When I use the SNMP Cisco ASA VPN Traffic sensor and the tunnel is established with IKEv2 (shown type: User to LAN), I get the error There is no active connection for this remote IP address. (code: PE123). If the same VPN tunnel is established with IKEv1 (shown type: LAN to LAN), there is no problem.
Created on Dec 17, 2013 7:40:09 AM by
Last change on Sep 17, 2019 7:25:36 AM by
This article applies to PRTG Network Monitor 19 or later
When using the SNMP Cisco ASA VPN Traffic sensor, you may observe that establishing the VPN tunnel with IKEv1 works fine whereas IKEv2 throws the error message There is no active connection for this remote IP address. (code: PE123).
This seems to be a bug in Cisco’s SNMP component. The data that PRTG receives from the device via SNMP is simply incorrect. For example, when adding a new sensor, you will see that the Remote IP is actually your local IP address and the Sensor Name is the remote IP. This is also the reason why PRTG sees this as a "User to LAN" connection. On "LAN to LAN", the remote IP and the sensor name are identical. We have done some testing, but it is impossible for us to automatically detect this.
However, there is also some good news. We created a device template that you can use to "manually" add the sensor. Follow the steps below:
If you want to add multiple sensors, you can
In both cases, you need to make sure that you change the id attribute in the <create> element because there can only be one sensor per device with a specific create-id.
See the following screenshot for an example of how to edit the template to create multiple (in this case, two) sensors. We highlighted the sections that you have to change in comparison to the "original" template. You have to insert the same remote IP into each <create> element twice. Also, you have to edit the ID.
Created on Dec 19, 2013 12:49:43 PM by
Last change on Jul 29, 2019 5:40:04 AM by
Please run 2 "Walk" tests against the device in case via our SNMP Tester.
Please use the following base OIDs for the tests:
1.3.6.1.4.1.9.9.171
1.3.6.1.4.1.9.9.392
Please forward us the results to [email protected], with reference to this thread.
Created on Dec 18, 2013 2:10:10 PM by
This article applies to PRTG Network Monitor 19 or later
When using the SNMP Cisco ASA VPN Traffic sensor, you may observe that establishing the VPN tunnel with IKEv1 works fine whereas IKEv2 throws the error message There is no active connection for this remote IP address. (code: PE123).
This seems to be a bug in Cisco’s SNMP component. The data that PRTG receives from the device via SNMP is simply incorrect. For example, when adding a new sensor, you will see that the Remote IP is actually your local IP address and the Sensor Name is the remote IP. This is also the reason why PRTG sees this as a "User to LAN" connection. On "LAN to LAN", the remote IP and the sensor name are identical. We have done some testing, but it is impossible for us to automatically detect this.
However, there is also some good news. We created a device template that you can use to "manually" add the sensor. Follow the steps below:
If you want to add multiple sensors, you can
In both cases, you need to make sure that you change the id attribute in the <create> element because there can only be one sensor per device with a specific create-id.
See the following screenshot for an example of how to edit the template to create multiple (in this case, two) sensors. We highlighted the sections that you have to change in comparison to the "original" template. You have to insert the same remote IP into each <create> element twice. Also, you have to edit the ID.
Created on Dec 19, 2013 12:49:43 PM by
Last change on Jul 29, 2019 5:40:04 AM by
The template doesn't changed any thing. The sensor was created with the local IP as remote IP again. I found following workaound: - stop PRTG Service - open Configuration file - change Remote-IP to the right value and save file - restart PRTG Service
Could this change to the configuration file cause problems in the future?
Created on Dec 19, 2013 3:38:06 PM by
Sorry my fault, took wrong template (I already had one with a similar name). The template works, the workaroung too.
Created on Dec 19, 2013 3:41:17 PM by
We highly recommend to use the devicetemplate and not to edit the configuration manually.
If you changed the configuration file already and your sensor works now (and all other sensors do also still work) it is not too likely that it will cause anything really bad to happen. If you encounter any new bugs within the next days, please be honest and let the support team know, that you did manual changes, though.
Created on Dec 20, 2013 12:18:19 PM by
Hi I have aded the template and have auto-discovered the ASA device. However I am unable to the IKEv2 tunnels. When I click on add sensor I am still not able to add the IKEv2 tunnels , IKEv1 are working fine. I have rasied a cal with support but after 3 days they refuse to talk to me via phone. we have a support contract and have paid for maintenance.
Created on Feb 2, 2015 12:44:18 PM by
Did you use the template to run the Auto-Discovery with? If so, you shouldn't be adding the sensor manually. Our support policy is to only do remote sessions or phone calls when PRTG is completely broken and there is no other way to solve the issue.
Created on Feb 2, 2015 12:59:14 PM by
confirmed this resolved my error as well
I followed the instructions but still receive the same error. Any other suggestions?
Created on Aug 26, 2015 2:05:53 PM by
Dear Ceriel Roland
Which PRTG version (including the four-digit build number) are you currently using?
Created on Aug 28, 2015 1:39:57 PM by
I have over 25 different site-2-site (Lan-2-Lan) tunnels on a single firewall. Am I going to have to make 25 copies of this device template to get these to be monitored again? They were working for many months, but after a recent update to 15.3.17.2996 or so, I see its broken.
please advise.
Created on Sep 14, 2015 3:41:43 PM by
@dclick: It would be possible to create one template with 35 create tags (just duplicate the create tags with all contents).
However, you would have to replace the id's and IPs accordingly within the one template. Afterwards the template should create all your sensors.
Best regards
Created on Sep 17, 2015 2:23:14 PM by
Im also getting There is no active connection for this remote IP address. (code: PE123) error while my connections are all IKEv1
mx00nr001/pri/act# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : x.x.x.x Index : 131 IP Addr : x.x.x.x Protocol : IKEv1 IPsec Encryption : IKEv1: (1)AES256 IPsec: (1)AES256 Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1 Bytes Tx : 1867268940 Bytes Rx : 2361103366 Login Time : 05:00:24 UTC Thu Oct 8 2015 Duration : 5d 7h:53m:55s
Connection : x.x.x.x Index : 150 IP Addr : x.x.x.x Protocol : IKEv1 IPsec Encryption : IKEv1: (1)AES256 IPsec: (1)3DES Hashing : IKEv1: (1)SHA1 IPsec: (1)MD5 Bytes Tx : 32878980 Bytes Rx : 4176673 Login Time : 00:05:10 UTC Mon Oct 12 2015 Duration : 1d 12h:49m:09s
Connection : x.x.x.x Index : 174 IP Addr : x.x.x.x Protocol : IKEv1 IPsec Encryption : IKEv1: (1)AES256 IPsec: (2)AES256 Hashing : IKEv1: (1)SHA1 IPsec: (2)SHA1 Bytes Tx : 2655399 Bytes Rx : 300480 Login Time : 12:24:49 UTC Tue Oct 13 2015 Duration : 0h:29m:30s
Created on Oct 13, 2015 11:56:49 AM by
Hi mverboom,
Could you please use the SNMP Tester Tool and perform a walk over the OID
1.3.6.1.4.1.9.9.392
followed by a walk over the OID
1.3.6.1.4.1.9.9.171
and forward the results to [email protected]? Please refer to this knowledge base article.
Best regards, Felix
Created on Oct 14, 2015 4:25:49 AM by
The fix no longer works for me in version 16.3.25.5767. I have just opened a support case.
Created on Sep 12, 2016 2:56:36 PM by
I also get this error while using IKEv1. The tunnel was even up in a case, but the sensor was "stuck" with that error. Adding the sensor again worked, meaning it wasnt red anymore, but is a bad ideea if I have to add them all again manually when this happens. Losing traffic history and alot of work. Any ideea to circumvent this? Also, is it posible for the cisco asa vpn sensor to go to warning when no connection is active for like 24 hours and to red only after that ?
Dear Silavric,
The SNMP Cisco ASA sensor will use the RemoteIP as the identification key for the connection. If this IP address changes for any reason, PRTG will consider the connection as down and show an error message. The only way to keep the historic data is to pause the old sensor. This will also allow you to create reports with the historic data.
I'm afraid that it's not possible to set the sensor into a warning status if the connection is not available, the sensor will directly get into an alarm status.
Best regards, Felix
Created on Apr 11, 2017 6:57:02 AM by
Is there a new fix for this? The one from here doesn't work, the sensor still appears down even though vpn is up.
Created on Aug 23, 2018 9:35:03 AM by
Hi BM,
I'm not aware that this got fixed by Cisco to return the correct values for IKEv2 tunnels which are up via SNMP. Could you please provide your adjusted template to [email protected] and mention the IP address of the VPN's tunnel for further investigation?
Best regards, Felix
Created on Aug 24, 2018 7:57:48 AM by
I have been using the standard sensor for 7x IKEv2 VPN's which was working perfectly fine. I recently added 2 more VPN's on the ASA, using the same IPsec profile as the others. Before I added them to PRTG to monitoring, all the old sensors stopped working, showing the error PE123. If I try to re-add them, they appear as discovered, but when I add them it gives error PE123 straight away. I tried the template in this thread, but an autodiscover isn't finding anything. Any ideas?
Created on Sep 28, 2018 7:12:46 AM by
Dear Jarrad,
As no sensors are discovered via the template, it means that the Ping from the PRTG probe to the ASA does not succeed - this is the requirement for the template. Could you please write an email to [email protected] by referring to this case, I'll then be able to create a personal template for you. Please include the IP address of the IKEv2 tunnel which you want to monitor.
Kind regards,
Felix Saure, Tech Support Team
Created on Sep 28, 2018 7:40:08 AM by
Hi Felix, I am monitoring the ASA for ping and system health etc via SNMP (which is working). So the ping and snmp check should pass. I will open a support ticket now. Thanks.
Created on Oct 2, 2018 12:24:28 AM by
Have there been any issues with the manual method of adding a sensor for the ikev2 VPNs?
Create a SNMP CISCO ASA Traffic sensor and edit the remote IP, rename and save.
Hi JoeLoveTB,
Not to our knowledge. Did you also change the <create-id<?
If so, kindly forward the created template to [email protected] for further investigation.
Kind regards,
Felix Saure, Tech Support Team
Created on Jun 6, 2019 6:17:26 AM by
Please log in or register to enter your reply.
Add comment