Hello,
I am beginner in Checkmk and I am using Checkmk raw edition. I have found Checkmk Exchange recently. I have searched and didn’t found any mkps regarding cisco router vpn monitoring issue. I have found Cisco ASA VPN monitoring mkps in Checkmk exchange. I have tested on cisco routers via snmp but they don’t work. I didn’t find any services after installing those plugins.
Is there any plugin or extension regarding IPSec site to site VPN monitoring for Cisco routers in Checkmk?
Hi,
read this article about monitoring of switch ports and network interfaces with Checkmk: https://checkmk.com/blog/network-monitoring-with-checkmk-2-0
Karl
As the buildin check plugin cisco_vpn_tunnel is only working with ASAs and very old VPN 3000 concentrators, you can give my plugin a try.
Thanks a lot for reply. This article is very informative but not the answer to my question. IPSec tunnel has 2 phases and it don’t create any tunnel interface. So that it can’t be monitored via tunnel interfaces.
Thanks a lot brother. Do I just need to install the package and rediscover the service again or need to do other things? Sorry again I am new in Checkmk.
this should do the trick
I have already done but tunnel phase 2 is not working and VPN tunnels are showing with IP not the names. How can I add the alias to the tunnels and how can it find the phase 2 of the IPSec tunnel? Please find the tunnels screenshot below:
this is by design, as there is no name in the snmp data. You can add an alias via wato for each IP-address.
The check should find the phase 2 SA automatically. If not, and you are sure there is an active P2 SA I might need an snmpwalk from the device in question th check this.
snmpwalk -v2c -c public -ObentU 10.10.10.10 .1.3.6.1.2.1.1.1 > hostname.snmpwalk
snmpwalk -v2c -c public -ObentU 10.10.10.10 .1.3.6.1.2.1.1.2 >> hostname.snmpwalk
snmpwalk -v2c -c public -ObentU 10.10.10.10 .1.3.6.1.4.1.9.9.171 >> hostname.snmpwalk
Thanks for your reply. Now I have put alias and I can now understand the tunnel name.
Now a IPSec VPN link phase 2 is showing ok automatically without configuring snmpwalk. That means snmp can pull the phase 2 data as well. But other IPSec VPN phase 2 is not showing up though their phase 2 is also active. What could be the issue here?
as I said, to investigate this issues I need the snmpwalk form the device.
Please check the out of snmpwalk below. I have hide the IPs here and couldn’t upload the full output as the out is huge.
I have sent mail as per contribution guidelines. Please check.
@shafiullah I have checked your snmpdata. Your router delivers not the correct information nedded. The data are missing the connection between IKE SA and IPSec SAs. These connection is usualy made by the cikeTunIndex (OID: 1.3.6.1.4.1.9.9.171.1.2.3.1.1) and cipSecTunIkeTunnelIndex (OID: ‘1.3.6.1.4.1.9.9.171.1.3.2.1.2’). As Cisco normaly dosen’t return cikeTunIndex this is replaced by OIDEnd() from the IKE SA data. In your case this data dosen’t match, except for one tunnel :-(. But anyway, I have created a little workaround to match the IPSec SA data with the IKE SA by use of the remote tunnel address. If you like you can try it out your selef an let me know if its working for you.
This is what ist looks right now.
Thanks for your great effort. It was really a great observation from you. So how can I solve this issue now?
sorry I didn’t mention it. You can download the updateded mkp, install it on your CMK do a rediscovery/activate. And test 
Thanks a lot brother. It finally worked. I appreciate your work man.
perfect Don’t forget to marke this as resolved.
