What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

I get the error PE123 when using the SNMP Cisco ASA VPN Traffic sensor. What can I do?

Votes:

0

When I use the SNMP Cisco ASA VPN Traffic sensor and the tunnel is established with IKEv2 (shown type: User to LAN), I get the error message:

There is no active connection for this remote IP address. The reason might be an issue with Cisco's SNMP component. The data that PRTG receives from the device is incorrect. To resolve this issue, see https://kb.paessler.com/en/topic/59643. (code: PE123)

If the same VPN tunnel is established with IKEv1 (shown type: LAN to LAN), there is no problem.

asa cisco cisco-asa-vpn error error-messages pe123 prtg sensor snmp vpn

Created on Dec 17, 2013 7:40:09 AM

Last change on Jan 4, 2023 11:48:10 AM by  Brandy Greger [Paessler Support]



Best Answer

Accepted Answer

Votes:

2

This article applies as of PRTG 22

How to use the SNMP Cisco ASA VPN Traffic sensor with IKEv2

Error code PE123: Workaround

When using the SNMP Cisco ASA VPN Traffic sensor, you may see that establishing the VPN tunnel with IKEv1 works fine whereas IKEv2 gives this error message:

There is no active connection for this remote IP address. The reason might be an issue with Cisco's SNMP component. The data that PRTG receives from the device is incorrect. To resolve this issue, see https://kb.paessler.com/en/topic/59643. (code: PE123)

This seems to be a bug in Cisco’s SNMP component: the data that PRTG receives from the device via SNMP is incorrect. For example, when adding a new sensor, you see that the Remote IP Address is actually your local IP address and that the Sensor Name is the remote IP address. This is also the reason why PRTG sees this as a User to LAN connection. On LAN to LAN, the remote IP address and the sensor name are identical. So far, there is no way to automatically detect this.

To address this issue, Paessler created a device template that you can use to manually add the sensor. Follow the steps below:

  1. Download the device template here and unzip it to the \devicetemplates subfolder of your PRTG installation.
  2. Open the file with a text editor. Find the three instances of [RemoteIP]. Replace [RemoteIP] (including the brackets) with the actual remote IP address of the VPN connection that you want to monitor.
  3. In the PRTG web interface, open the device settings and set the Auto-Discovery Level to Auto-discovery with specific device templates.
  4. A list of device templates appears. Select CiscoASAVPNTunnel [RemoteIP].
  5. Start the auto-discovery for the device and it adds a sensor for the connection.

If you want to add multiple sensors, you can

  • either copy the <create> element and use one per sensor that you want to add,
  • or you can add the sensors one after the other, edit the template, and run auto-discovery each time.

In both cases, make sure that you change the id attribute in the <create> element, since there can only be one sensor per device with a specific create-id.

Example: Editing the device template

See the following screenshot for an example of how to edit the template to create multiple (in this case, two) sensors. The sections that you must change in comparison to the original template are highlighted. You must insert the same remote IP address into each <create> element twice. You must also edit the ID.

Device template example
Click to enlarge.

Created on Dec 19, 2013 12:49:43 PM by  Johannes Herrmann [Paessler Support] (1,360) 2 2

Last change on Jan 4, 2023 11:48:31 AM by  Brandy Greger [Paessler Support]



33 Replies

Votes:

0

Please run 2 "Walk" tests against the device in case via our SNMP Tester.

Please use the following base OIDs for the tests:

1.3.6.1.4.1.9.9.171

1.3.6.1.4.1.9.9.392

Please forward us the results to [email protected], with reference to this thread.

Created on Dec 18, 2013 2:10:10 PM by  Patrick Hutter [Paessler Support] (7,225) 3 3



Accepted Answer

Votes:

2

This article applies as of PRTG 22

How to use the SNMP Cisco ASA VPN Traffic sensor with IKEv2

Error code PE123: Workaround

When using the SNMP Cisco ASA VPN Traffic sensor, you may see that establishing the VPN tunnel with IKEv1 works fine whereas IKEv2 gives this error message:

There is no active connection for this remote IP address. The reason might be an issue with Cisco's SNMP component. The data that PRTG receives from the device is incorrect. To resolve this issue, see https://kb.paessler.com/en/topic/59643. (code: PE123)

This seems to be a bug in Cisco’s SNMP component: the data that PRTG receives from the device via SNMP is incorrect. For example, when adding a new sensor, you see that the Remote IP Address is actually your local IP address and that the Sensor Name is the remote IP address. This is also the reason why PRTG sees this as a User to LAN connection. On LAN to LAN, the remote IP address and the sensor name are identical. So far, there is no way to automatically detect this.

To address this issue, Paessler created a device template that you can use to manually add the sensor. Follow the steps below:

  1. Download the device template here and unzip it to the \devicetemplates subfolder of your PRTG installation.
  2. Open the file with a text editor. Find the three instances of [RemoteIP]. Replace [RemoteIP] (including the brackets) with the actual remote IP address of the VPN connection that you want to monitor.
  3. In the PRTG web interface, open the device settings and set the Auto-Discovery Level to Auto-discovery with specific device templates.
  4. A list of device templates appears. Select CiscoASAVPNTunnel [RemoteIP].
  5. Start the auto-discovery for the device and it adds a sensor for the connection.

If you want to add multiple sensors, you can

  • either copy the <create> element and use one per sensor that you want to add,
  • or you can add the sensors one after the other, edit the template, and run auto-discovery each time.

In both cases, make sure that you change the id attribute in the <create> element, since there can only be one sensor per device with a specific create-id.

Example: Editing the device template

See the following screenshot for an example of how to edit the template to create multiple (in this case, two) sensors. The sections that you must change in comparison to the original template are highlighted. You must insert the same remote IP address into each <create> element twice. You must also edit the ID.

Device template example
Click to enlarge.

Created on Dec 19, 2013 12:49:43 PM by  Johannes Herrmann [Paessler Support] (1,360) 2 2

Last change on Jan 4, 2023 11:48:31 AM by  Brandy Greger [Paessler Support]



Votes:

0

The template doesn't changed any thing. The sensor was created with the local IP as remote IP again. I found following workaound: - stop PRTG Service - open Configuration file - change Remote-IP to the right value and save file - restart PRTG Service

Could this change to the configuration file cause problems in the future?

Created on Dec 19, 2013 3:38:06 PM



Votes:

0

Sorry my fault, took wrong template (I already had one with a similar name). The template works, the workaroung too.

Created on Dec 19, 2013 3:41:17 PM



Votes:

0

We highly recommend to use the devicetemplate and not to edit the configuration manually.

If you changed the configuration file already and your sensor works now (and all other sensors do also still work) it is not too likely that it will cause anything really bad to happen. If you encounter any new bugs within the next days, please be honest and let the support team know, that you did manual changes, though.

Created on Dec 20, 2013 12:18:19 PM by  Johannes Herrmann [Paessler Support] (1,360) 2 2



Votes:

0

Hi I have aded the template and have auto-discovered the ASA device. However I am unable to the IKEv2 tunnels. When I click on add sensor I am still not able to add the IKEv2 tunnels , IKEv1 are working fine. I have rasied a cal with support but after 3 days they refuse to talk to me via phone. we have a support contract and have paid for maintenance.

Created on Feb 2, 2015 12:44:18 PM



Votes:

0

Did you use the template to run the Auto-Discovery with? If so, you shouldn't be adding the sensor manually. Our support policy is to only do remote sessions or phone calls when PRTG is completely broken and there is no other way to solve the issue.

Created on Feb 2, 2015 12:59:14 PM by  Greg Campion [Paessler Support]



Votes:

0

confirmed this resolved my error as well

Created on Apr 14, 2015 7:59:39 PM



Votes:

0

I followed the instructions but still receive the same error. Any other suggestions?

Created on Aug 26, 2015 2:05:53 PM



Votes:

0

Dear Ceriel Roland

Which PRTG version (including the four-digit build number) are you currently using?

Created on Aug 28, 2015 1:39:57 PM by  Arne Seifert [Paessler Support]



Votes:

0

I have over 25 different site-2-site (Lan-2-Lan) tunnels on a single firewall. Am I going to have to make 25 copies of this device template to get these to be monitored again? They were working for many months, but after a recent update to 15.3.17.2996 or so, I see its broken.

please advise.

Created on Sep 14, 2015 3:41:43 PM



Votes:

0

@dclick: It would be possible to create one template with 35 create tags (just duplicate the create tags with all contents).
However, you would have to replace the id's and IPs accordingly within the one template. Afterwards the template should create all your sensors.
Best regards

Created on Sep 17, 2015 2:23:14 PM by  Konstantin Wolff [Paessler Support]



Votes:

0

Im also getting There is no active connection for this remote IP address. (code: PE123) error while my connections are all IKEv1

mx00nr001/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : x.x.x.x Index : 131 IP Addr : x.x.x.x Protocol : IKEv1 IPsec Encryption : IKEv1: (1)AES256 IPsec: (1)AES256 Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1 Bytes Tx : 1867268940 Bytes Rx : 2361103366 Login Time : 05:00:24 UTC Thu Oct 8 2015 Duration : 5d 7h:53m:55s

Connection : x.x.x.x Index : 150 IP Addr : x.x.x.x Protocol : IKEv1 IPsec Encryption : IKEv1: (1)AES256 IPsec: (1)3DES Hashing : IKEv1: (1)SHA1 IPsec: (1)MD5 Bytes Tx : 32878980 Bytes Rx : 4176673 Login Time : 00:05:10 UTC Mon Oct 12 2015 Duration : 1d 12h:49m:09s

Connection : x.x.x.x Index : 174 IP Addr : x.x.x.x Protocol : IKEv1 IPsec Encryption : IKEv1: (1)AES256 IPsec: (2)AES256 Hashing : IKEv1: (1)SHA1 IPsec: (2)SHA1 Bytes Tx : 2655399 Bytes Rx : 300480 Login Time : 12:24:49 UTC Tue Oct 13 2015 Duration : 0h:29m:30s

Created on Oct 13, 2015 11:56:49 AM



Votes:

0

Hi mverboom,

Could you please use the SNMP Tester Tool and perform a walk over the OID

1.3.6.1.4.1.9.9.392

followed by a walk over the OID

1.3.6.1.4.1.9.9.171

and forward the results to [email protected]? Please refer to this knowledge base article.

Best regards, Felix

Created on Oct 14, 2015 4:25:49 AM by  Felix Saure [Paessler Support]



Votes:

0

The fix no longer works for me in version 16.3.25.5767. I have just opened a support case.

Created on Sep 12, 2016 2:56:36 PM



Votes:

0

I also get this error while using IKEv1. The tunnel was even up in a case, but the sensor was "stuck" with that error. Adding the sensor again worked, meaning it wasnt red anymore, but is a bad ideea if I have to add them all again manually when this happens. Losing traffic history and alot of work. Any ideea to circumvent this? Also, is it posible for the cisco asa vpn sensor to go to warning when no connection is active for like 24 hours and to red only after that ?

Created on Apr 10, 2017 2:09:06 PM



Votes:

0

Dear Silavric,

The SNMP Cisco ASA sensor will use the RemoteIP as the identification key for the connection. If this IP address changes for any reason, PRTG will consider the connection as down and show an error message. The only way to keep the historic data is to pause the old sensor. This will also allow you to create reports with the historic data.

I'm afraid that it's not possible to set the sensor into a warning status if the connection is not available, the sensor will directly get into an alarm status.

Best regards, Felix

Created on Apr 11, 2017 6:57:02 AM by  Felix Saure [Paessler Support]



Votes:

0

Is there a new fix for this? The one from here doesn't work, the sensor still appears down even though vpn is up.

Created on Aug 23, 2018 9:35:03 AM



Votes:

0

Hi BM,

I'm not aware that this got fixed by Cisco to return the correct values for IKEv2 tunnels which are up via SNMP. Could you please provide your adjusted template to [email protected] and mention the IP address of the VPN's tunnel for further investigation?

Best regards, Felix

Created on Aug 24, 2018 7:57:48 AM by  Felix Saure [Paessler Support]



Votes:

0

I have been using the standard sensor for 7x IKEv2 VPN's which was working perfectly fine. I recently added 2 more VPN's on the ASA, using the same IPsec profile as the others. Before I added them to PRTG to monitoring, all the old sensors stopped working, showing the error PE123. If I try to re-add them, they appear as discovered, but when I add them it gives error PE123 straight away. I tried the template in this thread, but an autodiscover isn't finding anything. Any ideas?

Created on Sep 28, 2018 7:12:46 AM



Votes:

0

Dear Jarrad,

As no sensors are discovered via the template, it means that the Ping from the PRTG probe to the ASA does not succeed - this is the requirement for the template. Could you please write an email to [email protected] by referring to this case, I'll then be able to create a personal template for you. Please include the IP address of the IKEv2 tunnel which you want to monitor.


Kind regards,
Felix Saure, Tech Support Team

Created on Sep 28, 2018 7:40:08 AM by  Felix Saure [Paessler Support]



Votes:

0

Hi Felix, I am monitoring the ASA for ping and system health etc via SNMP (which is working). So the ping and snmp check should pass. I will open a support ticket now. Thanks.

Created on Oct 2, 2018 12:24:28 AM



Votes:

0

Have there been any issues with the manual method of adding a sensor for the ikev2 VPNs?

Create a SNMP CISCO ASA Traffic sensor and edit the remote IP, rename and save.

Created on Jun 5, 2019 5:48:11 PM



Votes:

0

Hi JoeLoveTB,

Not to our knowledge. Did you also change the <create-id<?

If so, kindly forward the created template to [email protected] for further investigation.


Kind regards,
Felix Saure, Tech Support Team

Created on Jun 6, 2019 6:17:26 AM by  Felix Saure [Paessler Support]



Votes:

0

.* bump *

Any news for a real solution instead of a workaround?

Created on Mar 2, 2020 10:14:29 AM



Votes:

0

Unfortunately, no changes so far. The workaround is still the only option.

Created on Mar 2, 2020 12:57:54 PM by  Sasa Ignjatovic [Paessler Support]



Votes:

0

Any news on this issue? We manage the PRTG installations of many customers, and this issue is very tiresome for our technicians, who routinely have to help with this issue.

Created on Jul 3, 2020 6:16:22 AM



Votes:

0

I'm afraid there are no changes so far. The workaround is still the only option.

Created on Jul 3, 2020 6:50:00 AM by  Felix Wiesneth [Paessler Support]



Votes:

0

hello

i try to apply the Workaround but it does not work. i cannot find this section "Automatic sensor creation using specific device template(s)"

3.In the PRTG web interface, open the device settings and set the Sensor Management to Automatic sensor creation using specific device template(s).

i go to Settings in the ASA Device and the only Setting i find is "Auto-discovery with specific device templates" anyway does this Workaround applies in my actual (20.3.61.1649 x64) Version ?

thanks in Advance

Karl-Heinz

Created on Sep 17, 2020 7:46:59 AM

Last change on Sep 17, 2020 10:44:44 AM by  Felix Wiesneth [Paessler Support]



Votes:

0

Hello Karl-Heinz,

The setting Auto-discovery with specific device templates is the option it is meant to be.


Kind regards

Felix Wiesneth - Team Tech Support

Created on Sep 17, 2020 10:47:25 AM by  Felix Wiesneth [Paessler Support]



Votes:

0

Hi i did like described but there is no change same Error Message like before

"There is no active connection for this remote IP address. The reason might be an issue with Cisco's SNMP component. The data that PRTG receives from the device is incorrect. To resolve this issue, see https://kb.paessler.com/en/topic/59643. (code: PE123)"

What did i wrong ? Any ideas?

Version 20.3.61.1649+

Created on Jan 15, 2021 10:14:46 AM

Last change on Jan 18, 2021 6:06:59 AM by  Felix Wiesneth [Paessler Support]



Votes:

0

Hi Kevin,

I would ask you to reach out to [email protected] with PAE2062708 in the subject. This way troubleshooting is easier. For further troubleshooting please add more detailed information(screenshots,...) to your mail. Thank you in advance.


Kind regards

Felix Wiesneth - Team Tech Support

Created on Jan 20, 2021 8:09:26 AM by  Felix Wiesneth [Paessler Support]



Votes:

0

Hi All,

I'm a bit late to the party with this one but I had this same error when trying to monitor an IKEv2 VPN.

In point 2 of the Best Answer solution above, it says to keep the brackets when adding the remote IP. However, I had to remove the brackets from the connection setting (line 34 in the template). Once I done that and changed the sensor settings to IKEv1 and IKEv2, and ran auto-discovery, the monitoring came up.

Hopefully this is helpful to some of you who still had the error after trying the steps.

Created on May 3, 2023 1:35:29 PM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.