CISCO-IPSEC-SIGNALING-MIB: View SNMP OID List / Download MIB

This MIB Module models status, performance and failures of a protocol with the generic characteristics of signalling protocols used with IPsec and FC-SP protocols. Examples of such protocols include IKE, KINK, etc. This MIB views the common attributes of such protocols. Signaling protocols are also referred in this document as 'Control Protocols', since they perform session control. This MIB is an attempt to capture the generic aspects of the signaling activity. The protocol-specific aspects of a signaling protocol still need to be captured in a protocol-specific MIB (e.g., CISCO-IKE-FLOW-MIB, etc.). Acronyms The following acronyms are used in this document: IPsec: Secure IP Protocol VPN: Virtual Private Network ISAKMP: Internet Security Association and Key Exchange Protocol IKE: Internet Key Exchange Protocol SA: Security Association (ref: rfc2408). Phase 1 Tunnel: An ISAKMP SA can be regarded as representing a flow of ISAKMP/IKE traffic. Hence an ISAKMP is referred to as a 'Phase 1 Tunnel' in this document. Control Tunnel: Another term for a Phase 1 Tunnel. Phase 2 Tunnel: An instance of a non-ISAKMP SA bundle in which all the SA share the same proxy identifiers (IDii,IDir) protect the same stream of application traffic. Such an SA bundle is termed a 'Phase 2 Tunnel'. Note that a Phase 2 tunnel may comprise different SA bundles and different number of SA bundles at different times (due to key refresh). History of the MIB A precursor to this MIB was the IPsec Flow Monitor MIB, which combined the objects pertaining to IKE and IPsec (Phase-2) into a single MIB module. Furthermore, the MIB supported only one signaling protocol, IKEv1, in addition to manual keying. The MIB was written by Tivoli and implemented in IBM Nways routers in 1999. During late 1999, Cisco adopted the MIB and together with Tivoli publised the IPsec Flow Monitor MIB in IETF IPsec WG in draft-ietf-ipsec-flow-monitoring-mib-00.txt. In 2000, the MIB was Cisco-ized and implemented as CISCO-IPSEC-FLOW-MONITOR-MIB in IOS and VPN3000 platforms. With the evolution of IKEv2, the MIB was modified and presented to the IPsec WG again in May 2003 in draft-ietf-ipsec-flow-monitoring-mib-02.txt. With the emergence to multiple signaling protocols, it has further evolved to define separate set of MIB modules to instrument IPsec signaling alone. Thus, this MIB module is now the generic IPsec signaling MIB. Overview of MIB The MIB contains major groups of objects which are used to manage the generic aspects of IPsec signaling. These groups include a global statistics, control tunnel table, Peer association group, control tunnel history group, signaling failure group and notification group. The global statistics, tunnel table and peer association groups aid in the real-time monitoring of IPsec signaling activity. The History group is to aid applications that do trending analysis. The Failure group is to enable an operator to do troubleshooting and debugging. Further, counters are supported to aid detection of potential security violations. The notifications are modeled as generic IPsec control notifications and are parameterized by the identity of the specific signaling protocol which caused the notification to be issued.

This notification is generated when an control tunnel becomes active.

This notification is generated when an control tunnel becomes inactive.

This notification is generated when the processing for an control Tunnel experiences an system capacity error.

This notification is generated when the processing for an control Tunnel experiences a Certificate or a Certificate validation (CRL or OCSP) related error.

This Signaling Protocol global statistics table. There is one row in the following table for each signaling protocol implemented by the managed entity. There is no row corresponding to the instance 'cpNone'. If the managed entity implements more than one signaling protocol, the aggregate statistics across all the supported signaling protocols must be computed by the network management station manually; in other words, there is no conceptual row in this table corresponding to 'all signaling protocols'.

Each entry contains the global statistics pertaining to a specific signaling protocol.

The identity of the signaling protocol used by the control tunnel corresponding to this conceptual row.

The number of currently active Phase-1 control tunnels.

High capacity counter to accumulate the total number of Phase-1 control tunnels that are no longer active.

The total number of octets received by all currently and previously active Phase-1 Control Tunnels.

The total number of packets received by all currently and previously active Phase-1 Control Tunnels.

The total number of packets which were dropped during receive processing by all currently and previously active Phase-1 Control Tunnels.

The total number of notification payloads received by all currently and previously active Phase-1 Control Tunnels.

The total number of Phase-2 security association delete requests received by all currently and previously active and Phase-1 Control Tunnels.

The total number of octets sent by all currently and previously active and Phase-1 Control Tunnels.

The total number of packets sent by all currently and previously active and Phase-1 Control Tunnels.

The total number of packets which were dropped during send processing by all currently and previously active Phase-1 Control Tunnels.

The total number of notification payloads sent by all currently and previously active Phase-1 Control Tunnels.

The total number of Phase-2 tunnel delete requests sent by all currently and previously active Phase-1 Control Tunnels.

The total number of Phase-1 currently and previously active Control Tunnels which were locally initiated.

The total number of Phase-1 currently and previously active Control Tunnels which were locally initiated and failed to activate.

The total number of Phase-1 currently and previously active Control Tunnels which were remotely initiated.

The total number of Phase-1 currently and previously active Control Tunnels which were remotely initiated and failed to activate.

The total number of system capacity failures which occurred during processing of all current and previously active Phase-1 Control Tunnels.

The total number of authentications which ended in failure by all current and previous Phase-1 Control Tunnels.

The total number of decryption operations in all current and previous Phase-1 Control Tunnels which failed to yield the original payload.

The total number of hash validation operations in all current and previous Phase-1 Control Tunnels which resulted in failure.

The total number of incoming packets that refer to non-existent Phase-1 control tunnels which occurred during processing of all current and previous Phase-1 Control Tunnels.

The total number of Phase-1 security association delete requests received by all currently and previously active and Phase-1 Control Tunnels.

The total number of Phase-1 security association delete requests sent by all currently and previously active and Phase-1 Control Tunnels.

This table lists active Phase-1 control tunnels. There is one entry in this table for each active Control Tunnel.

Each entry contains the attributes associated with an active Phase-1 control Tunnel.

The index of the Phase-1 Tunnel Table. The value of the index is a number which begins at 1 and is incremented with each tunnel that is created. The value of this object will wrap at 4,294,967,296.

The type of the identity used by the managed entity authenticating itself to the peer in the setup of the tunnel corresponding to this conceptual row.

The value of the local peer identity.

The type of the address of the local endpoint of the Phase-1 Tunnel.

The address of the local endpoint for the Phase-1 Tunnel.

The DNS name of the local IP address for the Phase-1 Tunnel. If the DNS name associated with the local tunnel endpoint is not known, then the value of this object will be a zero-length string.

The type of the identity used by the remote peer in authenticating itself to the local peer in the setup of the tunnel corresponding to this conceptual row.

The value of the remote peer identity.

The type of the address of the remote endpoint for the Phase-1 Tunnel.

The address of the remote endpoint of the Phase-1 Tunnel.

The DNS name of the remote address of Phase-1 Tunnel. If the DNS name associated with the remote tunnel endpoint is not known, then the value of this object will be a zero-length string.

The encryption algorithm used in Phase-1 negotiations on the control tunnel corresponding to this conceptual row.

The size in bits of the key used for encrypting payloads by the tunnel corresponding to this conceptual row.

The hash algorithm used in Phase-1 negotiations on the control tunnel corresponding to this conceptual row.

The authentication method used in Phase-1 negotiations on the control tunnel corresponding to this conceptual row.

The negotiated LifeTime of the Phase-1 Tunnel in seconds.

The length of time the Phase-1 tunnel has been active in hundredths of seconds.

The total number of octets received by this Phase-1 Tunnel.

The total number of packets received by this Phase-1 Tunnel.

The total number of packets dropped by this Phase-1 Tunnel during receive processing.

The total number of notification payloads received by this Phase-1 Tunnel.

The total number of octets sent by this Phase-1 Tunnel.

The total number of packets sent by this Phase-1 Tunnel.

The total number of packets dropped by this Phase-1 Tunnel during send processing.

The total number of notification payloads sent by this Phase-1 Tunnel.

The total number of Phase-2 security association delete requests sent by this Phase-1 Tunnel.

The status of the MIB table row.

The action to be taken on this tunnel. If 'clear', then this tunnel is cleared. If 'rekey', then rekeying is forced on this tunnel. The value 'none' would be returned on doing read of this object. Enumeration: 'none': 1, 'clear': 2, 'rekey': 3.

The window size of the control tunnel History Tables. The control tunnel history table is implemented as a sliding window in which at most the last 'cisgIpsSgHistTableSize' entries are maintained. This object is, hence, used to control the size of the tunnel history table. An implementation may choose suitable values for this element based on the available resources. If an SNMP SET request specifies a value outside this window for this element, in appropriate SNMP error code should be returned. Setting this value to zero is equivalent to deleting all conceptual rows in the archiving table ('cisgIpsSgTunnelHistTable') and disabling the archiving of entries in the tables.

The control tunnel History Table. This table lists all instances of control tunnels that were successfully established but which are no longer in operation. An entry transitions to this table from the active tunnel table ('cisgIpsSgTunnelTable') into this table after it expires, is aborted or terminated. This table is conceptually a sliding window in which only the last 'N' entries are maintained, where 'N' is the value of the object 'cisgIpsSgHistTableSize'. If the value of 'cisgIpsSgHistTableSize' is 0, archiving of entries in this table is disabled.

Each entry contains the attributes associated with a previously active control Tunnel.

The index of the Phase-1 Control Tunnel History Table. This object has no relationship to the cisgIpsSgTunIndex of the tunnel when it was active. The value of the index is a number which begins at one and is incremented with each tunnel that ends. The value of this object will wrap at 4,294,967,296.

The reason the Phase-1 Control Tunnel was terminated. Possible reasons include: 1 = other 2 = normal termination 3 = operator request 4 = peer delete request was received 5 = contact with peer was lost 6 = applicationInitiated (eg: L2TP requesting the termination) 7 = failure of extended user authentication 8 = local failure occurred. Enumeration: 'applicationInitiated': 6, 'normal': 2, 'operRequest': 3, 'peerLost': 5, 'other': 1, 'peerDelRequest': 4, 'localFailure': 8, 'userAuthFailure': 7.

The index of the previously active Control Tunnel. This object must correspond to an expired IKE tunnel.

The type of local peer identity.

The value of the local peer identity.

The arbitrary index to keep local-remote peer association. This index is used to uniquely identify multiple associations between the local and remote peer.

The type of remote peer identity.

The value of the remote peer identity.

The type of the address of the local endpoint for the control tunnel.

The address of the local endpoint for the control tunnel.

The DNS name of the local address for the control Tunnel. If the DNS name associated with the local tunnel endpoint is not known, then the value of this object will be a zero-length string.

The type of the address of the remote endpoint for the control Tunnel.

The address of the remote endpoint for the control Tunnel.

The DNS name of the remote address of control Tunnel. If the DNS name associated with the remote tunnel endpoint is not known, then the value of this object will be a zero-length string.

The encryption algorithm used in control tunnel.

The size in bits of the key which was negotiated for the control tunnel to be used with the algorithm denoted by the column 'cisgIpsSgTunEncryptAlgo'. For DES and 3DES the key size is respectively 56 and 168. For AES, this will denote the negotiated key size.

The hash algorithm used in control tunnel negotiations.

The authentication method used in control tunnel negotiations.

The negotiated LifeTime of the control tunnel in seconds.

The value of sysUpTime in hundredths of seconds when the control tunnel was started.

The length of time the control tunnel has been active in hundredths of seconds.

The total number of octets received by this control tunnel.

The total number of packets received by this Phase-1 control tunnel.

The total number of packets dropped by this control Tunnel during receive processing.

The total number of notification payloads received by this control tunnel.

The total number of Phase-2 tunnel delete requests received by this control tunnel.

The total number of octets sent by this control Tunnel.

The total number of packets sent by this control Tunnel.

The total number of packets dropped by this control Tunnel during send processing.

The total number of notification payloads sent by this control Tunnel.

The total number of Phase-2 tunnel delete requests sent by this control tunnel.

The window size of the Internet Key Exchange Failure Tables. The Failure Table is implemented as a sliding window in which only the last 'cisgIpsSgFailTableSize' entries are maintained. This object is used specify the number of entries which will be maintained in the control tunnel Failure Table. An implementation may choose suitable minimum and maximum values for this element based on the local policy and available resources. If an SNMP SET request specifies a value outside this window for this element, an appropriate SNMP error code must be returned. Setting this value to zero is equivalent to deleting all conceptual rows in the archiving tables ('cisgIpsSgFailTable') and disabling the archiving of entries in this table.

This is the control tunnel Table and is implemented as a sliding window in which only the last 'N' entries are maintained. The maximum number of entries is specified by the object 'cisgIpsSgFailTableSize'. The failure records are catalogued under each signaling protocol type; that is, the first index of this table is the signaling protocol identifier ('cisgIpsSgProtocol'). The second index ('cisgIpsSgFailIndex') identifies the failure record uniquely in the subcategory. Should a failure be identified before the signaling protocol itself has been identified by the managed entity, the failure record will be classified under 'cpUnknown'.

Each entry contains the attributes associated with an Phase-1 failure.

The Phase-1 Failure Table index. This object has no relationship to the cisgIpsSgTunIndex of the tunnel when it was active. The value of the index is a number which begins at one and is incremented with each Phase-1 failure. The value of this object will wrap at 4,294,967,296.

The reason for the failure. Possible reasons include: 1 = other 2 = peer delete request was received 3 = contact with peer was lost 4 = local failure occurred 5 = authentication failure 6 = hash validation failure 7 = encryption failure 8 = internal error occurred 9 = system capacity failure 10 = proposal failure 11 = peer's certificate is unavailable 12 = peer's certificate was found invalid 13 = local certificate expired 14 = certificate revoke list (crl) failure 15 = peer encoding error 16 = Reference to a non-existent control tunnel 17 = Extended User authentication failed 18 = operator requested termination. 19 = An attempt to establish a tunnel was aborted by the admission control policy (this could include a simple policy that limits the maximum active tunnels) 20 = A protocol specific reason (look in the protocol-specific MIB for more info). Enumeration: 'sysCapExceeded': 9, 'encryptFailure': 7, 'peerCertNotValid': 12, 'authFailure': 5, 'deniedByAdmissionControl': 19, 'internalError': 8, 'proposalFailure': 10, 'operRequest': 18, 'peerLost': 3, 'crlFailure': 14, 'other': 1, 'peerDelRequest': 2, 'localFailure': 4, 'peerEncodingError': 15, 'nonExistentSa': 16, 'protocolSpecific': 20, 'peerCertUnavailable': 11, 'userAuthFailure': 17, 'localCertExpired': 13, 'hashValidation': 6.

The value of sysUpTime in hundredths of seconds at the time of the failure.

The type of local peer identity.

The value of the local peer identity.

The type of remote peer identity.

The value of the remote peer identity.

The address of the local peer. The value of cisgIpsSgFailLocalType identifies the type of the address contained in this object.

The address of the remote peer. The value of cisgIpsSgFailLocalType identifies the type of the address contained in this object.

This object acts as the knob that controls the the administrative state of sending any notification defined in this MIB module. That is, a particular notification 'foo' defined in this MIB module is enabled if and only if the expression cisgIpsSgNotifCntlAllNotifs && cisgIpsSgNotifCntl evaluates to 'true'.

This object defines the administrative state of sending the Control Tunnel Start notification. If the value of this object is 'true', the issuing of the notification 'cisgIpsSgTunnelStart' is enabled.

This object defines the administrative state of sending the Control Tunnel Stop notification. If the value of this object is 'true', the issuing of the notification 'cisgIpsSgTunnelStop' is enabled.

This object defines the administrative state of sending the System Failure notification. If the value of this object is 'true', the issuing of the notification 'ciscoIpsSgSysFailure' is enabled.

This object defines the administrative state of sending the Certificate/CRL Failure notification. If the value of this object is 'true', the issuing of the notification 'ciscoIpsSgCertCrlFailure' is enabled.

The compliance statement for SNMP entities the IPsec Signaling MIB.

This group consists of: 1) Signaling Global Objects 2) control Tunnel table.

This group consists of the core (mandatory) objects pertaining to maintaining history of signaling activity.

This group consists of objects that pertain to maintenance of history of signaling activity.

This group consists of the core (mandatory) objects pertaining to maintaining history of failure signaling activity.

This group consists of objects that pertain to maintenance of history of failures associated with Ipsec signaling activity.

This group of objects controls the sending of notifications pertaining to signaling operations.

This group contains the notifications pertaining to Ipsec signaling operations.