Monitoring Cisco router IPSec site to site VPN tunnel


I am beginner in Checkmk and I am using Checkmk raw edition. I have found Checkmk Exchange recently. I have searched and didn’t found any mkps regarding cisco router vpn monitoring issue. I have found Cisco ASA VPN monitoring mkps in Checkmk exchange. I have tested on cisco routers via snmp but they don’t work. I didn’t find any services after installing those plugins.

Is there any plugin or extension regarding IPSec site to site VPN monitoring for Cisco routers in Checkmk?


read this article about monitoring of switch ports and network interfaces with Checkmk:


1 Like

As the buildin check plugin cisco_vpn_tunnel is only working with ASAs and very old VPN 3000 concentrators, you can give my plugin a try.

Thanks a lot for reply. This article is very informative but not the answer to my question. IPSec tunnel has 2 phases and it don’t create any tunnel interface. So that it can’t be monitored via tunnel interfaces.

Thanks a lot brother. Do I just need to install the package and rediscover the service again or need to do other things? Sorry again I am new in Checkmk.

this should do the trick

1 Like

I have already done but tunnel phase 2 is not working and VPN tunnels are showing with IP not the names. How can I add the alias to the tunnels and how can it find the phase 2 of the IPSec tunnel? Please find the tunnels screenshot below:

this is by design, as there is no name in the snmp data. You can add an alias via wato for each IP-address.

The check should find the phase 2 SA automatically. If not, and you are sure there is an active P2 SA I might need an snmpwalk from the device in question th check this.

snmpwalk -v2c -c public -ObentU . > hostname.snmpwalk
snmpwalk -v2c -c public -ObentU . >> hostname.snmpwalk
snmpwalk -v2c -c public -ObentU . >> hostname.snmpwalk
1 Like

Thanks for your reply. Now I have put alias and I can now understand the tunnel name.

Now a IPSec VPN link phase 2 is showing ok automatically without configuring snmpwalk. That means snmp can pull the phase 2 data as well. But other IPSec VPN phase 2 is not showing up though their phase 2 is also active. What could be the issue here?

as I said, to investigate this issues I need the snmpwalk form the device.

Please check the out of snmpwalk below. I have hide the IPs here and couldn’t upload the full output as the out is huge.

Output as follows

to help you i need the walk as file. Please have a look at the contribution guidelines.

I have sent mail as per contribution guidelines. Please check.

@shafiullah I have checked your snmpdata. Your router delivers not the correct information nedded. The data are missing the connection between IKE SA and IPSec SAs. These connection is usualy made by the cikeTunIndex (OID: and cipSecTunIkeTunnelIndex (OID: ‘’). As Cisco normaly dosen’t return cikeTunIndex this is replaced by OIDEnd() from the IKE SA data. In your case this data dosen’t match, except for one tunnel :-(. But anyway, I have created a little workaround to match the IPSec SA data with the IKE SA by use of the remote tunnel address. If you like you can try it out your selef an let me know if its working for you.

This is what ist looks right now.

Thanks for your great effort. It was really a great observation from you. So how can I solve this issue now?

sorry I didn’t mention it. You can download the updateded mkp, install it on your CMK do a rediscovery/activate. And test :wink:


Thanks a lot brother. It finally worked. I appreciate your work man.

perfect :wink: Don’t forget to marke this as resolved.


Now I am getting another issue. SNMP is pulling all tunnel information properly. Also found that checkmk is generating IKE and IPSec graph. But I am not getting any SA graph here.

Though I found that SAs information is present but graph is not generating. How can I generate the SAs graph?