AVAYA-IPSEC-MIB: View SNMP OID List / Download MIB

The MIB module for configuring IPSec functionality in Avaya converged Gateways.

This object determines whether invalid-spi-recovery is enabled (true) or disabled (false). When enabled, the device shall open an IKE SA, if it does not already exist, in order to send DELETE message to the remote peer when receiving an invalid spi or invalid cookie with SIP of that remote peer. This causes faster recovery times in case of SADB inconsistency, but may cause D/DoS attack on the remote peer.

This object specifies whether IPSec NAT-T is invoked in the device. If this object is True then NAT-T is enabled.

This object determines the NAT-T keepalive interval in seconds. If this object is set to 0 then NAT-T keepalives are disabled.

The value of this object determines whether IPSec HW acceleration is enabled or disabled. In case the HW does not support acceleration the value of this object shall be false.

This table contains a list of all the remote peers and peer-groups we are willing to establish an IPSec VPN connection with. Each entry represents a peer or a peer-group, and is indexed by the peer's IKE identification (type and value), or the peer-group name. Each peer entry points to the ISAKMP policy that will be used for IKE negotiations (as an initiator or a responder). Note that in case this entry represents a peer-group the value of IsakmpIdentityType shall be set to peerGroup. In that case certain columns in this row are N/A.

A specific entry.

This object is an enumeration identifying the type of the Identity value. Note that value can also be peerGroup, in that case avipsIsakmpPeerId contains the peer-group's name. Also note that certain columns in this row are N/A for peer-group (refer to specific objects' descriptions for details). This is also the first index component of this table.

This object contains an Identity filter to be used to match against the identity payload in an IKE request. This is also the second index component of this table.

Free text describing this row.

This object contains the ID of the ISAKMP policy to be used in IKE Phase I negotiation with this peer. A value of 0 indicates that this object is empty. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

This object specifies how to initiate IKE when communicating with this peer: none(1) - Never initiate IKE with this peer (i.e. respond only) main(2) - Initiate Main Mode (MM) aggressive(3) - Initiate Aggressive Mode (AM) This object is N/A if avipsIsakmpPeerIdType is peerGroup. Enumeration: 'none': 1, 'main': 2, 'aggressive': 3.

This object is an enumeration identifying the type of the Identity value which the local peer shall use in the its identity payload during Phase-1 negotiation. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

If not empty, this object specifies the identity value which the local peer will send in the identification payload during IKE Phase-1 negotiation. If this object is empty, the default local identity shall be sent, according to the value of avipsIsakmpPeerSelfIdType. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

The worry-metric to be used for deciding when to send R-U-THERE message to the remote peer. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

The minimal interval, in seconds, between two consecutive R-U-THERE sent by the local peer, when the previous R-U-THERE message has been answered. The actual interval is based on this value and other parameters, such as the worry-metric. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

The actual interval, in seconds, between R-U-THERE retries sent by the local peer, when the previous R-U-THERE message has not been answered. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

Bind the status of this peer to an object-tracker by specifying the ID of the object-tracker (avstrTrackerId in AVAYA-SAA-TRACK-MIB). A value of 0 means that peer is not bound to any object-tracker. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

This object determines whether continuous channel IKE mode is used for contacting the peer. Continuous channel IKE means that local peer tries to establish an IKE SA with the remote peer as soon as possible, also when there is no outbound traffic that requires it. This object is N/A if avipsIsakmpPeerIdType is peerGroup.

This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table. Use createAndGo (not createAndWait) to create this row.

The amount of time in seconds that secondary peer shall be up (after primary peer went down) before there will be failback to primary peer (in case it is up again). The default value is 24 hours. Relevant for peer-group only (values 1 and up). For peer return value of 0.

This table contains all the associations between peer-groups and isakmp peers. The relation between peer-group and isakmp peer is many-to-many. A valid peer-group (i.e. a peer-group that can be associated with an active crypto-list) contains one or more isakmp peers. An isakmp peer may be contained in zero or more peer-groups.

A specific entry.

The name of the peer-group associated with this isakmp peer. Note that there must exist a matching active entry in avipsIsakmpPeerTable which avipsIsakmpPeerIdType is peerGroup, otherwise a 'set' operation shall fail.

The ordered index of the peer within the peer-group.

This object is an enumeration identifying the type of the Identity value of the peer associated with this IPSec connection. Note that value cannot be peerGroup. The contents of this object object is interpreted along with avipsPeerGroupPeersPIdValue.

This object contains value of the peer ID. The contents of this object object is interpreted along with avipsPeerGroupPeersPIdType.

This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table. Use createAndWait (not createAndGo) to create this row. This object is active(1) after avipsPeerGroupPeersPIdType and avipsPeerGroupPeersPIdValue are set.

The table containing the list of all ISAKMP policy entries configured by the operator.

Each entry contains the attributes associated with a single ISAKMP Policy entry.

The ID of this ISAKMP Policy entry. This is also the index of this table.

Free text describing this object.

This object specifies the Oakley group used for Diffie Hellman exchange in the Main Mode. If this policy item is selected to negotiate Main Mode with an IKE peer, the local entity chooses the group specified by this object to perform Diffie Hellman exchange with the peer.

The encryption transform specified by this ISAKMP policy specification. The Internet Key Exchange (IKE) tunnels setup using this policy item would use the specified encryption transform to protect the ISAKMP PDUs.

The hash transform specified by this ISAKMP policy specification. The IKE tunnels setup using this policy item would use the specified hash transform to protect the ISAKMP PDUs.

This object specifies the lifetime, in seconds, of the IKE tunnels generated using this policy specification.

The peer authentication method specified by this ISAKMP policy specification. If this policy entity is selected for negotiation with a peer, the local entity would authenticate the peer using the method specified by this object. Enumeration: 'preSharedKey': 2, 'none': 1.

This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table.

This table contains all the crypto maps configured by the user. A crypto map essentially concentrates all the IPSec protection policy required for establishing IKE Phase-1 and Phase-2 connections.

A specific crypto map entry.

The ID of the crypto map entry. This is also the index of this table.

Free text describing this object.

This object is an enumeration identifying the type of the Identity value of the peer associated with this IPSec connection. The contents of this object object is interpreted along with avipsCryptoMapPeerIdValue.

This object contains an Identity filter to be used to select the remote peer or peer-group when initiating IKE, and to match against the identity payload in an IKE request when responding to IKE. The contents of this object object is interpreted along with avipsCryptoMapPeerIdType.

The name of the transforms-set for this crypto map. This object is the index into the avipsTranSetTable.

This field is true if and only if this crypto map entry and all the descendent configuration objects pointed by it are in the ready state. Note that crypto list activation requires that all the crypto maps it points to be ready.

The method used to set the high 6 bits of the TOS in the outer IP header. A value of -1 indicates that the bits are copied from the payload's header. A value between 0 and 63 inclusive indicates that the bit field is set to the indicated value.

This object determines whether continuous channel IPSec mode is used for the rule pointing to this crypto map. Continuous channel IPSec means that local peer tries to establish an IPSec SA with the remote peer as soon as possible, also when there is no outbound traffic that requires it.

This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by an active crypto list.

This table lists all the transform-sets which can be used to build or accept IPsec proposals.

An entry containing the information on an IPsec transform-set.

The name of this particular transform-set be referred to by an avipsCryptoMapEntry. This is the index of this table.

This object specifies the transform ID of the ESP encryption algorithm.

This object specifies the ESP hash algorithm ID.

This object specifies how long, in seconds, the security association (SA) derived from this transform should be used. The value 0 is reserved for future use.

This object specifies how long, in Kilobytes, the security association (SA) derived from this transform should be used. The value -1 means that no size based lifetime will be offered to the other side. The value 0 is reserved for future use.

This object specifies the DH group that shall be used for PFS in quick mode exchange, when creating the security association (SA) derived from this transform. The reserved value 'none' means that PFS shall not be used.

This object determines the ESP encapsulation mode that will be used. Possible values are 'tunnel' and 'transport'. In case transport mode is configured, it shall be used only if possible, i.e. the SIP and DIP of the relevant rule are equivalent to the LTEP and RTEP. Otherwise tunnel mode is used.

This object specifies the ESP compression algorithm: none(1) - no compression algorithm. ippcpLzs(2) - IPPCP with LZS compression. Enumeration: 'ippcpLzs': 2, 'none': 1.

This object indicates the conceptual status of this row. The value of this object has no effect on whether other objects in this conceptual row can be modified. If active, this object must remain active if it is referenced by a row in another table.

Use this object to reset all the IPSec counters. Set this object to reset(2) in order to do that. This operation is equivalent to issuing the 'clear crypto sa counters' command in the CLI. Enumeration: 'reset': 2, 'running': 1.

sysUpTime when last IPSec counters reset by avipsMonitorRstCntrs or 'clear crypto sa counters' in CLI, in hundredths of a second.

This table contains entries for every active isakmp peer in the system. The word 'active' suggests that in case the peer is part of a redundant list of peers within a crypto map, only the peer that is currently active will be included.

A specific peer entry.

A synthetic ID that uniquely identifies the local peer for monitoring purpose. Note that this ID is persistent for this peer. This is also the first index component of this table.

A synthetic ID that uniquely identifies the remote peer for monitoring purpose. Note that this ID is persistent for this peer. This is also the second index component of this table.

The type of the local peer identity, as it was configured. If the local peer ID was configured as an interface name, the value of this object shall be ifName.

The value of the local peer identity. If the local peer type is an IP Address, then this is the IP Address used to identify the local peer. If the local peer type is an interface name, then this is the name of the interface which IP is used to identify the local peer. If the local peer type is a fqdn, then this is the fqdn used to identify the local peer.

The type of the remote peer identity.

The value of the remote peer identity. If the remote peer type is an IP Address, then this is the IP Address used to identify the remote peer. If the remote peer type is a fqdn, then this is the fqdn used to identify the remote peer.

Free text describing the remote peer or peer-group. The value of this field is taken from avipsIsakmpPeerDescription.

The IP address of the local peer. This is derived from the local-address specified in the crypto-list that creates this connection. If the local peer type is an IP Address, then this is identical to avipsPeerLocalValue.

The IP address of the remote peer. If the remote peer type is an IP Address, then this is identical to avipsPeerRemoteValue. If the remote peer type is a fqdn, then this is the IP address that was received by DNS resolution of the fqdn specified in IsakmpIdentityValue.

In case the remote is a peer-group, i.e. avipsPeerRemoteType is peerGroup, this object specifies the index within the peer-group of the currently active peer. This value is taken from avipsPeerGroupPeersPeerIndex of the active peer in this peer-group.

In case the remote is a peer-group, i.e. avipsPeerRemoteType is peerGroup, this object specifies the id-type of the currently active peer. This value is taken from avipsIsakmpPeerIdType of the active peer in this peer-group.

In case the remote is a peer-group, i.e. avipsPeerRemoteType is peerGroup, this object specifies the id-value of the currently active peer. This value is taken from avipsIsakmpPeerId of the active peer in this peer-group.

This object specifies the state of the IKE connection between the peers. 1. closed - No IKE SA exists between peers because it was not negotiated yet, or because last IKE closed normally due to hard timeout, clear by admin, or DELETE received from the remote peer. This is also the initial state of the row when it is created. 2. inProgress - No IKE SA exists between peers, but it is currently being negotiated in Phase-1. 3. established - IKE SA exists between peers. 4. failed - No IKE SA exists between peers because of a failure. Possible reasons are: 1. Last time we tried to establish IKE the negotiation failed. 2. Last time we tried to establish IKE the remote peer DNS resolution failed. 3. During last connection DPD signaled a connection failure. 4. During last connection a track object signaled a connection failure. 5. The interface used for local-address does not have an IP address asigned to it 1 minute or more after this row was created. 6. Last time we negotiated Phase-2 the negotiation timed-out, and the current IKE was subsequently deleted. NOTE: When continuous-channel IKE is used, the state shall remain 'established' during the normal transition time between one IKE SA and the next. However, if the IKE SA was deleted due to a suspected problem then the state will change normally during the transition (i.e. 'closed' and then 'inProgress'). [Suspected problem: if the last IKE SA was DELETEd by the remote peer after less then 5 minutes,or if it was deleted by local admin] Enumeration: 'established': 3, 'inProgress': 2, 'closed': 1, 'failed': 4.

sysUpTime when the last change in avipsPeerIsakmpState occured, in hundredths of a second.

The number of IPSec tunnels associated with these peers, which are in the 'closed' state.

The number of IPSec tunnels associated with these peers, which are in the 'inProgress' state.

The number of IPSec tunnels associated with these peers, which are in the 'established' state.

The number of IPSec tunnels associated with these peers, which are in the 'failed' state.

The aggregate number of octets (bytes) successfully received through all the tunnels between the peers. This value is accumulated BEFORE determining whether or not the packet should be decompressed. This number is the sum of avipsTunnelInOctets together with avipsTunnelInOctetsWraps as a single 64-bit integer, for all the IPSec tunnels pertaining to the peers. See also avipsPeerInOctetsWraps for the number of times this counter has wrapped.

The number of times avipsPeerInOctets has wrapped.

The aggregate number of decompressed octets (bytes) successfully received through all the tunnels between the peers. This value is accumulated AFTER the packet is decompressed. If compression is not being used in any of the tunnels, this value will match the value of avipsPeerInOctets. This number is the sum of avipsTunnelInDecompOctets together with avipsTunnelInDecompOctetsWraps as a single 64-bit integer, for all the tunnels pertaining to the peers. See also avipsPeerInDecompOctetsWraps for the number of times this counter has wrapped.

The number of times avipsPeerInDecompOctets has wrapped.

The overall decompression ratio * 100. This is the ratio between the number of octets received after decompression and the number of octets received before decompression. It is calculated as the integer of {[(avipsPeerInDecompOctetsWraps*2^32 + avipsPeerInDecompOctets) / (avipsPeerInOctetsWraps*2^32 + avipsPeerInOctets)] * 100}

The aggregate number of packets successfully received through all the tunnels between the peers. This number is the sum of avipsTunnelInPkts for all the tunnels pertaining to the peers.

The aggregate number of packets dropped after being received through any of the tunnels between the peers. This number is the sum of avipsTunnelInDropTotalPkts for all the tunnels pertaining to the peers.

The aggregate number of octets (bytes) successfully transmitted through all the tunnels between the peers. This value is accumulated AFTER determining whether or not the packet should be compressed. This number is the sum of avipsTunnelOutOctets together with vipsTunnelOutOctetsWraps as a single 64-bit integer, for all the tunnels pertaining to the peers. See also avipsPeerOutOctetsWraps for the number of times this counter has wrapped.

The number of times avipsPeerOutOctets has wrapped.

The aggregate number of uncompressed octets (bytes) successfully transmitted through this IPsec Tunnel. This value is accumulated BEFORE the packet is compressed. If compression is not being used in any of the tunnels, this value will match the value of avipsPeerOutOctets. This number is the sum of avipsTunnelOutUncompOctets together with avipsTunnelOutUncompOctetsWraps as a single 64-bit integer, for all the tunnels pertaining to the peers. See also avipsPeerOutUncompOctetsWraps for the number of times this counter has wrapped.

The number of times avipsPeerInDecompOctets has wrapped.

The overall compression ratio * 100. This is the ratio between the number of outbound octets before compression and the number of outbound octets after compression. It is calculated as the integer of {[(avipsPeerOutUncompOctetsWraps*2^32 + avipsPeerOutUncompOctets) / (avipsPeerOutOctetsWraps*2^32 + avipsPeerOutOctets)]* 100}

The aggregate number of packets successfully transmitted through all the tunnels between the peers. This number is the sum of avipsTunnelOutPkts for all the tunnels pertaining to the peers.

The aggregate number of packets dropped before being transmitted through any of the tunnels between the peers. This number is the sum of avipsTunnelOutDropTotalPkts for all the tunnels pertaining to the peers.

This table contains a entries for all the tunnels in the system. A 'tunnel' is a rule within an active crypto-list.

A specific tunnel entry.

A synthetic ID that uniquely identifies the local peer for monitoring purpose. Note that this ID is persistent for this peer.

A synthetic ID that uniquely identifies the remote peer for monitoring purpose. Note that this ID is persistent for this peer.

The ID of the crypto-list containing the rule that creates this tunnel. This is also the fifth index component of this table.

The index of the crypto-list rule that creates this tunnel. This is also the sixth index component of this table.

The type of the local peer identity, as it was configured. If the local peer ID was configured as an interface name, the value of this object shall be ifName. This is also the first index component of this table.

The value of the local peer identity. If the local peer type is an IP Address, then this is the IP Address used to identify the local peer. If the local peer type is an interface name, then this is the name of the interface which IP is used to identify the local peer. If the local peer type is a fqdn, then this is the fqdn used to identify the local peer. This is also the second index component of this table.

The type of the remote peer identity. This is also the third index component of this table.

The value of the remote peer identity. If the remote peer type is an IP Address, then this is the IP Address used to identify the remote peer. If the remote peer type is a fqdn, then this is the fqdn used to identify the remote peer. This is also the fourth index component of this table.

Free text describing this tunnel. The value of this field is taken from the description specified for the crypto-list rule that creates this tunnel.

The IP address of the local peer.

The IP address of the remote peer.

The local subnet address this tunnel protects.

The local subnet mask this tunnel protects.

The remote subnet address this tunnel protects.

The remote subnet mask this tunnel protects.

This object specifies the state of this tunnel. 1. closed - The tunnel does not exist between the peers because it was not negotiated yet, or because last tunnel closed normally due to hard timeout, clear by admin or DELETE received from the remote peer. This is also the initial state of the row when it is created. 2. inProgress - The tunnel does not exist between peers, but it is currently being negotiated in IKE Quick Mode. 3. established - The tunnel exists between peers. 4. failed - The tunnel does not exist between peers because of a failure: 1. Last time we tried to establish this tunnel the negotiation failed. 2. The connection with the remote peer has failed due to one of the following, and hence all the corresponding ipsec tunnels were closed: a. Last time we tried to establish IKE the negotiation failed. b. During last connection a track object signaled a connection failure. c. The interface used for local-address does not have an IP address asigned to it 1 minute or more after this row was created. NOTE: The word 'tunnel' in this context refers to 1 or more IPSec SAs (ESP or AH) between the peers, pertaining to the proxy addresses specified in this entry. As long as there is at least 1 SA established, the tunnel state shall remain 'established'. Enumeration: 'established': 3, 'inProgress': 2, 'closed': 1, 'failed': 4.

sysUpTime when the last change in avipsTunnelState occured, in hundredths of a second.

sysUpTime when last counter reset for this tunnel occured, in hundredths of a second. Counters are zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The total number of octets (bytes) successfully received through this IPSec tunnel. This value is accumulated BEFORE determining whether or not the packet should be decompressed. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config). See also avipsTunnelInOctetsWraps for the number of times this counter has wrapped.

The number of times avipsTunnelInOctets has wrapped. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The total number of decompressed octets (bytes) successfully received through this IPsec Tunnel. This value is accumulated AFTER the packet is decompressed. If compression is not being used, this value will match the value of avipsTunnelInOctets. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config). See also avipsTunnelInDecompOctetsWraps for the number of times this counter has wrapped.

The number of times avipsTunnelInDecompOctets has wrapped. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The overall decompression ratio * 100. This is the ratio between the number of octets received after decompression and the number of octets received before decompression. It is calculated as the integer of {[(avipsTunnelInDecompOctetsWraps*2^32 + avipsTunnelInDecompOctets) / (avipsTunnelInOctetsWraps*2^32 + avipsTunnelInOctets)] * 100}

The number of packets succesfully received through this tunnel. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The total number of packets discarded after being received through this tunnel. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received through this tunnel due to anti-replay verification failure. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received through this tunnel due to HMAC verification failure. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received through this tunnel due to bad ESP trailer format received failure. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received through this tunnel due to invalid identity: inner (original) IP header address doesn't match the configured tunnel proxy IPs. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received in the clear (unprotected) although they were expected to arrive protected by this tunnel (i.e. unprotected packets with source and destination IP matching the proxy IPs of this tunnel). This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received through this tunnel due to length being not aligned to cipher block. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets discarded after being received through this tunnel due to SA KB lifetime being smaller then the external IP packet total length. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The total number of octets (bytes) successfully transmitted through this IPSec tunnel. This value is accumulated AFTER determining whether or not the packet should be compressed. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config). See also avipsTunnelOutOctetsWraps for the number of times this counter has wrapped.

The number of times avipsTunnelOutOctets has wrapped. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The total number of uncompressed octets (bytes) successfully transmitted through this IPsec Tunnel. This value is accumulated BEFORE the packet is compressed. If compression is not being used, this value will match the value of avipsTunnelOutOctets. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config). See also avipsTunnelOutUncompOctetsWraps for the number of times this counter has wrapped.

The number of times avipsTunnelInDecompOctets has wrapped. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The overall compression ratio * 100. This is the ratio between the number of outbound octets before compression and the number of outbound octets after compression. It is calculated as the integer of {[(avipsTunnelOutUncompOctetsWraps*2^32 + avipsTunnelOutUncompOctets) / (avipsTunnelOutOctetsWraps*2^32 + avipsTunnelOutOctets)]* 100}

The number of packets succesfully transmitted through this tunnel. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The total number of packets dropped before being transmitted through this tunnel. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets dropped before being transmitted through this tunnel due to no IPSec SA existed when the packet arrived. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets dropped before being transmitted through this tunnel due to sequence number rollover: the sequence number of the IPSec SA reached its capacity. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

The number of packets dropped before being transmitted through this tunnel due to SA expired: SA KB lifetime is smaller then the external IP packet total length. This counter is zeroized when: o Issuing 'clear crypto sa counters' in CLI. o Setting avipsMonitorRstCntrs in MIB (equivalent to above). o Issuing 'clear crypto sa all' in CLI. o Activating the crypto-list on an interface for the first time. o Failing-over to a different peer. o Learning a new local-address (DHCP, PPPoE, user config).

This notification is sent whenever avipsPeerIsakmpState moves into the 'established' state.

This notification is sent whenever avipsPeerIsakmpState moves into the 'closed' state, excluding during row creation.

This notification is sent whenever avipsPeerIsakmpState moves into the 'failed' state.

This notification is sent whenever avipsTunnelState moves into the 'established' state.

This notification is sent whenever avipsTunnelState moves into the 'closed' state, excluding during row creation.

This notification is sent whenever avipsTunnelState moves into the 'failed' state.

This group consists of: 1) Global configuration objects. 2) Isakmp configuration objects. 3) IPsec configuration objects.

This group consists of: 1) Global monitoring objects. 2) Peer monitoring objects. 3) IPSec tunnels monitoring objects.

The compliance statement for SNMP entities the IP Security Protocol.