Cisco ASA/PIX VPN Statistics
Script to get SA Traffic
I wrote/use the attached script to get my SA traffic from our ASA5520.
I run this on Intel Solaris 10. So, it might need a little syntax hacking for sed/awk/etc but it should be easy to get going on other Unix flavors.
The script syntax is:
./get_ipsec.sh <host ip> <direction>
[ ./get_ipsec.sh 192.168.200.15 sent ]
[ ./get_ipsec.sh 192.168.200.15 receive ]
<host ip> = ip address of the host at the other end of the tunnel (not the tunnel endpoint).
<direction> = sent or receive
I have Cacti running this script and creating graphs that show the traffic for our peers. Sorry I don't have templates. I'm not too keen on that part yet. :O
I hope this helps someone. Feel free to IM me if you have questions.
Note: When SAs reset, it skews the graphs. I have trained our techs to understand that it simply means the SA reset and they use the zoom features to view the current traffic until the 'spike' moves off the graph.
Regards,
Jason
Attachment: get_ipsec.sh.txt (1.76 KiB), downloaded 665 times
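As an added example, not Jason's attached get_ipsec.sh (the attachment is not reproduced on this page): a Python script with the same command line, get_ipsec.py <host ip> <sent|receive>, that reads `show crypto ipsec sa` output from stdin and prints the one counter a Cacti data input method would graph. The sample show output and all addresses are constructed, not captured from a real ASA; the selection of an SA by its "remote ident" host and the mapping of sent/receive onto #pkts encaps/#pkts decaps are my assumptions about what the original script does. It also includes a delta function that treats a counter going backwards as the SA reset the note above describes, rather than as a 32-bit counter wrap.

```python
#!/usr/bin/env python3
"""get_ipsec.py <host ip> <sent|receive>

Added example (not the attached get_ipsec.sh): reads ASA `show crypto ipsec sa`
output from stdin and prints one packet counter for Cacti to graph.
"""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample of `show crypto ipsec sa` output; not captured from a real
# ASA, addresses are from documentation ranges. Two SAs, one per protected host.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      access-list outside_cryptomap_10 extended permit ip host 10.1.1.5 host 192.168.200.15
      local ident (addr/mask/prot/port): (10.1.1.5/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.15/255.255.255.255/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 4821, #pkts encrypt: 4821, #pkts digest: 4821
      #pkts decaps: 3210, #pkts decrypt: 3210, #pkts verify: 3210
      #pkts compressed: 0, #pkts decompressed: 0

      local crypto endpt.: 203.0.113.1/0, remote crypto endpt.: 198.51.100.7/0
      current outbound spi: A1B2C3D4

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      access-list outside_cryptomap_20 extended permit ip host 10.1.1.5 host 192.168.200.16
      local ident (addr/mask/prot/port): (10.1.1.5/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.16/255.255.255.255/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 77, #pkts encrypt: 77, #pkts digest: 77
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
"""

# "sent" = packets this ASA encapsulated, "receive" = packets it decapsulated.
# Assumed mapping; the original script's choice is not shown on the page.
DIRECTION_FIELD = {"sent": "encaps", "receive": "decaps"}

SA_START = re.compile(r"^\s*Crypto map tag: ")
PATTERNS = {
    "host": re.compile(r"remote ident \(addr/mask/prot/port\): \((\d{1,3}(?:\.\d{1,3}){3})/"),
    "peer": re.compile(r"current_peer: (\d{1,3}(?:\.\d{1,3}){3})"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split show output into one record per SA (each "Crypto map tag:" block)."""
    sas: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        if SA_START.match(line):
            cur = {"host": None, "peer": None, "encaps": None, "decaps": None}
            sas.append(cur)
            continue
        if cur is None:          # text before the first SA block (interface: ...)
            continue
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1)) if key in ("encaps", "decaps") else m.group(1)
    return sas


def sa_counter(text: str, host: str, direction: str) -> Optional[int]:
    """Counter for the SA whose remote ident is <host ip>; None if no such SA is up."""
    field = DIRECTION_FIELD[direction]   # KeyError on anything but sent/receive
    for sa in parse_ipsec_sa(text):
        if sa["host"] == host and sa[field] is not None:
            return sa[field]
    return None


def counter_delta(prev: Optional[int], cur: Optional[int]) -> Optional[int]:
    """Packets since the last poll. A counter that went backwards means the SA
    was reset or rekeyed, so report unknown (None) instead of the 2^32 wrap a
    COUNTER-typed RRD would assume; that wrap is the spike described in the post."""
    if prev is None or cur is None or cur < prev:
        return None
    return cur - prev


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[2] not in DIRECTION_FIELD:
        sys.exit("usage: get_ipsec.py <host ip> <sent|receive>   (show output on stdin)")
    # e.g.  ssh asa 'show crypto ipsec sa' | ./get_ipsec.py 192.168.200.15 sent
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    value = sa_counter(text, sys.argv[1], sys.argv[2])
    print("U" if value is None else value)   # "U" is rrdtool's unknown value
```

The reset handling matters for the graph, not just the script: with an RRD data source of type COUNTER, rrdtool treats any decrease as a 32-bit overflow and plots one enormous rate sample when the SA rekeys, which is the spike the techs are trained to ignore. Defining the data source as DERIVE with a minimum of 0 makes that sample unknown (a gap) instead. That is standard rrdtool behaviour and not something the original post describes.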
Leeroy wrote:
Hi,
I've tested your script and it works well. But I don't know why, for certain hosts, it doesn't detect all VPN peers, for example:
There are 2 VPNs active but it detects only one:
perl query_lan2lan_cisco.pl public xxx.xxx.xx7.254 ASA index
xxx.xxx.xxx.234
This problem doesn't appear on all ASAs, only two of them have this problem.
If you have any ideas
I've noticed the same thing... a verbose query in cacti to our ASA device reveals that the actual data returned by the perl script's index is missing a couple of tunnels (we have about 20... 18 get returned).
This could very well be a bug in Cisco's SNMP presentation of the sessions though, and not a problem with the script. I can run the perl script by hand and have the same problem. If I go into ASDM I can confirm a tunnel is up, but not listed in the SNMP index output from the perl script.
We're planning on upgrading to ASA software ver 8 (we're currently on 7.1)... if this gets fixed I'll post.
I wouldn't put it past Cisco that this is a bug in their SNMP reporting though...
Argh I wish they let us define tunnels as virtual interfaces, like they do with routers and DMVPNs, instead of this "magical VPN session" crap
No row found in data query
Hi,
I did everything described, data query, graph templates, perl script, everything seems to be correct.
When I invoke query_lan2lan_cisco.pl with ASA query index or ASA index, I get the right answers (2 active peers for now).
But in cacti (0.8.7b), the data query for the host returns 0 rows.
Does anyone know how to get more debug info?
Thanks in advance,
In addition, here is the result of the verbose query through cacti web interface:
+ Running data query [11].
+ Found type = '4 '[script query].
+ Found data query XML file at '/opt/http/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl /opt/http/cacti/scripts/query_lan2lan_cisco.pl xxxx xxx.xxx.xxx.13 ASA index'
+ Executing script query 'perl /opt/http/cacti/scripts/query_lan2lan_cisco.pl xxxx xxx.xxx.xxx.13 ASA query index'
+ Found data query XML file at '/opt/http/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at '/opt/http/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at '/opt/http/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
Edit: I just noticed that there was no data input method for the script query. Is it the missing thing ?
Hi there
I just downloaded these scripts and uploaded as described, but when I try to run the verbose query, I get
+ Running data query [10].
+ Found type = '4 '[script query].
+ Could not find data query XML file at '/var/www/html/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Error parsing XML file into an array.
+ Could not find data query XML file at '/var/www/html/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Could not find data query XML file at '/var/www/html/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Could not find data query XML file at '/var/www/html/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
can anyone guide me a bit in the right direction?
thanks
Andre
EDIT:
ignore that, I just had to rename the file
Finally I've done the SSL Statistics on Cacti myself:
http://forums.cacti.net/viewtopic.php?p ... ht=#174500
If you wanna try it!
Thanks for the template, it works great.
I only have a minor problem: when I go to "create graphs", it does not only list Site-to-Site VPNs, but also Remote Access IPSec VPNs. Is there some way I can modify the script to only return Site-to-Site VPNs? It's no real problem, just a little more work because I have to check which peers are Site-to-Site VPNs.
Re: No row found in data query
privart wrote:
But in cacti (0.8.7b), the data query for the host returns 0 rows.
I'm getting this also, however, my Cacti install is in Windows (2003 x64). When I try to run the script manually, I get this:
Odd number of elements in hash assignment at C:/Perl64/site/lib/Net/SNMP.pm line 2276.
request error: The argument "1.3.6.1.4.1.9.9.171.1.2.3.1.7." is unknown at C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl line 208.
I've download the scripts, templates etc... from the first post, and I'm now getting the following error when I try to run the query_lan2lan_cisco.pl script.
I'm running this against a Cisco PIX Firewall Version 6.3(5) - I think it's either 506 or 515 (not sure I'm remotely monitoring for a third party)
perl query_lan2lan_cisco.pl public 192.168.1.1 ASA index
request error: Requested table is empty or does not exist at query_lan2lan_cisco.pl line 208.
perl query_lan2lan_cisco.pl public 192.168.1.1 ASA query RX
request error: Requested table is empty or does not exist at query_lan2lan_cisco.pl line 208.
Any advice? Thanks in advance
aggie wrote:
I'm running this against a Cisco PIX Firewall Version 6.3(5) -
Answered my own Q -- not supported on PIX 6.3...
http://www.velocityreviews.com/forums/s ... ostcount=2