cisco asa monitoring ipsec sa through snmp

Discussion in 'Cisco' started by H. Steuer, Sep 6, 2009.

  1. H. Steuer

    H. Steuer Guest

    hi guys,

    is there a way to monitor all ipsec sa's using snmp? i tunnel a couple
    of different networks using the same tunnel and i would like to know if a
    single ipsec sa times out or something....

    i did not find anything when walking through the snmp output of the ASA.
    maybe one of you guys can drop me the OID or something....

    H. Steuer, Sep 6, 2009
  2. alexd

    alexd Guest

    You'd probably need the Cisco MIBs to find it in the output of a walk. There
    definitely are some OIDs for tunnels, and it was discussed here some time in
    the past few months. Can't find it just now.

    alexd, Sep 7, 2009
  3. Rob

    Rob Guest

    I have never found any SNMP variables for normal IPsec sa's, not
    tunnel interfaces. Do you think they exist?

    It would be interesting to know if an sa is up, and how much traffic
    is going through. It can be shown with "show crypto ipsec sa" in
    an awkward format, but can it be queried using SNMP?
    Rob, Sep 12, 2009
  4. alexd

    alexd Guest

    Walk the CISCO-IPSEC-FLOW-MONITOR-MIB on your device and see what it says.
    alexd, Sep 12, 2009
  5. Rob

    Rob Guest

    Thanks. It took me some time to figure out how to 'walk a specific MIB'
    as the tools I use can only walk an OID, but I found the OID by reading
    through that CISCO-IPSEC-FLOW-MONITOR-MIB and now it works.
    Always thought that walking from the root would return everything a
    device can support, but apparently that isn't true.
    Rob, Sep 13, 2009
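
An added example, not part of the thread: one way to turn a walk of the IPsec tunnel table in CISCO-IPSEC-FLOW-MONITOR-MIB into a per-peer SA check, which is what the original question asks for. The numeric OIDs are taken from the MIB definition rather than from the posts; the sample walk output, the addresses and the expected-peer table are constructed.

```python
import re
from collections import defaultdict

# cipSecTunnelEntry (CISCO-IPSEC-FLOW-MONITOR-MIB): one row per IPsec phase 2 tunnel.
TUNNEL_ENTRY = "1.3.6.1.4.1.9.9.171.1.3.2.1"
# Columns used here: cipSecTunRemoteAddr, cipSecTunInOctets, cipSecTunOutOctets.
COLUMNS = {"5": "remote", "26": "in_octets", "39": "out_octets"}

# Constructed sample in `snmpwalk -On` format (documentation address ranges).
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.171.1.3.2.1.5.4096 = Hex-STRING: C6 33 64 0A
.1.3.6.1.4.1.9.9.171.1.3.2.1.5.8192 = Hex-STRING: C6 33 64 0A
.1.3.6.1.4.1.9.9.171.1.3.2.1.5.12288 = Hex-STRING: CB 00 71 05
.1.3.6.1.4.1.9.9.171.1.3.2.1.26.4096 = Counter32: 48213
.1.3.6.1.4.1.9.9.171.1.3.2.1.26.8192 = Counter32: 0
.1.3.6.1.4.1.9.9.171.1.3.2.1.26.12288 = Counter32: 911
.1.3.6.1.4.1.9.9.171.1.3.2.1.39.4096 = Counter32: 51002
.1.3.6.1.4.1.9.9.171.1.3.2.1.39.8192 = Counter32: 640
.1.3.6.1.4.1.9.9.171.1.3.2.1.39.12288 = Counter32: 1204
"""

LINE = re.compile(r"^\.?" + re.escape(TUNNEL_ENTRY) + r"\.(\d+)\.(\d+) = ([\w-]+): (.*)$")

def parse_tunnels(walk_text):
    """Return {tunnel_index: {"remote": ip, "in_octets": n, "out_octets": n}}."""
    tunnels = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) not in COLUMNS:
            continue
        column, index, kind, value = m.groups()
        if kind == "Hex-STRING":            # 4-byte peer address printed as hex octets
            value = ".".join(str(int(b, 16)) for b in value.split())
        elif value.strip().isdigit():       # counters
            value = int(value)
        else:
            continue                        # value types this example does not handle
        tunnels[int(index)][COLUMNS[column]] = value
    return dict(tunnels)

def missing_sas(tunnels, expected):
    """expected maps peer IP -> number of SAs that should be up; returns the shortfall."""
    seen = defaultdict(int)
    for row in tunnels.values():
        if "remote" in row:
            seen[row["remote"]] += 1
    return {peer: n - seen[peer] for peer, n in expected.items() if seen[peer] < n}

if __name__ == "__main__":
    print(missing_sas(parse_tunnels(SAMPLE_WALK), {"198.51.100.10": 3, "203.0.113.5": 1}))
```

The input is what a walk of the subtree `1.3.6.1.4.1.9.9.171.1.3.2` returns when the tool prints numeric OIDs; walking that OID directly avoids depending on what a walk from the root returns.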
