Cisco ASA/PIX VPN Statistics

Templates, scripts for templates, scripts and requests for templates.

Moderators: Developers, Moderators

Post Reply
henrys
Posts: 7
Joined: Wed Dec 09, 2009 1:18 pm

Post by henrys »

I had to mangle a few things on my system to get this to work. First of all the perl script didn't like the '.' on the end of the OID's. Also, on the indexes returned I had to strip the '.' off.

Next I had to add an <HR> to the last item in the graph template. Otherwise its working great! Thanks for this script.
GunnarPhilipp
Posts: 10
Joined: Sun Dec 20, 2009 10:22 pm
Location: USA

Post by GunnarPhilipp »

Hello.

I've been trying to implement this script - but without success so far.

I am running cacti on a winXP box, and have an ASA5510.

I've copied the files to the correct folders and imported all the templates.

When i added the Associated Data Querie the status returned 0 items and 0 rows..

The verbose query shows:

Code: Select all

+ Running data query [25].
+ Found type = '4 '[script query].
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl public x.x.x.254 ASA index'
+ Executing script query 'perl C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl public x.x.x.254 ASA query index'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
then I tried this the manual way:

Code: Select all

C:\Inetpub\wwwroot\cacti>perl C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl public x.x.x.254 ASA index
Can't locate Net/SNMP.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at c:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl line 25.
BEGIN failed--compilation aborted at C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl line 25.
I have no idea what that "Net/SNMP.pm" is and how to implement it.

I appreciate any ideas and help you could give me.

Thank you in advance!
commoboy
Posts: 6
Joined: Mon Mar 21, 2005 1:46 pm
Location: Seattle
Contact:

Post by commoboy »

I've noticed that there seems to be an issue with the latest version of Net::SNMP and the query_lan2lan.pl script. On all of my servers that I have updated to the latest Perl and Net::SNMP module, I get the following error.

Odd number of elements in hash assignment at /usr/local/share/perl/5.10.0/Net/SNMP.pm line 2276.

This is happening on CentOS, Solaris and Ubuntu. From what I can tell the way SNMP.pm handles the hashing as it gathers it from the query_lan2lan.pl variables is not working correctly.

Has anyone else seen this?

Update: As "Henrys" noted, removing the trailing dots from the OIDs in the perl script seems to have done the trick. Time will tell if this causes any other problems. So far, so good on my deployment.
commoboy
Posts: 6
Joined: Mon Mar 21, 2005 1:46 pm
Location: Seattle
Contact:

Post by commoboy »

GunnarPhilipp wrote:Hello.

I've been trying to implement this script - but without success so far.

I am running cacti on a winXP box, and have an ASA5510.

I've copied the files to the correct folders and imported all the templates.

When i added the Associated Data Querie the status returned 0 items and 0 rows..

The verbose query shows:

Code: Select all

+ Running data query [25].
+ Found type = '4 '[script query].
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl public x.x.x.254 ASA index'
+ Executing script query 'perl C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl public x.x.x.254 ASA query index'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/Inetpub/wwwroot/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
then I tried this the manual way:

Code: Select all

C:\Inetpub\wwwroot\cacti>perl C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl public x.x.x.254 ASA index
Can't locate Net/SNMP.pm in @INC (@INC contains: C:/Perl/site/lib C:/Perl/lib .) at c:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl line 25.
BEGIN failed--compilation aborted at C:\Inetpub\wwwroot\cacti\scripts\query_lan2lan_cisco.pl line 25.
I have no idea what that "Net/SNMP.pm" is and how to implement it.

I appreciate any ideas and help you could give me.

Thank you in advance!
Hi Gunnar,

It would be best if you familiarized yourself with the PPM on Windows. It's somewhat similar to the CPAN tool for PERL that we all enjoy/hate in the *nix environments.

Once you get PPM running you can follow the steps detailed at this URL to get the Net::SNMP perl module installed. That would be the "Net/SNMP.pm" that your script is complaining about.

http://www.netadmintools.com/part489.html
User avatar
nebj00la
Cacti User
Posts: 112
Joined: Fri Feb 17, 2006 9:02 pm
Location: Massachusetts, USA
Contact:

Post by nebj00la »

This script will not work with the poller configured as spine/cactid. Here's a thread I've started to discuss the issue:

http://forums.cacti.net/viewtopic.php?t=35963

Technically, here is why it's failing:
...it[the script] uses multiple prints to output the ASA specs, it will fail under spine. You need to, internal to the script, maintain a buffer and output all at once.
Thanks,
nebj00la
iharvey
Posts: 42
Joined: Wed Nov 01, 2006 6:10 am

Post by iharvey »

Hi, this looks like another excellent tool for Cacti, I wish I could get it to work. It has been a steep learning curve to get to an error free installation, but I now only get blank graphs

I am using Debian...and have an ASA 5540

Step one, I had to install CPAN to get rid of the error


(there are other ways to do this but I found this was the easiest)


I then had to edit the cisco_asa_vpn_tunnel.xml script to show the full path to query_lan2lan_cisco.pl (see previous post)


I then had to remove the last 'dot' from the end of the MIBs in query_lan2lan_cisco.pl (see previous post)


This works
perl /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl community hostname ASA index

output is a list of Peer IP Addresses


This sort of works
perl /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl community hostname ASA query RX

output is the list of Peer IP Addresses followed by colon zero


This sort of works:
perl /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl community hostname ASA get RX -peer ip address-

output is 0 (zero)


I know that I DO have traffic on my VPN Tunnels - some are being graphed individually from the remote device when I have SNMP access to them, so with this I can graph the utilisation of the others


Any input would be very much appreciated
iharvey
Posts: 42
Joined: Wed Nov 01, 2006 6:10 am

Post by iharvey »

more info, I checked the MIB from the pl script with snmpwalk,

snmpwalk -c community -v 2c hostname 1.3.6.1.4.1.9.9.171.1.3.2.1.26

and the output was

SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.76028 = Counter32: 699186453
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.96553 = Counter32: 1139340567
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.98464 = Counter32: 3181623888
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.99694 = Counter32: 11372476
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.101996 = Counter32: 2242940553
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.26.101998 = Counter32: 182383434

and I found this on the web (here http://www.oidview.com/mibs/9/CISCO-IPS ... R-MIB.html)

cipSecTunInOctets 1.3.6.1.4.1.9.9.171.1.3.2.1.26
which is the correct name in the pl script
User avatar
Setarcos
Cacti User
Posts: 143
Joined: Mon Dec 13, 2004 2:55 pm
Location: San Jose, CA
Contact:

Post by Setarcos »

iharvey, can you post the results of the following:

query_lan2lan_cisco.pl <community> <hostname> ASA index

query_lan2lan_cisco.pl <community> <hostname> ASA query RX
iharvey
Posts: 42
Joined: Wed Nov 01, 2006 6:10 am

Post by iharvey »

query_lan2lan_cisco.pl <community> <hostname> ASA index:

<ip of peer>
<ip of peer>
<ip of peer>
<ip of peer>
<ip of peer>


query_lan2lan_cisco.pl <community> <hostname> ASA query RX


<ip of peer>:0
<ip of peer>:0
<ip of peer>:0
<ip of peer>:0
<ip of peer>:0


query_lan2lan_cisco.pl <community> <hostname> ASA get RX <ip of peer>
0


This indicates to me that the info for the MIB in the perl script is correct, but the perl script doesn't 'run correctly' to output the correct data. I have a look at the perl script, but it is far to complicated for me... :-(
User avatar
Setarcos
Cacti User
Posts: 143
Joined: Mon Dec 13, 2004 2:55 pm
Location: San Jose, CA
Contact:

Post by Setarcos »

Hi Folks,

I tried stripping off the trailing '.' from the OID as recommended by henrys in an earlier post, and started getting 0 in the TX and RX responses. Without digging into the code further, it appears doing so is actually breaking things.

Let me have a more in-depth look at the code and see what is actually happening...
User avatar
Setarcos
Cacti User
Posts: 143
Joined: Mon Dec 13, 2004 2:55 pm
Location: San Jose, CA
Contact:

Post by Setarcos »

iharvey wrote:
query_lan2lan_cisco.pl <community> <hostname> ASA query RX


<ip of peer>:0
<ip of peer>:0
<ip of peer>:0
<ip of peer>:0
<ip of peer>:0


query_lan2lan_cisco.pl <community> <hostname> ASA get RX <ip of peer>
0


This indicates to me that the info for the MIB in the perl script is correct, but the perl script doesn't 'run correctly' to output the correct data. I have a look at the perl script, but it is far to complicated for me... :-(
This script doesn't use a MIB (just using OIDs), but clearly something is amiss. iharvey please try the attached version on the command line as before and post the results.

Update: Test script removed.
Last edited by Setarcos on Thu Mar 11, 2010 12:54 pm, edited 1 time in total.
iharvey
Posts: 42
Joined: Wed Nov 01, 2006 6:10 am

Post by iharvey »

Hi Setarcos, many thanks for investigating this and sorry for the delay in replying

The results are:

/usr/share/cacti/site/scripts# perl /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl <community> <hostname> ASA index
Odd number of elements in hash assignment at /usr/local/share/perl/5.10.0/Net/SNMP.pm line 2276.
request error: The argument "1.3.6.1.4.1.9.9.171.1.2.3.1.7." is unknown at /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl line 227.


/usr/share/cacti/site/scripts# perl /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl <community> <hostname> ASA query RX
Odd number of elements in hash assignment at /usr/local/share/perl/5.10.0/Net/SNMP.pm line 2276.
request error: The argument "1.3.6.1.4.1.9.9.171.1.2.3.1.7." is unknown at /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl line 227.


/usr/share/cacti/site/scripts# perl /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl <community> <hostname> ASA get RX <ip address>
Odd number of elements in hash assignment at /usr/local/share/perl/5.10.0/Net/SNMP.pm line 2276.
request error: The argument "1.3.6.1.4.1.9.9.171.1.2.3.1.7." is unknown at /usr/share/cacti/site/scripts/query_lan2lan_cisco.pl line 244.

I never really thought of the difference between MIB and OID so I googled it: Think of a MIB as a DNS
table or a HOSTS file, and the OID as IP address. The MIB relates words to OID numbers as a DNS or HOSTS file relates URLs & names to actual IP addresses
User avatar
Setarcos
Cacti User
Posts: 143
Joined: Mon Dec 13, 2004 2:55 pm
Location: San Jose, CA
Contact:

Post by Setarcos »

Thanks iharvey,

We are slowly getting to the bottom of this... Could you try the attached version with the same tests and post the results?

Update: Test script removed
Last edited by Setarcos on Thu Mar 11, 2010 12:54 pm, edited 1 time in total.
iharvey
Posts: 42
Joined: Wed Nov 01, 2006 6:10 am

Post by iharvey »

slowly?? javascript:emoticon(':D') fast enough for me, because it works.

<ip of peer>:3396162449
<ip of peer>:478313915
<ip of peer>:2434121908
<ip of peer>:2246398182

etc. Many many thanks - what a great start to the day
User avatar
Setarcos
Cacti User
Posts: 143
Joined: Mon Dec 13, 2004 2:55 pm
Location: San Jose, CA
Contact:

Post by Setarcos »

iharvey wrote:slowly?? javascript:emoticon(':D') fast enough for me, because it works.

<ip of peer>:3396162449
<ip of peer>:478313915
<ip of peer>:2434121908
<ip of peer>:2246398182

etc. Many many thanks - what a great start to the day
Glad to hear it! I just updated the script in the first post of this thread with these changes.
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest