VPN Tunnel monitoring
It seems like you should be able to check "Use Per-Data Source Value (Ignore this Value)" for at least sessionIP.
But, wait, what if you have more than one? We need to be able to add a graph per lan-to-lan tunnel, so in the device we would currently have to add a "Lan2Lan Traffic" graph template for each lan2lan tunnel we have. What needs to happen is that you add a data query (perhaps - just guessing now) which queries the device for all possible session IPs. When you go to create graphs it would prompt you to check which of those sessions you want to graph.
Naturally, I don't know that there ARE OIDs to do that with - but there must be because your script gets them, right...?
I have 4 3000 concentrators, 2 routers and 1 firewall (all dedicated to providing VPNs)...this will be HUGELY helpful.
Well, another thing, I've run the script against our employee concentrator with all of the parameters as they should be (pretty sure anyway) and it just completes but doesn't show any data. What is the output supposed to be - where's it sending the data it's getting back, if it's getting anything back?
I used perl -w and just received a lot of complaints about "Scalar value @splits[1] better written as $splits[1] at lan2lantraffic.pl line 55." and line 71, "Argument "peer.ip.add" isn't numeric in numeric eq (==) at lan2lantraffic.pl line 71."
In the line 71 error there are several other addresses as well - to include the private IP of the concentrator...wait, looks like if there isn't a match, it just ends? Well, there is a match so beyond not reporting an error there's a problem with the "isn't numeric eq (==)"...
I also noticed that if I run the script manually with the hostname (which is how it's configured in Cacti) it reports:
session error: Unable to resolve destination UDP/IPv4 address 'arugs_kc2v1' at lan2lantraffic.pl line 38.
I'm not a developer and I've already run out of ideas to google to correct the issues.
What version of perl are you running? If you run this script manually, with the -w switch, does it not report anything?
I'm going through the script adding print statements now, trying to figure out if/when variables are getting hosed - if they're coming in correctly at all in the first place!
I'm running 5.8.7 - so I don't see that being the cause (I'll upgrade anyway, just 'cause).
I've noticed that it DOES get the active session IPs. It DOES find the one I'm looking for. Problem is, it just doesn't match it, and I figure it has to be me doing something wrong - too simple of a process for me to get right perhaps.
From an idiot's perspective it looks like this:

    if($datatable{$key} == $sessionip)

Means to:

    if "1 => 10.10.10.3" is the same as the address I provided on the command line, then...blah, blah

I get this mostly from the print statement you had in the script and I uncommented - which spits out a list of all the found IP addresses, but each prefixed with a "1 =>", "2 =>", etc. Naturally the IP I provide on the command line for sessionip isn't going to be prefixed that way...if that's really what is going on... IF that is the case though, how could it be working on your machine? Again, it has to be something I'm doing wrong.
Putting off working on that script for a little while; can someone tell me if:

    .1.3.6.1.4.1.9.9.171.1.3.2.1.26.1

corresponds to the outpackets of the tunnel found at:

    .1.3.6.1.4.1.9.9.172.1.2.1.1.4.1

Or if there's a better index OID out there to figure out which outpackets OID goes to which VPN? I'm pretty sure there is....there has to be a table or something, but for the life of me I can't find it.
I found this tool from Cisco to be very helpful with Cisco SNMP data:
http://tools.cisco.com/Support/SNMP/do/ ... o?local=en
Could a command such as "sh cryp sa" on the PIX provide enough output to build graphs from?
Perhaps a script that scraped all configured tunnels from the PIX. Like the "Interface-Traffic" data template, this would pull all of the available "interfaces" from the device. Then when you went to graph you could have one that showed whether or not it is up and another to show how much traffic it's doing, right? I know I'm not putting this in the correct Cacti lingo - and possibly not in the right order - so feel free to straighten me out.
Maybe there's a better PIX command that could show something like bits or something...
Working on this now
I'll have a script up soon for this; we are also looking to graph our lan-to-lan tunnels only, not the users, as they come and go too often to really need to graph them much. The lan-to-lans keep the same IPs every time and will be easier to trend over their lifespan.
Here is what I know so far, just need to code the perl...
.1.3.6.1.4.1.3076.2.1.2.17.1.7.0 = Gauge32: 36 The number of currently active management sessions.
.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.x = INTEGER: 46 ||| x= Index of this session
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.x = STRING: "69.69.69.123" ||| x= index, the ip of the remote host is in quotes after string:
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.x = INTEGER: 15 ||| 15:ipsecLanToLan see
http://tools.cisco.com/Support/SNMP/do/ ... 2.17.2.1.5
.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.x = Gauge32: 18300 ||| x= the ifindex. The total amount of time, in seconds that this session has been established is listed in the Gauge32
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.x = Counter32: 624 ||| x= the ifindex. The total number of bytes sent over this session.
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.x = Counter32: 176 ||| x= the ifindex. The total number of bytes received on this session.
EXAMPLE
.1.3.6.1.4.1.3076.2.1.2.17.1.7.0 = Gauge32: 36 (the number of active lan-to-lan sessions)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.46 = INTEGER: 46 (the 46 will match to the last digit(s) in the OID from here on...)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.46 = STRING: "69.69.69.123"
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.46 = INTEGER: 15 (session type, we only want sessions that are integer: 15)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.46 = Gauge32: 72209 (seconds counter)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.46 = Counter32: 624 (bytes tx)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.46 = Counter32: 176 (bytes rx)
more to come...
-rich
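As an added example (mine, not the lan2lantraffic.pl script or anything posted in this thread, and in Python rather than Perl so it can be checked stand-alone), here is the matching logic the two posts above are circling: walk the .1.3.6.1.4.1.3076.2.1.2.17.2.1 table Rich listed, keep only type-15 (ipsecLanToLan) rows, and compare the peer address as an address instead of with a numeric ==. The walk text is constructed from the OID layout in the post rather than captured from a concentrator, and the type value 13 used for the remote-access row is an assumption.

```python
"""Parse an snmpwalk of the VPN 3000 session table and pick out LAN-to-LAN
tunnels by peer address.

Added example, not the lan2lantraffic.pl script from the thread.  The walk
below is constructed from the OID layout in the post, not captured from a
device; session type 13 for the remote-access user is an assumed value."""
import re
import ipaddress

# Table prefix and column numbers as listed in the post.
SESSION_TABLE = "1.3.6.1.4.1.3076.2.1.2.17.2.1"
COL_PEER, COL_TYPE, COL_UPTIME, COL_TX, COL_RX = 4, 5, 8, 9, 10
TYPE_LAN_TO_LAN = 15

# Constructed sample walk: one L2L tunnel (46), one remote-access user (47),
# another L2L tunnel (48).  Not real device output.
SAMPLE_WALK = """\
.1.3.6.1.4.1.3076.2.1.2.17.1.7.0 = Gauge32: 3
.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.46 = INTEGER: 46
.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.47 = INTEGER: 47
.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.48 = INTEGER: 48
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.46 = STRING: "69.69.69.123"
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.47 = STRING: "10.10.10.3"
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.48 = STRING: "198.51.100.7"
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.46 = INTEGER: 15
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.47 = INTEGER: 13
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.48 = INTEGER: 15
.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.46 = Gauge32: 72209
.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.47 = Gauge32: 120
.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.48 = Gauge32: 3600
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.46 = Counter32: 624
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.47 = Counter32: 99
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.48 = Counter32: 1000
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.46 = Counter32: 176
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.47 = Counter32: 55
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.48 = Counter32: 2000
"""

# One snmpwalk line: ".<oid> = <TYPE>: <value>"
LINE_RE = re.compile(r'^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[\w-]+):\s*(?P<value>.*)$')


def parse_session_table(text):
    """Return {session_index: {column: value}} for rows under SESSION_TABLE.
    Rows from elsewhere (e.g. the .17.1.7.0 session count) are skipped."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("oid").startswith(SESSION_TABLE + "."):
            continue
        tail = m.group("oid")[len(SESSION_TABLE) + 1:].split(".")
        if len(tail) != 2:
            continue
        column, index = int(tail[0]), int(tail[1])
        rows.setdefault(index, {})[column] = m.group("value").strip().strip('"')
    return rows


def lan_to_lan_sessions(text):
    """Map peer address -> counters for sessions whose type is ipsecLanToLan (15)."""
    sessions = {}
    for index, cols in parse_session_table(text).items():
        if cols.get(COL_TYPE) != str(TYPE_LAN_TO_LAN) or COL_PEER not in cols:
            continue
        peer = ipaddress.ip_address(cols[COL_PEER])
        sessions[peer] = {
            "index": index,
            "active_seconds": int(cols.get(COL_UPTIME, 0)),
            "tx_bytes": int(cols.get(COL_TX, 0)),
            "rx_bytes": int(cols.get(COL_RX, 0)),
        }
    return sessions


def find_session(text, peer_ip):
    """Look up one tunnel by peer address.  Both sides are parsed as addresses
    before comparing.  Perl's == numifies "69.69.69.123" to 69.69 (hence the
    "isn't numeric" warnings in the thread); a string compare (eq) is the
    minimum there."""
    return lan_to_lan_sessions(text).get(ipaddress.ip_address(peer_ip))


def cacti_output(text, peer_ip):
    """Format the counters as a Cacti data input script prints them:
    space-separated name:value pairs on one line; empty when no match."""
    s = find_session(text, peer_ip)
    if s is None:
        return ""
    return f"tx:{s['tx_bytes']} rx:{s['rx_bytes']} uptime:{s['active_seconds']}"


if __name__ == "__main__":
    print(cacti_output(SAMPLE_WALK, "69.69.69.123"))
```

Filtering on column 5 first means remote-access users never reach the address compare, so a dial-in client that happens to share a peer address with a tunnel cannot shadow it. The empty output on a miss is deliberate: Cacti records it as NaN rather than as a zero sample.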
Hope this helps
First post to this forum, so I'd like to take the opportunity to thank everyone for their suggestions and solutions that I'm sure many read-only users find to be incredibly helpful.
Regarding graphing Cisco PIX VPN tunnel traffic, I have, through trial and error, found the correct OIDs that seem to accomplish this goal. These are:
Cisco ASA - VPN Traffic - traffic_in
1.3.6.1.4.1.9.9.171.1.3.1.3.0
Cisco ASA - VPN Traffic - traffic_out
1.3.6.1.4.1.9.9.171.1.3.1.16.0
This seems to work with both Cisco PIX 6.X and 7.X code, as well as the ASA chassis, and I have deployed it on several Cacti installations now with much success.
I hope this helps, but please contact me with any questions or concerns.
- Attachments
- IPSec VPN Tunnel Traffic: ipsec_traffic.png
- cacti_graph_template_cisco_asa_ipsec_vpn_traffic_bitssec.xml (the actual graph template)
Anyone have a version of this that can uniquely disambiguate multiple IPSec instances on the same peers for LAN-2-LAN tunnels on Cisco firewalls?
Looks like the data is there in CISCO-IPSEC-FLOW-MONITOR-MIB for the local and remote networks, but the return values are in hex:
CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.5".500.8369 = INTEGER: 8369
CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.6".500.8308 = INTEGER: 8308
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8369 = Hex-STRING: 0A C8 01 02
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8308 = Hex-STRING: 0A C8 01 02
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8369 = Hex-STRING: 0A C8 5A 05
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8308 = Hex-STRING: 0A C8 5A 06
The fields all appear to be addressable via an indexed SNMP Query, but can the hex string be converted into decimal somehow?
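The hex-string question above, answered as an added example (my code, not part of the post): net-snmp prints cipSecTunLocalAddr and cipSecTunRemoteAddr as a raw 4-byte OCTET STRING, so each pair of hex digits is one octet of the dotted quad (0A C8 5A 05 is 10.200.90.5). The code below decodes those values and groups tunnel indexes per (local, remote) endpoint pair, so two IPsec SAs to the same peer stay distinguishable by index. The walk lines are the ones quoted in the post plus a constructed third tunnel (8370) on the same peer as 8369; the two trailing numeric index components of cikePeerCorrIpSecTunIndex are carried through unchanged rather than interpreted.

```python
"""Decode CISCO-IPSEC-FLOW-MONITOR-MIB tunnel addresses and group tunnel
indexes per peer pair.

Added example built on the walk output quoted in the post; tunnel 8370 is
constructed to show two IPsec instances on one peer."""
import re
import ipaddress
from collections import defaultdict

SAMPLE_WALK = """\
CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.5".500.8369 = INTEGER: 8369
CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.6".500.8308 = INTEGER: 8308
CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.5".500.8370 = INTEGER: 8370
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8369 = Hex-STRING: 0A C8 01 02
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8308 = Hex-STRING: 0A C8 01 02
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8370 = Hex-STRING: 0A C8 01 02
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8369 = Hex-STRING: 0A C8 5A 05
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8308 = Hex-STRING: 0A C8 5A 06
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8370 = Hex-STRING: 0A C8 5A 05
"""

# cipSecTun{Local,Remote}Addr.<tunIndex> = Hex-STRING: <octets>
ADDR_RE = re.compile(
    r'::cipSecTun(Local|Remote)Addr\.(\d+)\s*=\s*Hex-STRING:\s*([0-9A-Fa-f ]+)$')
# cikePeerCorrIpSecTunIndex.ipAddrPeer."<local>".ipAddrPeer."<remote>".<n>.<m> = INTEGER: <tunIndex>
CORR_RE = re.compile(
    r'::cikePeerCorrIpSecTunIndex\.ipAddrPeer\."([^"]+)"\.ipAddrPeer\."([^"]+)"'
    r'\.(\d+)\.(\d+)\s*=\s*INTEGER:\s*(\d+)$')


def hex_string_to_ip(hex_str):
    """'0A C8 5A 05' -> '10.200.90.5'.  Accepts 4-byte IPv4 and 16-byte IPv6
    values; any other length is rejected instead of silently mangled."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected address length {len(raw)}: {hex_str!r}")
    return str(ipaddress.ip_address(raw))


def parse_tunnels(text):
    """Return {tun_index: {"local": ip, "remote": ip, "ike_peer": (local, remote)}}."""
    tunnels = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        m = ADDR_RE.search(line)
        if m:
            side, idx, hexval = m.groups()
            tunnels[int(idx)][side.lower()] = hex_string_to_ip(hexval.strip())
            continue
        m = CORR_RE.search(line)
        if m:
            ike_local, ike_remote, _, _, tun_idx = m.groups()
            tunnels[int(tun_idx)]["ike_peer"] = (ike_local, ike_remote)
    return dict(tunnels)


def tunnels_by_peer(text):
    """Group IPsec tunnel indexes under their (local, remote) endpoint pair.
    A list longer than one means several SAs to the same peer, which is the
    case the peer address alone cannot tell apart."""
    groups = defaultdict(list)
    for idx, t in parse_tunnels(text).items():
        groups[(t["local"], t["remote"])].append(idx)
    return {k: sorted(v) for k, v in groups.items()}


def graph_names(text):
    """One unambiguous graph title per tunnel index."""
    return {idx: f"{t['local']}-{t['remote']} #{idx}"
            for idx, t in sorted(parse_tunnels(text).items())}


if __name__ == "__main__":
    for pair, idxs in tunnels_by_peer(SAMPLE_WALK).items():
        print(pair, idxs)
```

One caveat when feeding real output into this: net-snmp only chooses Hex-STRING when the octets are not all printable, so a tunnel endpoint whose four bytes happen to be printable ASCII would come back as STRING instead. Walking with `snmpwalk -Ox` forces hex for every OCTET STRING and keeps the parser's assumption true.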