The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The IP Security (IPsec) SNMP Support feature introduces support for industry-standard IPsec MIBs and Cisco IOS XE-software specific IPsec MIBs.
The commands in this feature allow you to examine the version of the IPsec MIB feature, to enable and disable SNMP traps, and to monitor and control the size of the buffers used by this feature.
Note |
This document focuses on Cisco IOS XE CLI support for the Cisco IPsec MIBs. This document also lists which elements of the MIBs are currently supported. This document does not describe SNMP configuration (from a Network Management Station) of the Cisco IPsec MIBs. |
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note that these failure notices are recorded in the failure tables, but are not available as SNMP notifications (traps).
The IP Security (IPsec) SNMP Support feature introduces support for industry-standard IPsec MIBs and Cisco IOS XE-software specific IPsec MIBs.
The IPsec MIBs allow IPsec configuration monitoring and IPsec status monitoring using SNMP, and can be integrated in a variety of Virtual Private Network (VPN) management solutions.
For example, this feature allows you to specify the desired size of a tunnel history table or a tunnel failure table using the Cisco IOS XE CLI. The history table archives attribute and statistic information about the tunnel; the failure table archives tunnel failure reasons along with the time failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.
This feature also provides IPsec Simple Network Management Protocol (SNMP) notifications for use with network management systems.
The IPsec--SNMP Support feature was designed to support the VPN Device Manager (VDM). VDM enables network administrators to manage and configure site-to-site VPNs on a single device from a web browser and to see the effects of changes in real time. VDM implements a wizard-based graphical user interface (GUI) to simplify the process of configuring site-to-site VPNs using the IPsec protocol. VDM software is installed directly on Cisco VPN routers, and is designed for use and compatibility with future Device Manager products.
To enable IPsec SNMP notifications, perform the following steps.
For more information on configuring SNMP, refer to the chapter "Configuring SNMP Support" in the Cisco IOS XE Configuration Fundamentals Configuration Guide .
The default failure history table size is 200. To change the size of the failure history table, perform the following steps.
The default tunnel history table size is 200. To change the size of the tunnel history table, perform the following steps.
To verify that the IPsec MIB feature is configured properly, perform the following tasks:
Router# show crypto mib ipsec flowmib history failure size
IPSec Failure Window Size: 140
Router# show crypto mib ipsec flowmib history tunnel size
IPSec History Window Size: 130
Router# show crypto mib ipsec flowmib version
IPSec Flow MIB version: 1
Router# debug crypto mib
Crypto IPSec Mgmt Entity debugging is on
To monitor the status of IPsec MIB information, use any of the following commands.
In the following example, IPsec notifications are enabled:
snmp-server enable traps ipsec isakmp
In the following example, the router is configured to send IPsec notifications to the host nms1.example.com:
snmp-server host nms1.example.com public ipsec isakmp Translating "nms1.example.com"...domain server (172.00.0.01) [OK]
In the following example, the specified failure history table size is 140:
crypto mib ipsec flowmib history failure size 140
In the following example, the specified tunnel history table size is 130:
crypto mib ipsec flowmib history tunnel size 130
The following sections provide references related to the IPsec--SNMP Support feature.
Related Topic |
Document Title |
---|---|
IPsec and related security information |
" Configuring Security for VPNs with IPsec " module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity |
Security commands |
Cisco IOS Security Command Reference |
SNMP configuration information |
" Configuring SNMP Support " module in the Cisco IOS XE Network Management Configuration Guide |
IOS command index, including SNMP commands |
Cisco IOS Master Command List , All Releases |
Standard |
Title |
---|---|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
-- |
RFC |
Title |
---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
-- |
Description |
Link |
---|---|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for IPsec SNMP Support |
Feature Name |
Releases |
Feature Information |
---|---|---|
IPsec SNMP Support |
Cisco IOS XE Release 2.1 |
The IP Security (IPsec) SNMP Support feature introduces support for industry-standard IPsec MIBs and Cisco IOS XE-software specific IPsec MIBs. The following commands were introduced or modified: crypto mib ipsec flowmib history failure size, crypto mib ipsec flowmib history tunnel size, debug crypto mib, show crypto mib ipsec flowmib history failure size, show crypto mib ipsec flowmib history tunnel size, show crypto mib ipsec flowmib version, snmp-server enable traps ipsec, snmp-server enable traps isakmp, snmp-server host. |
CA --certificate authority. A certificate authority (CA) is an entity in a network that issues and manages security credentials and public keys (in the form of X509v3 certificates) for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. Certificates generally include the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.
IP Security--See IPsec.
IPsec--Internet Protocol Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Management Information Base--See MIB.
MIB--Management Information Base. Database of network management information that is used and maintained by a network management protocol such as Simple Network Management Protocol (SNMP) or Common Management Information Protocol (MIP). The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a graphical user interface (GUI) network management system (NMS). MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.
Simple Network Management Protocol--See SNMP.
SNMP--Simple Network Management Protocol. An application-layer protocol that provides a message format for communication between SNMP managers and agents.
trap--Message sent by an SNMP agent to a network management system, console, or terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.