
I get the error PE123 when using the SNMP Cisco ASA VPN Traffic sensor. What can I do?

Votes: 0

When I use the SNMP Cisco ASA VPN Traffic sensor and the tunnel is established with IKEv2 (shown type: User to LAN), I get the error "There is no active connection for this remote IP address. (code: PE123)". If the same VPN tunnel is established with IKEv1 (shown type: LAN to LAN), there is no problem.

asa cisco cisco-asa-vpn error error-messages pe123 prtg sensor snmp vpn

Created on Dec 17, 2013 7:40:09 AM by  christian klier (0) 1

Last change on Sep 17, 2019 7:25:36 AM by  Maike Behnsen [Paessler Support]



Best Answer

Accepted Answer

Votes: 2

This article applies to PRTG Network Monitor 19 or later

How to Use the SNMP Cisco ASA VPN Traffic Sensor with IKEv2

Error Code PE123: Workaround

When using the SNMP Cisco ASA VPN Traffic sensor, you may observe that establishing the VPN tunnel with IKEv1 works fine whereas IKEv2 throws the error message "There is no active connection for this remote IP address. (code: PE123)".

This seems to be a bug in Cisco’s SNMP component. The data that PRTG receives from the device via SNMP is simply incorrect. For example, when adding a new sensor, you will see that the Remote IP is actually your local IP address and the Sensor Name is the remote IP. This is also the reason why PRTG sees this as a "User to LAN" connection. On "LAN to LAN", the remote IP and the sensor name are identical. We have done some testing, but it is impossible for us to automatically detect this.

However, there is also some good news. We created a device template that you can use to "manually" add the sensor. Follow the steps below:

  1. Download the device template and unzip it to the \devicetemplates subfolder of your PRTG installation.
  2. Open the file with a text editor. You will find three places where we put [RemoteIP]. Replace [RemoteIP] (including the brackets) with the actual remote IP of the VPN connection you want to monitor.
  3. In the PRTG web interface, open the device settings and set the Sensor Management to Automatic sensor creation using specific device template(s).
  4. A list of device templates appears. You can only check CiscoASAVPNTunnel [RemoteIP].
  5. Now, just start the auto-discovery for this device and it will add a sensor for this connection.

If you want to add multiple sensors, you can

  • either copy the <create> element and use one per sensor you want to add,
  • or you can add the sensors one after the other, edit the template, and run the auto-discovery each time.

In both cases, you need to make sure that you change the id attribute in the <create> element because there can only be one sensor per device with a specific create-id.

Example: Editing the Device Template

See the following screenshot for an example of how to edit the template to create multiple (in this case, two) sensors. We highlighted the sections that you have to change in comparison to the "original" template. You have to insert the same remote IP into each <create> element twice. Also, you have to edit the ID.

[Screenshot: Cisco VPN Device Template Example]

Created on Dec 19, 2013 12:49:43 PM by  Johannes Herrmann [Paessler Support] (1,320) 2 2

Last change on Jul 29, 2019 5:40:04 AM by  Maike Behnsen [Paessler Support]
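
The multi-sensor edit described in this answer, scripted as an added example (not Paessler's code and not the actual template file): it clones the single <create> element once per remote IP, fills in [RemoteIP] and gives each copy a unique id. The sample XML, the `asavpn_` id scheme and the `label` written into the token outside <create> are assumptions.

```python
import copy
import ipaddress
import xml.etree.ElementTree as ET

TOKEN = "[RemoteIP]"  # placeholder token named in the article

# Constructed stand-in for the downloaded file. Only <create>, its id attribute
# and [RemoteIP] come from the article; all other names are placeholders.
SAMPLE = """<devicetemplate name="CiscoASAVPNTunnel [RemoteIP]">
  <create id="vpn_1" displayname="VPN [RemoteIP]">
    <remoteip>[RemoteIP]</remoteip>
  </create>
</devicetemplate>"""

def fill(elem, value):
    """Replace the token in every attribute value and text node under elem."""
    for node in elem.iter():
        for key, val in list(node.attrib.items()):
            node.set(key, val.replace(TOKEN, value))
        if node.text:
            node.text = node.text.replace(TOKEN, value)

def expand_template(xml_text, remote_ips, label="multi"):
    """Return template XML with one <create> per remote IP, each with a unique id."""
    ips = [str(ipaddress.ip_address(ip.strip())) for ip in remote_ips]  # rejects typos
    if not ips or len(set(ips)) != len(ips):
        raise ValueError("need at least one remote IP, without duplicates")
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    creates = list(root.iter("create"))
    if len(creates) != 1:
        raise ValueError("expected the original template with a single <create>")
    original = creates[0]
    parent = parents[original]
    pos = list(parent).index(original)
    parent.remove(original)
    for offset, ip in enumerate(ips):
        clone = copy.deepcopy(original)
        fill(clone, ip)  # the same remote IP goes into every token of this copy
        clone.set("id", "asavpn_" + ip.replace(".", "_").replace(":", "_"))  # assumed id scheme
        parent.insert(pos + offset, clone)
    fill(root, label)  # assumption: a token left outside <create> gets a label
    return ET.tostring(root, encoding="unicode")

def create_ids(xml_text):
    """List the id of every <create> element, for a uniqueness check before import."""
    return [c.get("id") for c in ET.fromstring(xml_text).iter("create")]
```

Run it against a copy of the original, unedited template; a file that already contains several <create> elements is rejected rather than expanded again.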



24 Replies

Votes: 0

Please run 2 "Walk" tests against the device in case via our SNMP Tester.

Please use the following base OIDs for the tests:

1.3.6.1.4.1.9.9.171

1.3.6.1.4.1.9.9.392

Please forward us the results to [email protected], with reference to this thread.

Created on Dec 18, 2013 2:10:10 PM by  Patrick Hutter [Paessler Support] (7,164) 3 3






Votes: 0

The template didn't change anything. The sensor was created with the local IP as remote IP again. I found the following workaround:

  • stop PRTG Service
  • open Configuration file
  • change Remote-IP to the right value and save file
  • restart PRTG Service

Could this change to the configuration file cause problems in the future?

Created on Dec 19, 2013 3:38:06 PM by  christian klier (0) 1



Votes: 0

Sorry, my fault, took the wrong template (I already had one with a similar name). The template works, the workaround too.

Created on Dec 19, 2013 3:41:17 PM by  christian klier (0) 1



Votes: 0

We highly recommend using the device template and not editing the configuration manually.

If you changed the configuration file already and your sensor works now (and all other sensors also still work), it is not too likely that it will cause anything really bad to happen. If you encounter any new bugs within the next days, please be honest and let the support team know that you made manual changes, though.

Created on Dec 20, 2013 12:18:19 PM by  Johannes Herrmann [Paessler Support] (1,320) 2 2



Votes: 0

Hi, I have added the template and have auto-discovered the ASA device. However I am unable to the IKEv2 tunnels. When I click on add sensor I am still not able to add the IKEv2 tunnels; IKEv1 are working fine. I have raised a call with support but after 3 days they refuse to talk to me via phone. We have a support contract and have paid for maintenance.

Created on Feb 2, 2015 12:44:18 PM by  Paypoint (0)



Votes: 0

Did you use the template to run the Auto-Discovery with? If so, you shouldn't be adding the sensor manually. Our support policy is to only do remote sessions or phone calls when PRTG is completely broken and there is no other way to solve the issue.

Created on Feb 2, 2015 12:59:14 PM by  Greg Campion [Paessler Support]



Votes: 0

confirmed this resolved my error as well

Created on Apr 14, 2015 7:59:39 PM by  kube1984 (550) 3 1



Votes: 0

I followed the instructions but still receive the same error. Any other suggestions?

Created on Aug 26, 2015 2:05:53 PM by  Ceriel Roland (0)



Votes: 0

Dear Ceriel Roland

Which PRTG version (including the four-digit build number) are you currently using?

Created on Aug 28, 2015 1:39:57 PM by  Arne Seifert [Paessler Support]



Votes: 0

I have over 25 different site-2-site (Lan-2-Lan) tunnels on a single firewall. Am I going to have to make 25 copies of this device template to get these to be monitored again? They were working for many months, but after a recent update to 15.3.17.2996 or so, I see it's broken.

Please advise.

Created on Sep 14, 2015 3:41:43 PM by  dclick (0)



Votes: 0

@dclick: It would be possible to create one template with 35 create tags (just duplicate the create tags with all contents).
However, you would have to replace the id's and IPs accordingly within the one template. Afterwards the template should create all your sensors.
Best regards

Created on Sep 17, 2015 2:23:14 PM by  Konstantin Wolff [Paessler Support]



Votes: 0

I'm also getting "There is no active connection for this remote IP address. (code: PE123)" error while my connections are all IKEv1

mx00nr001/pri/act# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : x.x.x.x
Index : 131    IP Addr : x.x.x.x
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 1867268940    Bytes Rx : 2361103366
Login Time : 05:00:24 UTC Thu Oct 8 2015
Duration : 5d 7h:53m:55s

Connection : x.x.x.x
Index : 150    IP Addr : x.x.x.x
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (1)MD5
Bytes Tx : 32878980    Bytes Rx : 4176673
Login Time : 00:05:10 UTC Mon Oct 12 2015
Duration : 1d 12h:49m:09s

Connection : x.x.x.x
Index : 174    IP Addr : x.x.x.x
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (2)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (2)SHA1
Bytes Tx : 2655399    Bytes Rx : 300480
Login Time : 12:24:49 UTC Tue Oct 13 2015
Duration : 0h:29m:30s

Created on Oct 13, 2015 11:56:49 AM by  mverboom (0)



Votes: 0

Hi mverboom,

Could you please use the SNMP Tester Tool and perform a walk over the OID

1.3.6.1.4.1.9.9.392

followed by a walk over the OID

1.3.6.1.4.1.9.9.171

and forward the results to [email protected]? Please refer to this knowledge base article.

Best regards, Felix

Created on Oct 14, 2015 4:25:49 AM by  Felix Saure [Paessler Support]



Votes: 0

The fix no longer works for me in version 16.3.25.5767. I have just opened a support case.

Created on Sep 12, 2016 2:56:36 PM by  SelDS (0)



Votes: 0

I also get this error while using IKEv1. The tunnel was even up in a case, but the sensor was "stuck" with that error. Adding the sensor again worked, meaning it wasn't red anymore, but it is a bad idea if I have to add them all again manually when this happens. Losing traffic history and a lot of work. Any idea to circumvent this? Also, is it possible for the Cisco ASA VPN sensor to go to warning when no connection is active for like 24 hours and to red only after that?

Created on Apr 10, 2017 2:09:06 PM by  silavric (0) 1



Votes: 0

Dear Silavric,

The SNMP Cisco ASA sensor will use the RemoteIP as the identification key for the connection. If this IP address changes for any reason, PRTG will consider the connection as down and show an error message. The only way to keep the historic data is to pause the old sensor. This will also allow you to create reports with the historic data.

I'm afraid that it's not possible to set the sensor into a warning status if the connection is not available, the sensor will directly get into an alarm status.

Best regards, Felix

Created on Apr 11, 2017 6:57:02 AM by  Felix Saure [Paessler Support]



Votes: 0

Is there a new fix for this? The one from here doesn't work, the sensor still appears down even though vpn is up.

Created on Aug 23, 2018 9:35:03 AM by  BM (0)



Votes: 0

Hi BM,

I'm not aware that this got fixed by Cisco to return the correct values for IKEv2 tunnels which are up via SNMP. Could you please provide your adjusted template to [email protected] and mention the IP address of the VPN's tunnel for further investigation?

Best regards, Felix

Created on Aug 24, 2018 7:57:48 AM by  Felix Saure [Paessler Support]



Votes: 0

I have been using the standard sensor for 7x IKEv2 VPN's which was working perfectly fine. I recently added 2 more VPN's on the ASA, using the same IPsec profile as the others. Before I added them to PRTG to monitoring, all the old sensors stopped working, showing the error PE123. If I try to re-add them, they appear as discovered, but when I add them it gives error PE123 straight away. I tried the template in this thread, but an autodiscover isn't finding anything. Any ideas?

Created on Sep 28, 2018 7:12:46 AM by  Jarrad Thomas (0) 1



Votes: 0

Dear Jarrad,

As no sensors are discovered via the template, it means that the Ping from the PRTG probe to the ASA does not succeed - this is the requirement for the template. Could you please write an email to [email protected] by referring to this case, I'll then be able to create a personal template for you. Please include the IP address of the IKEv2 tunnel which you want to monitor.


Kind regards,
Felix Saure, Tech Support Team

Created on Sep 28, 2018 7:40:08 AM by  Felix Saure [Paessler Support]



Votes: 0

Hi Felix, I am monitoring the ASA for ping and system health etc via SNMP (which is working). So the ping and snmp check should pass. I will open a support ticket now. Thanks.

Created on Oct 2, 2018 12:24:28 AM by  Jarrad Thomas (0) 1



Votes: 0

Have there been any issues with the manual method of adding a sensor for the ikev2 VPNs?

Create a SNMP CISCO ASA Traffic sensor and edit the remote IP, rename and save.

Created on Jun 5, 2019 5:48:11 PM by  JoeLoveTB (0) 1



Votes: 0

Hi JoeLoveTB,

Not to our knowledge. Did you also change the <create-id>?

If so, kindly forward the created template to [email protected] for further investigation.


Kind regards,
Felix Saure, Tech Support Team

Created on Jun 6, 2019 6:17:26 AM by  Felix Saure [Paessler Support]


