VPN Tunnel monitoring

knobdy · Post by **knobdy** » Thu Apr 27, 2006 12:28 pm

when I check the box for use an individual SessionIP, I get an error trying to save (error states I should check items in red which are all four of the custom data boxes)?

dbrummer · Post by **dbrummer** » Thu Apr 27, 2006 12:30 pm

Hmm, what I had to do was create a data source per device for each rx/tx pair. I ran into problems setting the per-device parameters so I just hard configured them in the data sources. Sorry for the confusion.

-Dan

knobdy · Post by **knobdy** » Thu Apr 27, 2006 12:37 pm

It seems like you should be able to check "Use Per-Data Source Value (Ignore this Value)" for at least sessionIP.

But, wait, what if you have more than one? We need to be able to add a graph per lan-to-lan tunnel, so in the device we would currently have to add "Lan2Lan Traffic" graph template for each lan2lan tunnel we have. What needs to happen is that you add a data querry (perhaps - just guessing now) which querries the device for all possible session IPs. When you go to create graphs it would prompt you to check which of those sessions you want to graph.

Naturally, I don't know that there ARE OIDs to do that with - but there must be because your script gets them, right...?

I have 4 3000 concentrators, 2 routers and 1 firewall (all dedicated to providing VPNs)...this will be HUGELY helpful.

knobdy · Post by **knobdy** » Thu Apr 27, 2006 12:51 pm

Well, another thing, I've run the script against our employee concentrator with all of the parameters as they should be (pretty sure anyway) and it just completes but doesn't show any data. What is the output supposed to be - where's it sending the data its getting back, if its getting anything back?

I used perl -w and just received a lot of complaints about "Scalar value @splits[1] better written as $splits[1] at lan2lantraffic.pl line 55." and line 71, "Argument "peer.ip.add" isn't numeric in numeric eq (==) at lan2lantraffic.pl line 71."

In the line 71 error there are several other addresses as well - to include the private IP of the concentrator...wait, looks like if there isn't a match, it just ends? Well, there is a match so beyond not reporting an error there's a problem with the "isn't numeric eq (==)"...

I also noticed that if I ran the script manually with the hostname (which is how its configured in Cacti) it reports:
session error: Unable to resolve destination UDP/IPv4 address 'arugs_kc2v1' at lan2lantraffic.pl line 38.

dbrummer · Post by **dbrummer** » Thu Apr 27, 2006 1:22 pm

Output should be an integer. Like I said before, this script is not pretty. Feel free to modify.

-Dan

knobdy · Post by **knobdy** » Thu Apr 27, 2006 2:37 pm

I'm not a developer and I've already run out of ideas to google to correct the issues.

What version of perl are you running? If you run this script manually, with the -w switch, does it not report anything?

I'm going through the script adding print statements now, trying to figure out if/when variables are getting hosed - if they're coming in correctly at all in the first place!

dbrummer · Post by **dbrummer** » Thu Apr 27, 2006 2:50 pm

Perl = 5.8.8

I did run it with -w and I see the errors. I'll fix and repost when it's available.

-Dan

knobdy · Post by **knobdy** » Thu Apr 27, 2006 3:49 pm

I'm running 5.8.7 - so I don't see that being the cause (I'll upgrade anyway, just 'cause).

I've noticed that it DOES get the active session IPs. It DOES find the one I'm looking for. Problem is, it just doesn't match it, and I figure it has to be me doing something wrong - too simple of a process for me to get right perhaps.

From an idiots perspective it looks like this:

Code: Select all

if($datatable{$key} == $sessionip)

Means to:

Code: Select all

if "1 => 10.10.10.3" is the same as the address I provided on the command line, then...blah, blah

I get this mostly from the print statement you had in the script and I uncommented - which spits out a list of all the found IP addresses, but each prefixed with a "1 =>", "2 =>", etc.. Naturally the IP I provide on the command line for sessionip isn't going to be prefixed that way...if that's really what is going on... IF that is the case though, how could it be working on your machine? Again, it has to be something I'm doing wrong.

knobdy · Post by **knobdy** » Fri Apr 28, 2006 10:42 am

putting off working on that script for a little while, can someone tell me if:

Code: Select all

.1.3.6.1.4.1.9.9.171.1.3.2.1.26.1

corresponds to the outpackets of the tunnel found at:

Code: Select all

.1.3.6.1.4.1.9.9.172.1.2.1.1.4.1

Or if there's a better index OID out there to figure out which outpackets OID goes to which VPN? I'm pretty sure there is....there has to be a table or something, but for the life of me I can't find it.

dbrummer · Post by **dbrummer** » Tue May 02, 2006 10:31 am

I found this tool from Cisco to be very helpful with Cisco SNMP data:

http://tools.cisco.com/Support/SNMP/do/ ... o?local=en

knobdy · Post by **knobdy** » Tue May 02, 2006 10:54 am

Yeah, that's mostly what I've been using to find OIDs that might work... problem is, I haven't found any for sure OIDs.

Can you take a look at them - that's I've found - and using Cisco's tool see how I might use them, if they're usable?

knobdy · Post by **knobdy** » Wed May 03, 2006 12:22 pm

COuld a command such as "sh cryp sa" on the PIX provide enough output to build graphs from?

Perhaps a script that scraped all configured tunnels from the pix. Like the "Interface-Traffic" data template, this would pull all of the available "interfaces" from the device. Then when you went to graph you could have one that showed wether or not it is up and another to show how much traffic its doing, right? I know I'm not putting this in the correct Cacti lingo - and possibly not in the right order - so feel free to straighten me out.

Maybe theres a better PIX command that could show somethign like bits or something...

richrumble · Post by **richrumble** » Mon Oct 16, 2006 9:21 pm

I'll have a script up soon for this, we are also looking to graph our lan-to-lan tunnles only, not the users as they come and go too often to really need to graph them much. The lan-to-lan's keep the same Ip's everytime and will be easier to trend over their lifespan.

Here is what I know so far, just need to code the perl...
.1.3.6.1.4.1.3076.2.1.2.17.1.7.0 = Gauge32: 36 The number of currently active management sessions.

.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.x = INTEGER: 46 ||| x= Index of this session
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.x = STRING: "69.69.69.123" ||| x= index, the ip of the remote host is in quotes after string:
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.x = INTEGER: 15 ||| 15:ipsecLanToLan see
http://tools.cisco.com/Support/SNMP/do/ ... 2.17.2.1.5

.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.x = Gauge32: 18300 ||| x= the ifindex. The total amount of time, in seconds that this session has been established is listed in the Gauge32
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.x = Counter32: 624 ||| x= the ifindex. The total number of bytes sent over this session.
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.x = Counter32: 176 ||| x= the ifindex. The total number of bytes recieved on this session.

EXAMPLE
.1.3.6.1.4.1.3076.2.1.2.17.1.7.0 = Gauge32: 36 (the number of active lan-to-lan sessions)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.2.46 = INTEGER: 46 (the 46 will match to the last digit(s) in the OID from here on...)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.46 = STRING: "69.69.69.123"
.1.3.6.1.4.1.3076.2.1.2.17.2.1.5.46 = INTEGER: 15 (session type, we only want sesstions that are interger: 15)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.8.46 = Gauge32: 72209 (seconds counter)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.46 = Counter32: 624 (bytes tx)
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.46 = Counter32: 176 (bytes rx)

more to come...

lt.overflow · Post by **lt.overflow** » Thu Jun 07, 2007 11:37 am

First post to this forum, so I'd like to take the opportunity to thank everyone for their suggestions and solutions that I'm sure many read-only users find to be incredibly helpful.

Regarding graphing Cisco PIX VPN tunnel traffic, I have, thorugh trial and error, found the correct OIDs that seem to accomplish this goal. These are:

Cisco ASA - VPN Traffic - traffic_in
1.3.6.1.4.1.9.9.171.1.3.1.3.0

Cisco ASA - VPN Traffic - traffic_out
1.3.6.1.4.1.9.9.171.1.3.1.16.0

This seems to work with both Cisco PIX 6.X and 7.X code, as well as the ASA chassis, and I have deployed it on several Cacti installations now with much success.

I hope this helps, but please contact me with any questions or concerns.

Setarcos · Post by **Setarcos** » Mon Aug 27, 2007 2:03 pm

Anyone have a version of this that can uniquely disambiguate multiple IPSec instances on the same peers for LAN-2-LAN tunnels on Cisco firewalls?

Looks like the data is there in CISCO-IPSEC-FLOW-MONITOR-MIB for the local and remote networks, but the return values are in hex:

CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.5".500.8369 = INTEGER: 8369
CISCO-IPSEC-FLOW-MONITOR-MIB::cikePeerCorrIpSecTunIndex.ipAddrPeer."10.200.1.2".ipAddrPeer."10.200.90.6".500.8308 = INTEGER: 8308

CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8369 = Hex-STRING: 0A C8 01 02
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunLocalAddr.8308 = Hex-STRING: 0A C8 01 02

CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8369 = Hex-STRING: 0A C8 5A 05
CISCO-IPSEC-FLOW-MONITOR-MIB::cipSecTunRemoteAddr.8308 = Hex-STRING: 0A C8 5A 06

The fields all appear to be addressable via an indexed SNMP Query, but can the hex string be converted into decimal somehow?

Cacti

VPN Tunnel monitoring

Working on this now

Hope this helps

Who is online