Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

• Only the following tunnel setup failure logs are supported with the IPsec--SNMP Support feature:
  • NOTIFY_MIB_IPSEC_PROPOSAL_INVALID
  • "A tunnel could not be established because the peer did not supply an acceptable proposal."
  • NOTIFY_MIB_IPSEC_ENCRYPT_FAILURE
  • "A tunnel could not be established because it failed to encrypt a packet to be sent to a peer."
  • NOTIFY_MIB_IPSEC_SYSCAP_FAILURE
  • "A tunnel could not be established because the system ran out of resources."
  • NOTIFY_MIB_IPSEC_LOCAL_FAILURE
  • "A tunnel could not be established because of an internal error."

Note that these failure notices are recorded in the failure tables, but are not available as SNMP notifications (traps).

• The following functions are not supported with the IPsec MIB feature:
  • Checkpointing
  • The Dynamic Cryptomap table of the CISCO-IPSEC-MIB
• The CISCO-IPSEC-POLICY-MAP-MIB (ciscoIpSecPolMap) defines no notifications (the "IPSec Policy Map Notifications Group" is empty).

The IP Security (IPsec) SNMP Support feature introduces support for industry-standard IPsec MIBs and Cisco IOS XE-software specific IPsec MIBs.

The IPsec MIBs allow IPsec configuration monitoring and IPsec status monitoring using SNMP, and can be integrated in a variety of Virtual Private Network (VPN) management solutions.

For example, this feature allows you to specify the desired size of a tunnel history table or a tunnel failure table using the Cisco IOS XE CLI. The history table archives attribute and statistic information about the tunnel; the failure table archives tunnel failure reasons along with the time failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.

This feature also provides IPsec Simple Network Management Protocol (SNMP) notifications for use with network management systems.

• Related Features and Technologies
  

• Enabling IPsec SNMP Notifications
  
• Configuring IPsec Failure History Table Size
  
• Configuring IPsec Tunnel History Table Size
  
• Verifying IPsec MIB Configuration
  
• Monitoring and Maintaining IPsec MIB
  

• Enabling IPsec Notifications Examples
  
• Specifying History Table Size Examples
  

CA --certificate authority. A certificate authority (CA) is an entity in a network that issues and manages security credentials and public keys (in the form of X509v3 certificates) for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. Certificates generally include the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.

IP Security--See IPsec.

IPsec--Internet Protocol Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPsec provides these security services at the IP layer. IPsec uses Internet Key Exchange (IKE) to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPsec. IPsec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.

Management Information Base--See MIB.

MIB--Management Information Base. Database of network management information that is used and maintained by a network management protocol such as Simple Network Management Protocol (SNMP) or Common Management Information Protocol (MIP). The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a graphical user interface (GUI) network management system (NMS). MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.

Simple Network Management Protocol--See SNMP.

SNMP--Simple Network Management Protocol. An application-layer protocol that provides a message format for communication between SNMP managers and agents.

trap--Message sent by an SNMP agent to a network management system, console, or terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.