
Monitor Cisco ASA VPN Tunnel

Overview

This article describes how to monitor Cisco ASA VPN tunnels by polling a secondary variable from the Cisco MIB tree and using that value to infer the status of the tunnel.

Monitoring the up/down status of a Cisco ASA VPN tunnel is not as straightforward as monitoring a regular physical or VLAN interface, because VPN tunnels fall outside the scope of the RFC 1213 MIB's ifTable tree.

Note: If you are receiving false alerts for tunnel up/down status, the alert may be monitoring an incorrect OID. Follow the steps in this KB to resolve the issue.

Environment

  • All NPM versions
  • Cisco ASA VPN/IPSEC

Steps

  1. Configure a Universal Device Poller to monitor the required MIB. Refer to Monitoring MIBs with Universal Device Pollers.
  2. Configure the custom MIB to point to the cikeGlobalActiveTunnels OID, 1.3.6.1.4.1.9.9.171.1.2.1.1, which gives you the number of IPSec tunnels. Alternatively, use the ciscoIpSecFlowMonitorMIB, 1.3.6.1.4.1.9.9.171, which is one that Cisco has recommended.
  • The OID used in Step 2 is one of many that could be monitored, depending on the specific information you require. For the purposes of this example, it is deemed the most suitable for monitoring active VPNs.
  • Another option is to configure an IP SLA monitor to each tunnel endpoint and use the inherent trap capabilities of IP SLA to detect tunnel failures.
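
The inference described in this article, as an added example (not SolarWinds or Cisco code): it classifies net-snmp-style numeric output for the cikeGlobalActiveTunnels scalar (instance `.0`) against an expected tunnel count, and reports a missing object or a different OID as unknown rather than down, which is the false-alert case from the note above. The function name, the expected-count threshold, the state names and the sample lines are assumptions constructed for illustration.

```python
import re

# OID from the article: cikeGlobalActiveTunnels; ".0" is the scalar instance.
ACTIVE_TUNNELS_OID = "1.3.6.1.4.1.9.9.171.1.2.1.1.0"

# Matches net-snmp numeric output, e.g. ".1.3.6... = Gauge32: 3"
_LINE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<rest>.*)$")
_VALUE = re.compile(r"^(?:Gauge32|Counter32|INTEGER|Unsigned32): (?P<n>\d+)$")


def infer_tunnel_state(snmp_line, expected_tunnels):
    """Map one poll result line to 'up', 'degraded', 'down' or 'unknown'.

    'unknown' means the poll itself is not trustworthy (wrong OID, missing
    object, timeout), so it must not be reported as a tunnel outage.
    """
    m = _LINE.match(snmp_line.strip())
    if not m or m.group("oid") != ACTIVE_TUNNELS_OID:
        return "unknown"          # timeout text, or a different OID was polled
    v = _VALUE.match(m.group("rest"))
    if not v:
        return "unknown"          # "No Such Object/Instance ..." or non-numeric
    active = int(v.group("n"))
    if active == 0:
        return "down"
    return "up" if active >= expected_tunnels else "degraded"


# Constructed sample poll results (not captured from a real device).
SAMPLES = [
    ".1.3.6.1.4.1.9.9.171.1.2.1.1.0 = Gauge32: 3",
    ".1.3.6.1.4.1.9.9.171.1.2.1.1.0 = Gauge32: 1",
    ".1.3.6.1.4.1.9.9.171.1.2.1.1.0 = Gauge32: 0",
    ".1.3.6.1.4.1.9.9.171.1.2.1.1.0 = No Such Object available on this agent at this OID",
    ".1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)",
    "Timeout: No Response from 192.0.2.10",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{infer_tunnel_state(line, expected_tunnels=3):9} <- {line}")
```

An alert built on this logic should fire on "down" or "degraded" only, and route "unknown" to a separate poller-health check.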

 

Last modified
01:30, 17 Oct 2017
