Cisco – Nagios Core to monitor Cisco VPN Tunnel

check-snmp cisco nagios vpn

I am able to see if a VPN tunnel is up using check_snmp. The OID for one of my tunnels is .1.3.6.1.4.1.9.9.171.1.2.3.1.35.3002962.

When the tunnel is up, no problems. The problem is when the tunnel is down, because the OID is gone.

working:

/usr/lib/nagios/plugins/check_snmp -H 10.10.10.1 -C public -o .1.3.6.1.4.1.9.9.171.1.2.3.1.35.3002962

returns:

SNMP OK - 1 | iso.3.6.1.4.1.9.9.171.1.2.3.1.35.300296=1

Tunnel down and OID missing:

External command error: Error in packet
Reason: (noSuchName) There is no such variable name in this MIB.
Failed object: iso.3.6.1.4.1.9.9.171.1.2.3.1.35.30029

Any ideas?

UPDATE:
Looks like I am going to have to write my own. The OIDs for the tunnel change, so using a straight check_snmp won't work. Still can't find out why the check_asa_vpn add-in errors out.

Best Answer

It seems this is normal behaviour for OID .1.3.6.1.4.1.9.9.171.1.2.3.1.35.

Its value is INTEGER: 1 when the tunnel is up, but this OID disappears when the tunnel is down.

So your check should handle this: if the OID is not found, raise an alert because the tunnel is down:

http://www.nycnetworkers.com/management/monitor-cisco-asa-vpn-tunnel-state-via-snmp

Unlike what we think of “up/down”, the value here if present means that the VPN Tunnel is up. If the tunnel is down, this line disappears from the MIB so when you create your poll, if it no longer sees this line you can send out an alert saying the VPN tunnel is down!


By the way, you could monitor OID 1.3.6.1.4.1.9.9.171.1.2.3.1.7 instead.

This gives the peers on both sides of the tunnel: local and remote.

https://www.appliedtrust.com/blog/2009/08/monitoring-site-site-vpns-cisco-asa

If the peer IP for a configured tunnel isn't listed here, it's down.

Also, there is a ready-to-go Perl Nagios plugin that uses this OID: https://exchange.nagios.org/directory/Plugins/Network-and-Systems-Management/check_asa_vpn/details
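
One way to implement the check described in the answer above, as an added example that is not part of the original answer or the linked plugin: walk the peer column and alert when the expected peer is absent, which also avoids depending on the per-tunnel index that the question's update says changes. It assumes net-snmp's `snmpwalk` with SNMP v2c; `peer_status`, `check_vpn_peer` and the sample walk output are constructed for illustration.

```shell
#!/bin/sh
# Added example: Nagios-style check that treats a missing peer as "tunnel down".
# Assumptions: net-snmp snmpwalk, SNMP v2c, value lines like: OID = STRING: "a.b.c.d"

PEER_COLUMN=".1.3.6.1.4.1.9.9.171.1.2.3.1.7"   # peer column named in the answer

# Constructed sample walk output (documentation addresses, second index made up).
SAMPLE_WALK='.1.3.6.1.4.1.9.9.171.1.2.3.1.7.3002962 = STRING: "203.0.113.10"
.1.3.6.1.4.1.9.9.171.1.2.3.1.7.3010001 = STRING: "198.51.100.7"'

# Read snmpwalk output on stdin and look for peer $1.
# Returns 0 (OK) if present, 2 (CRITICAL) if absent, per Nagios exit codes.
peer_status() {
    if awk -v peer="$1" '
        { val = $0
          sub(/^[^=]*= */, "", val)           # drop "OID = "
          sub(/^[A-Za-z0-9-]+: */, "", val)   # drop type tag, e.g. "STRING: "
          gsub(/"/, "", val)
          gsub(/^ +| +$/, "", val)
          # Compare the whole value so 203.0.113.1 never matches 203.0.113.10.
          if (val == peer) found = 1 }
        END { exit !found }'
    then
        echo "VPN OK - tunnel to $1 is up"
        return 0
    fi
    echo "VPN CRITICAL - peer $1 not in tunnel table, tunnel is down"
    return 2
}

# usage: check_vpn_peer HOST COMMUNITY PEER_IP
# An SNMP failure (timeout, bad community) is UNKNOWN, not "tunnel down".
check_vpn_peer() {
    out=$(snmpwalk -v2c -c "$2" -On "$1" "$PEER_COLUMN" 2>&1) || {
        echo "VPN UNKNOWN - SNMP query to $1 failed: $out"
        return 3
    }
    printf '%s\n' "$out" | peer_status "$3"
}

# Run as a plugin only when called with HOST COMMUNITY PEER_IP.
if [ "$#" -eq 3 ]; then
    check_vpn_peer "$@"
    exit $?
fi
```

Keeping SNMP failures as UNKNOWN stops an unreachable firewall from being reported as every tunnel being down.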