Re: [Observium] snmpwalk observations Cisco ASA 5505

30 Mar 2016


      So I upgraded to ASA 9.1.7(4) and I still can't monitor IPSEC tunnels on 
1 of the Firewalls.... (so that would point at a Cisco configuration 
issue?)
FW1 - working
/usr/bin/snmpwalk -v2c -c *** -Pu  -OQUs -m CISCO-IPSEC-FLOW-MONITOR-MIB 
-M 
/var/www/observium/mibs/rfc:/var/www/observium/mibs/net-snmp:/var/www/observium/mibs/cisco 
'udp':'192.168.20.254':'161' cikeTunnelEntry
cikeTunLocalType.260030464 = ipAddrPeer
cikeTunLocalType.260034560 = ipAddrPeer
.....
FW2 - No such OID
  /usr/bin/snmpwalk -v2c -c dfdl-snmp -Pu  -OQUs -m 
CISCO-IPSEC-FLOW-MONITOR-MIB -M 
/var/www/observium/mibs/rfc:/var/www/observium/mibs/net-snmp:/var/www/observium/mibs/cisco 
'udp':'192.168.1.254':'161' cikeTunnelEntry
*cikeTunnelEntry = No Such Object available on this agent at this OID*
FW2 - will show entries for OID cikePeerActiveTunnelIndex
/usr/bin/snmpwalk -v2c -c dfdl-snmp -Pu  -OQUs -m 
CISCO-IPSEC-FLOW-MONITOR-MIB -M 
/var/www/observium/mibs/rfc:/var/www/observium/mibs/net-snmp:/var/www/observium/mibs/cisco 
'udp':'bkk-asa':'161' cikePeerActiveTunnelIndex
cikePeerActiveTunnelIndex.ipAddrPeer."x.x.x.x".ipAddrPeer."x.x.x.x".500 
= 40960
cikePeerActiveTunnelIndex.ipAddrPeer."x.x.x.x".ipAddrPeer."x.x.x.x".500 
= 20480
cikePeerActiveTunnelIndex.ipAddrPeer."x.x.x.x".ipAddrPeer."x.x.x.x".500 
= 12288
On both Cisco 5505 firewalls I run /show snmp-server oidlist/, and 
neither list cikeTunnelEntry .1.3.6.1.4.1.9.9.171.1.2.3.1
yet 1 firewall will respond to a walk and the other will not. Pulling my 
hair out.
[344]    1.3.6.1.4.1.9.9.171.1.2.3.1.2.    cikeTunLocalType
[345]    1.3.6.1.4.1.9.9.171.1.2.3.1.3.    cikeTunLocalValue
[346]    1.3.6.1.4.1.9.9.171.1.2.3.1.4.    cikeTunLocalAddr
[347]    1.3.6.1.4.1.9.9.171.1.2.3.1.5.    cikeTunLocalName
[348]    1.3.6.1.4.1.9.9.171.1.2.3.1.6.    cikeTunRemoteType
[349]    1.3.6.1.4.1.9.9.171.1.2.3.1.7.    cikeTunRemoteValue
[350]    1.3.6.1.4.1.9.9.171.1.2.3.1.8.    cikeTunRemoteAddr
[351]    1.3.6.1.4.1.9.9.171.1.2.3.1.9.    cikeTunRemoteName
[352]    1.3.6.1.4.1.9.9.171.1.2.3.1.10.    cikeTunNegoMode
[353]    1.3.6.1.4.1.9.9.171.1.2.3.1.11.    cikeTunDiffHellmanGrp
[354]    1.3.6.1.4.1.9.9.171.1.2.3.1.12.    cikeTunEncryptAlgo
[355]    1.3.6.1.4.1.9.9.171.1.2.3.1.13.    cikeTunHashAlgo
[356]    1.3.6.1.4.1.9.9.171.1.2.3.1.14.    cikeTunAuthMethod
[357]    1.3.6.1.4.1.9.9.171.1.2.3.1.15.    cikeTunLifeTime
[358]    1.3.6.1.4.1.9.9.171.1.2.3.1.16.    cikeTunActiveTime
[359]   1.3.6.1.4.1.9.9.171.1.2.3.1.17.    cikeTunSaRefreshThreshold
[360]    1.3.6.1.4.1.9.9.171.1.2.3.1.18.    cikeTunTotalRefreshes
[361]    1.3.6.1.4.1.9.9.171.1.2.3.1.19.    cikeTunInOctets
[362]    1.3.6.1.4.1.9.9.171.1.2.3.1.20.    cikeTunInPkts
[363]    1.3.6.1.4.1.9.9.171.1.2.3.1.21.    cikeTunInDropPkts
[364]    1.3.6.1.4.1.9.9.171.1.2.3.1.22.    cikeTunInNotifys
[365]    1.3.6.1.4.1.9.9.171.1.2.3.1.23.    cikeTunInP2Exchgs
[366]    1.3.6.1.4.1.9.9.171.1.2.3.1.24.    cikeTunInP2ExchgInvalids
[367]    1.3.6.1.4.1.9.9.171.1.2.3.1.25.    cikeTunInP2ExchgRejects
[368]    1.3.6.1.4.1.9.9.171.1.2.3.1.26.    cikeTunInP2SaDelRequests
[369]    1.3.6.1.4.1.9.9.171.1.2.3.1.27.    cikeTunOutOctets
[370]    1.3.6.1.4.1.9.9.171.1.2.3.1.28.    cikeTunOutPkts
[371]    1.3.6.1.4.1.9.9.171.1.2.3.1.29.    cikeTunOutDropPkts
[372]    1.3.6.1.4.1.9.9.171.1.2.3.1.30.    cikeTunOutNotifys
[373]    1.3.6.1.4.1.9.9.171.1.2.3.1.31.    cikeTunOutP2Exchgs
[374]    1.3.6.1.4.1.9.9.171.1.2.3.1.32. cikeTunOutP2ExchgInvalids
[375]    1.3.6.1.4.1.9.9.171.1.2.3.1.33.    cikeTunOutP2ExchgRejects
[376]    1.3.6.1.4.1.9.9.171.1.2.3.1.34. cikeTunOutP2SaDelRequests
[377]    1.3.6.1.4.1.9.9.171.1.2.3.1.35.    cikeTunStatus

Re: [Observium] snmpwalk observations Cisco ASA 5505

Warren Daly (OPUS)