PIX MIB to monitor ipsec tunnels

Discussion in 'Cisco' started by Bill F, Nov 27, 2003.

  1. Bill F

    Bill F Guest

    I'm guessing such a thing exists that hooks into cisco works but can't
    find it. Are there such mibs?
     
    Bill F, Nov 27, 2003
    #1

  2. :I'm guessing such a thing exists that hooks into cisco works but can't
    :find it. Are there such mibs?

    No. PIX up to 6.3(3) provides no way to monitor *anything* about
    IPSec tunnels. Not even the number that exist. Certainly nothing
    like packets transferred or data rates.
     
    Walter Roberson, Nov 27, 2003
    #2

  3. Bill F

    Bill F Guest

    I'm just interested in monitoring whether the tunnel is up or not.
    So there's nothing for that? It seems odd that if there's a ciscoworks
    package for vpn/security there would be some way of monitoring that.
     
    Bill F, Nov 27, 2003
    #3
  4. :I'm just interested in monitoring whether the tunnel is up or not.
    :So there's nothing for that?

    Nope.

    Keep in mind that there can be multiple IPSec tunnels, so you
    would need to have ways of distinguishing which tunnel was being
    referred to. There can also be multiple SAs (Security Associations)
    within a tunnel, some of which can be inactive while the others
    are active, so it becomes unclear what it means for an IPSec
    tunnel to be "up" unless you just want to know if there is a current
    Phase I IKE negotiated (which doesn't tell you anything about
    whether traffic is flowing over any particular Phase II SA.)

    If you look at the PIX traffic measurements, notice they are
    per SA: even with the CLI, you can't really determine
    whether an IPSec tunnel is "up" other than to look at the SAs
    and check to see if the traffic counters are incrementing over
    any of the SAs. Speaking of which: when you say "up", do you
    mean negotiated IKE, or do you mean "is traffic getting through
    to the other side"? All the SAs for an IKE peer might be
    fully negotiated, but if something in the middle breaks then
    the only way to tell is to look at the per-SA error counters.
     
    Walter Roberson, Nov 27, 2003
    #4
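    Walter's point above is that the PIX only exposes per-SA counters, so the only signal you can build on is whether those counters move between two readings. The script below is an added example written for this thread; it is not code from the thread, from Cisco, or from CiscoWorks. It diffs two snapshots of per-SA packet and error counters and labels each SA (passing traffic both ways, one direction only, idle, error counters rising, rekeyed, new, gone). The two snapshots are constructed samples; their layout is only loosely modelled on the `local ident` / `remote ident` / `#pkts encaps` / `#pkts decaps` / `#send errors` lines that `show crypto ipsec sa` prints, and the exact line format, the function names and the state labels are assumptions of this example.

```python
"""Infer whether each IPsec SA is actually carrying traffic by diffing
two snapshots of its per-SA packet and error counters."""
import re
from typing import Dict

# Constructed sample snapshots (not captured from a real PIX). The line
# layout is an assumption modelled on `show crypto ipsec sa`; adjust the
# regexes below to whatever your device really prints.
SNAPSHOT_T0 = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest 1500
    #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify 1480
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 200, #pkts encrypt: 200, #pkts digest 200
    #pkts decaps: 200, #pkts decrypt: 200, #pkts verify 200
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify 50
    #send errors 0, #recv errors 0
"""

# Same three SAs a minute later: the first grew in both directions, the
# second only sent (nothing came back), the third did not move at all.
SNAPSHOT_T1 = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
    #pkts encaps: 1620, #pkts encrypt: 1620, #pkts digest 1620
    #pkts decaps: 1601, #pkts decrypt: 1601, #pkts verify 1601
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
    #pkts encaps: 260, #pkts encrypt: 260, #pkts digest 260
    #pkts decaps: 200, #pkts decrypt: 200, #pkts verify 200
    #send errors 0, #recv errors 0
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.4.0/255.255.255.0/0/0)
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest 50
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify 50
    #send errors 0, #recv errors 0
"""

_LOCAL = re.compile(r"local\s+ident\s*\([^)]*\):\s*\(([^)]*)\)")
_REMOTE = re.compile(r"remote\s+ident\s*\([^)]*\):\s*\(([^)]*)\)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
_ERRORS = re.compile(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)")


def parse_sa_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Map 'local -> remote' selector pairs to their packet/error counters."""
    sas: Dict[str, Dict[str, int]] = {}
    local = None
    cur = None
    for line in text.splitlines():
        if m := _LOCAL.search(line):
            local = m.group(1)
        elif m := _REMOTE.search(line):
            cur = sas.setdefault(f"{local} -> {m.group(1)}",
                                 {"encaps": 0, "decaps": 0, "send_err": 0, "recv_err": 0})
        elif cur is not None:
            if m := _ENCAPS.search(line):
                cur["encaps"] = int(m.group(1))
            elif m := _DECAPS.search(line):
                cur["decaps"] = int(m.group(1))
            elif m := _ERRORS.search(line):
                cur["send_err"], cur["recv_err"] = int(m.group(1)), int(m.group(2))
    return sas


def classify_sa(before: Dict[str, int], after: Dict[str, int]) -> str:
    """Label one SA from the change in its counters between two readings."""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if d_enc < 0 or d_dec < 0:
        return "rekeyed"      # counters went backwards: a fresh SA replaced the old one
    d_err = (after["send_err"] - before["send_err"]) + (after["recv_err"] - before["recv_err"])
    if d_err > 0:
        return "errors"       # per-SA error counters rising: something in the middle broke
    if d_enc > 0 and d_dec > 0:
        return "passing"      # traffic flowing both ways: the only real "up" the counters show
    if d_enc > 0:
        return "tx-only"      # we encrypt and send, nothing comes back
    if d_dec > 0:
        return "rx-only"
    return "idle"             # negotiated, but no evidence either way


def tunnel_health(snap0: str, snap1: str) -> Dict[str, str]:
    """Classify every SA seen in either snapshot."""
    before, after = parse_sa_counters(snap0), parse_sa_counters(snap1)
    result: Dict[str, str] = {}
    for key in sorted(set(before) | set(after)):
        if key not in after:
            result[key] = "gone"
        elif key not in before:
            result[key] = "new"
        else:
            result[key] = classify_sa(before[key], after[key])
    return result


def peer_is_up(health: Dict[str, str]) -> bool:
    """'Up' in the only sense the counters support: some SA passes traffic both ways."""
    return any(state == "passing" for state in health.values())


if __name__ == "__main__":
    health = tunnel_health(SNAPSHOT_T0, SNAPSHOT_T1)
    for sa, state in health.items():
        print(f"{sa}: {state}")
    print("peer up:", peer_is_up(health))
```

    Run against real output, feed two successive captures of the command into `tunnel_health`; an "idle" SA is not evidence of a broken tunnel, only of no traffic, which is exactly the ambiguity the thread describes, so a monitor that needs a definite answer has to generate its own probe traffic through the tunnel rather than rely on the counters alone.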
  5. Ivan

    Ivan Guest

    Well, if you have some router behind the PIX, you can use SAA to test tunnels.
    With SAA you can get a lot more than just whether the tunnel is up or down.

    Ivan
     
    Ivan, Nov 28, 2003
    #5
  6. Bill F

    Bill F Guest

    SAA??
     
    Bill F, Nov 29, 2003
    #6
  7. Walter Roberson, Nov 30, 2003
    #7
