[Top] [All Lists]

RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

To: "Davis, Donald" <donald.davis@firstcitizens.com>, <nv-l@lists.tivoli.com>
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)
From: "Barr, Scott" <Scott_Barr@csgsystems.com>
Date: Fri, 1 Aug 2003 12:54:05 -0500
Delivered-to: mailing list nv-l@lists.tivoli.com
Delivery-date: Fri, 01 Aug 2003 18:54:42 +0100
Envelope-to: nv-l-archive@lists.skills-1st.co.uk
List-help: <mailto:nv-l-help@lists.tivoli.com>
List-post: <mailto:nv-l@lists.tivoli.com>
List-subscribe: <mailto:nv-l-subscribe@lists.tivoli.com>
List-unsubscribe: <mailto:nv-l-unsubscribe@lists.tivoli.com>
Mailing-list: contact nv-l-help@lists.tivoli.com; run by ezmlm
Thread-index: AcNYTbz3MitSJhRzRHisXgtCF2pkewABwKsA
Thread-topic: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)
Thanks, and here is the offical answer from Cisco for those curious:
Hi Scott,

Regarding your question about how to indentify the tunnel, please check the tunnel index number which is appended at the end of each entry.
For e.g in the following entry :
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25110 : INTEGER: active

25110 is the tunnel index number.
cipSecTunIndex OBJECT-TYPE
	SYNTAX		Integer (1..2147483647)
	MAX-ACCESS	not-accessible
	STATUS		Current
	DESCRIPTION    "The index of the IPsec Phase-2 Tunnel Table.
          The value of the index is a number which begins 
          at one and is incremented with each tunnel that 
          is created. The value of this object will wrap 
          at 2,147,483,647."

You can then walk mib objects
cipSecTunLocalAddr OBJECT-TYPE
	MAX-ACCESS	read-only
	STATUS		Current
	DESCRIPTION    "The IP address of the local endpoint for the IPsec


cipSecTunRemoteAddr OBJECT-TYPE
	MAX-ACCESS	read-only
	STATUS		Current
	DESCRIPTION    "The IP address of the remote endpoint for the IPsec

          Phase-2 Tunnel."

This entries will also be appended with the tunnel index number...and will give you the ip address of source and destination.
So you can map the result of the three mib objects above as each entry will have a common tunnel index number.

Please let me now if this will give you the info you are looking for ?

I'll check about the support list...as it doesn't look correct....as the following doc does talk about loading ipsec-flow mib,
which means it should be supported.



-----Original Message-----
From: Davis, Donald [mailto:donald.davis@firstcitizens.com]
Sent: Friday, August 01, 2003 11:55 AM
To: Barr, Scott; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

From what I have been reading, if the tunnel is in the active table, it is up.
If it is missing from the active table, it is down.
This query will tell you the IP Address that each tunnel index is remotely connected to.
snmpwalk <hostname>  .
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseOne.cikeTunnelTable.cikeTunnelEntry.cikeTunRemoteValue.7040 : DISPLAY STRING- (ascii):
This example indicates that index:7040 is remotely connected to
nslookup on that address yields:
Name:    adsl-065-082-246-018.sip.clt.bellsouth.net
Don Davis 
First Citizens Bank
Systems Engineer Consultant
Raleigh, NC.  27603-3526
-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Friday, August 01, 2003 11:04 AM
To: Davis, Donald; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

Don, first of all.....YOU ARE AWESOME
Second, THANKS
Third, How the heck do I tell which tunnel is which? I am looking at a field call TunStatus (but TunnelAlive has same problem)
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25110 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25111 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25114 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25115 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26846 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26850 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26856 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26860 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26865 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26869 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26870 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26871 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26898 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26901 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26939 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26951 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26953 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26955 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26957 : INTEGER: active
It appears there is some "index" added to this but I can't for the life of me figure out which one is which. The index numbers are consistent throughout the rest of the MIB. Also, there are FAR more tunnels then we actually have - so I don't know where the "extra" tunnels are coming from.
-----Original Message-----
From: Davis, Donald [mailto:donald.davis@firstcitizens.com]
Sent: Thursday, July 31, 2003 3:40 PM
To: Barr, Scott; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

I think what you are looking for may be in this mib:

This was downloaded from the cisco ftp site.
I fixed a syntax error on line 135 that NetView would not compile.
IPSIpAddress ::= OCTET STRING(SIZE(4 | 16))
NetView would not compile it with the spaces around the bar.

I queried my Cisco 3000 with it and was able to retrieve tunnel status
cipSecTunnelTable.cipSecTunnelEntry.cipSecTunIkeTunnelAlive.9663 : True

Don Davis
First Citizens Bank
Raleigh, NC.  27603-3526

-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Thursday, July 31, 2003 11:50 AM
To: nv-l@lists.tivoli.com
Subject: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

Anyone have massaged versions of the Altiga MIBS that the Cisco 3030 VPN concentrator uses? And better yet, anyone have any trap documentation?

The core problem is I need to alert when the IPSEC tunnel is down. So I either need a trap or a mib variable to poll. Based on Cisco's response, I'm not sure either is possible. The tunnel is NOT an interface on the concentrator so the LinkUp/LinkDown traps don't report the status of a tunnel.

Here is what Cisco gave me back on a TAC case:

Problem Description:  Where can I find details on what traps the VPN 3030 concentrator generates. In particular - when a IPSEC tunnel drops.

Please contact customer via email: scott_barr@csgsystems.com

The VPN concentrators have limited snmp support and not too many traps are supported by this device.

Please go to the following page and check all the mibs supported by the version of code your VPN 3030 is running. The newer code will include the mibs supported in prior codes.

Mib supported by VPN 3000 conenctrator

Next go to the following page and click on the mibs that are present in the previous link .i.e that are supported by VPN 3030 and that is present on this traps page.

The mibs that are not present on this second link means that it does not have any traps.

Snmp traps in mibs

You can use


translate and lookup mib definitions.

AFAIK,  it only sends standard MIB-II traps like linkDown, linkUp etc,  but you can also send VPN3000 Events
as SNMP traps (these Events are NOT defined in any MIBs).  So the Altiga MIBs don't actually have any traps defined.

Verify the VPN3000 SNMP configuration.

Reference Volume I:


Configuration | System | Management Protocols | SNMP
Configuration | System | Events | General
Events to Trap
Configuration | System | Events | Classes
Configuration | System | Events | Trap Destinations

To unsubscribe, e-mail: nv-l-unsubscribe@lists.tivoli.com
For additional commands, e-mail: nv-l-help@lists.tivoli.com

This is not an Offical Tivoli Support forum. If you need immediate
assistance from Tivoli please call the IBM Tivoli Software Group
help line at 1-800-TIVOLI8(848-6548)

This electronic mail and any files transmitted with it are confidential and are intended solely for the use of individual or entity to whom they are addressed. If you are not the intended recipient or the person responsible for delivering the electronic mail to the intended recipient, be advised that you have received this electronic mail in error and that any use, dissemination, forwarding, printing, or copying of this electronic mail is strictly prohibited. If you have received this electronic mail in error, please immediately notify the sender by return mail.

<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web