
Ignore site-to-site tunnel errors for ASA tunnels

Updated: September 13, 2017

Overview

When a monitored ASA device reports an error for a pair of source-target endpoints, the VPN Site-to-Site tunnel is marked as Down in the Orion Web Console. You can specify a list of errors that are not reflected in the tunnel's status.

Environment

  • NPM 12.2 and later

Resolution

  1. Log in to the Orion Web Console, and open Advanced Configuration by entering the following address into your browser:

    <ip address of your orion:port>/Orion/Admin/AdvancedConfiguration/global.aspx

  2. Enter the error codes for the phase 1 errors you want to ignore into the ASA.ASAIgnoredPhaseOneErrors field.

    These values are polled from the following OID: cikeFailReason 1.3.6.1.4.1.9.9.171.1.5.2.1.1.2

    Error code (IKE)   Description
    1                  other
    2                  peer delete request was received
    3                  contact with peer was lost
    4                  local failure occurred
    5                  authentication failure
    6                  hash validation failure
    7                  encryption failure
    8                  internal error occurred
    9                  system capacity failure
    10                 proposal failure
    11                 peer's certificate is unavailable
    12                 peer's certificate was found invalid
    13                 local certificate expired
    14                 certificate revoke list (crl) failure
    15                 peer encoding error
    16                 non-existent security association
    17                 operator requested termination

  3. Enter the error codes for the phase 2 errors you want to ignore into the ASA.ASAIgnoredPhaseTwoErrors field.

    Error code (IPSec)   Description
    1                    other
    2                    internal error occurred
    3                    peer encoding error
    4                    proposal failure
    5                    protocol use failure
    6                    non-existent security association
    7                    decryption failure
    8                    encryption failure
    9                    inbound authentication failure
    10                   outbound authentication failure
    11                   compression failure
    12                   system capacity failure
    13                   peer delete request was received
    14                   contact with peer was lost
    15                   sequence number rolled over
    16                   operator requested termination
  4. Save the Advanced Configuration settings.

When a monitored ASA reports one of the phase 1 or phase 2 error codes listed in Advanced Configuration, that error is ignored and the affected site-to-site tunnel is not marked as Down in the Orion Web Console.


Note:

It is not possible to remove VPNs that have a status of Down; the list follows what the device reports.

  • Failed or down VPNs are polled from the device using SNMP via the cikeFailTable (1.3.6.1.4.1.9.9.171.1.5.2.1) and cipSecFailTable (1.3.6.1.4.1.9.9.171.1.5.3.1).
  • NPM polls these tables in full to obtain the status of individual VPN tunnels.
  • Cisco implements these tables as a sliding window in which only the last 'X' entries are maintained.
  • The maximum number of entries in the table is specified by the cipSecFailTableSize (1.3.6.1.4.1.9.9.171.1.5.1.1.1) object, which is typically 50.
  • When more than 50 failed VPNs are present, the oldest entry is removed from the FailTable on the device, and at the next poll it is also removed from the list in NPM.
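The following script is an added example, not SolarWinds or Cisco code, that models offline what the Resolution steps and the note above describe: it groups a walk of the two failure tables into rows, drops the reason codes listed in ASA.ASAIgnoredPhaseOneErrors and ASA.ASAIgnoredPhaseTwoErrors, reports which endpoint pairs would still be marked Down, and simulates the device's sliding window so you can see an old failure fall out of the list. The cikeFailReason OID and the two table OIDs come from this article; the address column sub-ids, the cipSecFailReason column, and the comma-separated format of the ignore fields are assumptions, and the walk data is constructed for the demonstration.

```python
"""Offline model of how NPM derives site-to-site tunnel status from the ASA
failure tables, with the Advanced Configuration ignore lists applied and the
device's sliding-window eviction simulated.  Added example, not SolarWinds
or Cisco code."""
from collections import defaultdict

# Entry OIDs under cikeFailTable / cipSecFailTable.  The article quotes the
# table OIDs and cikeFailReason; the remaining column sub-ids are ASSUMED
# from the CISCO-IPSEC-FLOW-MONITOR-MIB layout, so verify them against your MIB.
CIKE_FAIL_ENTRY = "1.3.6.1.4.1.9.9.171.1.5.2.1.1"
CIKE_COLS = {"2": "reason", "8": "local", "9": "remote"}    # cikeFailReason / LocalAddr / RemoteAddr
CIPSEC_FAIL_ENTRY = "1.3.6.1.4.1.9.9.171.1.5.3.1.1"
CIPSEC_COLS = {"2": "reason", "6": "local", "7": "remote"}  # cipSecFailReason / PktSrcAddr / PktDstAddr

# Reason codes exactly as listed in the article's two tables.
IKE_REASONS = {
    1: "other", 2: "peer delete request was received", 3: "contact with peer was lost",
    4: "local failure occurred", 5: "authentication failure", 6: "hash validation failure",
    7: "encryption failure", 8: "internal error occurred", 9: "system capacity failure",
    10: "proposal failure", 11: "peer's certificate is unavailable",
    12: "peer's certificate was found invalid", 13: "local certificate expired",
    14: "certificate revoke list (crl) failure", 15: "peer encoding error",
    16: "non-existent security association", 17: "operator requested termination",
}
IPSEC_REASONS = {
    1: "other", 2: "internal error occurred", 3: "peer encoding error", 4: "proposal failure",
    5: "protocol use failure", 6: "non-existent security association", 7: "decryption failure",
    8: "encryption failure", 9: "inbound authentication failure",
    10: "outbound authentication failure", 11: "compression failure",
    12: "system capacity failure", 13: "peer delete request was received",
    14: "contact with peer was lost", 15: "sequence number rolled over",
    16: "operator requested termination",
}


def parse_ignore_list(setting):
    """Turn an ASA.ASAIgnoredPhase*Errors value into a set of integer codes.
    Comma-separated input is an ASSUMPTION; the article does not state the format."""
    return {int(code) for code in setting.split(",") if code.strip()}


def parse_table(varbinds, entry_oid, columns):
    """Group (oid, value) pairs from a walk into rows keyed by the table index."""
    rows = defaultdict(dict)
    prefix = entry_oid + "."
    for oid, value in varbinds:
        if oid.startswith(prefix):
            col, _, index = oid[len(prefix):].partition(".")
            if col in columns:
                rows[int(index)][columns[col]] = value
    return dict(rows)


def sliding_window(rows, table_size):
    """The device keeps only the newest table_size failures (cipSecFailTableSize,
    typically 50); older indexes leave the table and, at the next poll, NPM.
    Mirror that by keeping only the table_size highest indexes."""
    keep = sorted(rows)[-table_size:] if table_size > 0 else []
    return {i: rows[i] for i in keep}


def tunnel_status(rows, ignored, reason_names):
    """Map each (local, remote) pair to its sorted non-ignored reason names.
    An empty list means every failure for that pair was on the ignore list,
    so the tunnel is not marked Down."""
    status = {}
    for row in rows.values():
        reasons = status.setdefault((row["local"], row["remote"]), set())
        if row["reason"] not in ignored:
            reasons.add(reason_names.get(row["reason"], "unknown(%d)" % row["reason"]))
    return {pair: sorted(names) for pair, names in status.items()}


def down_tunnels(status):
    """Endpoint pairs that still carry at least one non-ignored failure."""
    return sorted(pair for pair, reasons in status.items() if reasons)


# CONSTRUCTED walk: four cikeFailTable rows and one cipSecFailTable row, with
# values already decoded to ints and dotted addresses (a real walk is raw).
def _ike(index, reason, local, remote):
    return [(CIKE_FAIL_ENTRY + ".2.%d" % index, reason),
            (CIKE_FAIL_ENTRY + ".8.%d" % index, local),
            (CIKE_FAIL_ENTRY + ".9.%d" % index, remote)]


CONSTRUCTED_WALK = (
    _ike(1, 3, "192.0.2.1", "198.51.100.7")     # contact with peer was lost
    + _ike(2, 2, "192.0.2.1", "198.51.100.9")   # peer delete request was received
    + _ike(3, 5, "192.0.2.1", "203.0.113.5")    # authentication failure
    + _ike(4, 2, "192.0.2.1", "198.51.100.7")   # peer delete request was received
    + [(CIPSEC_FAIL_ENTRY + ".2.1", 15),        # sequence number rolled over
       (CIPSEC_FAIL_ENTRY + ".6.1", "192.0.2.1"),
       (CIPSEC_FAIL_ENTRY + ".7.1", "198.51.100.7")]
)


def evaluate(varbinds, phase1_ignored="", phase2_ignored="", table_size=50):
    """Apply both ignore lists to one walk and report what NPM would mark Down."""
    ike = sliding_window(parse_table(varbinds, CIKE_FAIL_ENTRY, CIKE_COLS), table_size)
    ipsec = sliding_window(parse_table(varbinds, CIPSEC_FAIL_ENTRY, CIPSEC_COLS), table_size)
    p1 = tunnel_status(ike, parse_ignore_list(phase1_ignored), IKE_REASONS)
    p2 = tunnel_status(ipsec, parse_ignore_list(phase2_ignored), IPSEC_REASONS)
    return {"phase1": p1, "phase2": p2,
            "down": sorted(set(down_tunnels(p1)) | set(down_tunnels(p2)))}


if __name__ == "__main__":
    for label, p1, p2 in [("no ignore list", "", ""), ("ignore 2,3 / 15", "2,3", "15")]:
        print(label, "->", evaluate(CONSTRUCTED_WALK, p1, p2)["down"])
```

Run it as-is to compare the two passes: with empty ignore fields all three endpoint pairs are Down; with phase 1 codes 2 and 3 and phase 2 code 15 ignored, only the pair with the authentication failure remains Down. Calling evaluate with a small table_size (for example 2) shows the window effect from the note: the oldest rows are evicted, and the pair that only ever appeared in those rows vanishes from the result entirely rather than being reported as recovered.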
