14.1.7 IPSec monitoring servers
The IPSec monitoring server is an active and discoverable PVSR module. The measurement server takes into account both the timeout and retries values set for the equipment, and uses these to perform the SNMP query of the equipment. Besides the basic parameters, the equipment has the following additional parameters (the code of the parameter is given in parentheses; see Subsection 7.5.6 on Parameters of non-SNMP data collectors):
For IPSec monitoring servers, the measurement definitions can use only a predefined set of variables. Based on these, there are 48 default measurement definitions in the system, but naturally these can be modified freely. The variable names are the following:
cikeGlobalInDropPkts / cikeGlobalOutDropPkts, cikeGlobalInP2SaDelRequests / cikeGlobalOutP2SaDelRequests, cikeGlobalInP2Exchgs / cikeGlobalOutP2Exchgs, cikeGlobalInP2ExchgInvalids / cikeGlobalOutP2ExchgInvalids, cikeGlobalInP2ExchgRejects / cikeGlobalOutP2ExchgRejects, cikeGlobalAuthFails, cikeGlobalSysCapFails, cikeGlobalDecryptFails, cikeGlobalInitTunnelFails, cikeGlobalRespTunnelFails, cikeGlobalNoSaFails, cikeGlobalHashValidFails, cikeGlobalInitTunnels, cikeGlobalInNotifys / cikeGlobalOutNotifys, cikeGlobalInOctets / cikeGlobalOutOctets, cikeGlobalInPkts / cikeGlobalOutPkts, cikeGlobalActiveTunnels, cipSecGlobalInAuths / cipSecGlobalOutAuths, cipSecGlobalInAuthFails / cipSecGlobalOutAuthFails, cipSecGlobalInDrops / cipSecGlobalOutDrops, cipSecGlobalInDecrypts / cipSecGlobalOutEncrypts, cipSecGlobalInDecryptFails / cipSecGlobalOutEncryptFails, cipSecGlobalInDecompOctets / cipSecGlobalOutUncompOctets, cipSecGlobalInReplayDrops, cipSecGlobalSysCapFails, cipSecGlobalProtocolUseFails, cipSecGlobalNoSaFails, cipSecGlobalInOctets / cipSecGlobalOutOctets, cipSecGlobalInPkts / cipSecGlobalOutPkts, cipSecGlobalActiveTunnels
alActiveSessionCount, alGeneralGaugeActiveSessions, alGeneralGaugeCpuUtil, alHardwareCpuTemp, alHardwareCageTemp, alActiveLanToLanSessionCount, alMaxSessionCount, alActiveManagementSessionCount, alActiveRemoteAccessSessionCount, alGeneralGaugeThroughput
For session-level variables, the measurement server aggregates the individual, possibly simultaneous sessions that belong to the same user. The sessions are grouped by the user name stored in the alActiveSessionUserName variable, except that the names are first converted to lower case, and lower-case indices are also created for measurement discovery. For example, if a user is logged in under both the DOMAIN\USER and domain\User names, then the first name in session order (e.g. DOMAIN\USER) is offered as the user name, but the index of the measurements is predictably domain\user. Accordingly, if measurements are created manually rather than through discovery, all lower-case letters should be used. This keeps the measurement monitored by discovery after an incidental manual modification, and prevents someone else who finds it through discovery from accidentally entering the same measurement again in all lower-case letters. A duplicate would not be a problem for the measurement server, and the same value would appear in both cases, but it could be confusing for users. The measurement server by default registers the known measurements during installation.
Most of these correspond to the available list of variables, combining the in and out variables into a single measurement where possible: Active IKE tunnel, Active IPSec tunnel, Active session, Active session usage, CPU usage, IKE authentication errors, IKE packets, IKE decrypting errors, IKE dropped packets, IKE notices, IKE exchanges, IKE traffic, IKE hash validation errors, IKE invalid exchanges, IKE locally initialized tunnel, IKE unsuccessful locally initialized tunnel, IKE nonexistent Security Association errors, IKE system capacity errors, IKE unsuccessful remotely initialized tunnel, IKE deletion requests, IKE refused exchanges, IPSec Anti-Replay dropped packets, IPSec authentications, IPSec packets, IPSec decompressed traffic, IPSec decrypting, IPSec dropped packets, IPSec traffic, IPSec nonexistent Security Association errors, IPSec protocol usage errors, IPSec system capacity errors, IPSec unsuccessful authentications, IPSec unsuccessful decryption, Lan2Lan session, Management session, Maximum session, Remote session, Throughput usage, Uptime.
Only the positive values are stored for temperature variables: Cage and CPU temperature.
Two types of measurements are installed for session-level variables. Both of them contain the traffic, connection time and session count variables. They differ only in the type of discovery:
As can be seen above, the IPSec monitoring server provides UPTIME data and also displays it as a measurement. During installation the measurement server also creates a “Default IPSec” equipment template, which can be used to create global variables and LanToLan session variables. Moreover, several chart templates are created as well:
The collector-specific pages mentioned in Section 14.1.2 SNMP measurement servers can also be used for this equipment, except the Processes and the Disks pages.
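
The per-user aggregation of session-level variables described earlier in this section can be sketched as follows. This is an added example, not PVSR code: only alActiveSessionUserName is a name from the documentation, while the octet and time fields, the function names and the choice to sum per-session values are assumptions made for illustration.

```python
# Constructed sample rows; only alActiveSessionUserName comes from the page,
# the other fields are hypothetical stand-ins for per-session variables.
SESSIONS = [
    {"alActiveSessionUserName": "DOMAIN\\USER", "in_octets": 1200, "out_octets": 300, "conn_secs": 60},
    {"alActiveSessionUserName": "domain\\User", "in_octets": 800, "out_octets": 700, "conn_secs": 45},
    {"alActiveSessionUserName": "DOMAIN\\Admin", "in_octets": 50, "out_octets": 10, "conn_secs": 5},
]


def aggregate_sessions(sessions):
    """Group sessions by lower-cased user name, preserving session order."""
    groups = {}
    for s in sessions:
        name = s["alActiveSessionUserName"]
        index = name.lower()  # the measurement index is always lower case
        g = groups.setdefault(index, {
            "user_name": name,  # first spelling in session order is offered
            "session_count": 0, "in_octets": 0, "out_octets": 0, "conn_secs": 0,
        })
        g["session_count"] += 1
        for field in ("in_octets", "out_octets", "conn_secs"):
            g[field] += s[field]  # assumption: per-session values are summed
    return groups


def discovery_index(manual_index):
    """Index that discovery would generate for a manually typed user name."""
    return manual_index.lower()


def duplicates_discovered(manual_index, groups):
    """True if a manually entered index differs only by case from an index
    discovery produces, so the same user could be entered a second time."""
    wanted = discovery_index(manual_index)
    return manual_index != wanted and wanted in groups


if __name__ == "__main__":
    result = aggregate_sessions(SESSIONS)
    for index, totals in result.items():
        print(index, totals)
    print("manual DOMAIN\\USER duplicates a discovered index:",
          duplicates_discovered("DOMAIN\\USER", result))
```

Running a check like `duplicates_discovered` over manually created measurements shows which ones should be re-entered in lower case so that they line up with discovery.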