Hi,
We're currently in a big mess and having lots of trouble with Cisco TAC in regard to reading our Site-to-Site VPN tunnels through SNMP. On our ASR-1001s running version 16.06.04, SNMP suddenly stops responding on the OIDs below.
1.3.6.1.4.1.9.9.171.1.3.2.1.5   - does not work -> Tunnel ID, WAN IP
1.3.6.1.4.1.9.9.171.1.3.3.1.10  - works         -> Subnet IP
1.3.6.1.4.1.9.9.171.1.3.3.1.11  - works         -> Subnet mask
1.3.6.1.4.1.9.9.171.1.3.2.1.26  - does not work -> TrafficInCnt
1.3.6.1.4.1.9.9.171.1.3.2.1.39  - does not work -> TrafficInCnt
1.3.6.1.4.1.9.9.172.1.2.1.1.3   - does not work -> Cryptomap ID
Cisco TAC forced us to execute a few commands, one of which software-crashed our primary production ASR (yes... fantastic):
sh cry mib ipsec flowmib spi - CAREFUL
However, we have kind of given up on Cisco TAC; we're currently just going in a loop. Cisco admitted one bug with one of the OIDs, but they keep requesting the same information, and new engineers are being assigned every now and then. We also noticed that after a real reboot SNMP is up and running, but the number of VPN tunnels decreases each time they re-establish: SNMP does not put them back into the SNMP output when the tunnel comes back up.
Therefore I don't have any hope that SNMP will be fixed, and I want to check other possibilities. We have a duplicated system using SSH login each time, but this shouldn't be our primary way going forward. I have been investigating whether I could pull this via RESTCONF / API, but with no success.
I have been going through docs like crazy, but I haven't been able to pull any crypto data yet. I tried restconf/data/Cisco-IOS-XE-crypto, which should be able to return some kind of crypto data, but I am just getting "not found".
Anybody using RESTCONF / API for VPN pulling? If so, would you mind giving some advice?
FYI - no VRF is being used, and approx. 500 site-to-site VPN tunnels are in use, IKEv1 and IKEv2.
Also, I am testing this in a LAB environment using a Cisco 4331 running the same version.
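Added example (not part of the original post, and not Cisco code): a small Python check for the kind of walk described above. It parses snmpwalk-style output for the listed CISCO-IPSEC-FLOW-MONITOR-MIB columns, reports which columns return nothing, and compares the tunnel indexes SNMP still lists against a tunnel count taken over SSH, which is the drift the post describes after tunnels re-establish. The walk text, the CLI tunnel count and the column labels are constructed from the post, not captured from a device.

```python
"""Added example (not from the original post): sanity-check an snmpwalk of the
CISCO-IPSEC-FLOW-MONITOR-MIB columns the post polls and measure the drift
between the tunnels SNMP lists and the tunnel count seen over SSH."""
import re
from collections import defaultdict

TUNNEL_TABLE = "1.3.6.1.4.1.9.9.171.1.3.2.1"    # cipSecTunnelEntry columns
ENDPOINT_TABLE = "1.3.6.1.4.1.9.9.171.1.3.3.1"  # cipSecEndPtEntry columns

# The columns from the post, labelled the way the post labels them.
WANTED_COLUMNS = {
    TUNNEL_TABLE + ".5": "Tunnel ID / WAN IP",
    ENDPOINT_TABLE + ".10": "Subnet IP",
    ENDPOINT_TABLE + ".11": "Subnet mask",
    TUNNEL_TABLE + ".26": "TrafficInCnt",
    TUNNEL_TABLE + ".39": "TrafficInCnt (.39)",
}

# Constructed `snmpwalk -On` style output; NOT a capture from the poster's ASR.
# Two tunnels (indexes 12 and 13) answer on the endpoint table while the
# tunnel-table columns come back with the "No Such ..." replies the post describes.
SAMPLE_WALK = """\
.1.3.6.1.4.1.9.9.171.1.3.2.1.5 = No Such Object available on this agent at this OID
.1.3.6.1.4.1.9.9.171.1.3.3.1.10.12.1 = IpAddress: 10.10.12.0
.1.3.6.1.4.1.9.9.171.1.3.3.1.10.13.1 = IpAddress: 10.10.13.0
.1.3.6.1.4.1.9.9.171.1.3.3.1.11.12.1 = IpAddress: 255.255.255.0
.1.3.6.1.4.1.9.9.171.1.3.3.1.11.13.1 = IpAddress: 255.255.255.0
.1.3.6.1.4.1.9.9.171.1.3.2.1.26 = No Such Object available on this agent at this OID
.1.3.6.1.4.1.9.9.171.1.3.2.1.39 = No Such Instance currently exists at this OID
"""

LINE_RE = re.compile(r"^\.?(\d+(?:\.\d+)+)\s*=\s*(.*)$")


def parse_walk(text):
    """Map each wanted column OID to {instance_suffix: value}. A column whose
    only reply is a 'No Such ...' error ends up with an empty dict."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # banners, blank lines, end-of-MIB-view markers
        oid, value = match.groups()
        for column in WANTED_COLUMNS:
            if oid == column or oid.startswith(column + "."):
                if value.startswith("No Such"):
                    rows.setdefault(column, {})
                else:
                    rows[column][oid[len(column) + 1:]] = value
    return dict(rows)


def column_status(rows):
    """'ok' when a column returned at least one instance, 'missing' otherwise."""
    return {col: ("ok" if rows.get(col) else "missing") for col in WANTED_COLUMNS}


def tunnel_indexes(rows):
    """Tunnel indexes visible through SNMP: the first sub-identifier of every
    instance (cipSecEndPtEntry is indexed tunnelIndex.endPtIndex)."""
    return {int(suffix.split(".")[0]) for inst in rows.values() for suffix in inst}


def snmp_drift(rows, tunnels_from_cli):
    """How many tunnels the CLI shows that SNMP no longer lists. The CLI count
    is assumed to come from e.g. 'show crypto session' collected over SSH."""
    return tunnels_from_cli - len(tunnel_indexes(rows))


if __name__ == "__main__":
    rows = parse_walk(SAMPLE_WALK)
    for col, status in column_status(rows).items():
        print(f"{status:8} {col}  ({WANTED_COLUMNS[col]})")
    print("tunnels seen via SNMP:", sorted(tunnel_indexes(rows)))
    print("drift vs. 3 tunnels on the CLI:", snmp_drift(rows, 3))
```

Feed it the real output of `snmpwalk -v2c -c <community> -On <asr> 1.3.6.1.4.1.9.9.171` and the tunnel count from the SSH-based system; a non-zero drift after tunnels have re-established is exactly the symptom to show TAC, and a column flipping from "ok" to "missing" without a reboot is the point at which to capture the walk.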
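Added example (not part of the original post, and not Cisco code) for the RESTCONF question: before guessing at data paths, ask the device which YANG modules its RESTCONF server advertises via the RFC 7895 YANG library resource, and filter the list for crypto-related names. The host, credentials, CA file and the sample reply are assumptions; whether this IOS-XE release serves ietf-yang-library is also an assumption to verify in the lab.

```python
"""Added example (not from the original post): list the YANG modules an
IOS-XE RESTCONF server advertises and filter them by keyword.
Host, credentials and the sample reply below are assumptions."""
import base64
import json
import ssl
import urllib.request

# RFC 7895 YANG library resource; assumed to be served by the device's RESTCONF.
YANG_LIBRARY_PATH = "/restconf/data/ietf-yang-library:modules-state"


def build_request(host, user, password):
    """GET request for the YANG library with Basic auth and the RESTCONF JSON media type."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}{YANG_LIBRARY_PATH}",
        headers={"Accept": "application/yang-data+json",
                 "Authorization": f"Basic {token}"},
    )


def fetch_modules_state(host, user, password, cafile=None):
    """Fetch and parse the YANG library. Pass the CA that signed the device's
    certificate via cafile; certificate verification is deliberately kept on."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_request(host, user, password)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def modules_matching(modules_state, *keywords):
    """Sorted module names containing any of the keywords (case-insensitive)."""
    modules = modules_state["ietf-yang-library:modules-state"]["module"]
    return sorted(m["name"] for m in modules
                  if any(k.lower() in m["name"].lower() for k in keywords))


# Constructed reply in the shape of ietf-yang-library; not from a real device.
SAMPLE_MODULES_STATE = {
    "ietf-yang-library:modules-state": {
        "module-set-id": "constructed-example",
        "module": [
            {"name": "Cisco-IOS-XE-native", "revision": "", "conformance-type": "implement"},
            {"name": "Cisco-IOS-XE-crypto", "revision": "", "conformance-type": "implement"},
            {"name": "ietf-interfaces", "revision": "2014-05-08", "conformance-type": "implement"},
        ],
    }
}

if __name__ == "__main__":
    print(modules_matching(SAMPLE_MODULES_STATE, "crypto", "ipsec", "ike"))
    # Against a real device (assumed host, credentials and CA file):
    # state = fetch_modules_state("10.0.0.1", "admin", "secret", cafile="lab-ca.pem")
    # print(modules_matching(state, "crypto", "ipsec", "ike"))
```

One caveat worth keeping in mind when reading the result: a module appearing in the library does not mean `/restconf/data/<module-name>` is a resource. RESTCONF data resources are top-level data nodes addressed as `module-name:node-name`, and a module that only augments another module's tree has no top-level node of its own, so its data lives under the augmented module's path. Checking the module list tells you which models exist on that release; which of them expose operational (as opposed to configuration) IPsec state still has to be confirmed against the model definitions on the device.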