BROCADE-IPSEC-MIB DEFINITIONS ::= BEGIN IMPORTS MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, IpAddress FROM SNMPv2-SMI -- [RFC2578] DisplayString, DateAndTime FROM SNMPv2-TC -- [RFC2579] spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, spdPacketDirection FROM IPSEC-SPD-MIB -- [RFC4807-IPSEC-SPD-MIB] brcdIPSec FROM FOUNDRY-SN-ROOT-MIB; brocadeIPSecMIB MODULE-IDENTITY LAST-UPDATED "201708070000Z" -- Aug 7, 2017 ORGANIZATION "Ruckus Wireless, Inc." CONTACT-INFO "Technical Support Center 350 West Java Drive, Sunnyvale, CA 94089, USA Support URL: https://support.ruckuswireless.com Phone: +1-855-782-5871 ROW TF Numbers: https://support.ruckuswireless.com/contact-us" DESCRIPTION "This Ruckus Wireless, Inc' proprietery MIB module describes SNMP Objects and Traps for IPSec support on router/switch product. Supported Platforms: - supported on NI XMR/MLX platforms. - supported on FI ICX7450 platforms. Copyright 1996-2017 Ruckus Wireless, Inc. All rights reserved. This Ruckus Wireless, Inc SNMP Management Information Base Specification embodies Ruckus Wireless, Inc' confidential and proprietary intellectual property. Ruckus Wireless, Inc retains all title and ownership in the Specification, including any revisions. This Specification is supplied AS IS, and Ruckus Wireless, Inc Systems makes no warranty, either express or implied, as to the use, operation, condition, or performance of the specification, and any unintended consequence it may on the user environment." REVISION "201404210000Z" -- 21 April 2014 DESCRIPTION "Initial version" REVISION "201708070000Z" -- Aug 7, 2017 DESCRIPTION "Modified contact Info, Organization and Description" ::= { brcdIPSec 1 } -- -- high level object identifiers -- brcdIPSecMIBNotification OBJECT IDENTIFIER ::= { brocadeIPSecMIB 0 } brcdIPSecMIBObjects OBJECT IDENTIFIER ::= { brocadeIPSecMIB 1 } -- Below objects are used only by notifications as varbinds. --No other SNMP operations are supported on these. brcdIPSecSPIValue OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "It's a 4-byte field at the beginning of Encapsulating Security Payload Packet. It's value will be displayed in hex." ::= { brcdIPSecMIBObjects 1 } brcdIPSecSequenceNumber OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "This denotes the ESP sequence number used for anti-replay check." ::= { brcdIPSecMIBObjects 2 } brcdIKEMessageType OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Specifies the type of notification message. Only IKE_SA_INIT(34), IKE_AUTH(35), CREATE_CHILD_SA(36) and INFORMATIONAL(37) are currently supported as per RFC5996." ::= { brcdIPSecMIBObjects 3 } brcdIKEPayloadType OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Specifies the type of IKE payload. As per RFC5996 current valid values are {0, 32 to 48}." ::= { brcdIPSecMIBObjects 4 } brcdIPSecSlotNumber OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates the Slot id of the IPsec module." ::= { brcdIPSecMIBObjects 5 } brcdIPSecUnitNumber OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates the unit number." ::= { brcdIPSecMIBObjects 6 } brcdIPSecVRFValue OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates the VRF value." ::= { brcdIPSecMIBObjects 7 } brcdIPSecSessionState OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates the state of IPsec/IKE session." ::= { brcdIPSecMIBObjects 8 } brcdIPSecModuleState OBJECT-TYPE SYNTAX DisplayString MAX-ACCESS accessible-for-notify STATUS current DESCRIPTION "Indicates the state of IPsec module." ::= { brcdIPSecMIBObjects 9 } ---Notifications brcdIPSecInvalidSANotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue } STATUS current DESCRIPTION "The SNMP trap that is generated when no valid Security Association exists for a session." --#TYPE "Ruckus Wireless Trap: No valid Security Association exists for a session." --#SUMMARY "I:ESP: No IPsec SA Found for Received Packet with Source -- address type %u Source %s Destination address type %u Destination %s -- SPI %s." --#ARGUMENTS {0, 1, 2, 3, 4} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 1 } brcdIPSecFragmentedPacketNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue } STATUS current DESCRIPTION "The SNMP trap that is generated when a packet offered to ESP for processing appears to be an IP fragment, i.e., the OFFSET field is non-zero or the MORE FRAGMENTS flag is set." --#TYPE "Ruckus Wireless Trap: Received Fragmented Packet with SPI ." --#SUMMARY "I:ESP: Received Fragmented Packet with Source -- Address type %u Source %s Destination address type %u -- Destination %s SPI %s." --#ARGUMENTS {0, 1, 2, 3, 4} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 2 } brcdIPSecSequenceOverflowNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue } STATUS current DESCRIPTION "The SNMP trap that is generated when there is an attempt to transmit a packet that would result in Sequence Number overflow." --#TYPE "Ruckus Wireless Trap: Sequence Number Overflow." --#SUMMARY "I:ESP: Sequence Number Overflow when Trying to Send Packet -- with with SPI %s Source address type %u Source %s Destination -- address type %u Destination %s." --#ARGUMENTS { 4, 0, 1, 2, 3} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 3 } brcdIPSecFailedAntiReplayCheckNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue, brcdIPSecSequenceNumber } STATUS current DESCRIPTION "The SNMP trap that is generated when the received packet fails the anti-replay checks." --#TYPE "Ruckus Wireless Trap: received packet fails the anti-replay check." --#SUMMARY "I:ESP: Anti-Replay Check Failed for Received Packet with -- Source address type %u Source %s Destination address type %u -- Destination %s SPI %s Sequence Number %u." --#ARGUMENTS {0, 1, 2, 3, 4, 5} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 4 } brcdIPSecFailedIntegrityCheckNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue, brcdIPSecSequenceNumber } STATUS current DESCRIPTION "The SNMP trap that is generated when the received packet fails integrity check." --#TYPE "Ruckus Wireless Trap: received packet fails integrity check." --#SUMMARY "I:ESP: Integrity Check Failed for Received Packet with -- Source address type %u Source %s Destination address type %u -- Destination %s SPI %s Sequence Number %u." --#ARGUMENTS {0, 1, 2, 3, 4, 5} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 5 } brcdIPSecDeencapsulationFailedNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue, brcdIPSecSequenceNumber } STATUS current DESCRIPTION "The SNMP trap that is generated when the deencapsulation of received packet failed." --#TYPE "Ruckus Wireless Trap: deencapsulation of received packet failed." --#SUMMARY "I:ESP: Deencapsulation Failed for Received Packet with -- Source address type %u Source %s Destination address type %u -- Destination %s SPI %s Sequence Number %u." --#ARGUMENTS { 0, 1, 2, 3, 4, 5} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 6 } brcdIPSecLengthErrorNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue } STATUS current DESCRIPTION "The SNMP trap that is generated when the check on IP packet length fails for the received packet." --#TYPE "Ruckus Wireless Trap: Length Error Detected." --#SUMMARY "I:ESP: Length Error Detected for -- Received Packet with SPI %s Source address type %u -- Source %s Destination address type %u Destination %s." --#ARGUMENTS {4, 0, 1, 2, 3} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 7 } brcdIKEInvalidMsgTypeNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue, brcdIKEMessageType } STATUS current DESCRIPTION "The SNMP trap that is generated when an invalid IKE message Type is received." --#TYPE "Ruckus Wireless Trap: Invalid IKE Message Type received." --#SUMMARY "I:IKEv2: Invalid Message Type Received with -- Source address type %u Source %s Destination address type %u -- Destination %s SPI %s Message Type %u. --#ARGUMENTS {0, 1, 2, 3, 4, 5} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 8 } brcdIKEInvalidPayloadNotification NOTIFICATION-TYPE OBJECTS { spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecSPIValue, brcdIKEPayloadType } STATUS current DESCRIPTION "The SNMP trap that is generated when an invalid IKE payload is received." --#TYPE "Ruckus Wireless Trap: Invalid IKE Payload Received." --#SUMMARY "I:IKEv2: Invalid Payload Type Received with -- Source address type %u Source %s Destination address type %u -- Destination %s SPI %s Payload Type %u." --#ARGUMENTS {0, 1, 2, 3, 4, 5} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 9 } brcdIKEMaxPeerReachedNotification NOTIFICATION-TYPE OBJECTS { brcdIPSecSlotNumber } STATUS current DESCRIPTION "The SNMP trap that is generated when maximum IKE peer limit is reached." --#TYPE "Ruckus Wireless Trap: Max IKE peers limit reached." --#SUMMARY "W:IKEv2: Maximum IKE Peers Limit Reached." --#ARGUMENTS {0} --#SEVERITY WARNING --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 10 } brcdIKERecoveredMaxPeerLimitNotification NOTIFICATION-TYPE OBJECTS { brcdIPSecSlotNumber } STATUS current DESCRIPTION "The SNMP trap that is generated when the system recovers from the maximum IKE peer limit condition." --#TYPE "Ruckus Wireless Trap: Recovered Max IKE peers limit condition." --#SUMMARY "W:IKEv2: Recovered from Maximum IKE Peers Limit -- Condition." --#ARGUMENTS {0} --#SEVERITY WARNING --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 11 } brcdIPSecSessionNotification NOTIFICATION-TYPE OBJECTS { brcdIPSecSessionState, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecVRFValue, brcdIPSecSPIValue, spdPacketDirection } STATUS current DESCRIPTION "The SNMP trap that is generated when IPsec session state is changed." --#TYPE "Ruckus Wireless Trap: IPsec session state." --#SUMMARY "I:IPsec: IPsec session Source address type %u -- Source %s Destination address type %u Destination %s -- VRF %u SPI %u Direction %s.” --#ARGUMENTS {0, 1, 2, 3, 4, 5, 6, 7} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 12 } brcdIKESessionNotification NOTIFICATION-TYPE OBJECTS { brcdIPSecSessionState, spdIPSourceType, spdIPSourceAddress, spdIPDestinationType, spdIPDestinationAddress, brcdIPSecVRFValue, brcdIPSecSPIValue } STATUS current DESCRIPTION "The SNMP trap that is generated when IKEv2 session state is changed." --#TYPE "Ruckus Wireless Trap: IKEv2 session state." --#SUMMARY "I:IKEv2: IKEv2 session %s Source address type %u -- Source %s Destination address type %u Destination %s -- VRF %u SPI %u.” --#ARGUMENTS {0, 1, 2, 3, 4, 5, 6} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 13 } brcdIPSecModuleNotification NOTIFICATION-TYPE OBJECTS { brcdIPSecSlotNumber, brcdIPSecUnitNumber, brcdIPSecModuleState } STATUS current DESCRIPTION "The SNMP trap that is generated when IPsec module state is changed." --#TYPE "Ruckus Wireless Trap: IPsec module state." --#SUMMARY "I:IPsec: IPsec module %u on unit %u is %s.” --#ARGUMENTS {0, 1, 2} --#SEVERITY INFORMATIONAL --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 14 } brcdIKEMaxPeerReachedStackingNotification NOTIFICATION-TYPE STATUS current DESCRIPTION "The SNMP trap that is generated when maximum IKE peer limit is reached." --#TYPE "Ruckus Wireless Trap: Max IKE peers limit reached." --#SUMMARY "W:IKEv2: Maximum IKE Peers Limit Reached." --#ARGUMENTS { } --#SEVERITY WARNING --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 15 } brcdIKERecoveredMaxPeerLimitStackingNotification NOTIFICATION-TYPE STATUS current DESCRIPTION "The SNMP trap that is generated when the system recovers from the maximum IKE peer limit condition." --#TYPE "Ruckus Wireless Trap: Recovered Max IKE peers limit condition." --#SUMMARY "W:IKEv2: Recovered from Maximum IKE Peers LimitCondition." --#ARGUMENTS { } --#SEVERITY WARNING --#STATE OPERATIONAL ::= {brcdIPSecMIBNotification 16 } END