RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

To: "Davis, Donald" <donald.davis@firstcitizens.com>, <nv-l@lists.tivoli.com>
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)
From: "Barr, Scott" <Scott_Barr@csgsystems.com>
Date: Fri, 1 Aug 2003 12:54:05 -0500
Thanks, and here is the official answer from Cisco for those curious:
 
Hi Scott,

Regarding your question about how to identify the tunnel, please check the tunnel index number which is appended at the end of each entry.
For e.g. in the following entry:
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25110 : INTEGER: active

25110 is the tunnel index number.
Definition
.1.3.6.1.4.1.9.9.171.1.3.2.1.1
cipSecTunIndex OBJECT-TYPE
	-- FROM	CISCO-IPSEC-FLOW-MONITOR-MIB
	SYNTAX		Integer (1..2147483647)
	MAX-ACCESS	not-accessible
	STATUS		Current
	DESCRIPTION    "The index of the IPsec Phase-2 Tunnel Table.
          The value of the index is a number which begins 
          at one and is incremented with each tunnel that 
          is created. The value of this object will wrap 
          at 2,147,483,647."

You can then walk mib objects
.1.3.6.1.4.1.9.9.171.1.3.2.1.4
cipSecTunLocalAddr OBJECT-TYPE
	-- FROM	CISCO-IPSEC-FLOW-MONITOR-MIB
	-- TEXTUAL CONVENTION IPSIpAddress
	SYNTAX		OCTET STRING (4|16)
	MAX-ACCESS	read-only
	STATUS		Current
	DESCRIPTION    "The IP address of the local endpoint for the IPsec

and 

.1.3.6.1.4.1.9.9.171.1.3.2.1.5
cipSecTunRemoteAddr OBJECT-TYPE
	-- FROM	CISCO-IPSEC-FLOW-MONITOR-MIB
	-- TEXTUAL CONVENTION IPSIpAddress
	SYNTAX		OCTET STRING (4|16)
	MAX-ACCESS	read-only
	STATUS		Current
	DESCRIPTION    "The IP address of the remote endpoint for the IPsec
          Phase-2 Tunnel."

These entries will also be appended with the tunnel index number...and will give you the ip address of source and destination.
So you can map the result of the three mib objects above as each entry will have a common tunnel index number.

Please let me know if this will give you the info you are looking for?

I'll check about the support list...as it doesn't look correct....as the following doc does talk about loading ipsec-flow mib,
which means it should be supported.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a00800946e8.shtml

Thanks,

Nauman
-----Original Message-----
From: Davis, Donald [mailto:donald.davis@firstcitizens.com]
Sent: Friday, August 01, 2003 11:55 AM
To: Barr, Scott; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

Scott,
From what I have been reading, if the tunnel is in the active table, it is up.
If it is missing from the active table, it is down.
 
This query will tell you the IP Address that each tunnel index is remotely connected to.
 
snmpwalk <hostname>  .1.3.6.1.4.1.9.9.171.1.2.3.1.7
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseOne.cikeTunnelTable.cikeTunnelEntry.cikeTunRemoteValue.7040 : DISPLAY STRING- (ascii):  65.82.246.18
...
...
 
This example indicates that index:7040 is remotely connected to 65.82.246.18
 
nslookup on that address yields:
Name:    adsl-065-082-246-018.sip.clt.bellsouth.net
Address:  65.82.246.18
Don Davis 
First Citizens Bank
Systems Engineer Consultant
Raleigh, NC.  27603-3526
 
-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Friday, August 01, 2003 11:04 AM
To: Davis, Donald; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

Don, first of all.....YOU ARE AWESOME
 
Second, THANKS
 
Third, How the heck do I tell which tunnel is which? I am looking at a field called TunStatus (but TunnelAlive has same problem)
 
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25110 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25111 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25114 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.25115 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26846 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26850 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26856 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26860 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26865 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26869 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26870 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26871 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26898 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26901 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26939 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26951 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26953 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26955 : INTEGER: active
cisco.ciscoMgmt.ciscoIpSecFlowMonitorMIB.cipSecMIBObjects.cipSecPhaseTwo.cipSecTunnelTable.cipSecTunnelEntry.cipSecTunStatus.26957 : INTEGER: active
 
It appears there is some "index" added to this but I can't for the life of me figure out which one is which. The index numbers are consistent throughout the rest of the MIB. Also, there are FAR more tunnels than we actually have - so I don't know where the "extra" tunnels are coming from.
-----Original Message-----
From: Davis, Donald [mailto:donald.davis@firstcitizens.com]
Sent: Thursday, July 31, 2003 3:40 PM
To: Barr, Scott; nv-l@lists.tivoli.com
Subject: RE: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)

Scott,
I think what you are looking for may be in this mib:
CISCO-IPSEC-FLOW-MONITOR-MIB-V1SMI.my

This was downloaded from the cisco ftp site.
I fixed a syntax error on line 135 that NetView would not compile.
IPSIpAddress ::= OCTET STRING(SIZE(4 | 16))
NetView would not compile it with the spaces around the bar.

I queried my Cisco 3000 with it and was able to retrieve tunnel status
cipSecTunnelTable.cipSecTunnelEntry.cipSecTunIkeTunnelAlive.9663 : True



Don Davis
First Citizens Bank
Raleigh, NC.  27603-3526
 


-----Original Message-----
From: Barr, Scott [mailto:Scott_Barr@csgsystems.com]
Sent: Thursday, July 31, 2003 11:50 AM
To: nv-l@lists.tivoli.com
Subject: [nv-l] Altiga MIBS / TRAPS (read: Cisco VPN Concentrator)


Anyone have massaged versions of the Altiga MIBS that the Cisco 3030 VPN concentrator uses? And better yet, anyone have any trap documentation?

The core problem is I need to alert when the IPSEC tunnel is down. So I either need a trap or a mib variable to poll. Based on Cisco's response, I'm not sure either is possible. The tunnel is NOT an interface on the concentrator so the LinkUp/LinkDown traps don't report the status of a tunnel.

Here is what Cisco gave me back on a TAC case:

<
Problem Description:  Where can I find details on what traps the VPN 3030 concentrator generates. In particular - when a IPSEC tunnel drops.

Please contact customer via email: scott_barr@csgsystems.com
>

The VPN concentrators have limited snmp support and not too many traps are supported by this device.

Please go to the following page and check all the mibs supported by the version of code your VPN 3030 is running. The newer code will include the mibs supported in prior codes.

Mib supported by VPN 3000 concentrator
ftp://ftp.cisco.com/pub/mibs/supportlists/vpn3000/vpn3000-supportlist.html

Next go to the following page and click on the mibs that are present in the previous link, i.e. that are supported by VPN 3030 and that are present on this traps page.

The mibs that are not present on this second link means that it does not have any traps.

Snmp traps in mibs
ftp://ftp.cisco.com/pub/mibs/traps

You can use

http://jaguar.ir.miami.edu/~marcus/snmptrans.html

to translate and look up mib definitions.

AFAIK,  it only sends standard MIB-II traps like linkDown, linkUp etc,  but you can also send VPN3000 Events
as SNMP traps (these Events are NOT defined in any MIBs).  So the Altiga MIBs don't actually have any traps defined.

Verify the VPN3000 SNMP configuration.

Reference Volume I:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_0/index.htm

Configuration | System | Management Protocols | SNMP
Configuration | System | Events | General
Events to Trap
Configuration | System | Events | Classes
Configuration | System | Events | Trap Destinations
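
The join by tunnel index described in the Cisco reply, combined with the "missing from the active table means down" rule from the thread, as an added example that is not part of the original messages. The function names, the sample walk, and the hex rendering of the address columns are assumptions; addresses come from documentation ranges. Peers are compared by remote address because the MIB description says the index is incremented with each tunnel that is created.

```python
import ipaddress
import re

# Columns of cipSecTunnelEntry named in the thread (CISCO-IPSEC-FLOW-MONITOR-MIB).
COLUMNS = ("cipSecTunStatus", "cipSecTunLocalAddr", "cipSecTunRemoteAddr")
# "<...>.<column>.<tunnel index> : <TYPE>: <value>", the layout of the walk output above.
LINE_RE = re.compile(r"\.(cipSecTun\w+)\.(\d+)\s*:\s*[^:]+:\s*(.*)$")

# Constructed sample walk. The hex rendering of the address columns is an assumption.
SAMPLE_WALK = """\
cipSecTunnelEntry.cipSecTunStatus.25110 : INTEGER: active
cipSecTunnelEntry.cipSecTunStatus.25111 : INTEGER: active
cipSecTunnelEntry.cipSecTunStatus.25114 : INTEGER: active
cipSecTunnelEntry.cipSecTunLocalAddr.25110 : OCTET STRING- (hex): c0 00 02 01
cipSecTunnelEntry.cipSecTunLocalAddr.25111 : OCTET STRING- (hex): c0 00 02 01
cipSecTunnelEntry.cipSecTunLocalAddr.25114 : OCTET STRING- (hex): c0 00 02 01
cipSecTunnelEntry.cipSecTunRemoteAddr.25110 : OCTET STRING- (hex): c6 33 64 07
cipSecTunnelEntry.cipSecTunRemoteAddr.25111 : OCTET STRING- (hex): c6 33 64 07
cipSecTunnelEntry.cipSecTunRemoteAddr.25114 : OCTET STRING- (hex): cb 00 71 09
"""


def decode_addr(text):
    """IPSIpAddress is OCTET STRING (4|16): 4 octets is IPv4, 16 octets is IPv6."""
    raw = bytes.fromhex(text.replace(" ", ""))
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected address length: {len(raw)}")
    return str(ipaddress.ip_address(raw))


def join_tunnels(walk_text):
    """Group the three columns into one record per tunnel index."""
    tunnels = {}
    for line in walk_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) not in COLUMNS:
            continue
        column, index, value = m.group(1), int(m.group(2)), m.group(3).strip()
        if column != "cipSecTunStatus":
            value = decode_addr(value)
        tunnels.setdefault(index, {})[column] = value
    return tunnels


def peers_down(tunnels, expected_peers):
    """Expected remote peers that have no active row in the tunnel table."""
    up = {t.get("cipSecTunRemoteAddr") for t in tunnels.values()
          if t.get("cipSecTunStatus") == "active"}
    return sorted(set(expected_peers) - up)
```

Feeding `peers_down` a fixed list of the site-to-site peers you care about turns each poll into an alertable result, and more than one index can map to the same remote address, as the sample shows.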
