Found myself in a situation where I was at a client site building a new monitoring system and asked me what the “usual” is.
Of course you want to monitor your crucial devices, configure netflow, update visios, etc. but one thing I wanted to try out was monitoring VPN Tunnels.
Out of the box, the monitoring system I was using did have any nice “click on this box to monitor this tunnel” option. And google around I saw many other vendors didn’t either. Alot of “fixes” was to monitor systems at the other end of the tunnel via ICMP. I guess that works, but I wanted to know if they actual tunnel was up, not the servers at the other end.
Something that isn’t taught too often is the complexities of SNMP. Youtube has a few good videos on the topic which I highly suggest everyone to watch. If your decent at SNMP you’ll be OK.
That 2nd video is pretty good too, gets deep into SNMP.
Anyhow, the way you can loosely look at SNMP and OID and MIBs, its the MIB is the “book”, and the OIDs are the “pages”. Most vendors ship with their books complete will all the pages, but sometimes therer are extra pages missing from the book. You use the pages to let the SNMP server know what to “page to turn to” in order to view the imformation on the page. Without the right page number (OID), the SNMP server won’t know what “page” to turn to in order to get what information it needs.
So the case I ran into was the “page”/OID I had to monitor was not in the vendors MIB/book. I had to reach out to Cisco in order to get the page/OID what I needed to look at.
A value of 1 means the tunnel is up
Cisco has on their site a SNMP Object Browser which is all (hopefully all) of the pages/OIDs they offer You may have reach out to TAC to get the right OID or google around for the right OID.
Once you get the right ID, you can create the alert/poll you need! More importantly, you’ll want to know going forward when you create new VPN tunnels, how do I know which OID to poll?
Do a SNMPWalk of the ASA and look for something like this….
.220.127.116.11.18.104.22.168.22.214.171.124.1.35.12169216 = INTEGER: 1
.126.96.36.199.188.8.131.52.184.108.40.206.1.35.12197888 = INTEGER: 1
.220.127.116.11.18.104.22.168.22.214.171.124.1.7.12169216 = STRING: “126.96.36.199”
.188.8.131.52.184.108.40.206.220.127.116.11.1.7.12197888 = STRING: “18.104.22.168”
These lines above mean we have two VPN tunnels up with the peer address of 22.214.171.124 and 126.96.36.199. If you put in a hostname instead for the peer, you’ll see the hostname listed here. Remember to poll for the .35, the .7 just lets you ID which tunnel your looking at
Unlike what we think of “up/down”, the value here if present means that the VPN Tunnel is up. If the tunnel is down, this line disappears from the MIB so when you create your poll, if it no longer sees this line you can send out an alert saying the VPN tunnel is down!
Hope that helps someone out there trying to monitor tunnels via SNMP!