This is my first post here, and I am by no means an ASA expert, but I'm hoping you could provide me an elegant solution for my company's needs. A large (and growing) part of our customer base is medical customers, and as such we use encryption for HIPAA compliance. Our customers are rural and send radiology, medical records, and other medical information to larger organizations for processing and analysis. At this point, we have done it by using IPsec tunnels between ASAs, and while these are more than likely sticking around for a while, I need to figure out a way to be proactive in responding to these tunnels failing. The original thought was to route ICMP from our monitoring server to the far side of the tunnel, and then have it enter the tunnel to verify it is able to come up and pass traffic. I disagree with this train of thought, as it is clunky, doesn't scale well and is hard to manage.
The more expensive option is to deploy small, Linux-based boxes that will be marked as interesting traffic, and when these nodes go down in our monitoring we will be aware without the customer calling.
The other idea is a bit more foreign to me. I'm thinking there has to be a setting in the ASA, or possibly a syslog message that can be sent from these devices, to alert us that Phase 1/2 is not coming up. Do you all know of such a thing?
Check out VPNTTG (VPN Tunnel Traffic Grapher), software for SNMP monitoring and measuring the traffic load of IPsec (Site-to-Site, Remote Access) and SSL (with client, clientless) VPN tunnels on a Cisco ASA. It allows the user to see the traffic load on a VPN tunnel over time in graphical form.
The advantage of VPNTTG over other SNMP-based monitoring software is the following: other (commonly used) software works with static OID numbers, i.e. whenever a tunnel disconnects and reconnects, it gets assigned a new OID number. This means that the historical data gathered on the connection is lost each time. VPNTTG, however, works with the VPN peer's IP address and stores the historical monitoring data for each VPN tunnel in a database.
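As an added example (not code from this thread and not part of VPNTTG), here is a small Python watcher for the syslog route the question asks about: it replays ASA messages 602303/602304 (IPsec LAN-to-LAN SA created/deleted), keys the state on the peer IP as VPNTTG does so reconnects do not lose history, and reports peers whose SAs have been gone longer than a grace period (rekeys tear down and rebuild SAs within seconds, so an instant alert would be noisy). The message IDs are real ASA IDs; the timestamp/hostname prefix, peer addresses and log lines are constructed and should be checked against your own ASA's logging format.

```python
import re
from datetime import datetime, timedelta

# Matches ASA syslog IDs 602303 (IPsec SA created) and 602304 (SA deleted).
# The "timestamp host" prefix is an assumption; adjust the regex to your logging format.
SA_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d) \S+ %ASA-6-(?P<id>60230[34]): IPSEC: "
    r"An (?:inbound|outbound) LAN-to-LAN SA \(SPI= ?(?P<spi>0x[0-9A-Fa-f]+)\) "
    r"between [\d.]+ and (?P<peer>[\d.]+)"
)

def tunnel_state(lines):
    """Replay the log; return {peer_ip: (set_of_active_SPIs, time_of_last_change)}.
    Keyed on the peer IP, so the record survives reconnects (unlike per-tunnel OIDs)."""
    state = {}
    for line in lines:
        m = SA_RE.match(line)
        if not m:                      # unrelated ASA messages are skipped
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        active, _ = state.get(m["peer"], (set(), ts))
        if m["id"] == "602303":
            active.add(m["spi"])
        else:
            active.discard(m["spi"])
        state[m["peer"]] = (active, ts)
    return state

def down_peers(state, now, grace=timedelta(minutes=5)):
    """Peers whose last SA was deleted at least `grace` ago with no replacement.
    Rekeys delete and recreate SAs within seconds, so the grace period avoids false alarms."""
    return sorted(p for p, (active, last) in state.items()
                  if not active and now - last >= grace)

# Constructed sample: 198.51.100.7 drops at 11:02 and never rebuilds; 192.0.2.20 rekeys at 11:30.
LOG = """\
Jan 12 2024 10:15:32 asa-hq %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
Jan 12 2024 10:15:32 asa-hq %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been created.
Jan 12 2024 10:15:40 asa-hq %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x11112222) between 203.0.113.1 and 192.0.2.20 (user= 192.0.2.20) has been created.
Jan 12 2024 11:02:05 asa-hq %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
Jan 12 2024 11:02:05 asa-hq %ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 203.0.113.1 and 198.51.100.7 (user= 198.51.100.7) has been deleted.
Jan 12 2024 11:30:00 asa-hq %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x11112222) between 203.0.113.1 and 192.0.2.20 (user= 192.0.2.20) has been deleted.
Jan 12 2024 11:30:02 asa-hq %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x55556666) between 203.0.113.1 and 192.0.2.20 (user= 192.0.2.20) has been created.
Jan 12 2024 11:40:00 asa-hq %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
"""
NOW = datetime(2024, 1, 12, 11, 45)    # constructed "current time" for the replay

if __name__ == "__main__":
    print("tunnels down:", down_peers(tunnel_state(LOG.splitlines()), NOW))
```

A peer that never brought up any SA at all produces no 602303/602304 lines and so never appears in the state; seed the expected peer list from your tunnel-group configuration if you want those reported too.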