Cisco ASA/PIX VPN Statistics
E:\Perl\bin>perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl xxxxxx
172.19.x.x ASA index
Can't locate Net/SNMP.pm in @INC (@INC contains: E:/Perl/site/lib E:/Perl/lib .)
at E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl line 36.
BEGIN failed--compilation aborted at E:\Apache2\htdocs\cacti\scripts\query_lan2l
an_cisco.pl line 36.
How do I load Net::SNMP?
You will need to install both Net-SNMP and the Net::SNMP Perl module. A quick Google search turned up the following:
Q: How do I enable the Perl support for UCD-SNMP / Net-SNMP under Windows?
Native Windows:
Install ActiveState ActivePerl and then the ActivePerl .ppm module included in the Net-SNMP binary available from the Net-SNMP web site.
If you compiled your own version of Net-SNMP, see the perl/README document for instructions on compiling the Perl modules.
Still no Luck
Hey, sorry it's been so long, but I had other things get in the way.
I have loaded Net::SNMP and I am now getting responses to the query_lan2lan_cisco.pl. The returned IP addresses are in the format:
xxx.xxx.xxx.xxx:xxx.xxx.xxx.xxx
Once I got the response to that query I started the cacti poller and then waited about 15 minutes, but I am still not getting a response to the Data Query:
+ Running data query [14].
+ Found type = '4 '[script query].
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl HlScCsLh 172.19.26.217 ASA index'
+ Executing script query 'perl E:\Apache2\htdocs\cacti\scripts\query_lan2lan_cisco.pl HlScCsLh 172.19.26.217 ASA query index'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'E:/Apache2/htdocs/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
Any ideas?
Kyle
It's working
I had to reboot!
Thanks for all your help!
Re: It's working
Glad you got it going!
Sorry for the delay in responding. I am traveling this week.
Sorry for my English. This script worked fine and it's just what I needed, but I have a problem. Suddenly one day it stopped drawing the graphs. I have not made any software changes. Running the script returns the following error:
"request error: A loop was detected with the table on the remote host at /var/www/cacti/scripts/query_lan2lan_cisco.pl line 246"
Does anyone know how to fix it? I think it is related to the router not increasing the OID, and it may be solved with the "Non Increasing" option of Net::SNMP, but I do not know how to activate it. Can anybody help me?
Thank you very much
Re: Cisco ASA/PIX VPN Statistics
Hi there,
I am new to Cacti. I have configured it on win32 and normal graphs are working fine.
I have installed and configured this add-in and initially I thought it was working. All my VPNs (105 of them) appeared in the data series and I added the graphs.
Unfortunately the rrd's haven't appeared.
Any ideas?
Thanks in advance.
Re: Cisco ASA/PIX VPN Statistics
Does anyone know why 1.3.6.1.4.1.9.9.171.1.2.3.1.7 would not show IP addresses for all connections that are up? It shows almost half of the connections that are up. I am using a PIX 515E w/ 7.2.x.
Thanks,
Scooby2
Re: Cisco ASA/PIX VPN Statistics
I am unable to get my data query to return any rows within Cacti. I've tried rebooting and adding the full path, but nothing seems to have worked so far.
+ Running data query [10].
+ Found type = '4 '[script query].
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ XML file parsed ok.
+ Executing script for list of indexes 'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA index'
+ Executing script query 'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA query index'
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
+ Found data query XML file at 'C:/cacti/resource/script_queries/cisco_asa_vpn_tunnel.xml'
When I run the following commands manually I get these results:
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA index' : "aaa.aaa.aaa.aaa"
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA query index' : "aaa.aaa.aaa.aaa:aaa.aaa.aaa.aaa"
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA query RX' : aaa.aaa.aaa.aaa:3570406544
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA get RX' : aaa.aaa.aaa.aaa:3571540048
'c:\perl\bin\perl C:\cacti\scripts\query_lan2lan_cisco.pl public 192.168.1.1 ASA get RX aaa.aaa.aaa.aaa' : 3571540123
aaa.aaa.aaa.aaa is the IP address of the "up" tunnel.
Any ideas?
Re: Cisco ASA/PIX VPN Statistics
I am trying to set the same profiles for a Cisco 7206 running IPsec-aware VRF. However, I am running into an error:
perl query_lan2lan_cisco.pl community 1x0.x.x.245 ASA index
request error: No response from remote host '1x0.x.x.245' at /local/cacti/scripts/query_lan2lan_cisco.pl line 229.
I can snmpwalk the device and get values associated with:
my $cikeTunRemoteValue = "1.3.6.1.4.1.9.9.171.1.2.3.1.7";
my $cipSecTunIkeTunnelIndex = "1.3.6.1.4.1.9.9.171.1.3.2.1.2";
my $cipSecTunInOctets = "1.3.6.1.4.1.9.9.171.1.3.2.1.26";
my $cipSecTunOutOctets = "1.3.6.1.4.1.9.9.171.1.3.2.1.39";
Any ideas?
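How the four columns quoted in the post above relate, as an added example that is not part of the original thread or of query_lan2lan_cisco.pl: each IPsec tunnel row points at an IKE tunnel row, whose remote value is the peer address. The walk data, row indexes and counters are constructed, and summing per peer is this example's choice, not confirmed behaviour of the script.

```perl
use strict;
use warnings;
# Column OIDs quoted in the post above (CISCO-IPSEC-FLOW-MONITOR-MIB).
my $cikeTunRemoteValue      = "1.3.6.1.4.1.9.9.171.1.2.3.1.7";
my $cipSecTunIkeTunnelIndex = "1.3.6.1.4.1.9.9.171.1.3.2.1.2";
my $cipSecTunInOctets       = "1.3.6.1.4.1.9.9.171.1.3.2.1.26";
my $cipSecTunOutOctets      = "1.3.6.1.4.1.9.9.171.1.3.2.1.39";
# Constructed walk result (full OID => value); addresses and counters invented.
my %walk = (
    "$cikeTunRemoteValue.11" => "192.0.2.10", "$cikeTunRemoteValue.12" => "198.51.100.20",
    "$cipSecTunIkeTunnelIndex.101" => 11,
    "$cipSecTunIkeTunnelIndex.102" => 11,    # second IPsec tunnel, same peer
    "$cipSecTunIkeTunnelIndex.103" => 12,
    "$cipSecTunIkeTunnelIndex.104" => 99,    # IKE row missing from the walk
    "$cipSecTunInOctets.101" => 1000, "$cipSecTunOutOctets.101" => 900,
    "$cipSecTunInOctets.102" => 250,  "$cipSecTunOutOctets.102" => 50,
    "$cipSecTunInOctets.103" => 4000, "$cipSecTunOutOctets.103" => 3000,
    "$cipSecTunInOctets.104" => 7,    "$cipSecTunOutOctets.104" => 3,
);

# Return { row index => value } for one column of the walk.
sub column {
    my ($base, $table) = @_;
    my %col;
    for my $oid (keys %$table) {
        $col{$1} = $table->{$oid} if $oid =~ /^\Q$base\E\.(\d+)$/;
    }
    return \%col;
}

# Sum one counter column per IKE peer: IPsec row -> IKE index -> peer IP.
sub octets_by_peer {
    my ($table, $counter_base) = @_;
    my $peer_of = column($cikeTunRemoteValue,      $table);
    my $ike_of  = column($cipSecTunIkeTunnelIndex, $table);
    my $octets  = column($counter_base,            $table);
    my %total;
    for my $tun (keys %$ike_of) {
        my $peer = $peer_of->{ $ike_of->{$tun} };
        next unless defined $peer && defined $octets->{$tun};
        $total{$peer} += $octets->{$tun};
    }
    return \%total;
}

for my $d ([RX => $cipSecTunInOctets], [TX => $cipSecTunOutOctets]) {
    my $sum = octets_by_peer(\%walk, $d->[1]);
    print "$d->[0] $_:$sum->{$_}\n" for sort keys %$sum;
}
```

IPsec rows whose IKE index has no matching row in the walk are skipped rather than reported under an undefined peer.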
Re: Cisco ASA/PIX VPN Statistics
I had to abandon getting the VPN stats using SNMP because to use VRF-aware SNMP I would have had to use different community strings for each VRF. I have instead opted to use NetFlow and have adapted the SNMP scripts and templates, altering them to query NetFlow instead. I am getting some data back but it's not correct. I am having a script push a steady 40mbs of traffic through the tunnel, but the graph produced by Cacti from the NetFlow data fluctuates and is a little lower, by 10mbps. Does anyone know why there would be this discrepancy? I have attached the data that is getting fed into Cacti and the data that Cacti is exporting out to the graph.
Attachments:
- snmp graph: ipsec peer snmp stats.png (41.08 KiB)
- netflow graph: ipsec netflow stats.png (98.75 KiB)
- netflow stats.rar (129.92 KiB)
Re: Cisco ASA/PIX VPN Statistics
I modified this so that it works with SNMPv3. The original script only did SNMPv2. It's not 100% tested but it worked well in my environment.
Attachments:
- Cisco ASA Lan to Lan snmpv3.zip (7.26 KiB)
Re: Cisco ASA/PIX VPN Statistics
Hello Setarcos,
Pretty old post, and I don't know if you're still around?
I had the same problems with your script that iharvey described earlier.
I am trying to monitor the VPN traffic on a Cisco 1921. After some tweaking in your code (I don't know exactly what I'm doing) I got some results. I removed lines 263 & 268.
query_lan2lan_cisco.pl <community> <hostname> ASA index:
<ip of peer>
query_lan2lan_cisco.pl <community> <hostname> ASA query RX
<ip of peer>:0
query_lan2lan_cisco.pl <community> <hostname> ASA get RX <ip of peer>
0
Line 263 says:
if ($v eq ("." . $datatable{$dataindex})){
Can you tell me the effect of removing these rules?
Re: Cisco ASA/PIX VPN Statistics
Is anyone using this script in a live environment, or is there a better way to do it? I don't have much knowledge of Perl, but I have been testing in our dev Cacti environment. It seems to work, but puts a tremendous load on the Cacti server. I initially tried monitoring about 10 IPsec tunnels from our ASA 5520, but that pegged the CPU of our dev server at 100%. I tried with 2 tunnels and it seemed to use about 10% CPU per tunnel monitored.
I'm hesitant to try it in our live environment. The live server has better specs, but I would like it to monitor about 20-25 tunnels.
Any thoughts?
Re: Cisco ASA/PIX VPN Statistics
Installed CactiEZ (0.7, Cacti 0.8.8a), added 30 Cisco devices and I'm trying to monitor the VPN tunnel traffic on those devices (1 each).
Those graphs show lots of gaps, and in the log I got a lot of error messages about nifty popen (SPINE: Poller[0] Host[17] ERROR: The NIFTY POPEN timed out)
I configured spine with these parameters:
Maximum Threads per Process: 10
Number of PHP Script Servers: 10
Script and Script Server Timeout Value: 10
The Maximum SNMP OID's Per SNMP Get Request: 30
Does anyone have these graphs working in a similar environment?