Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

VPN Monitoring

Hello everyone,

    This is my first post here, and I am by no means an ASA expert but Im hoping you could provide me an elegant solution for my companies needs. A large(and growing) part of our customer base is Medical customers, and as such we use encryption for HIPAA compliance. Our customers are rural and send radiology, medical records, and other medical information to larger organizations for processing and analysis. At this point, we have done it by using IPSec tunnels between ASAs and while these are more than likely sticking around for a while I need to figure out a way to be proactive in responding to these tunnels failing. The original thought was to route  ICMP from our monitoring server to the far side of the tunnel, and then have it enter the tunnel to verify it is able to come up and pass traffic. I disagree with this train of thought as it is clunky, doesnt scale well and is hard to manage.

The more expensive option is to deploy small, linux-based boxes that will be marked as interesting traffic and when these nodes go down in our monitoring we will be aware without the customer calling.

The other idea is a bit more foreign to me. Im thinking there has to be a setting in the ASA, or possibly a syslog message that can be sent from these devices to alert us that Phase 1/2 is not coming up. Do you all know of such a thing?

Thanks in advance.

2 REPLIES

VPN Monitoring

Hi Kyle,

You can use 'syslog' for this purpose. Iam not sure if free syslog servers has option to send you a email based on rules.

Two steps:

1. Based on your ASA version (show version), check the 'system log message IDs related to phase1/2 up/down.

   ex- check the link : http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html

2. Configure Head-end ASA with syslog server and required message IDs.

links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b83d04.shtml

hth

MS

New Member

VPN Monitoring

Hi,

Check  out VPNTTG (VPN Tunnel Traffic Grapher) is a software for SNMP  monitoring and measuring the traffic load for IPsec  (Site-to-Site,  Remote Access) and SSL (With Client, Clientless) VPN  tunnels on a Cisco  ASA. It allows the user to see traffic load on a VPN  tunnel over time  in graphical form.

Advantage of VPNTTG over other SNMP based monitoring software's is   following: Other (commonly used) software's are working with static OID   numbers, i.e. whenever tunnel disconnects and reconnects, it gets   assigned a new OID number. This means that the historical data,  gathered  on the connection, is lost each time. However, VPNTTG works  with VPN  peer's IP address and it stores for each VPN tunnel  historical  monitoring data into the Database.

For more information about VPNTTG please visit www.vpnttg.com

247
Views
0
Helpful
2
Replies
CreatePlease to create content