
ASA VPN Tunnels Down vs. Inactive

I posted this yesterday, but it seems to have disappeared? If I'm missing something and I just can't find my own post, please feel free to point me back to it. The question was:

Can anyone shed some light on how NPM determines the difference between "Down" vs. "Inactive" status for ASA VPN tunnels monitored through Cisco Insight?

I have two ASA5545-X firewalls with the same configurations for tunnels with primary and secondary peers. On both firewalls, the first peer is active. On one firewall, the secondary peer shows "Down" and is triggering an alarm. On the other firewall, the secondary peer shows "Inactive", which I believe is more accurate.

Firewall 1 config:

crypto map map_outside 10 match address acl-xxxxxxxxx
crypto map map_outside 10 set pfs
crypto map map_outside 10 set peer 3x.xxx.xxx.xx6 5x.xx.xx.xx3
crypto map map_outside 10 set ikev1 transform-set transform-xxxxxxxxx
crypto map map_outside 10 set security-association lifetime seconds 3600

In the Device 1 screenshot, we can see that the secondary peer to 5x.xx.xx.xx3 shows "Down."

Firewall 2 config:

crypto map map_outside 10 match address acl-xxxxxxxxx
crypto map map_outside 10 set pfs
crypto map map_outside 10 set peer 3x.xxx.xxx.xx1 5x.xx.xx.xx9
crypto map map_outside 10 set ikev1 transform-set transform-xxxxxxxxx
crypto map map_outside 10 set security-association lifetime seconds 3600

In the Device 2 screenshot, we can see that the secondary peer to 5x.xx.xx.xx9 shows "Inactive."

Thanks!
