A VPN tunnel interface can be monitored just like any other interface. If ifTable is polled, you can read the interface's administrative status (ifAdminStatus) and its protocol, or operational, status (ifOperStatus).
This is an example of an snmpget query against ifTable for the tunnel interface (ifIndex 3):
# snmpget foo.cisco.com ifDescr.3 ifOperStatus.3 ifAdminStatus.3
ifDescr.3 : DISPLAY STRING: Tunnel0
ifOperStatus.3 : INTEGER: up
ifAdminStatus.3 : INTEGER: up
You can also set up traps for the tunnel. These are the traps that are available from CISCO-IPSEC-FLOW-MONITOR-MIB:
enterprise 1.3.6.1.4.1.9.9.171.2
 1 cikeTunnelStart
 2 cikeTunnelStop
 3 cikeSysFailure
 4 cikeCertCrlFailure
 5 cikeProtocolFailure
 6 cikeNoSa
 7 cipSecTunnelStart
 8 cipSecTunnelStop
 9 cipSecSysFailure
 10 cipSecSetUpFailure
 11 cipSecEarlyTunTerm
 12 cipSecProtocolFailure
 13 cipSecNoSa
These are the traps that are available from CISCO-IPSEC-MIB:
enterprise 1.3.6.1.4.1.9.10.62.2
 1 cipsIsakmpPolicyAdded
 2 cipsIsakmpPolicyDeleted
 3 cipsCryptomapAdded
 4 cipsCryptomapDeleted
 5 cipsCryptomapSetAttached
 6 cipsCryptomapSetDetached
 7 cipsTooManySAs
These are the traps that are available from CISCO-PORT-SECURITY-MIB:
enterprise 1.3.6.1.4.1.9.9.315
 1 cpsSecureMacAddrViolation
Turn on the ISAKMP and IPsec traps with these commands:
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
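As an added example (not code from the original document), a small Python resolver that maps the enterprise OIDs and specific-trap numbers from the two IPsec MIB tables above to trap names, for both the SNMPv1 form (enterprise OID plus specific-trap number) and the SNMPv2c form (snmpTrapOID.0 = enterprise.0.specific, per RFC 3584), and assigns a triage label. The alert/audit/info grouping is an assumption for illustration, not something the page states.

```python
"""Resolve Cisco IPsec/ISAKMP enterprise-specific traps to MIB trap names.

Added example: the enterprise OIDs and specific-trap numbers are the ones
listed above; the triage grouping and the v2c OID form are assumptions."""
from typing import Optional

# Specific-trap number -> trap name, keyed by each MIB's enterprise OID.
TRAP_TABLES = {
    "1.3.6.1.4.1.9.9.171.2": {  # CISCO-IPSEC-FLOW-MONITOR-MIB
        1: "cikeTunnelStart", 2: "cikeTunnelStop", 3: "cikeSysFailure",
        4: "cikeCertCrlFailure", 5: "cikeProtocolFailure", 6: "cikeNoSa",
        7: "cipSecTunnelStart", 8: "cipSecTunnelStop", 9: "cipSecSysFailure",
        10: "cipSecSetUpFailure", 11: "cipSecEarlyTunTerm",
        12: "cipSecProtocolFailure", 13: "cipSecNoSa",
    },
    "1.3.6.1.4.1.9.10.62.2": {  # CISCO-IPSEC-MIB
        1: "cipsIsakmpPolicyAdded", 2: "cipsIsakmpPolicyDeleted",
        3: "cipsCryptomapAdded", 4: "cipsCryptomapDeleted",
        5: "cipsCryptomapSetAttached", 6: "cipsCryptomapSetDetached",
        7: "cipsTooManySAs",
    },
}
# Assumed triage: failures and SA exhaustion are alerts, policy/crypto-map
# changes are audited as config changes, tunnel start/stop is normal churn.
ALERT_TRAPS = {"cikeSysFailure", "cikeCertCrlFailure", "cikeProtocolFailure",
               "cikeNoSa", "cipSecSysFailure", "cipSecSetUpFailure",
               "cipSecEarlyTunTerm", "cipSecProtocolFailure", "cipSecNoSa",
               "cipsTooManySAs"}
AUDIT_TRAPS = set(TRAP_TABLES["1.3.6.1.4.1.9.10.62.2"].values()) - ALERT_TRAPS

def resolve_trap(enterprise: str, specific: int) -> Optional[str]:
    """SNMPv1 form: enterprise OID plus specific-trap number -> trap name."""
    return TRAP_TABLES.get(enterprise, {}).get(specific)

def resolve_trap_oid(snmp_trap_oid: str) -> Optional[str]:
    """SNMPv2c form: snmpTrapOID.0 is enterprise.0.specific (RFC 3584), e.g.
    1.3.6.1.4.1.9.9.171.2.0.13 -> cipSecNoSa. Returns None for unknown OIDs."""
    enterprise, sep, specific = snmp_trap_oid.rpartition(".0.")
    if not sep or not specific.isdigit():
        return None
    return resolve_trap(enterprise, int(specific))

def classify(trap_name: Optional[str]) -> str:
    """Triage label for a resolved trap: alert, audit, info or unknown."""
    if trap_name is None:
        return "unknown"
    if trap_name in ALERT_TRAPS:
        return "alert"
    return "audit" if trap_name in AUDIT_TRAPS else "info"
```

Feed it the enterprise and specific-trap fields from a trap receiver's records; a trap that resolves to None came from a MIB this table does not cover (the port-security trap above, for instance).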
Refer to the Monitoring and Maintaining VPN Sessions section of VPN Tunnel Management for how to monitor and maintain the VPN session.