Cisco ASA/PIX VPN Statistics

[ktcarlson]

E:\Perl\bin>perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl xxxxxx
172.19.x.x ASA index
Can't locate Net/SNMP.pm in @INC (@INC contains: E:/Perl/site/lib E:/Perl/lib .)
at E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl line 36.
BEGIN failed--compilation aborted at E:\Apache2\htdocs\cacti\scripts\query_lan2l
an_cisco.pl line 36.

How do I load Net::SNMP?

[Setarcos]

E:\Perl\bin>perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl xxxxxx
172.19.x.x ASA index
Can't locate Net/SNMP.pm in @INC (@INC contains: E:/Perl/site/lib E:/Perl/lib .)
at E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl line 36.
BEGIN failed--compilation aborted at E:\Apache2\htdocs\cacti\scripts\query_lan2l
an_cisco.pl line 36.

How do I load Net::SNMP?

You will need to install both Net-SNMP, and the Net::SNMP Perl module. A quick Google search turned up the following:

Code: Select all

Q:  How to I enable the Perl support for UCD-SNMP / Net-SNMP under Windows?

Native Windows:

Install ActiveState ActivePerl and then the ActivePerl .ppm module included in the Net-SNMP binary available from the Net-SNMP web site.

If you compiled your own version of Net-SNMP, see the perl/README document for instructions on compiling the Perl modules.

[ktcarlson]

Hey, sorry it's been so long, but I had other things get in the way.
I have loaded Net::SNMP and I am now getting responses to the query_lan2lan_cisco.pl. the returned IP adddresses are in the format:
xxx.xxx.xxx.xxx:xxx.xxx.xxx.xxx

Once I got the response to that query I started the cacti poller and then waited about 15 minutes, but I am still not getting a response to the Data Query:
+ Running data query [14].
+ Found type = '4 '[script query].
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl HlScCsLh 172.19.26.217 ASA index'
+ Executing script query 'perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl HlScCsLh 172.19.26.217 ASA query index'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'

Any ideas?
Kyle

[ktcarlson]

I had to reboot!
Thanks for all your help!

[Setarcos]

I had to reboot!
Thanks for all your help!

Glad you got it going!

Sorry for the delay in responding. I am traveling this week.

[cgi_itdeusto]

Sorry for my English. This script worked fine and it's just what I needed but I have a problem. Suddenly one day left to paint the graphics. I have not made any software change. Running the script returns me the following error:

"request error: A loop Was detected with the table on the remote host at / var/www/cacti/scripts/query_lan2lan_cisco.pl line 246"

Does anyone know how to fix? I think it is related to the router does not increase the OID and may be solved with the option "Non Increasing" Net:: SNMP but I do not know how to activate it. Anybody can help me?

Thank you very much

[DAVE2318]

Hi there,

I am new to Cacti. I have configured it on win32 and normal graphs are working fine.
I have installed and configured this addin and initially i thought it was working. All my VPN's (105 of them) appeared int eh data series and i added the graphs.

Unfortunately the rrd's haven't appeared.

Any ideas?
Thanks in advance.

[scooby2]

Does anyone know why 1.3.6.1.4.1.9.9.171.1.2.3.1.7 would not show IP addresses for all connections that are up? It shows almost half of the connections that are up. I am using a PIX 515E w/ 7.2.x.

Thanks,
Scooby2

[Leddy]

I am unable to get my data query to return any rows within cacti. I've tried the rebooting, adding the full path but nothing seems to have worked so far.

+ Running data query [10].
+ Found type = '4 '[script query].
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA index'
+ Executing script query 'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA query index'
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'

When I run the following commands manually I get these results:
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA index' : "aaa.aaa.aaa.aaa"
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA query index' : "aaa.aaa.aaa.aaa:aaa.aaa.aaa.aaa"

'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA query RX' : aaa.aaa.aaa.aaa:3570406544
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA get RX' : aaa.aaa.aaa.aaa:3571540048
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA get RX aaa.aaa.aaa.aaa' : 3571540123

aaa.aaa.aaa.aaa is the ip address of the "up" tunnel.
Any ideas?

[maguac]

Am trying to set the same profiles for a cisco 7206 running ipsec aware vrf. However am running into error :

perl query_lan2lan_cisco.pl community 1x0.x.x.245 ASA index
request error: No response from remote host '1x0.x.x.245' at /local/cacti/scripts/query_lan2lan_cisco.pl line 229.

I can snmpwalk the device and get values associated with:

my $cikeTunRemoteValue = "1.3.6.1.4.1.9.9.171.1.2.3.1.7";
my $cipSecTunIkeTunnelIndex = "1.3.6.1.4.1.9.9.171.1.3.2.1.2";
my $cipSecTunInOctets = "1.3.6.1.4.1.9.9.171.1.3.2.1.26";
my $cipSecTunOutOctets = "1.3.6.1.4.1.9.9.171.1.3.2.1.39";

Any ideas?

[maguac]

I had to abandon getting the vpn stats using snmp because to use vrf-aware snmp I would have had to use different community strings for each vrf. I have instead opted to use netflow and have adapted the snmp scripts and templates but altered them to query netflow instead. Am getting some data back but its not correct. Am having a script push a steady 40mbs traffic through the tunnel but the graph produced by cacti from the netflow data fluctuates and is a little lower by 10mbps. Does any one know where there would be this discrepancy. I have attached the data that is getting fed into cacti and the data that cacti is exporting out to the graph.

[ntsecrets]

I modified this so that it works with snmpv3. The original script only did snmpv2. Its not 100% tested but it worked well in my environment.

[Sjoerd]

Hello Setarcos,

Pretty old post, and don't know or you're still around?
I had the same problems with your script iharvey described earlier.

query_lan2lan_cisco.pl <community> <hostname> ASA index:
<ip of peer>

query_lan2lan_cisco.pl <community> <hostname> ASA query RX
<ip of peer>:0

query_lan2lan_cisco.pl <community> <hostname> ASA get RX <ip of peer>
0

I try to monitor the VPN traphic on an cisco 1921. After some tweaking in your code (don't know what im exactly doing) i got some results. I removed line 263 & 268.
line 263 says:

Code: Select all

if ($v eq ("." . $datatable{$dataindex})){

Can you tell me the effect of removing this rules?

[Jake11]

Is anyone using this script in a live environment, or is there a better way to do it? I don't have much knowledge of Perl, but I have been testing in our dev Cacti environment. It seems to work, but puts a tremendous load on the Cacti server. I initially tried monitoring about 10 IPsec tunnels from our ASA 5520, but that pegged the CPU of our dev server at 100%. I tried with 2 tunnels and it seemed to use about 10% CPU per tunnel monitored.

I'm hesitant to try it in our live environment. The live server has better specs, but I would like it to monitor about 20-25 tunnels.

Any thoughts?

[Sjoerd]

Installed CactiEZ(0.7, Cacti 0.8.8a), added 30 Cisco devices and im trying to monitor the VPN tunnel traphic on those devices (1 each).
Those graphs show lots of baps, and in the log I got a lot of error message aboud nifty popen (SPINE: Poller[0] Host[17] ERROR: The NIFTY POPEN timed out)

I configured spine with these parameters:
Maximum Threads per Process: 10
Number of PHP Script Servers: 10
Script and Script Server Timeout Value: 10
The Maximum SNMP OID's Per SNMP Get Request: 30

Has anyone these graphs working in an simular environment?