| Scalar Object |
| cifIkeGlobalStatsEntry | .1.3.6.1.4.1.9.9.429.1.1.1.1 |
Each entry contains the global statistics pertaining
to the specific IKE protocol.
|
| cifIkeTunnelEntry | .1.3.6.1.4.1.9.9.429.1.1.3.1 |
Each entry contains the attributes associated with
an active Phase-1 IKE Tunnel.
The rows in this table correspond 1-to-1 with a subset of
the rows in cisgIpsSgTunnelTable, specifically the subset
which represent Phase-1 IKE Tunnels.
Hence, the value of the index 'cisgIpsSgProtocol'
in this table is always 'cpIkev1' or 'cpIkev2'.
For all the counter objects in the table below, initially when
the Phase-1 IKE Tunnel becomes active and appears in this
table, they would contain a value of zero.
|
| cifIkeTunnelHistEntry | .1.3.6.1.4.1.9.9.429.1.2.1.1 |
Each entry contains the attributes associated with
a previously active Phase-1 IKE Tunnel.
This table has a sparse table relationship with the
generic Phase-1 Tunnel history table
'cisgIpsSgTunnelHistTable' defined in
CISCO-IPSEC-SIGNALING-MIB. However, the value of the
index column in this table will always be either
'cpIkev1' or 'cpIkev2'.
|
| cifIkeNotifCntlInNewGrpRejected | .1.3.6.1.4.1.9.9.429.1.3.1 |
The generation of the 'ciscoIkeFlowInNewGrpRejected'
notification is enabled if and only if this object has the
value 'true'.
|
| cifIkeNotifCntlOutNewGrpRejected | .1.3.6.1.4.1.9.9.429.1.3.2 |
The generation of the 'ciscoIkeFlowOutNewGrpRejected'
notification is enabled if and only if this object has the
value 'true'.
|
| Tabular Object |
| cifIkeGlobalInP2Exchgs | .1.3.6.1.4.1.9.9.429.1.1.1.1.1 |
The total number of Phase-2 exchanges
received by all currently and previously
active Phase-1 Tunnels.
|
| cifIkeGlobalInP2ExchgInvalids | .1.3.6.1.4.1.9.9.429.1.1.1.1.2 |
The total number of Phase-2 exchanges which were
received and found to be invalid by all currently and
previously active Phase-1 Tunnels.
|
| cifIkeGlobalInP2ExchgRejects | .1.3.6.1.4.1.9.9.429.1.1.1.1.3 |
The total number of Phase-2 exchanges
which were received and rejected by all
currently and previously active Phase-1 Tunnels.
|
| cifIkeGlobalOutP2Exchgs | .1.3.6.1.4.1.9.9.429.1.1.1.1.4 |
The total number of Phase-2 exchanges which were
sent by all currently and previously active IPsec
Phase-1 Tunnels.
|
| cifIkeGlobalOutP2ExchgInvalids | .1.3.6.1.4.1.9.9.429.1.1.1.1.5 |
The total number of Phase-2 exchanges which were
sent and found to be invalid by all currently and
previously active Phase-1 Tunnels.
|
| cifIkeGlobalOutP2ExchgRejects | .1.3.6.1.4.1.9.9.429.1.1.1.1.6 |
The total number of Phase-2 exchanges
which were sent and rejected by all currently and
previously active Phase-1 IKE Tunnels.
|
| cifIkeGlobalInXauths | .1.3.6.1.4.1.9.9.429.1.1.1.1.7 |
The number of times extended authentication
requests were received by the managed entity
from a peer.
|
| cifIkeGlobalInXauthFailures | .1.3.6.1.4.1.9.9.429.1.1.1.1.8 |
The number of times the extended authentication
information supplied by an IKE peer was found
to be invalid by the local entity.
|
| cifIkeGlobalOutXauthFailures | .1.3.6.1.4.1.9.9.429.1.1.1.1.9 |
The number of times the extended authentication
information supplied by the managed entity to an
IKE peer was found to be invalid by the remote peer.
|
| cifIkeGlobalInNewGrpReqs | .1.3.6.1.4.1.9.9.429.1.1.1.1.10 |
The total number of New Group exchanges initiated
remotely.
|
| cifIkeGlobalOutNewGrpReqs | .1.3.6.1.4.1.9.9.429.1.1.1.1.11 |
The total number of New Group exchanges initiated
locally.
|
| cifIkeGlobalInNewGrpRejectReqs | .1.3.6.1.4.1.9.9.429.1.1.1.1.12 |
The total number of New Group exchanges initiated
remotely that ended in reject.
|
| cifIkeGlobalOutNewGrpRejectReqs | .1.3.6.1.4.1.9.9.429.1.1.1.1.13 |
The total number of New Group exchanges initiated
locally that ended in reject.
|
| cifIkeTunNegoMode | .1.3.6.1.4.1.9.9.429.1.1.3.1.1 |
The negotiation mode of the Phase-1 IKE Tunnel.
|
| cifIkeTunDHGrp | .1.3.6.1.4.1.9.9.429.1.1.3.1.2 |
The Diffie-Hellman Group used in Phase-1 IKE
negotiations.
|
| cifIkeTunSaRefreshThreshold | .1.3.6.1.4.1.9.9.429.1.1.3.1.3 |
The security association refresh threshold in seconds.
If the tunnel does not refresh its security associations,
the value of this MIB object is zero.
|
| cifIkeTunTotalRefreshes | .1.3.6.1.4.1.9.9.429.1.1.3.1.4 |
The total number of security association refreshes
performed. If the tunnel does not refresh its security
associations, the value of this MIB object is never
incremented.
|
| cifIkeTunInP2Exchgs | .1.3.6.1.4.1.9.9.429.1.1.3.1.5 |
The total number of Phase-2 exchanges received by
this Phase-1 IKE Tunnel.
|
| cifIkeTunInP2ExchgInvalids | .1.3.6.1.4.1.9.9.429.1.1.3.1.6 |
The total number of Phase-2 exchanges received and
found to be invalid by this Phase-1 IKE Tunnel.
|
| cifIkeTunInP2ExchgRejects | .1.3.6.1.4.1.9.9.429.1.1.3.1.7 |
The total number of Phase-2 exchanges received and
rejected by this Phase-1 Tunnel.
|
| cifIkeTunInP2SaDelRequests | .1.3.6.1.4.1.9.9.429.1.1.3.1.8 |
The total number of Phase-2 security association
delete requests received by this Phase-1 IKE Tunnel.
|
| cifIkeTunOutP2Exchgs | .1.3.6.1.4.1.9.9.429.1.1.3.1.9 |
The total number of Phase-2 exchanges sent by
this Phase-1 IKE Tunnel.
|
| cifIkeTunOutP2ExchgInvalids | .1.3.6.1.4.1.9.9.429.1.1.3.1.10 |
The total number of Phase-2 exchanges sent and
found to be invalid by this Phase-1 IKE Tunnel.
|
| cifIkeTunOutP2ExchgRejects | .1.3.6.1.4.1.9.9.429.1.1.3.1.11 |
The total number of Phase-2 exchanges sent and
rejected by this Phase-1 IKE Tunnel.
|
| cifIkeTunInNewGrpReqs | .1.3.6.1.4.1.9.9.429.1.1.3.1.12 |
The total number of New Group exchanges initiated
remotely using this IKE tunnel.
|
| cifIkeTunOutNewGrpReqs | .1.3.6.1.4.1.9.9.429.1.1.3.1.13 |
The total number of New Group exchanges initiated
locally using this IKE tunnel.
|
| cifIkeTunInNewGrpRejectedReqs | .1.3.6.1.4.1.9.9.429.1.1.3.1.14 |
The total number of New Group exchanges initiated
remotely using this IKE tunnel that ended in reject.
|
| cifIkeTunOutNewGrpRejectedReqs | .1.3.6.1.4.1.9.9.429.1.1.3.1.15 |
The total number of New Group exchanges initiated
locally using this IKE tunnel that ended in reject.
|
| cifIkeTunInConfigs | .1.3.6.1.4.1.9.9.429.1.1.3.1.16 |
The total number of Mode Configuration settings
received (either CFG_REPLY or CFG_SET payloads)
by the local entity on the ISAKMP SA represented by
this IKE tunnel.
|
| cifIkeTunOutConfigs | .1.3.6.1.4.1.9.9.429.1.1.3.1.17 |
The total number of Mode Configuration settings
dispatched (either CFG_REPLY or CFG_SET payloads)
by the local entity on the ISAKMP SA represented by
this IKE tunnel.
|
| cifIkeTunInConfigRejects | .1.3.6.1.4.1.9.9.429.1.1.3.1.18 |
The total number of Mode Configuration settings
which were received (either CFG_REPLY or CFG_SET
payloads) and rejected by this entity using the ISAKMP
SA represented by this IKE tunnel.
|
| cifIkeTunOutConfigRejects | .1.3.6.1.4.1.9.9.429.1.1.3.1.19 |
The total number of Mode Configuration settings
which were dispatched (either CFG_REPLY or CFG_SET
payloads) by this entity and were rejected by the
peer (client) using the ISAKMP SA represented by
this IKE tunnel.
|
| cifIkeTunHistNegoMode | .1.3.6.1.4.1.9.9.429.1.2.1.1.1 |
The negotiation mode of the Phase-1 IKE Tunnel.
|
| cifIkeTunHistDHGrp | .1.3.6.1.4.1.9.9.429.1.2.1.1.2 |
The Diffie-Hellman Group used in Phase-1 IKE
negotiations.
|
| cifIkeTunHistTotalRefreshes | .1.3.6.1.4.1.9.9.429.1.2.1.1.3 |
The total number of security association
refreshes performed.
|
| cifIkeTunHistTotalSas | .1.3.6.1.4.1.9.9.429.1.2.1.1.4 |
The total number of security associations used
during the life of the Phase-1 IKE Tunnel.
|
| cifIkeTunHistInP2Exchgs | .1.3.6.1.4.1.9.9.429.1.2.1.1.5 |
The total number of Phase-2 exchanges received
by this Phase-1 IKE Tunnel.
|
| cifIkeTunHistInP2ExchgInvalids | .1.3.6.1.4.1.9.9.429.1.2.1.1.6 |
The total number of Phase-2 exchanges
received on this tunnel that were found to
contain references to unrecognized security
parameters.
|
| cifIkeTunHistInP2ExchgRejects | .1.3.6.1.4.1.9.9.429.1.2.1.1.7 |
The total number of Phase-2 exchanges
received on this tunnel that were validated but were
rejected by the local policy.
|
| cifIkeTunHistOutP2Exchgs | .1.3.6.1.4.1.9.9.429.1.2.1.1.8 |
The total number of Phase-2 security association
delete requests received by this Phase-1 IKE Tunnel.
|
| cifIkeTunHistOutP2ExchgInvalids | .1.3.6.1.4.1.9.9.429.1.2.1.1.9 |
The total number of Phase-2 exchanges sent by
this Phase-1 IKE Tunnel.
|
| cifIkeTunHistOutP2ExchgRejects | .1.3.6.1.4.1.9.9.429.1.2.1.1.10 |
The total number of Phase-2 exchanges
sent on this tunnel that were rejected by the
peer, because it contained references to security
parameters not recognized by the peer.
|
| cifIkeTunHistInNewGrpReqs | .1.3.6.1.4.1.9.9.429.1.2.1.1.11 |
The total number of New Group exchanges initiated
remotely using this IKE tunnel during its lifetime.
|
| cifIkeTunHistOutNewGrpReqs | .1.3.6.1.4.1.9.9.429.1.2.1.1.12 |
The total number of New Group exchanges initiated
locally using this IKE tunnel during its lifetime.
|
| cifIkeTunHistInNewGrpRejectReqs | .1.3.6.1.4.1.9.9.429.1.2.1.1.13 |
The total number of New Group exchanges initiated
remotely using this IKE tunnel during its lifetime
that ended in reject.
|
| cifIkeTunHistOutNewGrpRejectReqs | .1.3.6.1.4.1.9.9.429.1.2.1.1.14 |
The total number of New Group exchanges initiated
locally using this IKE tunnel during its lifetime
that ended in reject.
|
| cifIkeTunHistInConfigs | .1.3.6.1.4.1.9.9.429.1.2.1.1.15 |
The total number of Mode Configuration settings
received (either CFG_REPLY or CFG_SET payloads)
by the local entity on the ISAKMP SA represented by this
IKE tunnel.
|
| cifIkeTunHistOutConfigs | .1.3.6.1.4.1.9.9.429.1.2.1.1.16 |
The total number of Mode Configuration settings
dispatched (either CFG_REPLY or CFG_SET payloads)
by the local entity on the ISAKMP SA represented by this
IKE tunnel.
|
| cifIkeTunHistInConfigsRejects | .1.3.6.1.4.1.9.9.429.1.2.1.1.17 |
The total number of Mode Configuration settings
which were received (either CFG_REPLY or CFG_SET
payloads) and rejected by this entity using the ISAKMP
SA represented by this IKE tunnel.
|
| cifIkeTunHistOutConfigsRejects | .1.3.6.1.4.1.9.9.429.1.2.1.1.18 |
The total number of Mode Configuration settings
which were dispatched (either CFG_REPLY or CFG_SET
payloads) by this entity and were rejected by the
peer (client) using the ISAKMP SA represented by this
IKE tunnel.
|
| Table |
| cifIkeGlobalStatsTable | .1.3.6.1.4.1.9.9.429.1.1.1 |
The Phase-1 IKE Global Statistics Table.
There is one entry in this table for each Phase-1 IKE
protocol ('cpIkev1' and 'cpIkev2') implemented by the
managed entity.
For all the counter objects in the table below, initially when
the IKE Tunnel becomes active and appears in this
table, they would contain a value of zero.
|
| cifIkeTunnelTable | .1.3.6.1.4.1.9.9.429.1.1.3 |
The Phase-1 Internet Key Exchange Tunnel Table.
There is one entry in this table for each active IPsec
Phase-1 IKE Tunnel.
|
| cifIkeTunnelHistTable | .1.3.6.1.4.1.9.9.429.1.2.1 |
The Phase-1 Internet Key Exchange Tunnel
history table.
This table is conceptually a sliding window in
which only the last 'N' entries are maintained,
where 'N' is the value of the object
'cisgIpsSgHistTableSize' (defined in
CISCO-IPSEC-SIGNALING-MIB).
If the value of 'cisgIpsSgHistTableSize' is 0,
then this table will be empty.
For all the counter objects in the table below, initially
when the Tunnel entry appears in this table, they would
contain a value of zero.
|
| Trap |
| ciscoIkeFlowInNewGrpRejected | .1.3.6.1.4.1.9.9.429.0.1 |
This notification is generated when the managed
entity receives and rejects an incoming new group
proposal from an IKE peer identified by
'cisgIpsSgFailRemoteAddress'.
'cisgIpsSgFailLocalAddress' identifies the address of
the local peer.
The ISAKMP context of the exchange can be obtained
from the IKE tunnel index which is contained in the
index of the varbind objects of this trap.
|
| ciscoIkeFlowOutNewGrpRejected | .1.3.6.1.4.1.9.9.429.0.2 |
This notification is generated when the managed entity
issues a new group proposal to the remote peer identified
by 'cisgIpsSgFailRemoteAddress' and the peer rejects the
proposal. 'cisgIpsSgFailLocalAddress' identifies the
address of the local peer.
The ISAKMP context of the exchange can be
obtained from the IKE tunnel index which is contained
in the index of the varbind objects of this trap.
|
| Object Identifier |
| ciscoIkeFlowMIB | .1.3.6.1.4.1.9.9.429 |
This is a MIB module for monitoring the structures
and status of IPsec control flows based on Internet
Key Exchange protocol. The MIB models standard
aspects of the IKE protocol.
Synopsis
This MIB module models status, performance and
failures of the IKEv1- and IKEv2-based signaling in
IPsec, FC-SP (and similar) protocols. In practice,
the security protocols such as IPsec, FC-SP and
CTS use a signaling protocol such as IKE, KINK,
or some such. A number of characteristics of these
signaling protocols are generic.
The generic attributes and status of signaling
activity have been modeled in
CISCO-IPSEC-SIGNALING-MIB. This MIB module augments
CISCO-IPSEC-SIGNALING-MIB with IKE-specific
MIB objects.
(Signaling protocols are also referred to in this
document as 'Control Protocols', since they perform
session control.)
History of the MIB
A precursor to this MIB was written by Tivoli and
implemented in IBM Nways routers in 1999. That
MIB instrumented both IKE(v1) and IPsec in a
single module. During late 1999, Cisco adopted
the MIB and together with Tivoli published the
IPsec Flow Monitor MIB in IETF IPsec WG in
draft-ietf-ipsec-flow-monitoring-mib-00.txt.
In 2000, the MIB was Cisco-ized and this draft was
implemented as CISCO-IPSEC-FLOW-MONITOR-MIB in
IOS and VPN3000 platforms.
With the evolution of IKEv2, the MIB was modified
and presented to the IPsec WG again in May 2003
in draft-ietf-ipsec-flow-monitoring-mib-02.txt.
This version of the draft is a Cisco-ized version
that culls out the IKE-specific aspects of the
IPsec Flow Monitor MIB.
Overview of MIB
The MIB contains five major groups of objects which
are used to manage the IKE protocol activity. These
groups include the global statistics, IKE tunnel
table, IKE History Group and a notification Group.
The tunnel table and the history table have a
sparse-table relationship with the corresponding
tables in the CISCO-IPSEC-SIGNALING-MIB
(details in the DESCRIPTION of the respective
tables).
Acronyms
The following acronyms are used in this document:
Flow, Tunnel:
An ISAKMP SA can be regarded as representing
a flow of ISAKMP/IKE traffic. Hence an ISAKMP SA
is referred to as a 'Phase 1 Tunnel' in this
document.
IPsec:
Secure IP Protocol
ISAKMP:
Internet Security Association and Key
Management Protocol
IKE:
Internet Key Exchange Protocol
MM:
Main Mode - the process of setting up
a Phase 1 SA to secure the exchanges
required to set up Phase 2 SAs
Phase 2 Tunnel:
An instance of a non-ISAKMP SA bundle in
which all the SAs share the same proxy
identifiers (IDii, IDir) and protect the same
stream of application traffic.
Such an SA bundle is termed a 'Phase 2 Tunnel'.
Note that a Phase 2 tunnel may comprise
different SA bundles and different numbers of
SA bundles at different times (due to key refresh).
QM:
Quick Mode - the process of setting up
Phase 2 Security Associations using a
Phase 1 SA.
SA:
Security Association (ref: RFC 2408).
VPN:
Virtual Private Network. |
| ciscoIkeFlowMIBNotifs | .1.3.6.1.4.1.9.9.429.0 |
| ciscoIkeFlowMIBObjects | .1.3.6.1.4.1.9.9.429.1 |
| ciscoIkeFlowMIBConform | .1.3.6.1.4.1.9.9.429.2 |
| cifIkeCurrentActivity | .1.3.6.1.4.1.9.9.429.1.1 |
| cifIkeHistory | .1.3.6.1.4.1.9.9.429.1.2 |
| cifIkeNotifControl | .1.3.6.1.4.1.9.9.429.1.3 |
| ciscoIkeFlowMIBCompliances | .1.3.6.1.4.1.9.9.429.2.1 |
| ciscoIkeFlowMIBGroups | .1.3.6.1.4.1.9.9.429.2.2 |
| Group |
| ciscoIkeFlowActivityGroup | .1.3.6.1.4.1.9.9.429.2.2.1 |
This group consists of objects that track the
current IKE protocol activity:
1) IKE Global Objects
2) IKE Tunnel table.
|
| cifIkeFlowNewGroupGroup | .1.3.6.1.4.1.9.9.429.2.2.2 |
This group consists of:
1) Global metrics about new group negotiations
2) IKE Tunnel-wise new group metrics
|
| cifIkeFlowXauthGroup | .1.3.6.1.4.1.9.9.429.2.2.3 |
This group consists of metrics pertaining to
IKE extended authentication. Devices that do
not support Xauth need not implement this group.
|
| cifIkeFlowModeConfigGroup | .1.3.6.1.4.1.9.9.429.2.2.4 |
This group consists of metrics pertaining to
IKE extended authentication. Devices that do
not support Xauth need not implement this group.
|
| cifIkeFlowHistoryGroup | .1.3.6.1.4.1.9.9.429.2.2.5 |
This group consists of the core (mandatory)
objects pertaining to maintaining history of
Internet Key Exchange protocol activity.
|
| cifIkeFlowNewGroupHistoryGroup | .1.3.6.1.4.1.9.9.429.2.2.6 |
This group consists of an archive of new group
activity pertaining to expired IKE Phase-1
tunnels.
|
| cifIkeFlowModeConfigHistoryGroup | .1.3.6.1.4.1.9.9.429.2.2.7 |
This group consists of an archive of mode
config activity pertaining to expired IKE
Phase-1 Tunnels.
|
| cifIkeFlowNotificationGroup | .1.3.6.1.4.1.9.9.429.2.2.9 |
This group contains the notifications pertaining
to Phase-1 IKE operations.
|
| cifIkeFlowNotifCntlGroup | .1.3.6.1.4.1.9.9.429.2.2.8 |
This group of objects controls the sending
of notifications pertaining to Phase-1 IKE
operations.
|