0 Replies Latest reply on Jan 11, 2015 5:06 PM by patrykk

    VPN S-t-S Status Monitoring, ASA




      I have to set up monitoring for an ASA S-t-S VPN. I am new to SolarWinds and MIBs; however, I have read the forum and a couple of articles about MIBs.

      I did review the ietf-flow-monitoring MIB, but I am not sure if what I want to do is possible.

      I am interested in the following OID: Cisco SNMP Object Navigator

      However, Cisco shows that only cipSecTunnelStart and cipSecTunnelStop are supported.

      Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring SNMP [Cisco ASA 5500-X Series Next-Ge…


      The above brought me to the following conclusion:

      1) I would like to be informed when a VPN tunnel is down (not because of tunnel lifetime)

           set trap on ASA "snmp-server enable traps ipsec stop"

      2) Use Trap Viewer and poll the earlier associated OID from the ASA to gather more information

      3) Use Universal Device Pollers (UNDP) to poll OIDs, including:

      -- ----------------------------------------------------------------------------

      -- The IPsec Phase-1 Tunnel History Table

      -- ----------------------------------------------------------------------------

      ikeTunHistTermReason OBJECT-TYPE

         DESCRIPTION -   "The reason the IPsec Phase-1 IKE Tunnel was terminated.

        Possible reasons include:

        1 = other

        2 = normal termination

        3 = operator request

        4 = peer delete request was received

        5 = contact with peer was lost

        6 = sequence number rolled over

        7 = local failure occurred."

        ::= { ikeTunnelHistEntry 2 }


      Cisco SNMP Object Navigator


      That would give me information about what happened.

      If the reason appears to be 5 = contact with the peer was lost, send a notification email.


      Can I do it the way I described and via the tools I mentioned?
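
Added example, not part of the original post and not SolarWinds or Cisco code: a sketch of the alert decision described above, run over polled ikeTunHistTermReason values and mailing only on reason 5. The snmpwalk-style line format, the sample rows, the `peerLost` label and the idea of tracking the highest history index seen are assumptions, and it presumes the device actually returns this column.

```python
import re

# Reason codes exactly as listed in the ikeTunHistTermReason DESCRIPTION above.
TERM_REASONS = {
    1: "other",
    2: "normal termination",
    3: "operator request",
    4: "peer delete request was received",
    5: "contact with peer was lost",
    6: "sequence number rolled over",
    7: "local failure occurred",
}
ALERT_REASONS = {5}  # the post alerts only on lost contact with the peer

# Matches "ikeTunHistTermReason.<index> = INTEGER: 5" and an enum-labelled
# form such as "INTEGER: peerLost(5)"; a "MODULE::" prefix is optional.
LINE_RE = re.compile(
    r"(?:[\w-]+::)?ikeTunHistTermReason\.(\d+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?\s*$"
)

def new_alerts(walk_output, last_seen_index=0):
    """Return (alerts, highest_index) for history rows newer than last_seen_index.

    Assumption: history rows persist between polls and their index grows, so
    the caller stores highest_index and passes it back to avoid repeat mails.
    """
    alerts, highest = [], last_seen_index
    for line in walk_output.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # other columns, blank lines, timeout messages
        index, reason = int(m.group(1)), int(m.group(2))
        highest = max(highest, index)
        if index > last_seen_index and reason in ALERT_REASONS:
            alerts.append((index, TERM_REASONS.get(reason, "unknown")))
    return alerts, highest

# Constructed sample poll result (not captured from a real ASA).
SAMPLE = """\
ikeTunHistTermReason.11 = INTEGER: 2
ikeTunHistTermReason.12 = INTEGER: 5
ikeTunHistTermReason.13 = INTEGER: 4
ikeTunHistTermReason.14 = INTEGER: peerLost(5)
Timeout: No Response from 192.0.2.1
"""

if __name__ == "__main__":
    alerts, cursor = new_alerts(SAMPLE, last_seen_index=11)
    for index, text in alerts:
        print(f"ALERT history row {index}: {text}")
```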