Cisco PIX v7.0/ASA IPSec Traffic Graphing Issue

[cybex_77]

Hi All,

I have been using Cacti to graph some of our Cisco PIX and new ASA firewalls and I am having problems creating graphs for the IPSec interface traffic. I have downloaded the new v7.0/ASA MIBS from the Cisco web site and we can know use SNMP to pull statistics on a variety of new information including IPSec traffic using CISCO-IPSEC-FLOW-MONITOR-MIB. I have tried to create a graph that is similar to the standard interface stats graph that is used in cacti but changing the sections on ifinoctets/ifoutoctects for cikeglobalinoctects/cikeglobaloutoctects but I can not seem to get cacti to recognise the xml file that I have modified (ipsec.xml).

I have also tried to create the graph by using a data and graph template (cacti_graph_template_cisco_pix_v7_0_ipsec_traffic), which seems to graph the data but can not be correct as it is marking the data integers to high (in 20-30Mb when it is not possible to exceed 10Mb per interface).

Can anyone please help before I loose my mind.

Thanks in advance.

[gandalf]

Please try last link of my signature as a starting point
Reinhard

[cybex_77]

Thanks for the advice and I am still having difficulties with this. I can not seem to run the snmptable command on the given MIB. I have downloaded the Cisco MIBs from the Cisco site listed below and copied them to the correct directory I have also ran a chmod 744 on them to ensure that they have the same permissions as the rest of the MIBs.

RedHat v9.0

MIB Dir: /usr/share/snmp/mibs

Cisco MIBs

CISCO-CRYPTO-ACCELERATOR-MIB.my
CISCO-ENTITY-FRU-CONTROL-MIB.my
CISCO-FIREWALL-MIB.txt
CISCO-IPSEC-FLOW-MONITOR-MIB.my
CISCO-MEMORY-POOL-MIB.my
CISCO-PROCESS-MIB-V1SMI.my
CISCO-REMOTE-ACCESS-MONITOR-MIB.my
CISCO-SMI.my
CISCO-SMI-V1SMI.my
CISCO-SYSLOG-MIB.my
CISCO-TC.my
CISCO-TC-V1SMI.my

Every time I run an snmwalk on the IPSEC-FLOW-MONITOR-MIB (as shown below) it defaults to using the standard set of MIB's and does not use the IPSEC MIB. Then when I run an snmptable on the object id I wish to graph it displays the below error.

[code]snmpwalk -v 1 -c public 192.168.10.1 -m IPSEC-FLOW-MONITOR-MIB[/code]

[code]snmptable -c merl1n -v 1 192.200.10.1 CISCO-IPSEC-FLOW-MONITOR-MIB::cikeGlobalInOctets[/code]

[code]Was that a table? CISCO-IPSEC-FLOW-MONITOR-MIB::cikeGlobalInOctets.1.1[/code]

I realise that this is probably quite simple but I would really appreciate any help.

Thanks

[gandalf]

To use those newly imported mibs, please use the -m or the -M parameter for snmpwalk. For more help, I need the output for snmpwalk-ing one of the OIDs you want to graph. Then, please chop the last index from the OID and snmpwalk again. Doing this 1-4 times should give you an impression about the OIDs that belongs (or may belong) to an snmptable.
Reinhard

[cybex_77]

Thanks for that but how will I know what should be in the snmptable and not? I think I am not that care on what is an snmptable, I thought it was outlined in the MIB?

cikeGlobalInOctets OBJECT-TYPE
SYNTAX Counter32
UNITS "Octets"
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of octets received by all currently
and previously active IPsec Phase-1 IKE Tunnels."
::= { cikeGlobalStats 3 }

OR

CikePeerCorrEntry ::= SEQUENCE {
cikePeerCorrLocalType IkePeerType,
cikePeerCorrLocalValue DisplayString,
cikePeerCorrRemoteType IkePeerType,
cikePeerCorrRemoteValue DisplayString,
cikePeerCorrIntIndex Integer32,
cikePeerCorrSeqNum Integer32,
cikePeerCorrIpSecTunIndex Integer32
}

OR

cipSecTrapCntlGroup OBJECT-GROUP
OBJECTS {
cipSecTrapCntlIkeTunnelStart,
cipSecTrapCntlIkeTunnelStop,
cipSecTrapCntlIkeSysFailure,
cipSecTrapCntlIkeCertCrlFailure,
cipSecTrapCntlIkeProtocolFail,
cipSecTrapCntlIkeNoSa,
cipSecTrapCntlIpSecTunnelStart,
cipSecTrapCntlIpSecTunnelStop,
cipSecTrapCntlIpSecSysFailure,
cipSecTrapCntlIpSecSetUpFailure,
cipSecTrapCntlIpSecEarlyTunTerm,
cipSecTrapCntlIpSecProtocolFail,
cipSecTrapCntlIpSecNoSa
}
STATUS current
DESCRIPTION
"This group of objects controls the sending of IPsec TRAPs."
::= { cipSecMIBGroups 6 }



I have also attached a copy of the snmpwalk output as you can see they look like the same OID's both times it was run.

[gandalf]

Sorry, but your snmpwalk's did not help cause you requested the wrong OIDs. Please see http://www.mibdepot.com/cgi-bin/getmib3 ... View%20MIB for available tables as

• cikePeerTable
• cikeTunnelTable
• ...

But the requested cikeGlobalInOctets are part of the structure cikeGlobalStats, so they are not related to any index. In this case, an SNMP XML Query is not the correct data gathering method.
You may use a Data Input Method fetching all relevant OIDs step by step and print them with ONE SINGLE statement, e.g.
cikeGlobalInOctets:nnn cikeGlobalOutOctets:nnn ... (if further OIDs needed)

Reinhard

[knobdy]

So...are these templates ready to go?!