Cisco ASA/PIX VPN Statistics
Hi Folks,
After digging around for something that would allow our organization to monitor LAN-to-LAN VPN tunnel traffic between our Cisco ASAs and remote peers, I stumbled across this thread, but it didn't quite meet my needs. I threw something together based on the script listed in this thread, but enhanced it to work as an indexed script query, so tunnels can be selected by the VPN peer IP.
Once installed, just add the 'Cisco ASA/PIX - VPN Statistics' data query to your host/host template and graph away.
Update: Added missing Data Query and Template.
Update 3/10/2010: Updated query_lan2lan_cisco.pl to v0.06.
Attachments:
- templates.zip (6.81 KiB): import these templates
- Example graph: ASA-IPSec-Traffic.png (29.4 KiB)
- cisco_asa_vpn_tunnel.xml (895 bytes): place this in your script_queries directory
- query_lan2lan_cisco.pl v0.06 (8.28 KiB): place this in your scripts directory
Last edited by Setarcos on Thu Mar 11, 2010 12:52 pm, edited 5 times in total.
Spikes when IPsec re-keys?
Hi.
I am relatively new to Cacti.
Has anyone else seen spikes in VPN tunnel graphs when the IPsec SA re-keys and the RX and TX counters on the ASA are zeroed?
It looks like the subtraction that takes place to get the number of bytes that have been transmitted or received between two polls becomes a negative number and that causes the calculation to produce a negative bits/sec value, which must confuse the graphing process.
Am I doing something wrong?
Thanks.
Hi,
I've tested your script and it works well, but I don't know why, for certain hosts, it doesn't detect all VPN peers. For example:
There are 2 active VPNs but it detects only one:
perl query_lan2lan_cisco.pl public xxx.xxx.xx7.254 ASA index
xxx.xxx.xxx.234
This problem doesn't appear on all ASAs; only two of them have this problem.
If you have any ideas...
I am having the same issue running 8.0.3. And I also had to do more than what was mentioned in this thread to get it working. The data query needed to be created and linked to "resource/script_server/cisco_asa_vpn_tunnel.xml". I then was able to add the data query to the hosts, but it appears to only query one and not the true amount of tunnels for each device. Please let me know if anyone has a workaround to this. Thanks!
Hello! First of all, sorry for my English.
Gorbachov wrote:
Maybe it is an OS version issue. Compare a working device with a non-working one to see if this is the problem.
I've done the following steps:
1. Put query_lan2lan_cisco.pl in <cacti_path>/scripts
2. Put cisco_asa_vpn_tunnel_848.xml in <cacti_path>/resource/script_queries/
3. Import cacti_graph_template_cisco_asa_pix.xml
4. Add a data query 'Cisco ASA/PIX - VPN Statistics' with the associated graph templates 'Cisco ASA/PIX - VPN Statistics'.
5. In the host template, add 'Cisco ASA/PIX - VPN Statistics' under Associated Data Queries
6. Go to 'New Graphs', where I can see only 2 of my 3 peers! Select them and click 'Create'.
But the .rrd files and graphs are not created!
RRDTool Command:
/usr/local/bin/rrdtool graph - \
--imgformat=PNG \
--start=-86400 \
--end=-300 \
--title="92.242.xx.xxx - VPN Statistics" \
--rigid \
--base=1000 \
--height=120 \
--width=500 \
--alt-autoscale-max \
--lower-limit=0 \
--vertical-label="bits per second" \
--slope-mode \
--font TITLE:12: \
--font AXIS:8: \
--font LEGEND:10: \
--font UNIT:8: \
DEF:a="/usr/local/share/cacti/rra/cisco_asa_5510_rx_34.rrd":RX:AVERAGE \
DEF:b="/usr/local/share/cacti/rra/cisco_asa_5510_rx_34.rrd":TX:AVERAGE \
CDEF:cdefa=a,8,* \
CDEF:cdefe=b,8,* \
AREA:cdefa#00CF00FF:"Inbound" \
GPRINT:cdefa:LAST:" Current\:%8.2lf %s" \
GPRINT:cdefa:AVERAGE:"Average\:%8.2lf %s" \
GPRINT:cdefa:MAX:"Maximum\:%8.2lf %s\n" \
LINE1:cdefe#4123A1FF:"Outbound" \
GPRINT:cdefe:LAST:"Current\:%8.2lf %s" \
GPRINT:cdefe:AVERAGE:"Average\:%8.2lf %s" \
GPRINT:cdefe:MAX:"Maximum\:%8.2lf %s"
RRDTool Says:
ERROR: opening '/usr/local/share/cacti/rra/cisco_asa_5510_rx_34.rrd': No such file or directory
I always get an error when I try to select a peer and graph it. Damn, I really wanted to use this instead of the old one.
Cacti 8.7b patched.
Notice: Undefined index: sgg_10 in /www/htdocs/cacti/graphs_new.php on line 71
Warning: Cannot modify header information - headers already sent by (output started at /www/htdocs/cacti/graphs_new.php:71) in /www/htdocs/cacti/graphs_new.php on line 323
Thanks for catching this, electro93. The data template and data query are attached to the original message in this thread.
electro93 wrote:
I am having the same issue running 8.0.3. And I also had to do more than what was mentioned in this thread to get it working. The data query needed to be created and linked to "resource/script_server/cisco_asa_vpn_tunnel.xml". I then was able to add the data query to the hosts, but it appears to only query one and not the true amount of tunnels for each device. Please let me know if anyone has a workaround to this. Thanks!
Note: The in/out statistics are for the sum of all tunnels to/from a given VPN peer.
Last edited by Setarcos on Thu Jul 10, 2008 1:25 pm, edited 1 time in total.
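The shape of an indexed script query keyed by VPN peer IP, as described in the original post, together with the per-peer summation in the note just above, as an added example. This is Python rather than the thread's Perl and is not query_lan2lan_cisco.pl: the per-SA rows are constructed stand-ins for what that script collects from the ASA over SNMP, the community/host arguments and the real script's OIDs are left out, and the field names `peer`, `rx` and `tx` are assumptions, not necessarily those in cisco_asa_vpn_tunnel.xml. What it does reproduce is Cacti's script-query calling convention: `index` prints one index per line, `query <field>` prints `index:value` lines, and `get <field> <index>` prints a single value.

```python
"""Cacti indexed script query keyed by VPN peer IP (added example).

Not the thread's query_lan2lan_cisco.pl. Rows in SAMPLE_SAS are
constructed; a real script would fill them from the ASA over SNMP.
"""
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: (peer IP, inbound octets, outbound octets) for each
# active IPsec SA. Two SAs terminate on the same peer, which is why the
# per-peer values are sums, as the note above says.
SAMPLE_SAS: List[Tuple[str, int, int]] = [
    ("203.0.113.10", 1_200_000, 340_000),
    ("203.0.113.10", 800_000, 120_000),   # second SA to the same peer
    ("198.51.100.7", 55_000, 61_000),
]

# Assumed field names -> position in the (rx, tx) totals tuple.
FIELDS = {"rx": 0, "tx": 1}


def per_peer_totals(sas: List[Tuple[str, int, int]]) -> Dict[str, Tuple[int, int]]:
    """Sum octet counters of every SA that terminates on the same peer."""
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for peer, rx, tx in sas:
        totals[peer][0] += rx
        totals[peer][1] += tx
    return {peer: (v[0], v[1]) for peer, v in totals.items()}


def script_query(args: List[str], sas=SAMPLE_SAS) -> List[str]:
    """Return the lines printed for one Cacti invocation.

    args is the part after the SNMP arguments, e.g. ["index"],
    ["query", "rx"] or ["get", "tx", "203.0.113.10"].
    """
    totals = per_peer_totals(sas)
    peers = sorted(totals)           # the peer IP is the index
    if len(args) == 1 and args[0] == "index":
        return peers
    if len(args) == 2 and args[0] == "query":
        field = args[1]
        if field == "peer":
            return [f"{p}:{p}" for p in peers]
        if field not in FIELDS:
            raise SystemExit(f"unknown field: {field}")
        return [f"{p}:{totals[p][FIELDS[field]]}" for p in peers]
    if len(args) == 3 and args[0] == "get":
        field, index = args[1], args[2]
        if index not in totals:
            return []                # print nothing; Cacti stores unknown
        if field == "peer":
            return [index]
        if field not in FIELDS:
            raise SystemExit(f"unknown field: {field}")
        return [str(totals[index][FIELDS[field]])]
    raise SystemExit("usage: index | query <field> | get <field> <index>")


if __name__ == "__main__":
    print("\n".join(script_query(sys.argv[1:])))
```

Because the peer IP is the index, the `index` pass only lists peers that have at least one SA row at the moment Cacti re-indexes the device; a LAN-to-LAN tunnel that is idle or down at that moment has no row and will not be offered under New Graphs until the next re-index finds it up.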
Re: Spikes when IPsec re-keys?
See the data templates recently attached to the original message. I originally had these set to COUNTER but had seen the same problem. Once they were changed to DERIVE, the spikes stopped occurring.
tonyv250 wrote:
Hi.
I am relatively new to Cacti.
Has anyone else seen spikes in VPN tunnel graphs when the IPsec SA re-keys and the RX and TX counters on the ASA are zeroed?
It looks like the subtraction that takes place to get the number of bytes that have been transmitted or received between two polls becomes a negative number and that causes the calculation to produce a negative bits/sec value, which must confuse the graphing process.
Am I doing something wrong?
Thanks.
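The arithmetic behind both the spike in the question and the COUNTER-to-DERIVE fix in the reply, as an added example that is not part of the templates or of any post in this thread. It re-implements, in simplified form and as an assumption of this example rather than rrdtool's own code, how rrdtool turns two consecutive counter samples into a rate for a COUNTER and for a DERIVE data source with Cacti's default minimum of 0. The counter samples are constructed; the 300 s step and the octets-to-bits conversion match the graph command posted earlier in the thread.

```python
"""Why a re-keyed (zeroed) IPsec SA counter spikes a COUNTER graph
but not a DERIVE one (added example, simplified rrdtool arithmetic)."""
from typing import List, Optional

WRAP32 = 2 ** 32
WRAP64 = 2 ** 64
STEP = 300  # Cacti's default polling interval in seconds


def rrd_rate(dst: str, prev: int, cur: int, step: int = STEP,
             minimum: Optional[float] = 0.0,
             maximum: Optional[float] = None) -> Optional[float]:
    """Per-second rate stored for one update (None = unknown / NaN).

    COUNTER: a decrease is taken to be a wrap, so 2^32 is added (or 2^64
             if the previous value was already above 2^32). A counter that
             was merely reset to zero therefore looks like a near-full
             wrap and yields a huge rate: the spike.
    DERIVE:  the raw difference is used. A reset gives a negative rate,
             which falls below the data source minimum (0) and is stored
             as unknown instead of a spike.
    """
    if dst not in ("COUNTER", "DERIVE"):
        raise ValueError(f"unsupported data source type: {dst}")
    diff = cur - prev
    if dst == "COUNTER" and diff < 0:
        diff += WRAP32                       # assume a 32-bit wrap ...
        if diff < 0:                         # ... or a 64-bit one
            diff += WRAP64 - WRAP32
    rate = diff / step
    if minimum is not None and rate < minimum:
        return None
    if maximum is not None and rate > maximum:
        return None
    return rate


def rates_bps(dst: str, octet_samples: List[int],
              step: int = STEP) -> List[Optional[float]]:
    """Bits-per-second series from consecutive octet counter samples,
    mirroring the graph's CDEF (octets per second * 8)."""
    out: List[Optional[float]] = []
    for prev, cur in zip(octet_samples, octet_samples[1:]):
        r = rrd_rate(dst, prev, cur, step)
        out.append(None if r is None else r * 8)
    return out


# Constructed samples: inbound octets for one peer, polled every 300 s.
# Between the third and fourth poll the IPsec SA re-keys and the ASA
# restarts the counter from zero.
SAMPLES = [1_000_000, 4_000_000, 7_000_000, 150_000, 3_150_000]

if __name__ == "__main__":
    for dst in ("COUNTER", "DERIVE"):
        series = rates_bps(dst, SAMPLES)
        print(dst, [None if r is None else round(r) for r in series])
```

The trade-off is visible in the last two assertions of the test: DERIVE also discards the interval in which a 32-bit counter legitimately wraps, since that difference is negative too. For SA counters that are reset on every re-key, losing one interval is far better than the multi-hundred-megabit spike COUNTER produces, which is why the attached templates use DERIVE.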