Monitor Cisco ASA VPN Tunnel State Via SNMP

Cisco ASA multicontext S2S VPN tunnel SNMP monitoring

I am fighting to retrieve site-to-site VPN tunnel status via SNMP. I am trying to get it from a multicontext-enabled Cisco ASA, version 9.6(4)20, from the IP address of the VPN-dedicated ASA context.

– First, I tried snmpwalk over OID 1.3.6.1.4.1.9.9.171 from the dedicated CISCO-IPSEC-FLOW-MONITOR-MIB for monitoring IPSec-based VPN tunnels, but unfortunately I was always getting “No Such Instance currently exists at this OID”.

– Secondly, I tried snmpwalk over OID 1.3.6.1.4.1.9.9.392 from CISCO-REMOTE-ACCESS-MONITOR-MIB, which should be dedicated to RAS VPN instead, but here, yes, I finally get some info back. The problem here is that the only attribute for monitoring this “RAS” session (in reality it’s an IKEv2-based IPSec VPN tunnel) is crasSessionState, but it is returning the value “0”. By definition, crasSessionState is a SessionStatus-based attribute with the following valid values: initializing(1), established(2) and terminating(3), and “0” is therefore not defined.

Guys, please, is there any restriction/bug why CISCO-IPSEC-FLOW-MONITOR-MIB is not available under a Cisco ASA context for monitoring IKEv2-based IPSec VPN tunnels, but rather CISCO-REMOTE-ACCESS-MONITOR-MIB is available and used instead?

Thanks,

error: