
14.1.7 IPSec monitoring servers

The IPSec monitoring server is an active and discoverable PVSR module. The measurement server takes into account both the timeout and retries values set for the equipment and uses them when performing the SNMP query of the equipment. Besides the basic parameters, the equipment has the following additional parameters (the code of the parameter is given in parentheses; see Subsection 7.5.6 on Parameters of non-SNMP data collectors):

  • IP address (IPSEC EQ 1 IP): Single line text field, which cannot be seen by non-administrators. It contains the IP address of the equipment, as for normal SNMP equipment.
  • Community (IPSEC EQ 2 COMM): Single line text field, which cannot be seen by non-administrators. It contains the community string (password) of the equipment, as for SNMP equipment; if it is not specified, public is used.
  • SNMP version (IPSEC EQ 3 SNMP): Drop-down field, which cannot be seen by non-administrators. It contains the SNMP version used for the query, as for normal SNMP equipment.


For IPSec monitoring servers, the measurement definitions can use only a predefined set of variables. Based on these, there are 48 default measurement definitions in the system, but they can naturally be modified freely. The variable names are the following:

  • Basic Cisco IPSec variables: Several general Cisco IPSec variables are included in the measurement server, each of which is a non-table variable. The names of these variables coincide with the Cisco MIB variable names. The meanings of the returned values are defined in the MIB, with the exception of the octet counters, which are returned as rates in bit/s. The handled variables:

cikeGlobalInDropPkts / cikeGlobalOutDropPkts, cikeGlobalInP2SaDelRequests / cikeGlobalOutP2SaDelRequests, cikeGlobalInP2Exchgs / cikeGlobalOutP2Exchgs, cikeGlobalInP2ExchgInvalids / cikeGlobalOutP2ExchgInvalids, cikeGlobalInP2ExchgRejects / cikeGlobalOutP2ExchgRejects, cikeGlobalAuthFails, cikeGlobalSysCapFails, cikeGlobalDecryptFails, cikeGlobalInitTunnelFails, cikeGlobalRespTunnelFails, cikeGlobalNoSaFails, cikeGlobalHashValidFails, cikeGlobalInitTunnels, cikeGlobalInNotifys / cikeGlobalOutNotifys, cikeGlobalInOctets / cikeGlobalOutOctets, cikeGlobalInPkts / cikeGlobalOutPkts, cikeGlobalActiveTunnels, cipSecGlobalInAuths / cipSecGlobalOutAuths, cipSecGlobalInAuthFails / cipSecGlobalOutAuthFails, cipSecGlobalInDrops / cipSecGlobalOutDrops, cipSecGlobalInDecrypts / cipSecGlobalOutEncrypts, cipSecGlobalInDecryptFails / cipSecGlobalOutEncryptFails, cipSecGlobalInDecompOctets / cipSecGlobalOutUncompOctets, cipSecGlobalInReplayDrops, cipSecGlobalSysCapFails, cipSecGlobalProtocolUseFails, cipSecGlobalNoSaFails, cipSecGlobalInOctets / cipSecGlobalOutOctets, cipSecGlobalInPkts / cipSecGlobalOutPkts, cipSecGlobalActiveTunnels

  • sysUptime: returns the sysUptime value of the system divided by 100, that is, the uptime in seconds (the MIB reports it in hundredths of a second)
  • Basic VPN3000 variables: Several general VPN3000 variables are supported by the measurement server, each of which is a non-table variable. The names of the variables and the meanings of the returned values are defined in the MIB. The variables are:

alActiveSessionCount, alGeneralGaugeActiveSessions, alGeneralGaugeCpuUtil, alHardwareCpuTemp, alHardwareCageTemp, alActiveLanToLanSessionCount, alMaxSessionCount, alActiveManagementSessionCount, alActiveRemoteAccessSessionCount, alGeneralGaugeThroughput

  • Table variables: In measurement definitions they are typically referenced as #VARIABLE.PORT# or #VARIABLE.IDENTIFIER#, but their .PRE form can naturally also be used. The value of each of these variables is calculated over all current sessions of the given user name, or of the IP address in the case of Lan2Lan:
    • sessionCount: The current number of sessions with the given user name
    • alActiveSessionOctetsSent: The sent traffic in bit/s
    • alActiveSessionOctetsRcvd: The received traffic in bit/s
    • alActiveSessionConnectTime: The elapsed time of the connection in milliseconds. It is defined only if the user currently has a single connection.
    • alActiveSessionProtocol: The value of the session protocol MIB variable; the predefined measurements use this to distinguish Lan2Lan measurements
  • String variables: The previous variables can be used not only in expressions, but also in the precondition, multiplier or description OID fields. In contrast, the following variables are strings, so they can be used only in a condition or description OID:
    • alActiveSessionUserName: The name or the IP address of the connecting user


For session level variables the measurement server aggregates the individual, possibly simultaneous sessions that belong to the same user. The sessions are grouped according to the user name stored in the alActiveSessionUserName variable, with the exception that the names are first converted to lower case, and measurement discovery also creates lower case indices. For example, if a user is logged in with both the DOMAIN\\USER and domain\\User names, then the first name (in session order) is offered as the user name (e.g. DOMAIN\\USER), but the index of the measurements will predictably be domain\\user. Accordingly, if measurements are created manually rather than by discovery, all lower case letters should be used, so that the measurement is still monitored by discovery after an incidental manual modification, and so that the same measurement is not accidentally entered again with all lower case letters by someone else who found it through discovery. Although this would not be a problem for the measurement server, and the same value would appear in both cases, it could be confusing for the users.
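The grouping rule above (lower-cased index, first-seen spelling as display name, summed traffic, connect time only for a single session) written out as an added Python example; this is illustrative code, not PVSR's implementation, and the session rows, protocol codes and poll interval are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    """One row of the active-session table; field names follow the MIB variables."""
    user_name: str        # alActiveSessionUserName (user name, or IP address for Lan2Lan)
    octets_sent: int      # alActiveSessionOctetsSent (raw counter)
    octets_rcvd: int      # alActiveSessionOctetsRcvd (raw counter)
    connect_time_ms: int  # alActiveSessionConnectTime
    protocol: int         # alActiveSessionProtocol (codes below are constructed, not MIB values)


@dataclass
class UserAggregate:
    display_name: str     # first spelling seen in session order, offered by discovery
    index: str            # lower-cased name used as the measurement index
    session_count: int = 0
    octets_sent: int = 0
    octets_rcvd: int = 0
    connect_time_ms: Optional[int] = None  # defined only while the user has one session


def aggregate_sessions(sessions: List[Session]) -> Dict[str, UserAggregate]:
    """Group sessions by lower-cased user name and sum them, as the text describes."""
    result: Dict[str, UserAggregate] = {}
    for s in sessions:
        key = s.user_name.lower()
        agg = result.setdefault(key, UserAggregate(display_name=s.user_name, index=key))
        agg.session_count += 1
        agg.octets_sent += s.octets_sent
        agg.octets_rcvd += s.octets_rcvd
        # connect time is only meaningful for a single session; undefined otherwise
        agg.connect_time_ms = s.connect_time_ms if agg.session_count == 1 else None
    return result


def bits_per_second(prev_octets: int, curr_octets: int, interval_s: float) -> float:
    """Turn two polls of an octet counter into bit/s; a counter that went backwards
    (session re-established between polls) yields 0 instead of a negative rate."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    return max(curr_octets - prev_octets, 0) * 8 / interval_s


# Constructed sample rows: one user logged in twice with different casing,
# plus a single Lan2Lan peer identified by its IP address.
SAMPLE_SESSIONS = [
    Session("DOMAIN\\USER", 1_000, 4_000, 600_000, 2),
    Session("domain\\User", 2_000, 1_000, 120_000, 2),
    Session("192.0.2.10", 50_000, 60_000, 3_600_000, 3),
]
```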


The measurement server registers the known measurements by default during installation. Most of these correspond to the list of available variables, combining the in and out variables into a single measurement where possible: Active IKE tunnel, Active IPSec tunnel, Active session, Active session usage, CPU usage, IKE authentication errors, IKE packets, IKE decrypting errors, IKE dropped packets, IKE notices, IKE exchanges, IKE traffic, IKE hash validation errors, IKE invalid exchanges, IKE locally initialized tunnel, IKE unsuccessful locally initialized tunnel, IKE nonexistent Security Association errors, IKE system capacity errors, IKE unsuccessful remotely initialized tunnel, IKE deletion requests, IKE refused exchanges, IPSec Anti-Replay dropped packets, IPSec authentications, IPSec packets, IPSec decompressed traffic, IPSec decrypting, IPSec dropped packets, IPSec traffic, IPSec nonexistent Security Association errors, IPSec protocol usage errors, IPSec system capacity errors, IPSec unsuccessful authentications, IPSec unsuccessful decryption, Lan2Lan session, Management session, Maximum session, Remote session, Throughput usage, Uptime.


Only positive values are stored for the temperature variables (Cage and CPU temperature).


Two types of measurements are installed for session level variables. Both contain the traffic, connection time and session count variables; they differ only in the type of discovery:

  • LanToLan Session elapsed time, LanToLan Session traffic, LanToLan Session count: offered during discovery only for LanToLan type connections. Since the system performs discovery periodically, this measurement server stores the previously encountered user names and IP addresses in a local file, so the measurements are not deleted when the equipment is modified or discovery is run again. Because this list is stored in a file in the tmp directory, this server can only be used if it is the only server in its measurement group.
  • Non-LanToLan Session elapsed time, Non-LanToLan Session traffic, Non-LanToLan Session count: the same as the previous case, except that it is offered only for non-LanToLan connections.


As can be seen above, the IPSec monitoring server provides UPTIME data and also displays it as a measurement.


During installation the measurement server also creates a “Default IPSec” equipment template, which can be used to create global variables and LanToLan session variables. Moreover, several chart templates are created as well:

  • IPSec LanToLan traffic IN: the input traffic of the LanToLan type sessions, drawn as stacked columns
  • IPSec LanToLan traffic OUT: the output traffic of the LanToLan type sessions, drawn as stacked columns


The collector-specific pages mentioned in section 14.1.2 SNMP measurement servers can also be used for this equipment, except the Processes and Disks pages.