cisco asa monitoring ipsec sa through snmp

Discussion in 'Cisco' started by H. Steuer, Sep 6, 2009.

  1. H. Steuer

    H. Steuer Guest

    hi guys,

    is there a way to monitor all ipsec sa´s using snmp? i tunnel a couple
    of diffent networks using the same tunnel and i would like to know if a
    single ipsec sa times out or something....

    i did not find anything when walking through the snmp output of the ASA.
    maybe one of you guys can drop me the OID or something....

    cheers,
    /heri
     
    H. Steuer, Sep 6, 2009
    #1
    1. Advertisements

  2. H. Steuer

    alexd Guest

    You'd probably need the Cisco MIBs to find it in the output of a walk. There
    definitely are some OIDs for tunnels, and it was discussed here some time in
    the past few months. Can't find it just now.

    --
    <http://ale.cx/> (AIM:troffasky) ()
    21:53:50 up 9 days, 23:53, 2 users, load average: 0.23, 0.30, 0.22
    "If being trapped in a tropical swamp with Anthony Worral-Thompson and
    Christine Hamilton is reality then I say, pass the mind-altering drugs"
    -- Humphrey Lyttleton
     
    alexd, Sep 7, 2009
    #2
    1. Advertisements

  3. H. Steuer

    Rob Guest

    I have never found any SNMP variables for normal IPsec sa's, not
    tunnel interfaces. Do you think they exist?

    It would be interesting to know if an sa is up, and how much traffic
    is going through. It can be shown with "show crypto ipsec sa" in
    an awkward format, but can it be queried using SNMP?
     
    Rob, Sep 12, 2009
    #3
  4. H. Steuer

    alexd Guest

    Walk the CISCO-IPSEC-FLOW-MONITOR-MIB on your device and see what it says.
     
    alexd, Sep 12, 2009
    #4
  5. H. Steuer

    Rob Guest

    Thanks. It took me some time to figure out how to 'walk a specific MIB'
    as the tools I use can only walk an OID, but I found the OID by reading
    through that CISCO-IPSEC-FLOW-MONITOR-MIB and now it works.
    Always thought that walking from the root would return everything a
    device can support, but apparently that isn't true.
     
    Rob, Sep 13, 2009
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.