Hello,
I added the fortigate_ipsecvpn rule but the Checkmk can’t find the service.
How can I find the problem?
Could somebody guide me how to do debugging at that time?
regards,
Yoshihiro
I did debug using “cmk” command then I notice that the Checkmk got the different OID.
Blockquote
~snip~
fortigate_ipsecvpn: Fetching data (SNMP walk cache is disabled)
Executing BULKWALK of “.1.3.6.1.4.1.12356.101.12.2.2.1.3” on Fortigate60e
Executing SNMP GET of .1.3.6.1.4.1.12356.101.12.2.2.1.3 on Fortigate60e
=> [None ] NOSUCHINSTANCE
Executing BULKWALK of “.1.3.6.1.4.1.12356.101.12.2.2.1.20” on Fortigate60e
Executing SNMP GET of .1.3.6.1.4.1.12356.101.12.2.2.1.20 on Fortigate60e
=> [None] NOSUCHINSTANCE
~snip~
It should be “1.3.6.1.4.1.12356.101.12.1.1.X” for retrieving the number of IPsec sessions.
regards,
Yoshihiro
Hi,
did you add the ipsec in switch port discovery rule to detect the port type for ipsec? I think you shoul add 131- tunnel there.
Cheers, Christian
2 Likes
Hi, @ChristianM @gulaschcowboy .
Thank you for your advice. I follow the article “Network Monitoring with Checkmk 2.0: Three rules to rule them all”.
As attached file it shows the “Interface VPN-IPSEC” but what I want is to show the number of available IPSec VPN Tunnels(FortiGate Firewalls: Status of IPSec VPN Tunnels).
Again I executed the “cmk” command but the checkmk still sends wrong OIDs i think.
fortigate_ipsecvpn: Fetching data (SNMP walk cache is disabled)
Executing BULKWALK of “.1.3.6.1.4.1.12356.101.12.2.2.1.3” on Fortigate60e
Executing SNMP GET of .1.3.6.1.4.1.12356.101.12.2.2.1.3 on Fortigate60e
=> [None] NOSUCHINSTANCE
Executing BULKWALK of “.1.3.6.1.4.1.12356.101.12.2.2.1.20” on Fortigate60e
Executing SNMP GET of .1.3.6.1.4.1.12356.101.12.2.2.1.20 on Fortigate60e
=> [None] NOSUCHINSTANCE
Above OIDs are like below. They are not the number of available IPSec VPN Tunnels.
1.3.6.1.4.1.12356.101.12.2.2.1.3 fgVpnTunEntPhase2Name Descriptive name of phase2 configuration for the tunnel
1.3.6.1.4.1.12356.101.12.2.2.1.20 fgVpnTunEntStatus Current status of tunnel (up or down)
The OID should be below.
1.3.6.1.4.1.12356.101.12.1.1 fgVpnTunnelUpCount The number of IPsec VPN tunnels with at least one SA
Any idea appreciated.
regards,
Yoshihiro
This would be another check then. What is strange is that your device has no data on the mentioned OIDs.
What do you get, if you do an manual snmpwalk, on your device for OIDs starting with 1.3.6.1.4.1.12356.101.12 ?
Thank you for your comment.
Attached file is the result of “snmpwalk”.
snmpwalk.txt (17.6 KB)
What do you get, if you do an manual snmpwalk, on your device for OIDs starting with >1.3.6.1.4.1.12356.101.12 ?
As you could see it should get “2021/11/09 16:03:01 (16 ms) : 1.3.6.1.4.1.12356.101.12.1.1.0 = “7” [ASN_INTEGER]”.
Why does checkmk try to get the “1.3.6.1.4.1.12356.101.12.2.2.X.X” instead of “1.3.6.1.4.1.12356.101.12.1.1.X.X”?
regards,
Yoshihiro
The first one is the real important part the second one is only a counter without any information about the status and typ of connection.
What you see is that your system only has Dialup entries and no real tunnel entries.
1.3.6.1.4.1.12356.101.12.2.1 VpnDialupTable
1.3.6.1.4.1.12356.101.12.2.2 VpnTunnelTable
As the check only checks real tunnels and no dialup your counter will not help as this is the overall counter of tunnels and dialups.
@andreas-doehler Thank you for your advice.
I would ask Fortigate support why I can’t get the “1.3.6.1.4.1.12356.101.12.2.2 VpnTunnelTable”.
regards,
Yoshihiro
Inside your snmpwalk is only the VpnDialupTable. What you need now is a new check for this SNMP table. It should be possible to adapt the existing check who is using the VpnTunnelTable.
@andreas-doehler Yup, It was typo. I should check why I can’t get the VpnTunnelTable.
regards,
Yoshihiro
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.