Cisco ASA/PIX VPN Statistics

Can't get graphs for the L2L Tunnels to graph ASA 5520,8.0.4

Post by ktcarlson »

Hey, I'm new to Cacti and would really like this graph to work. I have 8 VPN tunnels I would like to keep track of. I've loaded the IP addresses of the tunnels into the Data Query Template Suggested Values, but when I run the Data Debug Query I get the following:
Data Query Debug Information

+ Running data query [14].
+ Found type = '4 '[script query].
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl E:\Apache2\htdocs\cacti\scripts\ HlScCsLh ASA index'
+ Executing script query 'perl E:\Apache2\htdocs\cacti\scripts\ HlScCsLh ASA query index'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'

I've loaded the in the scripts directory, cisco_asa_vpn_tunnel.xml is in the scripts_queries directory and the templates have all been imported, but still no love.

Here is the BBCode from my system. I am running Cacti on Windows Server 2003 R2, Enterprise Edition, Service Pack 2:
Cacti Version - 0.8.7e
Plugin Architecture - 2.5
Poller Type - CMD.php
Server Info - Windows NT 5.2
Web Server - Apache/2.2.14 (Win32) PHP/5.2.11
PHP - 5.2.11
PHP Extensions - bcmath, calendar, com_dotnet, ctype, date, filter, ftp, hash, iconv, json, odbc, pcre, Reflection, session, libxml, standard, tokenizer, zlib, SimpleXML, dom, SPL, wddx, xml, xmlreader, xmlwriter, apache2handler, ldap, mysql, snmp, sockets
MySQL - 5.0.88-community-nt
RRDTool - 1.2.30
SNMP - At line 1 in (none)
No hostname specified.

Version: 5.5

-h, --help display this help message
-H display configuration file directives understood
-v 1|2c|3 specifies SNMP version to use
-V, --version display package version number
SNMP Version 1 or 2c specific
-c COMMUNITY set the community string
SNMP Version 3 specific
-a PROTOCOL set authentication protocol (MD5|SHA)
-A PASSPHRASE set authentication protocol pass phrase
-e ENGINE-ID set security engine ID (e.g. 800000020109840301)
-E ENGINE-ID set context engine ID (e.g. 800000020109840301)
-l LEVEL set security level (noAuthNoPriv|authNoPriv|authPriv)
-n CONTEXT set context name (e.g. bridge1)
-u USER-NAME set security name (e.g. bert)
-x PROTOCOL set privacy protocol (DES)
-X PASSPHRASE set privacy protocol pass phrase
-Z BOOTS,TIME set destination engine boots/time
General communication options
-r RETRIES set the number of retries
-t TIMEOUT set the request timeout (in seconds)
-d dump input/output packets in hexadecimal
-D TOKEN[,...] turn on debugging output for the specified TOKENs
(ALL gives extremely verbose debugging output)
General options
-m MIB[:...] load given list of MIBs (ALL loads everything)
-M DIR[:...] look in given list of directories for MIBs
-P MIBOPTS Toggle various defaults controlling MIB parsing:
u: allow the use of underlines in MIB symbols
c: disallow the use of "--" to terminate comments
d: save the DESCRIPTIONs of the MIB objects
e: disable errors when MIB symbols conflict
w: enable warnings when MIB symbols conflict
W: enable detailed warnings when MIB symbols conflict
R: replace MIB symbols from latest module
-O OUTOPTS Toggle various defaults controlling output display:
0: print leading 0 for single-digit hex characters
a: print all strings in ascii format
b: do not break OID indexes down
e: print enums numerically
E: escape quotes in string indices
f: print full OIDs on output
n: print OIDs numerically
q: quick print for easier parsing
Q: quick print with equal-signs
s: print only last symbolic element of OID
S: print MIB module-id plus last element
t: print timeticks unparsed as numeric integers
T: print human-readable text along with hex strings
u: print OIDs using UCD-style prefix suppression
U: don't print units
v: print values only (not OID = value)
x: print all strings in hex format
X: extended index format
-I INOPTS Toggle various defaults controlling input parsing:
b: do best/regex matching to find a MIB node
h: don't apply DISPLAY-HINTs
r: do not check values for range/type legality
R: do random access to OID labels
u: top-level OIDs must have '.' prefix (UCD-style)
s SUFFIX: Append all textual OIDs with SUFFIX before parsing
S PREFIX: Prepend all textual OIDs with PREFIX before parsing
-L LOGOPTS Toggle various defaults controlling logging:
e: log to standard error
o: log to standard output
n: don't log at all
f file: log to the specified file
s facility: log to syslog (via the specified facility)

[EON] pri: log to standard error, output or /dev/null for level 'pri' and above
[EON] p1-p2: log to standard error, output or /dev/null for levels 'p1' to 'p2'
[FS] pri token: log to file/syslog for level 'pri' and above
[FS] p1-p2 token: log to file/syslog for levels 'p1' to 'p2'
-C APPOPTS Set various application specific behaviours:
p: print the number of variables found
i: include given OID in the search range
I: don't include the given OID, even if no results are returned
c: do not check returned OIDs are increasing
t: Display wall-clock time to complete the request
E {OID}: End the walk at the specified OID
  • Update Checker (update - v0.4)
    Network Tools (tools - v0.3)
    Global Plugin Settings (settings - v0.6)
    Host Info (hostinfo - v0.2)

Any help will be greatly appreciated!

Post by DWAyotte »

Here is what I get.

perl scripts/ public 10.x.x.1 ASA query RX
Can't locate Net/ in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at scripts/ line 36.
BEGIN failed--compilation aborted at scripts/ line 36.

Happens for all Perl queries. What to do?

snmpwalk succeeds.

I am on CentOS 5.5, Cacti 0.8.7f.

My graph also doesn't seem to create, see image
[Attachment: Capture.GIF]

Post by Setarcos »

DWAyotte wrote: Here is what I get.

perl scripts/ public 10.x.x.1 ASA query RX
Can't locate Net/ in @INC (@INC contains: /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 .) at scripts/ line 36.
BEGIN failed--compilation aborted at scripts/ line 36.

You need to install the Net::SNMP Perl module.

When properly installed, running the script from the command line shouldn't error out.

Post by DWAyotte »

Is that different than these?

net-snmp.i386 1: installed
net-snmp-libs.i386 1: installed
net-snmp-utils.i386 1: installed

Post by Setarcos »

DWAyotte wrote: Is that different than these?

net-snmp.i386 1: installed
net-snmp-libs.i386 1: installed
net-snmp-utils.i386 1: installed

Yep, not the same. If you don't already have it, add the RPMForge or EPEL repos, and install the RPM:

yum install perl-Net-SNMP

Post by DWAyotte »

Awesome, thanks! That did the trick for running

perl scripts/ public 10.x.x.1 ASA index

Now I still have the same graph problem. Any ideas on that one?

Post by Setarcos »

DWAyotte wrote: Awesome, thanks! That did the trick for running

perl scripts/ public 10.x.x.1 ASA index

Now I still have the same graph problem. Any ideas on that one?

You will need to provide some additional details on the "graph problem".

How did you create the graphs? What do the graphs and data source debug mode say?

Post by DWAyotte »

I spoke a little too soon. I thought it had polled a few times, but it hadn't.

It just seems that I have an "extra" graph (looks like that screen snip above).

I have 1 graph for each of my IPsec peers. Is there a graph that shows total IPsec traffic? I wonder if that could be the case.

I created the graphs by adding the device, then, in the create graph section, checked the "Cisco ASA/PIX -VPN Statistics" graph along with the default Cisco CPU usage graph. I then selected the peer IP of my VPNs in the data query section and lastly the interface stats for each of my interfaces and chose in/out bits (64-bit counters).

Should I maybe not select the "Cisco ASA/PIX -VPN Statistics" under graph templates?

Post by Setarcos »

DWAyotte wrote: I spoke a little too soon. I thought it had polled a few times, but it hadn't.

It just seems that I have an "extra" graph (looks like that screen snip above).

Should I maybe not select the "Cisco ASA/PIX -VPN Statistics" under graph templates?

Correct, since the graph templates are already associated to the query, this isn't needed, and is the source of your "extra" graph.

DWAyotte wrote: I have 1 graph for each of my IPsec peers. Is there a graph that shows total IPsec traffic? I wonder if that could be the case.

Yes, the Cisco ASA - IPSec Global Traffic (bits/sec) graph template from another thread provides this.

DWAyotte wrote: I created the graphs by adding the device, then, in the create graph section, checked the "Cisco ASA/PIX -VPN Statistics" graph along with the default Cisco CPU usage graph. I then selected the peer IP of my VPNs in the data query section and lastly the interface stats for each of my interfaces and chose in/out bits (64-bit counters).

So do the "IPSec Traffic" graphs work now?

Post by DWAyotte »

They sure do, I really appreciate your help. Thanks a million and especially thanks for being patient with my noob self. :)

Post by Setarcos »

DWAyotte wrote: They sure do, I really appreciate your help. Thanks a million and especially thanks for being patient with my noob self. :)

No problem. Glad to hear it is working!

still no graphs

Post by ktcarlson »

I've got the Associated Graph/Data Templates [edit: Cisco ASA/PIX -VPN Statistics] configured (both Data Templates and Graph Templates). I also have the Data Queries correctly configured (I think, see attached). But when I try to create a graph I am still getting 0 items and 0 rows discovered. Here is the debug:
Data Query Debug Information

+ Running data query [14].
+ Found type = '4 '[script query].
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl E:\Apache2\htdocs\cacti\scripts\ HlScCsLh ASA index'
+ Executing script query 'perl E:\Apache2\htdocs\cacti\scripts\ HlScCsLh ASA query index'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'

Re: still no graphs

Post by Setarcos »

ktcarlson wrote: I've got the Associated Graph/Data Templates [edit: Cisco ASA/PIX -VPN Statistics] configured (both Data Templates and Graph Templates). I also have the Data Queries correctly configured (I think, see attached). But when I try to create a graph I am still getting 0 items and 0 rows discovered.

Run the following at the command line and let me know what you see:

perl E:\Apache2\htdocs\cacti\scripts\ HlScCsLh ASA index

No perl

Post by ktcarlson »

Maybe this is the problem. I ran the command and got:

C:\>perl E:\Apache2\htdocs\cacti\scripts\ HlScCsLh ASA index
'perl' is not recognized as an internal or external command, operable program or batch file.

I guess I need to have perl installed? How do I go about doing that?


Post by mcutting »

Cacti Version 0.8.8b
Cacti OS Ubuntu LTS
RRDTool Version RRDTool 1.4.7
Poller Information
Type SPINE 0.8.8b