Cisco Pix - Authenticated VPN Users

Templates, scripts for templates, scripts and requests for templates.

Moderators: Developers, Moderators

speedy
Posts: 5
Joined: Fri Jun 23, 2006 4:13 am

Cisco Pix - Authenticated VPN Users

Post by speedy »

Hello,

here is a template for the Cisco Pix firewall, which shows the number of authenticated VPN users.

Unfortunetly I find no way to get the number of authenticated users using snmp.
Because of this I wrote a Perl script, which connects over telnet to the firewall , executes the command "sh unauth" and calculates the number of connected users.

Installation Instructions:

1. extract the file pix-vpn-users.zip and copy pix-vpn-users.pl into <path_cacti>/scripts/pix-vpn-users.pl
2. Import the Template cacti_graph_template_cisco_vpn_active_vpn_users.xml
3. Allow Telnet connection to firewall
4. If you don't need a username for telnet login, delete the input field username from "Data Input Methods" --> "Cisco VPN - Active VPN users" in Cacti Gui.

Regards

Speedy
Attachments
cacti_graph_template_cisco_vpn_active_vpn_users.xml
import from GUI
(10.26 KiB) Downloaded 4087 times
pix-vpn-users.zip
extract file and copy to /scripts/pix-vpn-users.pl
(895 Bytes) Downloaded 3555 times
graph_image.php.png
graph_image.php.png (17.51 KiB) Viewed 50884 times
Last edited by speedy on Tue Jun 27, 2006 2:21 am, edited 3 times in total.
RUM
Posts: 20
Joined: Thu Jun 22, 2006 3:43 am

Post by RUM »

Hi Speedy,

Thanks for the Template. It's a nice, useable feature.

I was able to get the graph shown, but there is no data on it. Do you know how it's possible?

Thanks in advance
speedy
Posts: 5
Joined: Fri Jun 23, 2006 4:13 am

Post by speedy »

Hi,

maybe the perl script isn't executed correctly.
Please check if you are able to execute the script from the command line:

./pix-vpn-users.pl -r <router> -u <username> -p <password> -e <enable password>

You should get the number of connected vpn users.

Regards

speedy
RUM
Posts: 20
Joined: Thu Jun 22, 2006 3:43 am

Post by RUM »

Hi Speedy,

Thanks for the quick reply. I'm still not sure if it is executing correctly, because maybe I'm running it wrong at the command line. I typed:

C:\cacti2\scripts>pix-vpn-users.pl -r <ipaddress router> -u <> -p <password> -e <enable>
> was unexpected at this time.

Note that the username is null and in cacti I allowed it to have a null value. Also when I write <null> as username or when I write the hostname instead of the IP address of the router, it says that the syntax is incorrect. Can I do it diferently?

Regards
speedy
Posts: 5
Joined: Fri Jun 23, 2006 4:13 am

Post by speedy »

Hi RUM,

at the moment the script isn't able to handle a blank username. I will change it and post the new version.
RUM
Posts: 20
Joined: Thu Jun 22, 2006 3:43 am

Post by RUM »

Thanks I will keep an eye on this topic for updates.

Regards
RUM
Posts: 20
Joined: Thu Jun 22, 2006 3:43 am

Post by RUM »

By the way,

Since you are a PIX user as well, maybe you can help me with this problem:

http://forums.cacti.net/viewtopic.php?t ... highlight=

If not, no hard feelings ofcourse.

Regards
speedy
Posts: 5
Joined: Fri Jun 23, 2006 4:13 am

Post by speedy »

I have updated the scripts. Please delete the username from the Data Input method "Cisco VPN - Active VPN users" if you don't want to use a username for telnet login.

Regards

speedy
RUM
Posts: 20
Joined: Thu Jun 22, 2006 3:43 am

Post by RUM »

Hi,

Thanks for updating so fast Speedy, well ofcourse, that's why you're called Speedy.

Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.

Is it possible that it's because of the & character?

Regards
knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

Post by knobdy »

Hey Speedy, thanks for the template!

I've been desperate to find a way to monitor VPN connections to a couple of PIXen and a couple of 2600 routers. Like you, I haven't found any SNMP/MIB support for VPN monitoring.

Having seen your script, I'm wondering if I might be able to edit it for use with Nagios to verify specific tunnels. If you know how to do this already, please share! :)
speedy
Posts: 5
Joined: Fri Jun 23, 2006 4:13 am

Post by speedy »

Hi,

sorry there was a mistake in the new script. Please download the new version.

For the password problem try to put the password into quotes. Normally the chracter & is used for command execution.

There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.

Otherwise take a look at the MRAT Tool:
http://www.serreyn.com/software/mrat/

Regards

speedy
knobdy
Cacti User
Posts: 495
Joined: Wed Sep 28, 2005 1:39 pm

Post by knobdy »

speedy wrote: There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.
No problem for you maybe... :) I, on the otherhand, will spend a week pouring over the meaning of everything in the output section.
kharford
Cacti User
Posts: 50
Joined: Thu Jul 07, 2005 11:53 am
Location: Mass, USA

Post by kharford »

Has anyone wrote a script that uses ssh instead of telnet?

Thanks :D
JJX
Cacti User
Posts: 402
Joined: Thu Oct 06, 2005 5:03 am

Post by JJX »

RUM wrote:Hi,

Thanks for updating so fast Speedy, well ofcourse, that's why you're called Speedy.

Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.

Is it possible that it's because of the & character?

Regards
replace & with \&
cacti rulez!
User avatar
egarnel
Cacti Pro User
Posts: 708
Joined: Thu Nov 21, 2002 8:55 am
Location: Austin, TX

revisting this

Post by egarnel »

check out remote-access under the CLI in ver 7.2.1... I believe this may be what you are looking for

per the cli:
remote-access Configure SNMP trap threshold for VPN remote-access
sessions
granted, it is for thresholding, at least you can trigger an snmp trap
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest