snthl
Explorer

Monitoring VPN tunnels through SNMP Mibs

I am trying to monitor a VPN site-to-site tunnel via SNMP MIBs. In this regard, I have a few questions, and I could not conclusively get the information from the documents.

  1. The tunnelTable (.1.3.6.1.4.1.2620.500.9002.1) has the VPN tunnel entries. I currently have access and the snmpwalks from only one side of the VPN Gateway. Will the Gateways at both ends of the tunnel report the same tunnel, each reporting the other as the VPN peer?
  2. The MIB OID tunnelInterface (.1.3.6.1.4.1.2620.500.9002.1.6) doesn't have any value in the snmpwalk file I got. I assume this is the name of the interface on which this VPN tunnel is operating. Should I expect to always see a valid value for this MIB OID, or are there reasons why I may not see any value for it?
  3. Related to the above question, I have the same doubt about tunnelSourceIpaddress. Should I expect to always see a valid value for this MIB OID as well for a VPN tunnel?
  4. Are the MIB OIDs tunnelInterface and tunnelSourceIPAddress the interface and IP address of the VPN gateway reporting the VPN tunnel in the tunnelTable MIB?
  5. What does the MIB OID tunnelPeerObjName (.1.3.6.1.4.1.2620.500.9002.1.2) give? Is it the VPN Gateway's host name, or a configured name for the VPN?
  6. There are two MIB tables that give VPN tunnel information: tunnelTable (.1.3.6.1.4.1.2620.500.9002) and permanentTunnelTable (.1.3.6.1.4.1.2620.500.9003). It appears the tunnelTable has both regular and permanent VPN tunnel information, so that I can get all VPN tunnels of a gateway from the tunnelTable entries alone. Is that correct?

 

Thanks in advance for any help in getting answers or pointing to any doc/material that can provide answers.

0 Kudos
4 Replies
PhoneBoy
Admin

1. My understanding is yes.
2-4. I believe they may only be relevant if you are using route-based VPNs, but I'm not sure and recommend consulting with the TAC: https://help.checkpoint.com
5. Believe it's the object name as defined in SmartConsole.
6. The documentation says to monitor tunnelTable: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Chassis_AdminGuide/Content/T...

0 Kudos
snthl
Explorer

Thanks a lot for your response.  

0 Kudos
David_C1
Advisor

I've been fighting with snmp for tunnel monitoring for a few months now... and I can tell you that the data in .1.3.6.1.4.1.2620.500.9002.1 cannot be trusted. The snmp data shows tunnel status as "down"; this is obviously contradicted by my logs, which show encrypted/decrypted traffic going through this tunnel. It is also contradicted by the output of 'vpn tu tlist', which shows tunnels as established. I assume the tunnel status shown in SmartView Monitor is based on snmp - this is inaccurate as well. This is a problem as I'm trying to configure alerts for tunnel up/down status, and I don't have an accurate way to get this information.

Frustrating to say the least - it's the year 2024, we should not have to be dealing with bugs in snmp.

Dave

(1)
the_rock
Legend

My experience is sadly the same...

Best,

Andy

0 Kudos
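An added example, not posted by anyone in this thread: a small Python parser that pivots numeric `snmpwalk -On` output for the tunnelTable subtree into one record per row and lists the columns that came back empty, which is the situation described for tunnelInterface in question 2. Only the two column numbers quoted in the thread are named; the sample walk lines, peer names and row-index suffixes are constructed, and the assumption that everything after the column number identifies the row is this example's own.

```python
import re
from collections import defaultdict

# Subtree under which the thread's column OIDs sit (.9002.1.2, .9002.1.6).
ENTRY = "1.3.6.1.4.1.2620.500.9002.1"
# Only the column numbers stated in the thread are named; others stay numeric.
COLUMNS = {2: "tunnelPeerObjName", 6: "tunnelInterface"}

# Matches '.<oid> = TYPE: value' and the type-less form '.<oid> = ""'.
LINE = re.compile(r'^\.?([0-9.]+)\s*=\s*(?:([A-Za-z0-9-]+):\s*)?(.*)$')

def pivot(walk_text):
    """Return {row_index: {column_name: value}} for lines under ENTRY."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m or not m.group(1).startswith(ENTRY + "."):
            continue  # not part of the tunnel table
        # Assumption: first sub-identifier is the column, the rest is the row.
        col, _, index = m.group(1)[len(ENTRY) + 1:].partition(".")
        if not col.isdigit() or not index:
            continue
        value = m.group(3).strip().strip('"')
        rows[index][COLUMNS.get(int(col), "column" + col)] = value
    return dict(rows)

def empty_columns(rows):
    """Return {row_index: [names of columns whose value is empty]}."""
    report = {}
    for index, cols in rows.items():
        missing = sorted(name for name, value in cols.items() if value == "")
        if missing:
            report[index] = missing
    return report

# Constructed sample walk (documentation-range addresses, invented names).
SAMPLE = '''\
.1.3.6.1.4.1.2620.500.9002.1.2.203.0.113.10.0 = STRING: "peer-gw-a"
.1.3.6.1.4.1.2620.500.9002.1.6.203.0.113.10.0 = ""
.1.3.6.1.4.1.2620.500.9002.1.2.198.51.100.7.0 = STRING: "peer-gw-b"
.1.3.6.1.4.1.2620.500.9002.1.6.198.51.100.7.0 = STRING: "vpnt1"
.1.3.6.1.2.1.1.5.0 = STRING: "gw-local"
'''

if __name__ == "__main__":
    table = pivot(SAMPLE)
    for index, missing in empty_columns(table).items():
        print(index, table[index].get("tunnelPeerObjName"), "empty:", missing)
```

Given the reports above that this table can disagree with `vpn tu tlist`, the output is best treated as a record of what the agent returned, not as confirmed tunnel state.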
