Cisco ASA/PIX VPN Statistics

[prospero63]

I have these working in multiple environments, but it is a bit of a PITA to make it work. Best advice I can give is:

1) Make sure you have perl installed. See your appropriate distro for how to do that.
2) Make sure you have net perl-Net-SNMP installed
3) Use the files in the first post and copy them as per normal cacti stuff
4) Check your permissions on the script. I run on linux in most places and need to run something along the lines of chmod 755 /var/www/cacti/scripts/query_lan2lan_cisco.pl to make it work.
5) Try a reboot. I know, it's stupid, it's Linux, you don't need to reboot it ever. Just try it anyway.

HTH

[mhansson]

Hi there, I needed to get these working with SNMPv3, so I edited them to use SNMPv3 instead, please see attached. Let me know if that works for you guys.
I have not put in any effort to make it work with BOTH v2 and v3, this one is only tested to work with v3. It uses the same template, I only changed a bit in the queries...

-- Magnus

[ikorzha758]

Guys is there a way to modify the script to include additional statistics on the graph or at the bottom of the graph such as individual tunnel up/down status (lets say 1 up 2 down). And additionally I would love to have tunnel uptime.
The reason I want these stats so I can plot them directly on the Cacti Weathermap Table for NOC team to see.

[blaztoff]

When you go to create graphs for this host it has you fill in information for 3 fields:
Index Type
Index Value
Output Type ID

Where do these come from or what are they supposed to be? I was trying to figure out where I would specify my VPN Peer IP and Name that I wanted to monitor but was not sure what these values are supposed to represent.

[Dan5ielle]

Once installed, just add the 'Cisco ASA/PIX -VPN Statistics' data query to your host/host template and graph away.

[blaztoff]

Hi Dan5ielle, I cannot see your Images links.

I see this associated graph in my host graph template

graph_template.JPG (52.57 KiB) Viewed 5592 times

But when I try to create the graphs I get asked a series of questions.

Index.JPG (32.96 KiB) Viewed 5592 times

I am not sure what these values represent or how do I distinguish one VPN Endpoint here.

[prospero63]

Another thing to make sure is that you have an active VPN tunnel when you run the data query. For me that's as simple as getting a ping going and then manually executing the data query. That will populate the end point information.

[jerich007]

Anyone happen to have an older version of the template? I'm on Cacti version 0.8.6f and the posted template won't install.

[mhurley131]

I am getting stuck at the page asking for IndexType/IndexValue/etc. Can anyone help?

I know I have to specify what peer IP to graph for, but I'm not sure where.

[mhurley131]

For anyone else with this issue in the future...

Under the host I had to add the "Cisco ASA/PIX -VPN Statistics" query. I had it originally under the host host template, but that wasn't working.

Once you do that, you click on create graph, and you'll see a list of all your current Tunnels. Then pick the one(s) you want to graph and click on create.

[floaty]

But when I try to create the graphs I get asked a series of questions.

spended several hours with the same problem. if you have to fill in this manually you're wrong.

I guess you've tried to add a new graph via -> devices -> "your-asa" -> add graph ?! ... I did ... that will not do the job !

it's also not possible to add the per-tunnel-graphs via new-graphs and choosing a graph template - since the template don't appear in the drop-down-list.

it seems to be mandatory to associate the data-queury "Cisco ASA/PIX -VPN Statistics" with your host (or your connected host-template),

after done so, you will be able to execute a verbose-queury from your device-site and choose the tunnel-destinations you want

see shots

verbose-queury.jpg (31.29 KiB) Viewed 4825 times

new-graph.jpg (111.1 KiB) Viewed 4825 times

data-source.jpg (64.33 KiB) Viewed 4825 times

done.jpg (25.67 KiB) Viewed 4825 times

[TvL2386]

Is it also possible to monitor the total bandwidth consumed?

[korcoil]

Hi ,

I got a strange problem. Graphs are working just fine , just that I cannot see the drawing on the graphs on the main tree page. However if I click on the main graph and a new page with the expanded view is opened ( daily , weekly , monthly , etc ) everything is just fine.

any ideea what it can be wrong ?

to see what I mean here are some screenshots

main tree view

22222.png (16.39 KiB) Viewed 4578 times

expanded view

1111.png (31.26 KiB) Viewed 4578 times

[AkosBeginner1]

You can monitor whatever you want on cisco asa without snmp:
multiple ipsec traffics:

5ipsec_demo.png (54.82 KiB) Viewed 4466 times

or inspected traffics:

inspected_traffic_demo.png (54.63 KiB) Viewed 4466 times

The howto is here:
http://itsecworks.com/2014/05/06/custom ... and-cacti/

[Cornel]

I was able to get this Template to work, somewhat, but I cant get the individual VPN Tunnels to show up.
When I do an snmpwalk, I get the proper tunnel info, but not in Cacti. Can someone help me with this please?

This is what I get when I do an snmpwalk:
root@Network-Monitoring:~# snmpwalk -v 2c -c mykey 10.4.255.26 1.3.6.1.4.1.9.9.171.1.2.3.1.7 ?
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.6111232 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.25395200 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.25698304 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.26263552 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.36610048 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.40488960 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.41570304 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.44654592 = STRING: "xxx.xxx.xxx.xxx"
iso.3.6.1.4.1.9.9.171.1.2.3.1.7.44908544 = STRING: "xxx.xxx.xxx.xxx"


Thanks...