CisgIpsSgGlobalStatsEntry | SEQUENCE |
cisgIpsSgProtocol | CIPsecControlProtocol |
cisgIpsSgGlobalActiveTunnels | Gauge32 |
cisgIpsSgGlobalPreviousTunnels | Counter64 |
cisgIpsSgGlobalInOctets | Counter64 |
cisgIpsSgGlobalInPkts | Counter64 |
cisgIpsSgGlobalInDropPkts | Counter64 |
cisgIpsSgGlobalInNotifys | Counter64 |
cisgIpsSgGlobalInP2SaDelReqs | Counter64 |
cisgIpsSgGlobalOutOctets | Counter64 |
cisgIpsSgGlobalOutPkts | Counter64 |
cisgIpsSgGlobalOutDropPkts | Counter64 |
cisgIpsSgGlobalOutNotifys | Counter64 |
cisgIpsSgGlobalOutP2SaDelReqs | Counter64 |
cisgIpsSgGlobalInitTunnels | Counter64 |
cisgIpsSgGlobalInitTunnelFails | Counter64 |
cisgIpsSgGlobalRespTunnels | Counter64 |
cisgIpsSgGlobalRespTunnelFails | Counter64 |
cisgIpsSgGlobalSysCapFails | Counter64 |
cisgIpsSgGlobalAuthFails | Counter64 |
cisgIpsSgGlobalDecryptFails | Counter64 |
cisgIpsSgGlobalHashValidFails | Counter64 |
cisgIpsSgGlobalBadTunnelRefs | Counter64 |
cisgIpsSgGlobalInP1SaDelReqs | Counter64 |
cisgIpsSgGlobalOutP1SaDelReqs | Counter64 |

CisgIpsSgTunnelEntry | SEQUENCE |
cisgIpsSgTunIndex | CIPsecPhase1TunnelIndex |
cisgIpsSgTunLocalType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunLocalValue | SnmpAdminString |
cisgIpsSgTunLocalAddressType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunLocalAddress | SnmpAdminString |
cisgIpsSgTunLocalName | SnmpAdminString |
cisgIpsSgTunRemoteType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunRemoteValue | SnmpAdminString |
cisgIpsSgTunRemoteAddressType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunRemoteAddress | SnmpAdminString |
cisgIpsSgTunRemoteName | SnmpAdminString |
cisgIpsSgTunEncryptAlgo | CIPsecEncryptAlgorithm |
cisgIpsSgTunEncryptKeySize | CIPsecEncryptionKeySize |
cisgIpsSgTunHashAlgo | CIPsecIkeHashAlgorithm |
cisgIpsSgTunAuthMethod | CIPsecIkeAuthMethod |
cisgIpsSgTunLifeTime | Unsigned32 |
cisgIpsSgTunActiveTime | TimeInterval |
cisgIpsSgTunInOctets | Counter32 |
cisgIpsSgTunInPkts | Counter32 |
cisgIpsSgTunInDropPkts | Counter32 |
cisgIpsSgTunInNotifys | Counter32 |
cisgIpsSgTunOutOctets | Counter32 |
cisgIpsSgTunOutPkts | Counter32 |
cisgIpsSgTunOutDropPkts | Counter32 |
cisgIpsSgTunOutNotifys | Counter32 |
cisgIpsSgTunOutP2SaDelReqs | Counter32 |
cisgIpsSgTunStatus | CIPsecTunnelStatus |
cisgIpsSgTunAction | INTEGER |

CisgIpsSgTunnelHistEntry | SEQUENCE |
cisgIpsSgTunHistIndex | Unsigned32 |
cisgIpsSgTunHistTermReason | INTEGER |
cisgIpsSgTunHistActiveIndex | CIPsecPhase1TunnelIndex |
cisgIpsSgTunHistPeerLocalType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunHistPeerLocalValue | SnmpAdminString |
cisgIpsSgTunHistPeerIntIndex | Unsigned32 |
cisgIpsSgTunHistPeerRemoteType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunHistPeerRemoteValue | SnmpAdminString |
cisgIpsSgTunHistLocalAddrType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunHistLocalAddr | SnmpAdminString |
cisgIpsSgTunHistLocalName | SnmpAdminString |
cisgIpsSgTunHistRemoteAddrType | CIPsecPhase1PeerIdentityType |
cisgIpsSgTunHistRemoteAddr | SnmpAdminString |
cisgIpsSgTunHistRemoteName | SnmpAdminString |
cisgIpsSgTunHistEncryptAlgo | CIPsecEncryptAlgorithm |
cisgIpsSgTunHistEncryptKeySize | CIPsecEncryptionKeySize |
cisgIpsSgTunHistHashAlgo | CIPsecIkeHashAlgorithm |
cisgIpsSgTunHistAuthMethod | CIPsecIkeAuthMethod |
cisgIpsSgTunHistLifeTime | Unsigned32 |
cisgIpsSgTunHistStartTime | TimeStamp |
cisgIpsSgTunHistActiveTime | TimeInterval |
cisgIpsSgTunHistInOctets | Counter64 |
cisgIpsSgTunHistInPkts | Counter64 |
cisgIpsSgTunHistInDropPkts | Counter64 |
cisgIpsSgTunHistInNotifys | Counter64 |
cisgIpsSgTunHistInP2SaDelReqs | Counter64 |
cisgIpsSgTunHistOutOctets | Counter64 |
cisgIpsSgTunHistOutPkts | Counter64 |
cisgIpsSgTunHistOutDropPkts | Counter64 |
cisgIpsSgTunHistOutNotifys | Counter64 |
cisgIpsSgTunHistOutP2SaDelReqs | Counter64 |

CisgIpsSgFailEntry | SEQUENCE |
cisgIpsSgFailIndex | Unsigned32 |
cisgIpsSgFailReason | INTEGER |
cisgIpsSgFailTime | TimeStamp |
cisgIpsSgFailLocalType | CIPsecPhase1PeerIdentityType |
cisgIpsSgFailLocalValue | SnmpAdminString |
cisgIpsSgFailRemoteType | CIPsecPhase1PeerIdentityType |
cisgIpsSgFailRemoteValue | SnmpAdminString |
cisgIpsSgFailLocalAddress | SnmpAdminString |
cisgIpsSgFailRemoteAddress | SnmpAdminString |

ciscoIPsecSignalingMIB |
1.3.6.1.4.1.9.9.438 |
This MIB Module models status, performance and failures
of a protocol with the generic characteristics of signalling
protocols used with IPsec and FC-SP protocols. Examples
of such protocols include IKE, KINK, etc. This MIB views the
common attributes of such protocols. Signaling protocols are
also referred to in this document as 'Control Protocols', since
they perform session control.

This MIB is an attempt to capture the generic aspects
of the signaling activity. The protocol-specific aspects
of a signaling protocol still need to be captured
in a protocol-specific MIB (e.g., CISCO-IKE-FLOW-MIB, etc.).

Acronyms
The following acronyms are used in this document:
  IPsec: Secure IP Protocol
  VPN: Virtual Private Network
  ISAKMP: Internet Security Association and Key Exchange
    Protocol
  IKE: Internet Key Exchange Protocol
  SA: Security Association
    (ref: rfc2408).
  Phase 1 Tunnel:
    An ISAKMP SA can be regarded as representing
    a flow of ISAKMP/IKE traffic. Hence an ISAKMP SA
    is referred to as a 'Phase 1 Tunnel' in this
    document.
  Control Tunnel:
    Another term for a Phase 1 Tunnel.
  Phase 2 Tunnel:
    An instance of a non-ISAKMP SA bundle in which all
    the SAs share the same proxy identifiers (IDii, IDir)
    and protect the same stream of application traffic.
    Such an SA bundle is termed a 'Phase 2 Tunnel'.
    Note that a Phase 2 tunnel may comprise different
    SA bundles and a different number of SA bundles at
    different times (due to key refresh).

History of the MIB
A precursor to this MIB was the IPsec Flow Monitor MIB, which
combined the objects pertaining to IKE and IPsec (Phase-2)
into a single MIB module. Furthermore, the MIB supported only
one signaling protocol, IKEv1, in addition to manual keying.
The MIB was written by Tivoli and implemented in IBM Nways
routers in 1999. During late 1999, Cisco adopted the MIB and
together with Tivoli published the IPsec Flow Monitor MIB in
IETF IPsec WG in draft-ietf-ipsec-flow-monitoring-mib-00.txt.
In 2000, the MIB was Cisco-ized and implemented as
CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms.
With the evolution of IKEv2, the MIB was modified and
presented to the IPsec WG again in May 2003 in
draft-ietf-ipsec-flow-monitoring-mib-02.txt.
With the emergence of multiple signaling protocols, it has
further evolved to define a separate set of MIB modules to
instrument IPsec signaling alone. Thus, this MIB module
is now the generic IPsec signaling MIB.

Overview of MIB
The MIB contains major groups of objects which are
used to manage the generic aspects of IPsec signaling.
These groups include global statistics, control tunnel table,
peer association group, control tunnel history group,
signaling failure group and notification group.
The global statistics, tunnel table and peer association
groups aid in the real-time monitoring of IPsec signaling
activity.
The History group is to aid applications that do
trending analysis.
The Failure group is to enable an operator to
do troubleshooting and debugging.
Further, counters are supported to aid detection
of potential security violations.
The notifications are modeled as generic IPsec control
notifications and are parameterized by the identity of the
specific signaling protocol which caused the notification
to be issued.
MODULE-IDENTITY |

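The counters that the overview describes as aids to detecting potential security violations are cumulative, so a monitor works on the difference between two polls. The following is an added example, not part of the MIB or of any Cisco tool, that does this for four failure counters of one cisgIpsSgGlobalStatsEntry row; the choice of counters, the per-minute threshold and the sample values are assumptions made here.

```python
# Added example: poll-to-poll deltas over the failure counters of one
# cisgIpsSgGlobalStatsEntry row. Sample values and thresholds are constructed.

# Counter64 columns named on this page that count rejected signaling traffic;
# treating these four as the "security" counters is this example's assumption.
SECURITY_COUNTERS = (
    "cisgIpsSgGlobalAuthFails",
    "cisgIpsSgGlobalDecryptFails",
    "cisgIpsSgGlobalHashValidFails",
    "cisgIpsSgGlobalBadTunnelRefs",
)


def counter_delta(prev, curr, bits=64):
    """Increase between two samples of an SNMP counter, or None on a reset."""
    if curr >= prev:
        return curr - prev
    if bits == 32:
        # Counter32 (the per-tunnel cisgIpsSgTun* columns) can wrap between polls.
        return curr + 2 ** 32 - prev
    # A Counter64 does not wrap in practice; going backwards means the agent
    # restarted, so the interval cannot be measured.
    return None


def evaluate(prev, curr, interval_s, per_min_threshold=5.0):
    """Return {counter: events per minute} for counters at or over threshold.

    Returns None when any counter went backwards (interval discarded).
    """
    flagged = {}
    for name in SECURITY_COUNTERS:
        delta = counter_delta(prev[name], curr[name])
        if delta is None:
            return None
        rate = delta * 60.0 / interval_s
        if rate >= per_min_threshold:
            flagged[name] = rate
    return flagged


# Constructed samples: three polls of one row, 300 seconds apart.
POLL_1 = dict(zip(SECURITY_COUNTERS, (12, 3, 0, 1)))
POLL_2 = dict(zip(SECURITY_COUNTERS, (57, 3, 2, 1)))
POLL_3 = dict(zip(SECURITY_COUNTERS, (4, 0, 0, 0)))  # after an agent restart

if __name__ == "__main__":
    print(evaluate(POLL_1, POLL_2, 300))  # only the AuthFails rate is flagged
    print(evaluate(POLL_2, POLL_3, 300))  # discontinuity, interval discarded
```

Normalising to events per minute keeps the threshold independent of the polling interval.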
cisgIpsSgGlobalStatsEntry |
1.3.6.1.4.1.9.9.438.1.1.1.1 |
Each entry contains the global statistics pertaining
to a specific signaling protocol.
Status: current |
Access: not-accessible |
OBJECT-TYPE |
CisgIpsSgGlobalStatsEntry |

cisgIpsSgTunnelEntry |
1.3.6.1.4.1.9.9.438.1.1.2.1 |
Each entry contains the attributes associated with
an active Phase-1 control Tunnel.
Status: current |
Access: not-accessible |
OBJECT-TYPE |
CisgIpsSgTunnelEntry |

cisgIpsSgTunnelHistEntry |
1.3.6.1.4.1.9.9.438.1.3.2.1 |
Each entry contains the attributes associated with
a previously active control Tunnel.
Status: current |
Access: not-accessible |
OBJECT-TYPE |
CisgIpsSgTunnelHistEntry |

cisgIpsSgFailEntry |
1.3.6.1.4.1.9.9.438.1.4.2.1 |
Each entry contains the attributes associated
with a Phase-1 failure.
Status: current |
Access: not-accessible |
OBJECT-TYPE |
CisgIpsSgFailEntry |

cisgIpsSgFailReason |
1.3.6.1.4.1.9.9.438.1.4.2.1.2 |
The reason for the failure. Possible reasons
include:
  1 = other
  2 = peer delete request was received
  3 = contact with peer was lost
  4 = local failure occurred
  5 = authentication failure
  6 = hash validation failure
  7 = encryption failure
  8 = internal error occurred
  9 = system capacity failure
  10 = proposal failure
  11 = peer's certificate is unavailable
  12 = peer's certificate was found invalid
  13 = local certificate expired
  14 = certificate revoke list (crl) failure
  15 = peer encoding error
  16 = Reference to a non-existent control tunnel
  17 = Extended User authentication failed
  18 = operator requested termination.
  19 = An attempt to establish a tunnel was aborted
       by the admission control policy (this could
       include a simple policy that limits the maximum
       active tunnels)
  20 = A protocol specific reason (look in the
       protocol-specific MIB for more info).
Status: current |
Access: read-only |
OBJECT-TYPE |
INTEGER |
other(1), peerDelRequest(2), peerLost(3), localFailure(4), authFailure(5), hashValidation(6), encryptFailure(7), internalError(8), sysCapExceeded(9), proposalFailure(10), peerCertUnavailable(11), peerCertNotValid(12), localCertExpired(13), crlFailure(14), peerEncodingError(15), nonExistentSa(16), userAuthFailure(17), operRequest(18), deniedByAdmissionControl(19), protocolSpecific(20) |

ciscoIpsSgCoreHistoryGroup |
1.3.6.1.4.1.9.9.438.2.2.2 |
This group consists of the core (mandatory)
objects pertaining to maintaining history of
signaling activity.
Status: current |
Access: read-only |
OBJECT-GROUP |

ciscoIpsSgHistoryGroup |
1.3.6.1.4.1.9.9.438.2.2.3 |
This group consists of objects that pertain
to maintenance of history of
signaling activity.
Status: current |
Access: read-only |
OBJECT-GROUP |