diff --git a/agent_based/cisco_vpn_tunnel.py b/agent_based/cisco_vpn_tunnel.py
index b38d87556809a052c96067087017cbe959163b3a..285815b689c1e206fc6ed802be1250784bb224d7 100644
--- a/agent_based/cisco_vpn_tunnel.py
+++ b/agent_based/cisco_vpn_tunnel.py
@@ -16,13 +16,16 @@
 # 2018-07-11: added parameter for missing IPSec SA, changed 'parsed' to use peer ip as index
 # 2021-08-03: rewritten for CMK 2.0
 # 2021-11-03: fix negative vpn active tine
+# 2022-01-19: added workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndexfor not matching
+#             IKE_OID_end and cipSecTunIkeTunnelIndex, try to match IPSec nad IKE sa by remote address
 #
+
 # snmpwalk sample
 #
 #
 import time
 from dataclasses import dataclass
-from typing import List, Dict
+from typing import List, Dict, Optional
 
 from cmk.base.plugins.agent_based.agent_based_api.v1 import (
     register,
@@ -60,6 +63,7 @@ class IpsecSa:
     hc_out_octets: int
     out_pkts: int
     out_drop_pkts: int
+    tun_remote_addr: str
 
 
 @dataclass
@@ -119,6 +123,25 @@ def _cisco_vpn_tunnel_render_ipv4_address(bytestring):
     return '.'.join([f'{ord(m)}' for m in bytestring])
 
 
+def _get_ipsec_sa_by_remote_address(ike_remote_address: str, ipsec_sa_summary: Dict[str, IpsecSa]) -> Optional[IpsecSa]:
+    found_ipsec_sa = False
+    ipsec_sa = IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0, '')
+    for ipsec_sa_to_check in ipsec_sa_summary.values():
+        if ipsec_sa_to_check.tun_remote_addr == ike_remote_address:
+            found_ipsec_sa = True
+            ipsec_sa.sa_count += 1
+            ipsec_sa.hc_in_octets += ipsec_sa_to_check.hc_in_octets
+            ipsec_sa.in_pkts += ipsec_sa_to_check.in_pkts
+            ipsec_sa.in_drop_pkts += ipsec_sa_to_check.in_drop_pkts
+            ipsec_sa.hc_out_octets += ipsec_sa_to_check.hc_out_octets
+            ipsec_sa.out_pkts += ipsec_sa_to_check.out_pkts
+            ipsec_sa.out_drop_pkts += ipsec_sa_to_check.out_drop_pkts
+            if ipsec_sa_to_check.active_time > ipsec_sa.active_time:
+                ipsec_sa.active_time = ipsec_sa_to_check.active_time
+    if found_ipsec_sa:
+        return ipsec_sa
+
+
 ###########################################################################
 #
 #  DATA Parser function
@@ -132,13 +155,13 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
     ike_tunnel_entry, ipsec_tunnel_entry = string_table
 
     # summarize IPSec SAs, ASSUMPTION: except for counters all SA attributes are identical per IKE index
-    for ike_tunnel_index, ike_tunnel_alive, active_time, hc_in_octets, in_pkts, in_drop_pkts, hc_out_octets, \
-            out_pkts, out_drop_pkts in ipsec_tunnel_entry:
+    for ike_tunnel_index, ike_tunnel_alive, tun_remote_addr, active_time, hc_in_octets, in_pkts, in_drop_pkts, \
+        hc_out_octets, out_pkts, out_drop_pkts in ipsec_tunnel_entry:
 
         if ike_tunnel_index.isdigit():
             ipsec_sa = ipsec_sa_summary.setdefault(
                 ike_tunnel_index,
-                IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0)
+                IpsecSa(0, 0, 0, 0, 0, 0, 0, 0, 0, tun_remote_addr)
             )
             ipsec_sa.sa_count += 1
             ipsec_sa.hc_in_octets += int(hc_in_octets)
@@ -156,6 +179,7 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
             nego_mode in ike_tunnel_entry:
 
         if index.isdigit():
+            save_remote_addr = remote_addr
             remote_addr = _cisco_vpn_tunnel_render_ipv4_address(remote_addr)
             if remote_addr.split('.') != 4:
                 remote_addr = remote_value
@@ -178,7 +202,9 @@ def parse_cisco_vpn_tunnel(string_table: List[StringTable]) -> Dict[str, IkeSa]:
                     out_drop_pkts=int(out_droppkts),
                     status=int(status),
                     nego_mode=int(nego_mode),
-                    ipsec_summary=ipsec_sa_summary.get(index)
+                    # if/else is workaround for not matching IKE_OID_end and cipSecTunIkeTunnelIndex
+                    # try to match IPSec sa by remote address
+                    ipsec_summary=ipsec_sa_summary.get(index) if ipsec_sa_summary.get(index) is not None else _get_ipsec_sa_by_remote_address(save_remote_addr, ipsec_sa_summary)
                 )
                 vpntunnel.update({remote_addr: ike_sa})
 
@@ -352,8 +378,9 @@ register.snmp_section(
         SNMPTree(
             base='.1.3.6.1.4.1.9.9.171.1.3.2.1',  # CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunnelEntry
             oids=[
-                '2',  # ike tunnel index
+                '2',  # cipSecTunIkeTunnelIndex/ ike tunnel index
                 '3',  # cipSecTunIkeTunnelAlive
+                '5',  # cipSecTunRemoteAddr (needed as workaround if if cipSecTunIkeTunnelIndex and IKE OID don't match)
                 '10',  # cipSecTunActiveTime
                 '27',  # cipSecTunHcInOctets
                 '32',  # cipSecTunInPkts
diff --git a/cisco_vpn_tunnel.mkp b/cisco_vpn_tunnel.mkp
index 93fbe7991a96d9fbcd3e8279071b102f33f51103..e57f997e1c32bae79b1de31a50f7e90f252e02b0 100644
Binary files a/cisco_vpn_tunnel.mkp and b/cisco_vpn_tunnel.mkp differ
diff --git a/packages/cisco_vpn_tunnel b/packages/cisco_vpn_tunnel
index 6b859d52a7d19b416f039422c99ded8e841c2d4b..59ad7cb3f66596ba9b4c6a14a4f2f3923c678301 100644
--- a/packages/cisco_vpn_tunnel
+++ b/packages/cisco_vpn_tunnel
@@ -11,7 +11,7 @@
  'name': 'cisco_vpn_tunnel',
  'num_files': 3,
  'title': 'Monitor Cisco VPN Tunnel',
- 'version': '20210803.v0.2',
+ 'version': '20220119.v0.3',
  'version.min_required': '2.0.0',
  'version.packaged': '2021.09.20',
  'version.usable_until': None}
\ No newline at end of file