Cisco Pix - Authenticated VPN Users
Hello,
here is a template for the Cisco Pix firewall, which shows the number of authenticated VPN users.
Unfortunately I found no way to get the number of authenticated users using SNMP.
Because of this I wrote a Perl script, which connects over telnet to the firewall, executes the command "sh uauth" and calculates the number of connected users.
Installation Instructions:
1. extract the file pix-vpn-users.zip and copy pix-vpn-users.pl into <path_cacti>/scripts/pix-vpn-users.pl
2. Import the Template cacti_graph_template_cisco_vpn_active_vpn_users.xml
3. Allow Telnet connection to firewall
4. If you don't need a username for telnet login, delete the input field username from "Data Input Methods" --> "Cisco VPN - Active VPN users" in Cacti Gui.
Regards
Speedy
Attachments:
- cacti_graph_template_cisco_vpn_active_vpn_users.xml (10.26 KiB): import from GUI
- pix-vpn-users.zip (895 Bytes): extract file and copy to /scripts/pix-vpn-users.pl
- graph_image.php.png (17.51 KiB)
Last edited by speedy on Tue Jun 27, 2006 2:21 am, edited 3 times in total.
Hi Speedy,
Thanks for the quick reply. I'm still not sure if it is executing correctly, because maybe I'm running it wrong at the command line. I typed:
C:\cacti2\scripts>pix-vpn-users.pl -r <ipaddress router> -u <> -p <password> -e <enable>
> was unexpected at this time.
Note that the username is null and in cacti I allowed it to have a null value. Also when I write <null> as username or when I write the hostname instead of the IP address of the router, it says that the syntax is incorrect. Can I do it differently?
Regards
By the way,
Since you are a PIX user as well, maybe you can help me with this problem:
http://forums.cacti.net/viewtopic.php?t ... highlight=
If not, no hard feelings of course.
Regards
Hi,
Thanks for updating so fast Speedy, well of course, that's why you're called Speedy.
Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.
Is it possible that it's because of the & character?
Regards
Hey Speedy, thanks for the template!
I've been desperate to find a way to monitor VPN connections to a couple of PIXen and a couple of 2600 routers. Like you, I haven't found any SNMP/MIB support for VPN monitoring.
Having seen your script, I'm wondering if I might be able to edit it for use with Nagios to verify specific tunnels. If you know how to do this already, please share!
Hi,
sorry there was a mistake in the new script. Please download the new version.
For the password problem try to put the password into quotes. Normally the character & is used for command execution.
There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.
Otherwise take a look at the MRAT Tool:
http://www.serreyn.com/software/mrat/
Regards
speedy
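The two things Speedy's reply leaves the reader to work out, the "section for output handling" that turns `sh uauth` output into a user count, and why an `&` in the password ends up executed as a command, are shown below in an added example. This is not pix-vpn-users.pl and not code from the thread: the `show uauth` text is a constructed sample whose layout is assumed from the PIX 6.x CLI, the telnet session itself (which carries the enable password in cleartext) is left out, the `current`/`most_seen` field names are this example's choice, and `shlex.quote` is POSIX-only, so the quoting shown is an assumption for a Windows poller like the one in the thread, where cmd.exe needs double quotes instead.

```python
import re
import shlex

# Constructed sample of PIX `show uauth` output (layout assumed from the
# PIX 6.x CLI; not captured from the devices discussed in the thread).
SAMPLE_SHOW_UAUTH = """\
                        Current    Most Seen
Authenticated Users       2          5
Authen In Progress        0          1
user 'alice' at 10.1.1.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'bob' at 10.1.1.3, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
"""

SUMMARY_RE = re.compile(r"^Authenticated Users\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)
USER_RE = re.compile(r"^user '([^']*)' at (\S+), authenticated\s*$", re.MULTILINE)


def parse_show_uauth(text):
    """Return {'current', 'most_seen', 'users'} from `show uauth` output.

    The summary row is the authoritative count; the per-user lines are
    cross-checked against it so a truncated read (pager cut the output,
    prompt matched too early) raises instead of silently graphing a low value.
    """
    m = SUMMARY_RE.search(text)
    if m is None:
        raise ValueError("no 'Authenticated Users' row; pager or prompt mismatch?")
    current, most_seen = int(m.group(1)), int(m.group(2))
    users = USER_RE.findall(text)  # list of (username, ip) tuples
    if len(users) != current:
        raise ValueError(f"summary reports {current} users, found {len(users)} user lines")
    return {"current": current, "most_seen": most_seen, "users": users}


def cacti_output(parsed):
    """Cacti data-input scripts print 'field:value' pairs on a single line."""
    return f"current:{parsed['current']} most_seen:{parsed['most_seen']}"


# Characters that a POSIX shell or cmd.exe interprets rather than passes through.
SHELL_META = set("&|;<>()$`\\\"' \t\n")


def has_shell_metachars(s):
    """True if the value must be quoted before it is put into a shell command."""
    return any(c in SHELL_META for c in s)


def build_poller_command(script, host, user, password, enable):
    """Build the poller command line with every argument POSIX-quoted.

    Cacti's Input String substitutes <password> verbatim into a shell
    command, which is how '&xcvjk' in the thread became a command for the
    shell to run. Quoting each argument keeps '&' (and an empty username,
    the '-u <>' problem) as plain argv entries. shlex.quote is POSIX-only;
    a Windows poller would need cmd.exe double-quoting instead (assumption).
    """
    argv = ["perl", script, "-r", host, "-u", user, "-p", password, "-e", enable]
    return " ".join(shlex.quote(a) for a in argv)


def argv_roundtrip(cmdline):
    """What a POSIX shell would hand to perl as argv for the built command."""
    return shlex.split(cmdline)


if __name__ == "__main__":
    parsed = parse_show_uauth(SAMPLE_SHOW_UAUTH)
    print(cacti_output(parsed))
    cmd = build_poller_command("pix-vpn-users.pl", "10.0.0.1", "", "&xcvjk", "en4ble")
    print(cmd)
    print(argv_roundtrip(cmd))
```

To adapt it to another command, as Speedy suggests, only the two regexes and `parse_show_uauth` change; `build_poller_command` stays the same, and the `has_shell_metachars` check is a cheap way to refuse credentials that would need escaping before they ever reach the Input String.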
speedy wrote: There is no problem to use the script to execute other commands. You only have to replace the command in the line "print $handle "sh uauth\n";" and change the section for output handling.
No problem for you maybe... I, on the other hand, will spend a week poring over the meaning of everything in the output section.
RUM wrote: Hi,
Thanks for updating so fast Speedy, well of course, that's why you're called Speedy.
Now, I have one problem left. I looked at the poller when it runs. It doesn't seem to recognize the password of the router, or at least part of the password. It tells me that: &xcvjk (example password), is not recognized as an internal or external command.
Is it possible that it's because of the & character?
Regards
replace & with \&
cacti rulez!
revisiting this
check out remote-access under the CLI in ver 7.2.1... I believe this may be what you are looking for
per the cli:
remote-access    Configure SNMP trap threshold for VPN remote-access sessions
granted, it is for thresholding, at least you can trigger an snmp trap
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey