Changing SNMP IDs of VPN tunnels
Hello,
We are running a FortiGate cluster (A-P) with FortiOS 4.2.10. For monitoring purposes we are trying to check our VPN tunnels via SNMP (OID = fortinet.101.12.2.2.1.20.ID). Everything works fine, except that every time we add, delete or modify a VPN tunnel the IDs change, so we have to adjust our monitoring script.
How can we solve this problem?
Is it possible to set "static" IDs for VPN tunnels?
Sincerely
Harald
What you need is some type of persistence across the ifIndex. Have you looked at some type of persistence over the interfaces? Not sure if that is a command hidden in the FortiOS.
What are you doing that is causing the tunnel ifIndex to change? And what kind of tunnels are these (route-based, policy, dynamic)?
PCNSE
NSE
StrongSwan
Hello,
I'm using a pair of FGT-310Bs, so first there are 10 hardware ports (using ifIndex = 1-10), then we have SSLVPN, about 40 VLANs, about 30 IPSec tunnels in Policy mode and about 10 IPSec tunnels in Interface mode.
If I add a new IPSec tunnel, _ALL_ IDs for tunnels change (it does not matter if they are in Policy or Interface mode), so we have to correct our Nagios script to continue monitoring the tunnel state (using fgVpnTunEntStatus = 1.3.6.1.4.1.12356.101.12.2.2.1.20.ID). That happens about once per month.
Monitoring traffic with MRTG (also using SNMP) is much easier, because there I can specify interface names, but this is not possible in our Nagios plugin.
Sincerely
Harald
So what's the purpose of the tunnel monitor? I'm monitoring active SSLVPN client connections.
oid = 1.3.6.1.4.1.12356.101.12.2.3.1.7.1
Are you looking for tunnel stats (bytes, traffic) or something else? If the tunnels are dynamic then the ifIndex will always change based on what/who is using it. I'm only monitoring active and max SSLVPN tunnel usage in my case.
PCNSE
NSE
StrongSwan
Hello emnoc,
I'm not talking about SSLVPN tunnels, but IPSec tunnels (site-to-site VPN) with static IP addresses at the remote site. These tunnels are used by our customers. We are monitoring the tunnel state (Up or Down) with Nagios.
Sincerely
Harald
Yeah, I figured that out from your original post, so are you saying that when the tunnel goes up and down it changes ifIndex, or only when you add more tunnels?
I don't think the tunnels have a means or method for static SNMP persistence, but you can contact TAC and see what they will say. Have you looked at trying to use the interface alias name or descr? Since that would most likely always be static?
And what are you trying to graph or monitor: bytes or octets across the tunnel?
PCNSE
NSE
StrongSwan
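Keying the check on a name instead of the row index, as the last reply suggests, sketched as an added example that is not part of any post in this thread: a Nagios-style check that resolves the tunnel's current index from a name column on every run and then reads fgVpnTunEntStatus at that index. The name column OID (.2, fgVpnTunEntPhase1Name), the status values (1 = down, 2 = up), the tunnel names and the `snmpwalk -One` style sample output are assumptions or constructed samples; confirm them against the MIB for your FortiOS release.

```python
import re

# fgVpnTunEntStatus column, the OID quoted in the thread
STATUS_COL = "1.3.6.1.4.1.12356.101.12.2.2.1.20"
# Assumption: column .2 of the same table holds the phase 1 name
# (fgVpnTunEntPhase1Name); confirm against the MIB for your FortiOS release.
NAME_COL = "1.3.6.1.4.1.12356.101.12.2.2.1.2"
OK, CRITICAL, UNKNOWN = 0, 2, 3  # Nagios plugin exit codes
LINE = re.compile(r'^\.?([\d.]+)\.(\d+) = \w+: "?([^"]*)"?$')

def parse_walk(text, column):
    """Return {row_index: value} for one column of `snmpwalk -One` output."""
    rows = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) == column:
            rows[int(m.group(2))] = m.group(3)
    return rows

def check_tunnel(name, name_walk, status_walk):
    """Look the tunnel up by name on every run; never store the index."""
    names = parse_walk(name_walk, NAME_COL)
    status = parse_walk(status_walk, STATUS_COL)
    # A name may own several rows (assumed: one row per phase 2 selector).
    idx = sorted(i for i, n in names.items() if n == name)
    if not idx:
        return UNKNOWN, f"UNKNOWN - no tunnel named {name}"
    # Assumption: status 2 = up, 1 = down; a missing status row counts as down.
    down = [i for i in idx if status.get(i) != "2"]
    if down:
        return CRITICAL, f"CRITICAL - {name} down at index {down}"
    return OK, f"OK - {name} up at index {idx}"

def walk(column, values):
    """Build constructed walk output for a column from a list of row values."""
    return "\n".join(f".{column}.{i} = {v}" for i, v in enumerate(values, 1))

# Constructed sample: adding "cust-new" shifts every existing row index by one.
BEFORE = (walk(NAME_COL, ['STRING: "cust-a"', 'STRING: "cust-b"']),
          walk(STATUS_COL, ["INTEGER: 2", "INTEGER: 1"]))
AFTER = (walk(NAME_COL, ['STRING: "cust-new"', 'STRING: "cust-a"', 'STRING: "cust-b"']),
         walk(STATUS_COL, ["INTEGER: 2", "INTEGER: 2", "INTEGER: 1"]))

if __name__ == "__main__":
    for label, (n, s) in (("before", BEFORE), ("after", AFTER)):
        for tunnel in ("cust-a", "cust-b"):
            print(label, check_tunnel(tunnel, n, s)[1])
```

In a live plugin the two walk strings would come from walking the name and status columns on the device, and the first element of the returned tuple would be the process exit code.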
