CISCO-IKE-FLOW-MIB by vendor Cisco

CISCO-IKE-FLOW-MIB file content

SNMP is used to convey information and commands between agents and managing entities. It uses the User Datagram Protocol (UDP) as the transport protocol for passing data between managers and agents. There are two reasons for using UDP: first, it has low overhead compared with TCP, which uses a 3-way handshake to set up a connection; second, in congested networks SNMP over TCP is a bad idea, because TCP will flood the network with retransmissions in order to maintain reliability.

Management information is represented as a collection of managed objects. Together these objects form a virtual information base called the MIB. An agent may implement many MIBs, but all agents must implement a particular MIB called MIB-II [16]. This standard defines variables for things such as interface statistics (interface speeds, MTU, octets sent, octets received, etc.) as well as various other things pertaining to the system itself (system location, system contact, etc.). The main goal of MIB-II is to provide general TCP/IP management information.

Use ActiveXperts Network Monitor 2019 to import vendor-specific MIB files, including CISCO-IKE-FLOW-MIB.


Vendor: Cisco
Mib: CISCO-IKE-FLOW-MIB
-- *------------------------------------------------------------------
-- * CISCO-IKE-FLOW-MIB.my:
-- *                   IKE Flow Monitoring MIB
-- *
-- * July 2004, S Ramakrishnan
-- *
-- * Copyright (c) 2004 by Cisco Systems, Inc.
-- * All rights reserved.
-- *------------------------------------------------------------------

  CISCO-IKE-FLOW-MIB DEFINITIONS ::= BEGIN

    IMPORTS
      MODULE-IDENTITY, 
      OBJECT-TYPE, 
      NOTIFICATION-TYPE,
      Counter32, 
      Counter64, 
      Unsigned32                        FROM SNMPv2-SMI
      TruthValue                        FROM SNMPv2-TC
      MODULE-COMPLIANCE, 
      OBJECT-GROUP,
      NOTIFICATION-GROUP                FROM SNMPv2-CONF
      cisgIpsSgProtocol,
      cisgIpsSgTunIndex,
      cisgIpsSgTunHistIndex,
      cisgIpsSgFailLocalAddress,
      cisgIpsSgFailRemoteAddress        FROM CISCO-IPSEC-SIGNALING-MIB
      CIPsecIkeNegoMode,
      CIPsecDiffHellmanGrp              FROM CISCO-IPSEC-TC
      ciscoMgmt                         FROM CISCO-SMI;

    ciscoIkeFlowMIB MODULE-IDENTITY
         LAST-UPDATED "200409140000Z"
         ORGANIZATION "Cisco Systems"
         CONTACT-INFO
                 "       Cisco Systems
                         Customer Service

                 Postal: 170 W Tasman Drive
                         San Jose, CA  95134
                         USA

                    Tel: +1 800 553-NETS
                 E-mail: cs-ipsecmib@external.cisco.com"

         DESCRIPTION
                 "This is a MIB module for monitoring the structures
                  and status of IPsec control flows based on Internet
                  Key Exchange protocol. The MIB models standard 
                  aspects of the IKE protocol.
          
                  Synopsis

                  This MIB module models status, performance and 
                  failures of the IKEv1- and IKEv2-based signaling in
                  IPsec, FC-SP(and similar) protocols. In practice, 
                  the security protocols such as IPsec, FC-SP and 
                  CTS use a signaling protocol such as IKE, KINK, 
                  or some such. A number of characteristics of these
                  signaling protocols are generic.
                  The generic attributes and status of signaling 
                  activity has been modeled in 
                  CISCO-IPSEC-SIGNALING-MIB. This MIB module augments
                  CISCO-IPSEC-SIGNALING-MIB with IKE-specific
                  MIB objects.
                  (Signaling protocols are also referred to this 
                  document as 'Control Protocols', since they perform
                  session control.)

                  History of the MIB
                  A precursor to this MIB was written by Tivoli and
                  implemented in IBM Nways routers in 1999. That 
                  MIB instrumented both IKE(v1) and IPsec in a 
                  single module. During late 1999, Cisco adopted 
                  the MIB and together with Tivoli published the 
                  IPsec Flow Monitor MIB in IETF IPsec WG in 
                  draft-ietf-ipsec-flow-monitoring-mib-00.txt. 
                  In 2000, the MIB was Cisco-ized and implemented
                  this draft as CISCO-IPSEC-FLOW-MONITOR-MIB in 
                  IOS and VPN3000 platforms.

                  With the evolution of IKEv2, the MIB was modified
                  and presented to the IPsec WG again in May 2003 
                  in draft-ietf-ipsec-flow-monitoring-mib-02.txt.

                  This version of the draft is a Cisco-ized version
                  that culls out the IKE-specific aspects of the
                  IPsec Flow Monitor MIB. 

                  Overview of MIB
                  The MIB contains five major groups of objects which 
                  are used to manage the IKE protocol activity. These 
                  groups include the global statistics, IKE tunnel 
                  table, IKE History Group and a notification Group.

                  The tunnel table and the history table have a 
                  sparse-table relationship with the corresponding
                  tables in the CISCO-IPSEC-SIGNALING-MIB 
                  (details in the DESCRIPTION of the respective 
                  tables). 
     
                  Acronyms
                  The following acronyms are used in this document:     
              
                  Flow, Tunnel:
                      An ISAKMP SA can be regarded as representing
                      a flow of ISAKMP/IKE traffic. Hence an ISAKMP
                      is referred to as a 'Phase 1 Tunnel' in this
                      document. 
                   
                  IPsec: 
                      Secure IP Protocol 
       
                  ISAKMP:
                      Internet Security Association and Key
                      Management Protocol

                  IKE:
                      Internet Key Exchange Protocol
       
                  MM:
                      Main Mode - the process of setting up
                      a Phase 1 SA to secure the exchanges
                      required to setup Phase 2 SAs

                  Phase 2 Tunnel:
                      AN instance of a non-ISAKMP SA  bundle in 
                      which all the SA share the same proxy 
                      identifiers (IDii,IDir) protect the same 
                      stream of application traffic.
                      Such an SA bundle is termed a 'Phase 2 Tunnel'.
                      Note that a Phase 2 tunnel may comprise 
                      different SA bundles and different number of 
                      SA bundles at different 
                      times (due to key refresh).

                  QM:         
                      Quick Mode - the process of setting up
                      Phase 2 Security Associations using a 
                      Phase 1 SA.
       
                  SA: 
                      Security Association (ref: rfc2408).

                  VPN:
                      Virtual Private Network. "

         REVISION    "200409140000Z"
         DESCRIPTION
                 "Initial version."
         ::= { ciscoMgmt 429 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- IKE MIB Object Groups
   --
   -- This MIB module contains the following groups:
   -- 1) IKE Globals group
   -- 2) IKE Tunnel table
   -- 3) IKE History group
   -- 4) IKE Failure group
   -- 5) IKE Notifications group
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   ciscoIkeFlowMIBNotifs  OBJECT IDENTIFIER
              ::= { ciscoIkeFlowMIB 0 }

   ciscoIkeFlowMIBObjects OBJECT IDENTIFIER
              ::= { ciscoIkeFlowMIB 1 }

   ciscoIkeFlowMIBConform OBJECT IDENTIFIER
              ::= { ciscoIkeFlowMIB 2 }

   cifIkeCurrentActivity OBJECT IDENTIFIER
                  ::= { ciscoIkeFlowMIBObjects 1 }

   cifIkeHistory         OBJECT IDENTIFIER
                  ::= { ciscoIkeFlowMIBObjects 2 }

   cifIkeNotifControl       OBJECT IDENTIFIER
                  ::= { ciscoIkeFlowMIBObjects 3 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- The IKE Global Statistics Table
   -- This table has a sparse table relationship with the generic 
   -- IPsec Phase-1 Global Statistics table defined in 
   -- CISCO-IPSEC-SIGNALING-MIB.
   -- For those rows in the generic Phase-1 Global Statistics table
   -- that corresponds to IKE protocol, there is one row in 
   -- the following table.
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   cifIkeGlobalStatsTable  OBJECT-TYPE
      SYNTAX SEQUENCE OF CifIkeGlobalStatsEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
       "
       The Phase-1 IKE Global Statistics Table.
       There is one entry in this table for each Phase-1 IKE,
       protocol('cpIkev1' and 'cpIkev2') implemented by the 
       managed entity.
       
       For all the counter objects in the table below, initially when
       the IKE Tunnel becomes active and appears in this 
       table, they would contain a value of zero.
       "
      ::= { cifIkeCurrentActivity 1 }
      
   cifIkeGlobalStatsEntry OBJECT-TYPE
      SYNTAX     CifIkeGlobalStatsEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
      "
      Each entry contains the global statistics pertaining
      to the specific IKE protocol.
      "
      INDEX { cisgIpsSgProtocol }
      ::= { cifIkeGlobalStatsTable 1 }

   CifIkeGlobalStatsEntry ::= SEQUENCE {
      cifIkeGlobalInP2Exchgs            Counter64,
      cifIkeGlobalInP2ExchgInvalids     Counter64,
      cifIkeGlobalInP2ExchgRejects      Counter64,
      cifIkeGlobalOutP2Exchgs           Counter64,
      cifIkeGlobalOutP2ExchgInvalids    Counter64,
      cifIkeGlobalOutP2ExchgRejects     Counter64,
      cifIkeGlobalInXauths              Counter64,
      cifIkeGlobalInXauthFailures       Counter64,
      cifIkeGlobalOutXauthFailures      Counter64,
      cifIkeGlobalInNewGrpReqs          Counter64,
      cifIkeGlobalOutNewGrpReqs         Counter64,
      cifIkeGlobalInNewGrpRejectReqs    Counter64,
      cifIkeGlobalOutNewGrpRejectReqs   Counter64
   }
    
   cifIkeGlobalInP2Exchgs OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges 
       received by all currently and previously 
       active Phase-1 Tunnels.
       "
      ::= { cifIkeGlobalStatsEntry 1 }

   cifIkeGlobalInP2ExchgInvalids OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges which were
       received and found to be invalid by all currently and
       previously active Phase-1 Tunnels.
       "
      ::= { cifIkeGlobalStatsEntry 2 }

   cifIkeGlobalInP2ExchgRejects OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges 
       which were received and rejected by all 
       currently and previously active Phase-1 Tunnels.
       "
      ::= { cifIkeGlobalStatsEntry 3 }

   cifIkeGlobalOutP2Exchgs OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges which were
       sent by all currently and previously active IPsec 
       Phase-1 Tunnels.
       "
      ::= { cifIkeGlobalStatsEntry 4 }

   cifIkeGlobalOutP2ExchgInvalids OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges which were
       sent and found to be invalid by all currently and 
       previously active Phase-1 Tunnels.
       "
      ::= { cifIkeGlobalStatsEntry 5 }

   cifIkeGlobalOutP2ExchgRejects OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges 
       which were sent and rejected by all currently and
       previously active Phase-1 IKE Tunnels.
       "
      ::= { cifIkeGlobalStatsEntry 6 }

   cifIkeGlobalInXauths OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Failures"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The number of times the extended authentication
       requests was received by the managed entity
       from a peer.
       "
      ::= { cifIkeGlobalStatsEntry 7 }

   cifIkeGlobalInXauthFailures OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Failures"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The number of times the extended authentication
       information supplied by an IKE peer was found
       to be invalid by the local entity.
       "
      ::= { cifIkeGlobalStatsEntry 8 }

   cifIkeGlobalOutXauthFailures OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Failures"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The number of times the extended authentication
       information supplied by the managed entity to an
       IKE peer was found to be invalid by the remote peer.
       "
      ::= { cifIkeGlobalStatsEntry 9 }

   cifIkeGlobalInNewGrpReqs OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       remotely.
       "
      ::= { cifIkeGlobalStatsEntry 10 }

   cifIkeGlobalOutNewGrpReqs OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       locally.
       "
      ::= { cifIkeGlobalStatsEntry 11 }

   cifIkeGlobalInNewGrpRejectReqs OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       remotely that ended in reject.
       "
      ::= { cifIkeGlobalStatsEntry 12 }

   cifIkeGlobalOutNewGrpRejectReqs OBJECT-TYPE
      SYNTAX     Counter64
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       locally that ended in reject.
       "
      ::= { cifIkeGlobalStatsEntry 13 }

-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
-- The Internet Key Exchange Tunnel Table
-- This table has a sparse table relationship with the generic 
-- IPsec Phase-1 Tunnel table defined in 
-- CISCO-IPSEC-SIGNALING-MIB.
-- For those rows in the generic Phase-1 Tunnel table
-- that corresponds to IKE protocol, there is one row in 
-- the following table.
-- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   cifIkeTunnelTable OBJECT-TYPE
      SYNTAX SEQUENCE OF CifIkeTunnelEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
       "
       The Phase-1 Internet Key Exchange Tunnel Table.
       There is one entry in this table for each active IPsec
       Phase-1 IKE Tunnel.
       "
     ::= { cifIkeCurrentActivity 3 }

   cifIkeTunnelEntry OBJECT-TYPE
      SYNTAX     CifIkeTunnelEntry
      MAX-ACCESS not-accessible
      STATUS     current
      DESCRIPTION
       "
       Each entry contains the attributes associated with
       an active Phase-1 IKE Tunnel.

       The rows in this table correspond 1-to-1 with a subset of
       the rows in cisgIpsSgTunnelTable, specifically the subset 
       which represent Phase-1 IKE Tunnels.
        
       Hence, the value of the index 'cisgIpsSgProtocol'
       in this table is always 'cpIkev1' or 'cpIkev2'.
        
       For all the counter objects in the table below, initially when
       the Phase-1 IKE Tunnel becomes active and appears in this 
       table, they would contain a value of zero. 
       "
      INDEX { cisgIpsSgProtocol, cisgIpsSgTunIndex }
      ::= { cifIkeTunnelTable 1}

   CifIkeTunnelEntry ::= SEQUENCE {
      cifIkeTunNegoMode               CIPsecIkeNegoMode,
      cifIkeTunDHGrp                  CIPsecDiffHellmanGrp,
      cifIkeTunSaRefreshThreshold     Unsigned32,
      cifIkeTunTotalRefreshes         Counter32,
      cifIkeTunInP2Exchgs             Counter32,
      cifIkeTunInP2ExchgInvalids      Counter32,
      cifIkeTunInP2ExchgRejects       Counter32,
      cifIkeTunInP2SaDelRequests      Counter32,
      cifIkeTunOutP2Exchgs            Counter32,
      cifIkeTunOutP2ExchgInvalids     Counter32,
      cifIkeTunOutP2ExchgRejects      Counter32,
      cifIkeTunInNewGrpReqs           Counter32,
      cifIkeTunOutNewGrpReqs          Counter32,
      cifIkeTunInNewGrpRejectedReqs   Counter32,
      cifIkeTunOutNewGrpRejectedReqs  Counter32,
      cifIkeTunInConfigs              Counter32,
      cifIkeTunOutConfigs             Counter32,
      cifIkeTunInConfigRejects        Counter32,
      cifIkeTunOutConfigRejects       Counter32
   }

   cifIkeTunNegoMode OBJECT-TYPE
      SYNTAX     CIPsecIkeNegoMode
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The negotiation mode of the Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 1 }

   cifIkeTunDHGrp OBJECT-TYPE
      SYNTAX     CIPsecDiffHellmanGrp
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The Diffie Hellman Group used in Phase-1 IKE
       negotiations.
       "
      ::= { cifIkeTunnelEntry 2 }

   cifIkeTunSaRefreshThreshold OBJECT-TYPE
      SYNTAX     Unsigned32 (0..2147483647)
      UNITS      "seconds"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The security association refresh threshold in seconds.
       If the tunnel does not refresh its security associations,
       the value of this MIB object is zero.
       "
      ::= { cifIkeTunnelEntry 3 }

   cifIkeTunTotalRefreshes OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "QM Exchanges"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of security associations refreshes 
       performed. If the tunnel does not refresh its security 
       associations, the value of this MIB object is never 
       incremented.
       "
      ::= { cifIkeTunnelEntry 4 }
      
   cifIkeTunInP2Exchgs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges received by
       this Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 5 }

   cifIkeTunInP2ExchgInvalids OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges received and
       found to be invalid by this Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 6 }

   cifIkeTunInP2ExchgRejects OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges received and
       rejected by this Phase-1 Tunnel.
       "
      ::= { cifIkeTunnelEntry 7 }

   cifIkeTunInP2SaDelRequests OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Notification Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 security association
       delete requests received by this Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 8 }

   cifIkeTunOutP2Exchgs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges sent by
       this Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 9 }

   cifIkeTunOutP2ExchgInvalids OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges sent and
       found to be invalid by this Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 10 }

   cifIkeTunOutP2ExchgRejects OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "SA Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Phase-2 exchanges sent and
       rejected by this Phase-1 IKE Tunnel.
       "
      ::= { cifIkeTunnelEntry 11 }

   cifIkeTunInNewGrpReqs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       remotely using this IKE tunnel.
       "
      ::= { cifIkeTunnelEntry 12 }

   cifIkeTunOutNewGrpReqs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       locally using this IKE tunnel.
       "
      ::= { cifIkeTunnelEntry 13 }

   cifIkeTunInNewGrpRejectedReqs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       remotely using this IKE tunnel that ended in reject. 
       "
      ::= { cifIkeTunnelEntry 14 }

   cifIkeTunOutNewGrpRejectedReqs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Negotiations"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of New Group exchanges initiated
       locally using this IKE tunnel that ended in reject.
       "
      ::= { cifIkeTunnelEntry 15 }

   cifIkeTunInConfigs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Mode Configuration Setting Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Mode Configuration settings
       received (either CFG_REPLY or CFG_SET payloads)
       by the local entity on the ISAKMP SA represented by
       this IKE tunnel.
       "
      ::= { cifIkeTunnelEntry 16 }

   cifIkeTunOutConfigs OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Mode Configuration Setting Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Mode Configuration settings
       dispatched (either CFG_REPLY or CFG_SET payloads)
       by the local entity on the ISAKMP SA represented by
       this IKE tunnel.
       "
      ::= { cifIkeTunnelEntry 17 }

   cifIkeTunInConfigRejects OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Mode Configuration Setting Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Mode Configuration settings
       which were received (either CFG_REPLY or CFG_SET
       payloads) and rejected by this entity using the ISAKMP
       SA represented by this IKE tunnel.
       "
      ::= { cifIkeTunnelEntry 18 }

   cifIkeTunOutConfigRejects OBJECT-TYPE
      SYNTAX     Counter32
      UNITS      "Mode Configuration Setting Payloads"
      MAX-ACCESS read-only
      STATUS     current
      DESCRIPTION
       "
       The total number of Mode Configuration settings
       which were dispatched (either CFG_REPLY or CFG_SET
       payloads) by this entity and were rejected by the
       peer (client) using the ISAKMP SA represented by
       this IKE tunnel.
       "
      ::= { cifIkeTunnelEntry 19 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- The IKE History Group:
   --   The IKE Tunnel History Table
   --   This table has a sparse table relationship with the
   --   generic Phase-1 Tunnel history table 
   --   'cisgIpsSgTunnelHistTable' defined in 
   --   CISCO-IPSEC-SIGNALING-MIB.
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
      cifIkeTunnelHistTable OBJECT-TYPE
         SYNTAX SEQUENCE OF CifIkeTunnelHistEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
          "
          The Phase-1 Internet Key Exchange Tunnel
          history table.  

          This table is conceptually a sliding window in 
          which only the last 'N' entries are maintained,
          where 'N' is the value of the object 
          'cisgIpsSgHistTableSize' (defined in
          defined in CISCO-IPSEC-SIGNALING-MIB).

          If the value of 'cisgIpsSgHistTableSize' is 0,
          then this table will be empty.
          
          For all the counter objects in the table below, initially
          when the Tunnel entry appears in this table, they would 
          contain a value of zero. 
          "
        ::= { cifIkeHistory 1 }

      cifIkeTunnelHistEntry OBJECT-TYPE
         SYNTAX     CifIkeTunnelHistEntry
         MAX-ACCESS not-accessible
         STATUS     current
         DESCRIPTION
          "
          Each entry contains the attributes associated with 
          a previously active Phase-1 IKE Tunnel.

          This table has a sparse table relationship with the
          generic Phase-1 Tunnel history table
          'cisgIpsSgTunnelHistTable' defined in
          CISCO-IPSEC-SIGNALING-MIB. However, the value of the
          index column in this table will always be either
          'cpIkev1' or 'cpIkev2'.
          "
         INDEX {
                cisgIpsSgProtocol,
                cisgIpsSgTunHistIndex
               }
         ::= { cifIkeTunnelHistTable 1 }

      CifIkeTunnelHistEntry ::= SEQUENCE {
         cifIkeTunHistNegoMode           CIPsecIkeNegoMode,
         cifIkeTunHistDHGrp              CIPsecDiffHellmanGrp,
         cifIkeTunHistTotalRefreshes     Counter32,
         cifIkeTunHistTotalSas           Counter32,
         cifIkeTunHistInP2Exchgs         Counter32,
         cifIkeTunHistInP2ExchgInvalids  Counter32,
         cifIkeTunHistInP2ExchgRejects   Counter32,
         cifIkeTunHistOutP2Exchgs        Counter32,
         cifIkeTunHistOutP2ExchgInvalids Counter32,
         cifIkeTunHistOutP2ExchgRejects  Counter32,
         cifIkeTunHistInNewGrpReqs       Counter32,
         cifIkeTunHistOutNewGrpReqs      Counter32,
         cifIkeTunHistInNewGrpRejectReqs Counter32,
         cifIkeTunHistOutNewGrpRejectReqs Counter32,
         cifIkeTunHistInConfigs          Counter32,
         cifIkeTunHistOutConfigs         Counter32,
         cifIkeTunHistInConfigsRejects   Counter32,
         cifIkeTunHistOutConfigsRejects  Counter32
      }

      cifIkeTunHistNegoMode OBJECT-TYPE
         SYNTAX     CIPsecIkeNegoMode
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The negotiation mode of the Phase-1 IKE Tunnel.
          "
         ::= { cifIkeTunnelHistEntry 1 }

      cifIkeTunHistDHGrp OBJECT-TYPE
         SYNTAX     CIPsecDiffHellmanGrp
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The Diffie Hellman Group used in Phase-1 IKE
          negotiations.
          "
         ::= { cifIkeTunnelHistEntry 2 }

      cifIkeTunHistTotalRefreshes OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "QM Exchanges"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of security associations
          refreshes performed.
          "
         ::= { cifIkeTunnelHistEntry 3 }

      cifIkeTunHistTotalSas       OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "SAs"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of security associations used 
          during the life of the Phase-1 IKE Tunnel.
          "
         ::= { cifIkeTunnelHistEntry 4 }

      cifIkeTunHistInP2Exchgs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "SA Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Phase-2 exchanges received
          by this Phase-1 IKE Tunnel.
          "
         ::= { cifIkeTunnelHistEntry 5 }

      cifIkeTunHistInP2ExchgInvalids OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "SA Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Phase-2 exchanges
          received on this tunnel that were found to
          contain references to unrecognized security
          parameters.
          "
         ::= { cifIkeTunnelHistEntry 6 }

      cifIkeTunHistInP2ExchgRejects OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "SA Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Phase-2 exchanges
          received on this tunnel that were validated but were
          rejected by the local policy.
          "
         ::= { cifIkeTunnelHistEntry 7 }

      cifIkeTunHistOutP2Exchgs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Notification Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Phase-2 security association
          delete requests received by this Phase-1 IKE Tunnel.
          "
         ::= { cifIkeTunnelHistEntry 8 }

      cifIkeTunHistOutP2ExchgInvalids OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "SA Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Phase-2 exchanges sent by
          this Phase-1 IKE Tunnel.
          "
         ::= { cifIkeTunnelHistEntry 9 }

      cifIkeTunHistOutP2ExchgRejects OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "SA Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Phase-2 exchanges
          sent on this tunnel that were rejected by the 
          peer, because it contained references to security
          parameters not recognized by the peer.
          "
         ::= { cifIkeTunnelHistEntry 10 }

      cifIkeTunHistInNewGrpReqs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Negotiations"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of New Group exchanges initiated
          remotely using this IKE tunnel during its lifetime.
          "
         ::= { cifIkeTunnelHistEntry 11 }

      cifIkeTunHistOutNewGrpReqs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Negotiations"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of New Group exchanges initiated
          locally using this IKE tunnel during its lifetime.
          "
         ::= { cifIkeTunnelHistEntry 12 }


      cifIkeTunHistInNewGrpRejectReqs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Negotiations"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of New Group exchanges initiated
          remotely using this IKE tunnel during its lifetime
          that ended in reject.
          "
         ::= { cifIkeTunnelHistEntry 13 }

      cifIkeTunHistOutNewGrpRejectReqs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Negotiations"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of New Group exchanges initiated
          locally using this IKE tunnel during its lifetime
          that ended in reject.
          "
         ::= { cifIkeTunnelHistEntry 14 }

      cifIkeTunHistInConfigs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Mode Configuration Setting Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Mode Configuration settings
          received (either CFG_REPLY or CFG_SET payloads)
          by the local entity on the ISAKMP SA represented by this
          IKE tunnel.
          "
         ::= { cifIkeTunnelHistEntry 15 }

      cifIkeTunHistOutConfigs OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Mode Configuration Setting Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Mode Configuration settings
          dispatched (either CFG_REPLY or CFG_SET payloads)
          by the local entity on the ISAKMP SA represented by this
          IKE tunnel.
          "
         ::= { cifIkeTunnelHistEntry 16 }

      cifIkeTunHistInConfigsRejects OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Mode Configuration Setting Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Mode Configuration settings
          which were received (either CFG_REPLY or CFG_SET
          payloads) and rejected by this entity using the ISAKMP
          SA represented by this IKE tunnel.
          "
         ::= { cifIkeTunnelHistEntry 17 }

      cifIkeTunHistOutConfigsRejects OBJECT-TYPE
         SYNTAX     Counter32
         UNITS      "Mode Configuration Setting Payloads"
         MAX-ACCESS read-only
         STATUS     current
         DESCRIPTION
          "
          The total number of Mode Configuration settings
          which were dispatched (either CFG_REPLY or CFG_SET
          payloads) by this entity and were rejected by the
          peer (client) using the ISAKMP SA represented by this
          IKE tunnel.
          "
         ::= { cifIkeTunnelHistEntry 18 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- The IKE Control Group
   --
   -- This group of objects controls the sending of IKE TRAPs.
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
      cifIkeNotifCntlInNewGrpRejected OBJECT-TYPE
         SYNTAX     TruthValue
         MAX-ACCESS read-write
         STATUS     current
         DESCRIPTION
          "
          The generation of the 'ciscoIkeFlowInNewGrpRejected'
          notification is enabled if and only if this object has the
          value 'true'.
          "
         DEFVAL { false }
         ::= { cifIkeNotifControl 1 }

      cifIkeNotifCntlOutNewGrpRejected OBJECT-TYPE
         SYNTAX     TruthValue
         MAX-ACCESS read-write
         STATUS     current
         DESCRIPTION
          "
          The generation of the 'ciscoIkeFlowOutNewGrpRejected'
          notification is enabled if and only if this object has the
          value 'true'.
          "
         DEFVAL { false }
         ::= { cifIkeNotifControl 2 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- Internet Key Exchange Notifications
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
      ciscoIkeFlowInNewGrpRejected NOTIFICATION-TYPE
         OBJECTS {
                   cisgIpsSgFailLocalAddress,
                   cisgIpsSgFailRemoteAddress
                 }
         STATUS  current
         DESCRIPTION
          "
          This notification is generated when the managed 
          entity receives and rejects an incoming new group 
          proposal from an IKE peer identified by
          'cisgIpsSgFailRemoteAddress'. 
          'cisgIpsSgFailLocalAddress' identifies the address of
          the local peer.  
          The ISAKMP context of the exchange can be obtained 
          from the IKE tunnel index which is contained in the 
          index of the varbind objects of this trap.
          "
         ::= { ciscoIkeFlowMIBNotifs 1 }

      ciscoIkeFlowOutNewGrpRejected NOTIFICATION-TYPE
         OBJECTS {
                   cisgIpsSgFailLocalAddress,
                   cisgIpsSgFailRemoteAddress
                 }
         STATUS  current
         DESCRIPTION
          "
          This notification is generated when the managed entity
          issues a new group proposal to the remote peer identified 
          by 'cisgIpsSgFailRemoteAddress' and the peer rejects the 
          proposal. 'cisgIpsSgFailLocalAddress' identifies the
          address of the local peer.
          The ISAKMP context of the exchange can be 
          obtained from the IKE tunnel index which is contained 
          in the index of the varbind objects of this trap.
          "
         ::= { ciscoIkeFlowMIBNotifs 2 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- Conformance Information
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
      ciscoIkeFlowMIBCompliances OBJECT IDENTIFIER
                      ::= { ciscoIkeFlowMIBConform 1 }

      ciscoIkeFlowMIBGroups OBJECT IDENTIFIER
                      ::= { ciscoIkeFlowMIBConform 2 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- Compliance Statements
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
      ciscoIkeFlowMIBCompliance MODULE-COMPLIANCE
         STATUS      current
         DESCRIPTION
           "The compliance statement for SNMP entities
            implementing this MIB."

         MODULE -- this module
           MANDATORY-GROUPS  { 
               ciscoIkeFlowActivityGroup
           }

       GROUP cifIkeFlowNewGroupGroup
       DESCRIPTION   
        "This group is conditionally mandatory and must be
        implemented by the agent of the managed entity if and only
        if the IKE implementation on the managed entity
        implements new group operations."

       GROUP cifIkeFlowXauthGroup 
       DESCRIPTION   
         "This group is conditionally mandatory and must be 
         implemented by the agent of the managed entity
         if the managed entity implements remote access
         of users using IPsec and implements extended
         authentication as a part of its IKE implementation."

       GROUP cifIkeFlowModeConfigGroup
       DESCRIPTION   
        "This group is a conditionally mandatory group which 
        must be implemented by the agent of the managed entity if 
        the managed entity implements Mode Configuration 
        as a part of IKE."

       GROUP cifIkeFlowHistoryGroup
       DESCRIPTION   
        "This group is conditionally mandatory and must be 
        implemented by the agent of the managed entity if and only
        if
         a) the managed entity implements Internet Key 
            Exchange as an IPsec control protocol and
         b) the managed entity implements historical 
            archiving of IKE tunnels (ISAKMP security
            associations)."

       GROUP cifIkeFlowNewGroupHistoryGroup
       DESCRIPTION   
        "This group is conditionally mandatory and must be 
        implemented by the agent of the managed entity if and only
        if
         a) the managed entity implements the group
            'cifIkeFlowHistoryGroup' and
         b) the managed entity supports new group
            operations."

       GROUP cifIkeFlowModeConfigHistoryGroup
       DESCRIPTION   
        "This group is conditionally mandatory and must be 
        implemented by the agent of the managed entity if and only
        if
         a) the managed entity implements the group
            'cifIkeFlowHistoryGroup' and
         b) the managed entity implements mode configuration
            operations."

       GROUP cifIkeFlowNotificationGroup
       DESCRIPTION   
        "This group is conditionally mandatory. It may be 
        implemented only if the group 'cifIkeFlowNewGroupGroup'
        is implemented. This is because the only 
        notifications defined in this version of
        the MIB Module pertain to New Group negotiations."
         

       GROUP cifIkeFlowNotifCntlGroup
       DESCRIPTION   
        "This group is conditionally mandatory and the agent 
        must implement this group if it implements 
        the group 'cifIkeFlowNotificationGroup'."
         
       ::= { ciscoIkeFlowMIBCompliances 1 }

   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
   -- Units of Conformance: List of current groups
   -- +++++++++++++++++++++++++++++++++++++++++++++++++++++++
      ciscoIkeFlowActivityGroup OBJECT-GROUP
         OBJECTS {
                   -- 
                   -- Metrics pertaining to
                   -- IKE real-time status 
                   -- 
                  cifIkeGlobalInP2Exchgs,
                  cifIkeGlobalInP2ExchgInvalids,
                  cifIkeGlobalInP2ExchgRejects,
                  cifIkeGlobalOutP2Exchgs,
                  cifIkeGlobalOutP2ExchgInvalids,
                  cifIkeGlobalOutP2ExchgRejects,

                   -- Tunnel-level metrics pertaining to
                   -- Internet Key Exchange Tunnel 
                  cifIkeTunNegoMode             ,
                  cifIkeTunDHGrp                ,
                  cifIkeTunSaRefreshThreshold   ,
                  cifIkeTunTotalRefreshes       ,
                  cifIkeTunInP2Exchgs           ,
                  cifIkeTunInP2ExchgInvalids    ,
                  cifIkeTunInP2ExchgRejects     ,
                  cifIkeTunInP2SaDelRequests    ,
                  cifIkeTunOutP2Exchgs          ,
                  cifIkeTunOutP2ExchgInvalids   ,
                  cifIkeTunOutP2ExchgRejects
                 }
         STATUS current
         DESCRIPTION
          "
          This group consists of objects that track the 
          current IKE protocol activity:
          1) IKE Global Objects
          2) IKE Tunnel table.
          "
         REFERENCE 
          "
          rfc2408, rfc2407; rfc2409 section 5.1, 5.2, 5.3
          and 5.4.
          "
         ::= { ciscoIkeFlowMIBGroups 1 }

      cifIkeFlowNewGroupGroup OBJECT-GROUP
         OBJECTS {
                   -- 
                   -- Metrics pertaining to IKE New Group 
                   -- operations.
                   -- 
                   cifIkeGlobalInNewGrpReqs,
                   cifIkeGlobalOutNewGrpReqs,
                   cifIkeGlobalInNewGrpRejectReqs ,
                   cifIkeGlobalOutNewGrpRejectReqs ,
                   cifIkeTunInNewGrpReqs         ,
                   cifIkeTunOutNewGrpReqs        ,
                   cifIkeTunInNewGrpRejectedReqs ,
                   cifIkeTunOutNewGrpRejectedReqs
                 }
         STATUS current
         DESCRIPTION
          "
          This group consists of:
           1) Global metrics about new group negotiations
           2) IKE Tunnel-wise new group metrics
          "
         REFERENCE
          "
          rfc2408, rfc2407; rfc2409 section 5.6.
          "
         ::= { ciscoIkeFlowMIBGroups 2 }

      cifIkeFlowXauthGroup OBJECT-GROUP
         OBJECTS {
                 -- The IPsec extended authentication (Phase-1.5)
                 -- Global Statistics
                   cifIkeGlobalInXauths,
                   cifIkeGlobalInXauthFailures,
                   cifIkeGlobalOutXauthFailures
                 }
         STATUS current
         DESCRIPTION
          "
          This group consists of metrics pertaining to
          IKE extended authentication. Devices that do
          not support Xauth need not implement this group.
          "
         ::= { ciscoIkeFlowMIBGroups 3 }

      cifIkeFlowModeConfigGroup OBJECT-GROUP
         OBJECTS {
                 -- Mode Configuration
                 -- Tunnel-level Statistics
                   cifIkeTunInConfigs            ,
                   cifIkeTunOutConfigs           ,
                   cifIkeTunInConfigRejects     ,
                   cifIkeTunOutConfigRejects
                 }
         STATUS current
         DESCRIPTION
          "
          This group consists of metrics pertaining to
          IKE extended authentication. Devices that do
          not support Xauth need not implement this group.
          "
         ::= { ciscoIkeFlowMIBGroups 4 }

      cifIkeFlowHistoryGroup OBJECT-GROUP
         OBJECTS {
                   -- IKE History Global Control Objects
                   cifIkeTunHistNegoMode           ,
                   cifIkeTunHistDHGrp              ,
                   cifIkeTunHistTotalRefreshes     ,
                   cifIkeTunHistTotalSas           ,
                   cifIkeTunHistInP2Exchgs         ,
                   cifIkeTunHistInP2ExchgInvalids  ,
                   cifIkeTunHistInP2ExchgRejects   ,
                   cifIkeTunHistOutP2Exchgs        ,
                   cifIkeTunHistOutP2ExchgInvalids ,
                   cifIkeTunHistOutP2ExchgRejects
         }
         STATUS current
         DESCRIPTION
          "
          This group consists of the core (mandatory) 
          objects pertaining to maintaining history of 
          Internet Key Exchange protocol activity.
          "
         ::= { ciscoIkeFlowMIBGroups 5 }

      cifIkeFlowNewGroupHistoryGroup OBJECT-GROUP
         OBJECTS {
                   -- IKE History pertaining to new group
                   cifIkeTunHistInNewGrpReqs       ,
                   cifIkeTunHistOutNewGrpReqs      ,
                   cifIkeTunHistInNewGrpRejectReqs ,
                   cifIkeTunHistOutNewGrpRejectReqs
         }
         STATUS current
         DESCRIPTION
          "
          This group consists of archive of new group
          activity pertaining to expired IKE Phase-1 
          tunnels.
          "
         ::= { ciscoIkeFlowMIBGroups 6 }

      cifIkeFlowModeConfigHistoryGroup OBJECT-GROUP
         OBJECTS {
                   -- IKE History pertaining to mode configuration
                   cifIkeTunHistInConfigs          ,
                   cifIkeTunHistOutConfigs         ,
                   cifIkeTunHistInConfigsRejects   ,
                   cifIkeTunHistOutConfigsRejects  
         }
         STATUS current
         DESCRIPTION
          "
          This group consists of archive of mode
          config activity pertaining to expired IKE 
          Phase-1 Tunnels.
          "
         ::= { ciscoIkeFlowMIBGroups 7 }


      cifIkeFlowNotifCntlGroup OBJECT-GROUP
         OBJECTS {
                 cifIkeNotifCntlInNewGrpRejected,
                 cifIkeNotifCntlOutNewGrpRejected
                 }
         STATUS current
         DESCRIPTION
          "
          This group of objects controls the sending 
          of notifications pertaining to Phase-1 IKE
          operations.
          "
         ::= { ciscoIkeFlowMIBGroups 8 }

       cifIkeFlowNotificationGroup NOTIFICATION-GROUP
         NOTIFICATIONS {
                       ciscoIkeFlowInNewGrpRejected,
                       ciscoIkeFlowOutNewGrpRejected
                         }
         STATUS current
         DESCRIPTION
          "
          This group contains the notifications pertaining
          to Phase-1 IKE operations.
          "
         REFERENCE
          "
          rfc2408, rfc2407; rfc2409 section 5.1, 5.2, 5.3
          and 5.4.
          "
         ::= { ciscoIkeFlowMIBGroups 9 }

   END
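
An added example, not part of the Cisco module or of this site's tooling: a short Python audit that lists the objects a MIB exposes to SNMP SET (here the two notification-control switches) and checks that every OBJECT-GROUP member has a matching OBJECT-TYPE definition. `audit`, `DEF_RE` and `SAMPLE_MIB` are names introduced for this example, and the embedded excerpt is constructed from the definitions above.

```python
import re

# Constructed excerpt: definitions from the module above, trimmed to the
# clauses the audit reads; cifIkeTunHistOutConfigs is omitted on purpose.
SAMPLE_MIB = """
cifIkeTunHistInConfigs OBJECT-TYPE
   SYNTAX     Counter32
   MAX-ACCESS read-only
   ::= { cifIkeTunnelHistEntry 15 }
cifIkeNotifCntlInNewGrpRejected OBJECT-TYPE
   SYNTAX     TruthValue
   MAX-ACCESS read-write
   DEFVAL { false }
   ::= { cifIkeNotifControl 1 }
cifIkeNotifCntlOutNewGrpRejected OBJECT-TYPE
   SYNTAX     TruthValue
   MAX-ACCESS read-write
   DEFVAL { false }
   ::= { cifIkeNotifControl 2 }
cifIkeFlowNotifCntlGroup OBJECT-GROUP
   OBJECTS { cifIkeNotifCntlInNewGrpRejected,
             cifIkeNotifCntlOutNewGrpRejected }
   ::= { ciscoIkeFlowMIBGroups 8 }
cifIkeFlowModeConfigHistoryGroup OBJECT-GROUP
   OBJECTS {
             -- IKE History pertaining to mode configuration
             cifIkeTunHistInConfigs          ,
             cifIkeTunHistOutConfigs
   }
   ::= { ciscoIkeFlowMIBGroups 7 }
"""

DEF_RE = re.compile(
    r"^\s*([a-z][A-Za-z0-9-]*)\s+(OBJECT-TYPE|OBJECT-GROUP)\b(.*?)::=\s*\{",
    re.M | re.S)

def audit(mib_text):
    """Return (SET-able objects, {group: members lacking an OBJECT-TYPE})."""
    text = re.sub(r"--.*", "", mib_text)  # simplification: "--" to end of line
    defined, writable, groups = set(), [], {}
    for name, macro, body in DEF_RE.findall(text):
        if macro == "OBJECT-GROUP":
            members = re.search(r"OBJECTS\s*\{(.*?)\}", body, re.S).group(1)
            groups[name] = [m.strip() for m in members.split(",") if m.strip()]
        else:
            defined.add(name)
            access = re.search(r"MAX-ACCESS\s+([a-z-]+)", body)
            if access and access.group(1) in ("read-write", "read-create"):
                writable.append(name)
    missing = {g: [m for m in ms if m not in defined] for g, ms in groups.items()}
    return writable, {g: ms for g, ms in missing.items() if ms}

if __name__ == "__main__":
    print(audit(SAMPLE_MIB))
```

Run over the complete module text, the first list is the set of objects to cover with SNMP write-access controls, and the second result surfaces any group member whose spelling matches no definition.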