
SNMP or SYSLOG status of PIX VPN Tunnel


DavidHalko

Technical User
Dec 8, 2002
Is there a way to determine the status of a PIX VPN tunnel either through SNMP Traps, SNMP Gets or Syslog Alerts?

When a PIX to PIX tunnel is established and it fails,
I would like to get an indication of when the tunnel fails.

I would also like to be able to query the device to find
out all tunnels as well as their status... possibly even
statistics (passed packet, passed bytes, etc.)

Thanks,
EMS Architect
 
David, hi.

Does PIX write something to the syslog when tunnelling fails?
Mike

Want to get great answers to your Tek-Tips questions? Have a look at faq219-2884
 
> Does PIX write something to the syslog when tunnelling fails?

I do not know!

I am also in need of such information using the VPN technology in standard Cisco IOS routers... I have a couple of those too!
EMS Architect
 
David,

SNMP. Have you had a look at the MIB for the PIX? There may well be something in there for you.
Mike

 
The "pollable" snmp MIBS are pretty weak.
I have not found any interesting "SNMP traps" either.

Heck - I can't even find any easy command line'ers to tell what IPSEC tunnels are built and operating correctly!

It seems like management was the LAST thing they thought about when building this subsystem.
EMS Architect
 
Great....

Is there any online documentation I could look at?
Mike

 
Hi David,

Right....

Are syslog messages enabled?

Are syslog messages being redirected to a UNIX syslog host?

Assuming you can see your syslog:
If you issue the command:
logging buffered 7
PIX will log everything it can think of - and then some.

Logging levels are:

0 emergency, System unusable.
1 alert, Immediate action needed.
2 critical, Critical condition.
3 error, Error condition.
4 warning, Warning condition.
5 notification, Normal but significant condition.
6 informational, Informational message only.
7 debugging, Appears during debugging only

If you're not currently redirecting syslog messages to a UNIX host then almost any UNIX host will do, so it's worth thinking about...

Am I aiming in the right direction here?
Mike

 
Hey -

Yes - logging to a UNIX syslog server already.

You really never want to log at a debugging level of 7.

That is way too much trash to read through...
... establishing a connection from x to y
... tearing down a connection from x to y
and so forth.

There is just so much stuff coming out that unless you know what you are looking for, it is really useless.

I still have not seen anything on VPN connections via IPSec in those log files... does not mean they are not in there.

I also have not found anything with what the IDS codes are.

I have read through the error messages, and they have been less than helpful.

It is like looking for a needle in a haystack.

- Thanks,
Dave
EMS Architect
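Mike's post lists the eight PIX logging levels, and Dave's reply makes the practical point that at level 7 the volume of connection build/teardown messages buries anything interesting. The script below is an added example (not code from the thread or from Cisco) showing one way to cope with that on the UNIX syslog host already mentioned: parse the %PIX-<severity>-<message-id> tag that PIX puts in front of each message, bucket lines by the severity table from the thread, and pull out the few lines that mention IPsec security associations. The sample log lines and their message IDs are constructed for the example; they follow the PIX tag format but should not be read as a list of the real messages a given PIX version emits.

```python
import re
from typing import Dict, List, Optional

# Severity numbers and names exactly as listed in the thread (0 = most severe).
PIX_SEVERITIES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# PIX prefixes each syslog message with a tag: %PIX-<severity>-<6-digit id>: <text>
_PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


def parse_pix_syslog(line: str) -> Optional[Dict]:
    """Return severity, level name, message id and text for a PIX line, or None
    for lines from other hosts (sshd, cron, ...) that share the same syslog file."""
    m = _PIX_TAG.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {
        "severity": sev,
        "level": PIX_SEVERITIES[sev],
        "msgid": m.group("msgid"),
        "text": m.group("text"),
    }


def filter_by_level(lines: List[str], max_severity: int) -> List[Dict]:
    """Keep PIX messages at or more severe than max_severity.
    Lower numbers are more severe, so max_severity=4 keeps levels 0..4."""
    records = []
    for line in lines:
        rec = parse_pix_syslog(line)
        if rec is not None and rec["severity"] <= max_severity:
            records.append(rec)
    return records


def grep_messages(lines: List[str], keywords: List[str]) -> List[Dict]:
    """Keep PIX messages whose text mentions any keyword (case-insensitive).
    This is the 'know what you are looking for' filter Dave describes."""
    wanted = [k.lower() for k in keywords]
    hits = []
    for line in lines:
        rec = parse_pix_syslog(line)
        if rec is not None and any(k in rec["text"].lower() for k in wanted):
            hits.append(rec)
    return hits


def count_by_level(lines: List[str]) -> Dict[str, int]:
    """Histogram of level names, a quick way to see how much is level-6 noise."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_pix_syslog(line)
        if rec is not None:
            counts[rec["level"]] = counts.get(rec["level"], 0) + 1
    return counts


# Constructed sample log lines (not captured from a real PIX); addresses are
# RFC 5737 documentation ranges and the message ids are illustrative only.
SAMPLE_LOG = [
    "Dec  8 10:15:01 pix1 %PIX-6-302013: Built outbound TCP connection 1234 "
    "for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/3301 (203.0.113.1/1025)",
    "Dec  8 10:15:02 pix1 %PIX-6-302014: Teardown TCP connection 1234 "
    "for outside:192.0.2.10/80 to inside:10.0.0.5/3301 duration 0:00:01 bytes 512 TCP FINs",
    "Dec  8 10:15:03 pix1 %PIX-6-602301: sa created, (sa) sa_dest= 198.51.100.2, sa_prot= 50",
    "Dec  8 10:15:04 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.77/4444 "
    "dst inside:10.0.0.9/23 by access-group outside_in",
    "Dec  8 10:15:05 pix1 %PIX-6-602302: deleting sa, (sa) sa_dest= 198.51.100.2, sa_prot= 50",
    "Dec  8 10:15:06 pix1 %PIX-3-305006: regular translation creation failed for tcp "
    "src inside:10.0.0.12/1027 dst outside:192.0.2.30/443",
    "Dec  8 10:15:07 unixhost sshd[4321]: Accepted publickey for ops from 10.0.0.2 port 50122",
]


if __name__ == "__main__":
    print("levels:", count_by_level(SAMPLE_LOG))
    for rec in filter_by_level(SAMPLE_LOG, 4):
        print("warning or worse:", rec["level"], rec["msgid"], rec["text"])
    for rec in grep_messages(SAMPLE_LOG, ["sa created", "deleting sa"]):
        print("ipsec sa event:", rec["msgid"], rec["text"])
```

Pointing this at the real syslog file instead of SAMPLE_LOG (one line per list entry) gives a per-level histogram first, so it is obvious how much of the volume is level 6 connection traffic, and then two narrow views: anything at warning or worse, and only the security-association lines. Which keywords identify tunnel setup and teardown on a given PIX release is something to confirm against that release's syslog message reference rather than assume from this example.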
 