Found oid to monitor if ipsec tunnel is alive but...

I created an item with the oid of cipsectuniketunnelalive but the item wont stay active. Also, when I do a show snmp-server oid command on the asa that particular oid shows up in the list. However, when I do an snmpwalk, it does not show up. any ideas?

vpn state monitoring

Never mind, I figured it out. Thanks for all the help from the community.

VPN state monitoring

Hi team,

Can you tell me step by step procedure how did you monitor the ipsec tunnel using zabbix. I am very new to zabbix.

If you hunt around you'll find some prior work on monitoring site to site tunnels, but not all that easy to follow. Part of the issue is that the MIB structures are both confusing and ephemeral. There are two layers, of course, and the mibs monitor both. Both layers at different times can have tunnels tear down and recreate, which gives the tunnel instances in the mibs different instance numbers, and some of those instance numbers are not simple indexes, but will have multiple items as their "index". Further, L2L and client tunnels get mixed in (though there is a distinguishing MIB item) and you may want to monitor them differently. Finally a tunnel that is down has no MIB data, making it very hard to monitor properly.

I wrote a set of scripts for this. They are not quite ready for prime time, so I am not posting them. Also, they depend on using Rancid to have ASA configs handy, and they don't support anything but static L2L tunnel groups, no dynamic tunnels (I have none to test against). What I did was use the router configs to find tunnels that exist, so I could notice tunnels that are configured but not up. It also reconciles tunnel end points against other zabbix nodes, so you can figure out where each tunnel terminates (host name wise not just an IP address), and builds persistent items that do not change as indexes change, so you can monitor traffic.

When I get them a bit more debugged, I'll post a note here and probably put it on git.

Wish I had a more complete answer for you, but the ASA Mibs for these are not very friendly to zabbix monitoring (or any kind, frankly; they really need defined tunnels to be persistent in the mibs, not transient with ever changing indexes)).