SRX Services Gateway
Visitor
Posts: 4
Registered: ‎02-08-2016
0 Kudos

VPN tunnels monitoring

Dears,

 

We have an SRX5800 that is running Junos 12.1X46-D35.1.

We have implemented VPN tunnels and we want to monitor them (number of active tunnels, number of down tunnels) using MIBs.

I want to know if there is an OID that monitors the number of IPsec tunnels and the subinterfaces of st0.

 

Best regards.

Distinguished Expert
Posts: 4,770
Registered: ‎03-30-2009
0 Kudos

Re: VPN tunnels monitoring

Check out the Junos MIB Explorer search.

 

https://contentapps.juniper.net/mib-explorer/search.jsp

 

I think the OID for active tunnels you want is:  

Name: jnxVpnActiveVpns
OID: 1.3.6.1.4.1.2636.3.26.1.1.2.0
Syntax: Gauge 32
Access: read-only
Status: current
Description: Number of active VPNs.

I don't see a count for down tunnels, but there is a trap for the tunnel going down:

Name: jnxVpnIfDown
OID: 1.3.6.1.4.1.2636.3.26.0.2
Syntax: TRAP
Status: current
Description: A jnxVpnIfDown notification is generated when the interface with index jnxVpnIfIndex belonging to the VPN named jnxVpnIfVpnName of type jnxVpnIfVpnType transitions to the 'down' state.

I don't see what you are looking for on the interface for VPN.  But you might be able to use the jnxVpnIfEntry tree to monitor what you are looking for.

 

jnxVpnIfTable

  • jnxVpnIfEntry
    • jnxVpnIfVpnType
    • jnxVpnIfVpnName
    • jnxVpnIfIndex
    • jnxVpnIfRowStatus
    • jnxVpnIfStorageType
    • jnxVpnIfAssociatedPw
    • jnxVpnIfProtocol
    • jnxVpnIfInBandwidth
    • jnxVpnIfOutBandwidth
    • jnxVpnIfStatus

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Visitor
Posts: 4
Registered: ‎02-08-2016
0 Kudos

Re: VPN tunnels monitoring

Dears,

I have tried all the mentioned OIDs but nothing was working for our case.
All the "show snmp mib walk <OIDs>" outputs are empty.


It may be software version dependent, or is there any special treatment that enables VPN monitoring using MIBs?


Best regards.
Bassem
Visitor
Posts: 4
Registered: ‎02-08-2016
0 Kudos

Re: VPN tunnels monitoring

Dears,

 

We still need the mentioned OIDs.

Please, is there anyone who faced this issue and succeeded in finding the solution?

 

I am looking forward to reading your notes, please.

 

Best regards.

Bassem

Distinguished Expert
Posts: 4,770
Registered: ‎03-30-2009
0 Kudos

Re: VPN tunnels monitoring

I've set up some active VPN tunnels and run the SNMP MIB tests on the Junos command line.  I get the same results you mention, no results, and I can see the active SA on the box at the time.  So these don't work even on an SRX running 12.3.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 16
Registered: ‎05-01-2014
0 Kudos

Re: VPN tunnels monitoring

Hi Gents, 

 

The MIB OID you are looking into is for MPLS VPNs, not IPsec.

 

Regards

Abdellah HAMDAD
Senior Network Consultant
JNCIE-SP/ENT/SEC
JNCIP-DC
JNCSP-SP/ENT/SEC
JNCDS-WAN/DC/SEC
Distinguished Expert
Posts: 4,770
Registered: ‎03-30-2009
0 Kudos

Re: VPN tunnels monitoring

Thanks Abdellah,

 

Looks like this is the correct tree section on the MIB and there are a number of phase 1 and phase 2 specific options to consider for monitoring down from here.

 

jnxIpSecMonitorMIB

 

https://apps.juniper.net/mib-explorer/search.jsp#object=jnxIpSecMonitorMIB&product=Junos%20OS&releas...

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
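
For the st0 subinterface part of the original question, the standard IF-MIB can be polled without relying on the Juniper enterprise OIDs discussed in the thread. The following is an added example, not code from any poster: it assumes st0 logical units appear in ifDescr as st0.N and that a unit's ifOperStatus follows its tunnel state, and the walk output it parses is a constructed sample.

```python
import re

IF_DESCR = "1.3.6.1.2.1.2.2.1.2"        # IF-MIB ifDescr
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"  # IF-MIB ifOperStatus (1 = up, 2 = down)
# Constructed `snmpwalk -On` output; ifIndex values and unit numbers are made up.
SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.501 = STRING: ge-0/0/0.0
.1.3.6.1.2.1.2.2.1.2.510 = STRING: st0.0
.1.3.6.1.2.1.2.2.1.2.511 = STRING: st0.1
.1.3.6.1.2.1.2.2.1.2.512 = STRING: "st0.2"
.1.3.6.1.2.1.2.2.1.2.513 = STRING: st0.3
.1.3.6.1.2.1.2.2.1.8.510 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.8.511 = INTEGER: down(2)
.1.3.6.1.2.1.2.2.1.8.512 = INTEGER: 1
"""

LINE_RE = re.compile(r"^\.?([\d.]+)\.(\d+) = \w+: (.*)$")

def parse_walk(text):
    """Build {ifIndex: {"descr": str, "oper": int}} from numeric snmpwalk output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # timeouts, "No Such Object" and similar lines
        column, index, value = m.groups()
        row = table.setdefault(int(index), {})
        if column == IF_DESCR:
            row["descr"] = value.strip('"')
        elif column == IF_OPER_STATUS:
            digits = re.findall(r"\d+", value)  # "down(2)" or bare "2"
            if digits:
                row["oper"] = int(digits[-1])
    return table

def st0_summary(table):
    """Group st0.N units by state (assumes ifOperStatus tracks the tunnel)."""
    summary = {"up": [], "down": [], "unknown": []}
    for row in table.values():
        descr = row.get("descr", "")
        if not re.fullmatch(r"st0\.\d+", descr):
            continue
        oper = row.get("oper")
        # No status row -> unknown; any status other than up(1) counts as down.
        state = "unknown" if oper is None else "up" if oper == 1 else "down"
        summary[state].append(descr)
    return {state: sorted(units) for state, units in summary.items()}

if __name__ == "__main__":
    print(st0_summary(parse_walk(SAMPLE_WALK)))
```

A unit that has an ifDescr row but no ifOperStatus row is reported as unknown rather than counted as down, so a partial walk does not raise a false tunnel-down alert.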