1. Administrative Security Guide
  2. Configuring IKEv2 Interfaces
  3. Threshold Crossing Alert Configuration

Threshold Crossing Alert Configuration

Threshold Crossing Alerts (TCAs) monitor specific MIB variables or counters, and generate SNMP traps when object values cross defined thresholds. Three types of TCAs are supported:

  • IKE Failed Authentication (monitors IKE negotiation counters)
  • IPsec Tunnel Removal (monitors IPsec tunnel counters)
  • Dead Peer Detections (monitors DPD protocol counters)

Threshold levels, listed in order of increasing importance are clear, minor, major, and critical. Each threshold level is user-configurable and is accompanied by a associated reset-counter, also user-configurable, which prevents the issue of extraneous SNMP traps when a counter is bouncing across threshold values.

A threshold crossing event occurs when the associated counter value rises above the next-highest threshold value, or when the associated counter value falls below the next-lowest reset-threshold value. An SNMP trap, raising the alert level, is generated as soon as the counter value exceeds the next-highest threshold. An SNMP trap, lowering the alert level, occurs only during a check period when the TCA examines all counter values. Such check periods occur at 100 second intervals.

The following scenario illustrates TCA operations. The sample TCA, ike-tca-group, monitors the count of dead IKEv2 peers. Threshold and reset values are shown. A minor alarm threshold and its associated reset threshold have not been configured. 

nameike-tca-group
tca-typeike-dpd
critical100
reset-critical90
major80
reset-major50
minor0
reset-minor0

t=time

t=0 ike-dpd counter= 30 ike-dpd alert level=clear

t=1 ike-dpd counter= 60 ike-dpd alert level=clear

t=2 ike-dpd counter= 80 ike-dpd alert level=major trap sent

t=3 ike-dpd counter= 95 ike-dpd alert level=major

t=4 ike-dpd counter=100 ike-dpd alert level=critical trap sent

t=5 ike-dpd counter=120 ike-dpd alert level=critical

t=6 ike-dpd counter= 99 ike-dpd alert level=critical

t=7 ike-dpd counter= 90 ike-dpd alert level=major trap sent

t=8 ike-dpd counter= 60 ike-dpd alert level=major

t=9 ike-dpd counter= 0 ike-dpd alert level=clear trap sent

Use the following procedure to configure TCAs.

  1. From superuser mode, use the following command sequence to access 
threshold-crossing-alert-group configuration mode. While in this mode, you configure threshold-crossing-alert-group configuration elements. 
    ORACLE# configure terminal
ORACLE(configure)# system
ORACLE(system)# threshold-crossing-alert-group
ORACLE(threshold-crossing-alert-group)#
  2. Use the name parameter to provide a unique identifier for this 
threshold-crossing-alert-group instance.

    name enables the creation of multiple threshold-crossing-alert-group instances. 

    ORACLE(threshold-crossing-alert-group)# name ikeTCA
ORACLE(threshold-crossing-alert-group)#
  3. Use the threshold-crossing-alert parameter to enter threshold-crossing-alert configuration mode. While in this mode, you create specific TCA types and associated values. 
    ORACLE(threshold-crossing-alert-group)# threshold-crossing-alert
ORACLE(threshold-crossing-alert)#
  4. Use the type parameter to specify the TCA type.

    Supported values are:

    • ike-failed-auth — (the default) tracks authentication failures
    • ipsec-tunnel-removal — tracks the destruction of IPsec tunnels
    • ike-dpd — tracks the detection of dead DPD peers 
    ORACLE(threshold-crossing-alert)# type ike-dpd
ORACLE(threshold-crossing-alert)#
  5. Use the critical parameter to specify the critical threshold level.

    The default value (0) indicates that the threshold is not configured. 

    ORACLE(threshold-crossing-alert)# critical 100
ORACLE(threshold-crossing-alert)#
  6. Use the reset-critical parameter to specify the value at which the critical level is replaced with the next lowest configured threshold level (major, minor, or clear, depending on configuration values).

    The default value (0) indicates that the threshold is not configured. 

    ORACLE(threshold-crossing-alert)# reset-critical 90
ORACLE(threshold-crossing-alert)#
  7. Use the major parameter to specify the major threshold level.

    The default value (0) indicates that the threshold is not configured. 

    ORACLE(threshold-crossing-alert)# major 80
ORACLE(threshold-crossing-alert)#
  8. Use the reset-major parameter to specify the value at which the major level is replaced with the next lowest configured threshold level (minor or clear, depending on configuration values).

    The default value (0) indicates that the threshold is not configured. 

    ORACLE(threshold-crossing-alert)# reset-major 50
ORACLE(threshold-crossing-alert)#
  9. Use the minor parameter to specify the minor threshold level.

    The default value (0) indicates that the threshold is not configured. 

    ORACLE(threshold-crossing-alert)# minor 0
ORACLE(threshold-crossing-alert)#
  10. Use the reset-minor parameter to specify the value at which the minor level is replaced with the next lowest configured threshold level (clear).

    The default value (0) indicates that the threshold is not configured. 

    ORACLE(threshold-crossing-alert)# reset-minor 0
ORACLE(threshold-crossing-alert)#
  11. If required, repeat Steps 4 through 10 to add other TCA types to the current threshold-crossing-alert-group configuration element.

    The threshold-crossing-alert-group configuration element can contain a maximum of three individual threshold-crossing-alerts, one of each supported type.

  12. Use done, exit, and verify-config to complete configuration of the 
threshold-crossing-alert-group configuration element.
  13. If necessary, repeat Steps 1 through 12 to configure additional 
threshold-crossing-alert-group configuration elements.
  14. From superuser mode, use the following command sequence to access ike-config configuration mode. While in this mode, you configure IKEv2 interface parameters. 
    ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# ike
ORACLE(ike)# ike-interface
ORACLE(ike-interface)#
  15. Use the optional threshold-crossing-alert-group-name parameter to assign an existing threshold-crossing-alert-group configuration element to this IKEv2 interface. 
    ORACLE(ike-interface)# threshold-crossing-alert-group-name ikeTCA
ORACLE(ike-interface)#
  16. Use done, exit, and verify-config to complete configuration of the TCA.