Description | This article explains why OID .1.3.6.1.2.1.2.2.1.8.X (ifOperStatus) should not be used to check the VPN interface status. |
Scope | FortiGate, SNMP, VPN. |
Solution |
1.3.6.1.2.1.2.2.1.8 (ifOperStatus) is the OID used to check the status of an interface. To monitor a specific interface, use the OID 1.3.6.1.2.1.2.2.1.8.x, where 'x' is the SNMP index number of that interface.
However, it should not be used to monitor the VPN interface status. When a VPN tunnel is down, its VPN interface is also down, yet its SNMP value remains 1 (which means UP, the same as for a VPN tunnel that is up). The SNMP value only changes to 2 (which means DOWN) when the VPN interface is manually disabled.
For example, there are 3 tunnels: (1) To_kvm85, (2) To_other and (3) tunnel3. Their SNMP indexes are 17, 18, and 19, respectively.
Tunnel (1) is UP. Tunnels (2) and (3) are both DOWN, but only the interface of tunnel (3) is disabled manually.
In the snmpwalk results, the value for tunnel (1), which is UP, and for tunnel (2), which is DOWN, is still 1. Only tunnel (3), whose interface is disabled manually, changes its OID value to 2 (which means down).
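The following added example (not part of the original article or Fortinet code) parses snmpwalk output for ifOperStatus and lists the tunnels whose polled value disagrees with their real state. The sample output is constructed from the values described above and assumes numeric OID output; the function names are hypothetical.

```python
import re

IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"

# Constructed snmpwalk output matching the article's example (not a device capture).
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.8.17 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.18 = INTEGER: 1
.1.3.6.1.2.1.2.2.1.8.19 = INTEGER: 2
"""

# Real tunnel state from the article's example, keyed by SNMP index.
ACTUAL = {17: ("To_kvm85", "up"), 18: ("To_other", "down"), 19: ("tunnel3", "down")}

# Accepts both "INTEGER: 1" and "INTEGER: up(1)" value forms.
LINE_RE = re.compile(
    r"^\.?" + re.escape(IF_OPER_STATUS)
    + r"\.(\d+)\s*=\s*INTEGER:\s*(?:\w+\()?(\d+)\)?\s*$"
)

def parse_if_oper_status(walk_text):
    """Return {snmp_index: ifOperStatus value} from numeric snmpwalk output."""
    polled = {}
    for line in walk_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            polled[int(match.group(1))] = int(match.group(2))
    return polled

def misreported_tunnels(walk_text, actual):
    """List (name, index, polled value, real state) where ifOperStatus is wrong."""
    polled = parse_if_oper_status(walk_text)
    wrong = []
    for index, (name, state) in sorted(actual.items()):
        value = polled.get(index)
        if value is None:
            continue  # index not present in this walk
        # 1 means up; any other value is treated as not up in this example.
        reported = "up" if value == 1 else "down"
        if reported != state:
            wrong.append((name, index, value, state))
    return wrong

if __name__ == "__main__":
    for name, index, value, state in misreported_tunnels(SAMPLE_WALK, ACTUAL):
        print(f"{name} (index {index}): ifOperStatus={value}, tunnel is {state}")
```

A monitor that alerts only on ifOperStatus would raise nothing for To_other in this data, which is the blind spot the article describes.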
Copyright 2024 Fortinet, Inc. All Rights Reserved.