VPN Tunnel monitoring
Moderators: Developers, Moderators
VPN Tunnel monitoring
Anyone done anything to monitor bandwidth used by individual VPN tunnels on either a router or firewall? We have SEVERAL customers that connect to us via VPN tunnels and we'd like to be able to see the traffic each generates. None of the templates I've seen thus far will do this - since I want more than just the number of sessions, but instead a graph like an ordinary interface for "bits/sec Total Bandwidth".
I'm pretty sure CiscoWorks can do this (at least for the concentrators) but I'm not sure what it uses and our installation of CiscoWorks is java-junk...
I'm pretty sure CiscoWorks can do this (at least for the concentrators) but I'm not sure what it uses and our installation of CiscoWorks is java-junk...
I don't know that you will be able to get that via snmp interface statistics. You can try doing a snmpwalk and check if your tunnel defs are shown individually.
We graph our ipsec with all tunnels on the single interface, but our VPN GW is a linux box.
If I was to start graphing the individual traffic with our device I would look into writing a script to read the values from iptables, which I believe that I have seen some templates for in past topics.
Hope that helps a little bit.
We graph our ipsec with all tunnels on the single interface, but our VPN GW is a linux box.
If I was to start graphing the individual traffic with our device I would look into writing a script to read the values from iptables, which I believe that I have seen some templates for in past topics.
Hope that helps a little bit.
- Attachments
-
- IPSec Interface Traffic
- ipsec_traffic.PNG (12.57 KiB) Viewed 83717 times
What do you think of these?
It would seem that the OID 1.3.6.1.4.1.9.9.171.1.3.2.1.32 is what I'm after or close to it, (http://tools.cisco.com/Support/SNMP/do/ ... 1.3.2.1.32) but while doing a basic "snmpwalk -v 2c -c public -t 120 10.10.10.10 .1.3.6.1.4.1.9.9" I get
Any ideas?
Code: Select all
1.3.6.1.2.1.31.1.1.1.15
1.3.6.1.4.1.9.9.171.1.2.1.4
Code: Select all
Error: OID not increasing: .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.54.54.46.49.54.50.46.50.53.50.46.49.53.48.6
>= .1.3.6.1.4.1.9.9.171.1.2.2.1.6.1.13.54.53.46.49.57.55.46.50.56.46.49.52.49.1.14.49.52.54.46.49.52.53.46.49.50.56.46.53.48.2
These are Cisco 2600 routers. Templates available for the concentrators are also kind of lame - only providing number of associations and the like. That's generally okay though, since most of their connections aren't LAN-to-LAN. The connections on the routers, however, are a different story.
The tunnels on the routers are defined as isakmp policies/SAs - as best I can figure. I can find those in the MIBs...I think - just not their more detailed info. On these routers, the closest I've found to a "sh int" command for the tunnels would have to be:
The tunnels on the routers are defined as isakmp policies/SAs - as best I can figure. I can find those in the MIBs...I think - just not their more detailed info. On these routers, the closest I've found to a "sh int" command for the tunnels would have to be:
Code: Select all
#sh crypto isakmp sa
dst src state conn-id slot
pub.ip.xx.141 cus.ip.xx.250 QM_IDLE 6 0
pub.ip.xx.141 cus.ip.xx.130 QM_IDLE 19 0
cus.ip.xx.2 pub.ip.xx.141 QM_IDLE 18 0
pub.ip.xx.141 cus.ip.xx.31 QM_IDLE 8 0
pub.ip.xx.141 cus.ip.xx.34 QM_IDLE 3 0
pub.ip.xx.141 cus.ip.xx.150 QM_IDLE 13 0
pub.ip.xx.141 cus.ip.xx.50 QM_IDLE 12 0
pub.ip.xx.141 cus.ip.xx.241 QM_IDLE 20 0
pub.ip.xx.141 cus.ip.xx.71 QM_IDLE 9 0
pub.ip.xx.141 cus.ip.xx.31 QM_IDLE 11 0
Are you doing dynamic user-based tunnels? Or site-to-site tunnels? As these are (can) normally configured like
That way, it's just an interface like any other. If you're doing dynamic per-user based tunnels, the story might get much more complex
cheers,
arthur
Code: Select all
interface Tunnel1
ip address 10.1.1.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 10.2.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SECUR1
cheers,
arthur
These are site-to-site tunnels, but to be honest I have yet to set one up myself or even look into how they're currently done. The guys I work with mostly copy/paste what was there before them. <shrug>adp wrote:Are you doing dynamic user-based tunnels?
Here's an example, though I'm not sure this is everything that goes into bringing a single tunnel up:
Code: Select all
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key akeyhash address pub.cust.ip.add
!
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto ipsec transform-set 3des-md5 esp-3des esp-md5-hmac
crypto map outside 1 ipsec-isakmp
set peer pub.cust.ip.add
set security-association lifetime kilobytes 256000
set transform-set 3des
match address customer_name-in
crypto map outside 3 ipsec-isakmp
set peer pub.cust.ip.add
set security-association lifetime kilobytes 256000
set security-association lifetime seconds 1200
set transform-set 3des-md5
ip access-list standard customer_name-nat
ip access-list extended customer-name
I use a Cisco VPN 3000 concentrator for lan-to-lan sessions. I wrote a perl script that you may be interested in. The script takes inputs of community, host, session ip and rx or tx. Based on the session ip you provide the script, it will search for the corresponding lan-to-lan session and grab the OID index and return either rx or tx ocets received/transfered. Let me know if you're interested in it.
-Dan
-Dan
VERY!!! If you don't want to post the to the community, feel free to send private message!
I've even played in perl before, so maybe I or one of my cohorts can look at what you've done in regards to these routers/firewalls.
Did I mention we also have firewalls managing LAN-to-LAN VPNs? Can't find a "tunnel interface OID" for them either...
I've even played in perl before, so maybe I or one of my cohorts can look at what you've done in regards to these routers/firewalls.
Did I mention we also have firewalls managing LAN-to-LAN VPNs? Can't find a "tunnel interface OID" for them either...
See attached. I appologize for how dirty and ugly the script is, but it works.
Note: I had to make the script like this because the OID index for lan2lan sessions change whenever a session is disconnected/reconnected.
UPDATE: Added Graph Template
-Dan
Note: I had to make the script like this because the OID index for lan2lan sessions change whenever a session is disconnected/reconnected.
UPDATE: Added Graph Template
-Dan
- Attachments
-
- cacti_graph_template_lan2lan_ancaliantectgw_traffic.xml
- (13.04 KiB) Downloaded 4563 times
-
- lan2lantraffic.txt
- (2.78 KiB) Downloaded 5002 times
Cool.
Can you describe the parameters a little more? Perhaps provide an example CLI statement?
What is the "sessionip" in 3000 concentrator terminology?
Actually, while I'm still not sure what some of those parameters (sessionip, rx/tx) refer to exactly, it looks like the RX and TX data templates, under "Custom Data", should have the SessionIP and Flow checkboxes checked so that you define them when applying 'em to a device?
Can you describe the parameters a little more? Perhaps provide an example CLI statement?
What is the "sessionip" in 3000 concentrator terminology?
Actually, while I'm still not sure what some of those parameters (sessionip, rx/tx) refer to exactly, it looks like the RX and TX data templates, under "Custom Data", should have the SessionIP and Flow checkboxes checked so that you define them when applying 'em to a device?
Yea the session IP is the Peer IP of the LAN2LAN session. I took out my data from the exported graph template so you are correct with the per-device settings.
If you have the web administration enabled for the VPN3000 you can see the peer ip for the lan2lan session under the monitoring->sessions.
-Dan
If you have the web administration enabled for the VPN3000 you can see the peer ip for the lan2lan session under the monitoring->sessions.
-Dan
Who is online
Users browsing this forum: No registered users and 1 guest