
How to monitor IKE phase 1 of any Site-2-Site VPN tunnels via syslog messages

sl
Level 1

I have an ASA5520 with multiple site-2-site VPN tunnels (and also RA VPN connections).
I'd like to monitor whenever a specific peer (known peer address) goes down and reconnects.
I'd like to use syslog messages as the trigger, but I'm not certain which syslog messages to look for.
I know that %ASA-5-713119 tells when phase 1 has completed.

But which syslog message tells me when the IKE phase 1 is torn down?

Thanks

/Soren

2 Replies

kaaftab
Level 4

Well, the best way to monitor the link is by using any NMS; you can use both commercial and open source for this.

************Do rate helpful posts*****************

Hello Soren,

Not sure if you've got the solution to this but I recently wrote a post on the same scenario that I wanted to implement. I did this with PIX but the syslog message ID is the same for the ASA (tested it).

http://networkology.net/2014/06/29/monitoring-site-to-site-vpns-in-asapix-syslog/

There is a good chance of false positives. Your VPN tunnel may time out due to inactivity and that can also generate the same Syslog ID.

I have suggested to disable vpn-idle-timeout in the post, but it's not required if you have a comprehensive syslog/SNMP server that can read the log packets in detail. That way further filtering can be done on the Syslog/SNMP server to ignore false positives. I did this in Zenoss.

If you don't have such a comprehensive monitoring tool, you can then try to disable the timeout, so at least you won't get those false positives that may be triggered because of the VPN being idle.

Let me know if you need more information on this. Hope this helps you and anyone else who comes across this.

Regards,

Shoaib
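
One way to do the server-side filtering described in the reply above, as an added example that is not part of the thread or the linked post: it tracks a single known peer, alerts on teardown, and suppresses idle-timeout disconnects. Only 713119 comes from the thread; the teardown ID 113019, the "Idle Timeout" reason text and the sample log lines are assumptions constructed for illustration.

```python
import re

# Constructed sample lines (not real logs); addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 29 10:00:01 asa1 %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Jun 29 10:40:12 asa1 %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:40m:11s, Bytes xmt: 1200, Bytes rcv: 900, Reason: Idle Timeout
Jun 29 11:02:30 asa1 %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Jun 29 11:05:00 asa1 %ASA-4-113019: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: LAN-to-LAN, Duration: 2h:00m:00s, Bytes xmt: 10, Bytes rcv: 10, Reason: Lost Service
Jun 29 12:15:44 asa1 %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: LAN-to-LAN, Duration: 1h:13m:14s, Bytes xmt: 5000, Bytes rcv: 4000, Reason: Lost Service
Jun 29 12:16:20 asa1 %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
"""

UP_ID = "713119"                     # from the thread: phase 1 completed
DOWN_ID = "113019"                   # assumption: teardown ID is not named in the thread
IGNORED_REASONS = {"idle timeout"}   # assumption: reason text for inactivity teardown

LINE_RE = re.compile(r"%(?:ASA|PIX)-\d-(?P<id>\d{6}):\s*(?P<body>.*)")
IP_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")
REASON_RE = re.compile(r"Reason:\s*(?P<reason>.+?)\s*$")

def alerts(lines, peer):
    """Return [(event, reason)] for one peer, skipping idle-timeout noise."""
    out, alerted_down = [], False
    for line in lines:
        msg = LINE_RE.search(line)
        if not msg:
            continue
        ip = IP_RE.search(msg["body"])
        if not ip or ip["ip"] != peer:
            continue                          # other peers and RA sessions
        if msg["id"] == DOWN_ID:
            found = REASON_RE.search(msg["body"])
            reason = found["reason"] if found else "unknown"
            if reason.lower() in IGNORED_REASONS:
                continue                      # idle teardown: no alert
            out.append(("DOWN", reason))
            alerted_down = True
        elif msg["id"] == UP_ID and alerted_down:
            out.append(("RECOVERED", None))   # only after an alerted DOWN
            alerted_down = False
    return out

if __name__ == "__main__":
    for event in alerts(SAMPLE_LOG.splitlines(), "203.0.113.10"):
        print(event)
```

A phase 1 completion that follows a suppressed idle teardown is not reported as a recovery, so an idle tunnel renegotiating on new traffic stays silent.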