tunnel is deleted. Can you confirm this?

New Member

Re: Monitoring Site-to-Site VPNs Status

As far as I know, there is no trap to monitor this. Either the tunnel is administratively up, i.e. configured or it is deleted.

The only method I have found to do this is to use Nagios to poll the tunnel status at regular intervals using the MIB.

Does anyone know of a more pro-active way to do this other than polling?

New Member

Re: Monitoring Site-to-Site VPNs Status

hi gmagillsiemens,

I'm looking for a way to monitor the tunnel status with Nagios. How do you do these checks? Can you post your command and service definition? What MIB do you use?

thanks

Matthias

New Member

Re: Monitoring Site-to-Site VPNs Status

You can configure keepalive on the tunnel interface. Once the remote site is not reachable, i.e. if the destination IP of the tunnel is not reachable, the tunnel will go down. Further, you can configure SNMP traps and monitor the tunnel. Hope this helps.

New Member

Re: Monitoring Site-to-Site VPNs Status

Hi There,

There are traps when tunnels go up and down. You can enable the traps with the following IOS configurations:

snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop

Hope this helps.

New Member

Re: Monitoring Site-to-Site VPNs Status

Hi There,

Thanks for the info. The router sends traps indicating that the tunnel went up or down, but I can't find in the trap any identifier of the VPN that had a change in state, in case of having multiple tunnels on the router (like peer address, etc.). Do you have an idea of how to convert the trap into easily identified information? I am using SolarWinds as a management system.

New Member

Re: Monitoring Site-to-Site VPNs Status

What is the OID (SNMP Object identifier) for the trap that is received?

Do you have a packet capture?

New Member

Re: Monitoring Site-to-Site VPNs Status

A VPN tunnel can be monitored just like any other interface. If ifTable is polled, you can see the admin or protocol status on that interface.

This is an example of snmpwalk on ifTable:

# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up

You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:

enterprise 1.3.6.1.4.1.9.9.171.2
1 cikeTunnelStart
2 cikeTunnelStop
3 cikeSysFailure
4 cikeCertCrlFailure
5 cikeProtocolFailure
6 cikeNoSa
7 cipSecTunnelStart
8 cipSecTunnelStop
9 cipSecSysFailure
10 cipSecSetUpFailure
11 cipSecEarlyTunTerm
12 cipSecProtocolFailure
13 cipSecNoSa

These are the traps that are available from CISCO-IPSEC-MIB:

enterprise 1.3.6.1.4.1.9.10.62.2
1 cipsIsakmpPolicyAdded
2 cipsIsakmpPolicyDeleted
3 cipsCryptomapAdded
4 cipsCryptomapDeleted
5 cipsCryptomapSetAttached
6 cipsCryptomapSetDetached
7 cipsTooManySAs

These are the traps that are available from CISCO-PORT-SECURITY-MIB:

enterprise 1.3.6.1.4.1.9.9.315
1 cpsSecureMacAddrViolation

Turn on the traps for IPSEC, as shown:

snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
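As an added example that is not part of any reply in this thread, the following Python module covers the two approaches the replies discuss: the Nagios-style poll of ifTable that gmagillsiemens and Matthias talk about, and the decoding of the IPsec traps that the later replies describe, including the question of which tunnel a trap refers to. It works on text that snmpget or a trap receiver has already decoded, so it runs offline without an SNMP library. The enterprise OIDs and trap numbers are the ones listed in the last reply; snmpTrapOID.0 is the standard SNMPv2-MIB varbind; the peer varbind name cikePeerRemoteAddr is an assumption, since the thread does not say which object in the trap carries the peer. The sample poll output and sample trap are constructed.

```python
import re

# Nagios exit codes; RANK decides which one wins when several tunnels disagree.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
RANK = {OK: 0, UNKNOWN: 1, WARNING: 2, CRITICAL: 3}
# Enterprise OIDs and trap numbers exactly as listed in the thread.
IPSEC_FLOW_MONITOR_ENT = "1.3.6.1.4.1.9.9.171.2"  # CISCO-IPSEC-FLOW-MONITOR-MIB
IPSEC_MIB_ENT = "1.3.6.1.4.1.9.10.62.2"  # CISCO-IPSEC-MIB
TRAP_NAMES = {
    IPSEC_FLOW_MONITOR_ENT: {
        1: "cikeTunnelStart", 2: "cikeTunnelStop", 3: "cikeSysFailure",
        4: "cikeCertCrlFailure", 5: "cikeProtocolFailure", 6: "cikeNoSa",
        7: "cipSecTunnelStart", 8: "cipSecTunnelStop", 9: "cipSecSysFailure",
        10: "cipSecSetUpFailure", 11: "cipSecEarlyTunTerm",
        12: "cipSecProtocolFailure", 13: "cipSecNoSa"},
    IPSEC_MIB_ENT: {
        1: "cipsIsakmpPolicyAdded", 2: "cipsIsakmpPolicyDeleted",
        3: "cipsCryptomapAdded", 4: "cipsCryptomapDeleted",
        5: "cipsCryptomapSetAttached", 6: "cipsCryptomapSetDetached",
        7: "cipsTooManySAs"},
}
# snmpTrapOID.0 (SNMPv2-MIB): the varbind that names the notification in a v2c/v3 trap.
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
# ASSUMED varbind name for the remote IKE peer; the thread does not say which object carries it.
PEER_VARBIND = "cikePeerRemoteAddr"


def trap_name(trap_oid):
    """Map a numeric notification OID to a trap name from the tables above.
    SMIv2 notification OIDs are enterprise.0.N; enterprise.N (an SNMPv1 trap's
    enterprise plus specific-trap) is accepted as well."""
    for ent, table in TRAP_NAMES.items():
        if not trap_oid.startswith(ent + "."):
            continue
        rest = trap_oid[len(ent) + 1:].split(".")
        if rest[0] == "0":
            rest = rest[1:]
        if len(rest) == 1 and rest[0].isdigit():
            return table.get(int(rest[0]))
    return None


def classify_trap(varbinds):
    """varbinds: (oid_or_name, value) pairs as a trap receiver hands them over.
    Returns the trap name, a severity and the remote peer when that varbind is present."""
    binds = dict(varbinds)
    name = trap_name(binds.get(SNMP_TRAP_OID, ""))
    if name is None:
        return {"event": "unknown", "severity": "ignore", "peer": None}
    if name.endswith("TunnelStop") or name == "cipSecEarlyTunTerm":
        severity = "down"
    elif name.endswith("TunnelStart"):
        severity = "up"
    elif "Failure" in name or name.endswith("NoSa") or name == "cipsTooManySAs":
        severity = "failure"
    else:
        severity = "info"  # ISAKMP policy / crypto map configuration changes
    peer = next((v for k, v in binds.items() if k.startswith(PEER_VARBIND)), None)
    return {"event": name, "severity": severity, "peer": peer}


# Matches the output format shown in the thread, e.g. 'ifOperStatus.3 : INTEGER: up'.
_GET_LINE = re.compile(r"^(\w+)\.(\d+)\s*:\s*[A-Z ]+:\s*(.+?)\s*$")


def parse_snmpget(output):
    """Turn snmpget/snmpwalk lines into {ifIndex: {object: value}}."""
    rows = {}
    for line in output.splitlines():
        m = _GET_LINE.match(line.strip())
        if m:
            obj, idx, val = m.groups()
            rows.setdefault(int(idx), {})[obj] = val
    return rows


def check_tunnels(output):
    """Nagios-style check over polled ifTable rows of Tunnel* interfaces: (exit_code, summary)."""
    worst, msgs = OK, []
    for idx, row in sorted(parse_snmpget(output).items()):
        descr = row.get("ifDescr", "")
        if not descr.startswith("Tunnel"):
            continue
        admin, oper = row.get("ifAdminStatus"), row.get("ifOperStatus")
        if admin != "up":
            state = WARNING  # configured but administratively disabled
        elif oper == "up":
            state = OK
        elif oper is None:
            state = UNKNOWN  # ifOperStatus missing from the poll
        else:
            state = CRITICAL  # admin up, protocol down: the tunnel really failed
        worst = max(worst, state, key=RANK.get)
        msgs.append(f"{descr}(ifIndex {idx}) admin={admin} oper={oper}")
    if not msgs:
        return UNKNOWN, "UNKNOWN: no Tunnel interfaces in SNMP output"
    return worst, ["OK", "WARNING", "CRITICAL", "UNKNOWN"][worst] + ": " + "; ".join(msgs)


# Constructed samples: a poll where Tunnel1 is admin up but protocol down, and a
# cikeTunnelStop trap (enterprise.0.2) carrying the assumed peer varbind.
SAMPLE_POLL = "\n".join([
    "ifDescr.3 : DISPLAY STRING: Tunnel0", "ifOperStatus.3 : INTEGER: up",
    "ifAdminStatus.3 : INTEGER: up", "ifDescr.4 : DISPLAY STRING: Tunnel1",
    "ifOperStatus.4 : INTEGER: down", "ifAdminStatus.4 : INTEGER: up"])
SAMPLE_TRAP = [("1.3.6.1.2.1.1.3.0", "12345"),  # sysUpTime.0
               (SNMP_TRAP_OID, IPSEC_FLOW_MONITOR_ENT + ".0.2"),
               (PEER_VARBIND + ".1", "203.0.113.7")]
```

Running `check_tunnels(SAMPLE_POLL)` returns exit code 2 with a summary beginning `CRITICAL:`, which is what a Nagios service definition would read from a plugin wrapping `snmpget`; `classify_trap(SAMPLE_TRAP)` returns `cikeTunnelStop` with severity `down` and the peer address, which is the field a management system needs to tell tunnels apart. Two design points: an admin-down tunnel is reported as WARNING rather than CRITICAL, matching the earlier observation that a configured-but-disabled tunnel is a different condition from one that has actually failed, and the polled check and the trap path are kept independent so that a lost trap is still caught by the next poll.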
