PIX MIB to monitor ipsec tunnels

Discussion in 'Cisco' started by Bill F, Nov 27, 2003.

  1. Bill F

    Bill F Guest

    I'm guessing such a thing exists that hooks into cisco works but can't
    find it. Are there such mibs?
    Bill F, Nov 27, 2003
    #1

  2. In article <>,
    Bill F <> wrote:
    :I'm guessing such a thing exists that hooks into cisco works but can't
    :find it. Are there such mibs?

    No. PIX up to 6.3(3) provides no way to monitor *anything* about
    IPSec tunnels. Not even the number that exist. Certainly nothing
    like packets transferred or data rates.
    --
    Reviewers should be required to produce a certain number of
    negative reviews - like police given quotas for handing out
    speeding tickets. -- The Audio Anarchist
    Walter Roberson, Nov 27, 2003
    #2

  3. Bill F

    Bill F Guest

    I'm just interested in monitoring whether the tunnel is up or not.
    So there's nothing for that? It seems odd that if there's a ciscoworks
    package for vpn/security there would be some way of monitoring that.

    Walter Roberson wrote:
    > In article <>,
    > Bill F <> wrote:
    > :I'm guessing such a thing exists that hooks into cisco works but can't
    > :find it. Are there such mibs?
    >
    > No. PIX up to 6.3(3) provides no way to monitor *anything* about
    > IPSec tunnels. Not even the number that exist. Certainly nothing
    > like packets transferred or data rates.
    Bill F, Nov 27, 2003
    #3
  4. In article <>,
    Bill F <> wrote:
    :I'm just interested in monitoring whether the tunnel is up or not.
    :So there's nothing for that?

    Nope.

    Keep in mind that there can be multiple IPSec tunnels, so you
    would need to have ways of distinguishing which tunnel was being
    referred to. There can also be multiple SAs (Security Associations)
    within a tunnel, some of which can be inactive while the others
    are active, so it becomes unclear what it means for an IPSec
    tunnel to be "up" unless you just want to know if there is a current
    Phase I IKE negotiated (which doesn't tell you anything about
    whether traffic is flowing over any particular Phase II SA.)

    If you look at the PIX traffic measurements, notice they are
    per SA: even with the CLI, you can't really determine
    whether an IPSec tunnel is "up" other than to look at the SAs
    and check to see if the traffic counters are incrementing over
    any of the SAs. Speaking of which: when you say "up", do you
    mean negotiated IKE, or do you mean "is traffic getting through
    to the other side"? All the SAs for an IKE peer might be
    fully negotiated, but if something in the middle breaks then
    the only way to tell is to look at the per-SA error counters.
    --
    Would you buy a used bit from this man??
    Walter Roberson, Nov 27, 2003
    #4
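
Added example, not part of any post in this thread: the per-SA counter check described in post #4, done by comparing two polls of `show crypto ipsec sa` output. The sample text is constructed in the style of that command's output, and the function names and status labels ("passing", "one-way", "idle", "errors", "renegotiated") are assumptions made for illustration.

```python
import re

# Constructed samples: two SAs to one IKE peer (documentation address ranges).
POLL_1 = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 198.51.100.2:500
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest 100
    #pkts decaps: 90, #pkts decrypt: 90, #pkts verify 90
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
   current_peer: 198.51.100.2:500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest 40
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify 40
    #send errors 0, #recv errors 0
"""
# Second poll (constructed): only the counters the check reads are changed.
POLL_2 = (POLL_1.replace("encaps: 100", "encaps: 160")
          .replace("decaps: 90", "decaps: 150").replace("encaps: 40", "encaps: 75"))

FIELDS = {"encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)",
          "send_err": r"#send errors (\d+)", "recv_err": r"#recv errors (\d+)"}
IDENT = re.compile(r"local\s+ident.*?: \((.+?)\)\s+remote ident.*?: \((.+?)\)"
                   r"\s+current_peer: (\S+)", re.S)

def parse_sas(text):
    """Return {(local ident, remote ident, peer): counters}, one entry per SA."""
    sas = {}
    for block in re.split(r"(?m)^(?=[ \t]*local\s+ident)", text):
        m = IDENT.search(block)
        if m:
            sas[m.groups()] = {k: int(re.search(p, block).group(1))
                               for k, p in FIELDS.items()}
    return sas

def tunnel_status(before, after):
    """Classify each SA by counter movement between polls (heuristic labels)."""
    status = {}
    for key, now in after.items():
        # An SA absent from the first poll gets zero deltas and reads as "idle".
        d = {k: now[k] - before.get(key, now)[k] for k in now}
        if min(d.values()) < 0:
            status[key] = "renegotiated"  # counters restarted with a new SA
        elif d["send_err"] or d["recv_err"]:
            status[key] = "errors"
        elif d["encaps"] and d["decaps"]:
            status[key] = "passing"
        else:
            status[key] = "one-way" if d["encaps"] else "idle"
    return status
```
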
  5. Bill F

    Ivan Guest

    "Bill F" <> wrote in message
    news:...
    > I'm just interested in monitoring whether the tunnel is up or not.
    > So there's nothing for that? It seems odd that if there's a ciscoworks
    > package for vpn/security there would be some way of monitoring that.
    >


    Well, if you have some router behind the PIX, you can use SAA to test tunnels.
    With SAA you can get a lot more than just whether the tunnel is up or down.

    Ivan
    Ivan, Nov 28, 2003
    #5
  6. Bill F

    Bill F Guest

    SAA??
    Bill F, Nov 29, 2003
    #6
  7. Walter Roberson, Nov 30, 2003
    #7
