VPN Tunnel monitoring

[nduda78]

So confused here...How can I get Site-to-Site stats on individual tunnels using my ASA?

I have an ASA here that talks to remote offices, I want to chart the bandwidth for each of them. I've been looking at all these OID entries and just cant figure it out.

Help!

[aquila125]

dbrummer,

I'm very new to cacti but would like to use your script to gather data from our ASA device.

Since the ASA uses different MIB's I'll have to change them.

I found out that I can get the peer IP's with this MIB: 1.3.6.1.4.1.9.9.171.1.2.3.1.7.X
Received packets: enterprises.9.9.171.1.3.2.1.32.X
Send packets: enterprises.9.9.171.1.3.2.1.45.X

I can easily adapt your script to use these new MIB's.

Can you provide me with the query script xml file for this to load into Cacti? I'm not sure how I can build this myself (cacti-noob-talking)



Thanks!

[nduda78]

aquila125,

Just what I am looking for, but how can i tell which OID is for what peer?

I issue the following to get the peers:

snmpwalk -v 1 -c community x.x.x.x 1.3.6.1.4.1.9.9.171.1.2.3.1.7
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.7 = STRING: "69.x.x.x"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.9 = STRING: "193.x.x.x"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.27 = STRING: "142.x.x.x"

and I see my Tunnel peers, awesome....but then I execute the tx/rx ones you posted:

snmpwalk -v 1 -c community x.x.x.x 1.3.6.1.4.1.9.9.171.1.3.2.1.32
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.14 = Counter32: 2053927579
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.15 = Counter32: 20499255
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.16 = Counter32: 59644
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.17 = Counter32: 92451453
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.18 = Counter32: 42574699
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.19 = Counter32: 9964751
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.20 = Counter32: 2407151
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.21 = Counter32: 442837
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.168 = Counter32: 5961323
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.507 = Counter32: 538955
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.689 = Counter32: 17708799
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.690 = Counter32: 444305
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.692 = Counter32: 4503
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.759 = Counter32: 189532
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.760 = Counter32: 11066
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.761 = Counter32: 2831
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.762 = Counter32: 24

How do i know what TX is for what peer?

Update: so yea, i need to know how to find out which entry goes to what tunnel i have when issuing a snmpwalk against 1.3.6.1.4.1.9.9.171.1.3.2.1 on the ASA

[aquila125]

Well,

I'm not 100% sure, but in our case:

enterprises.9.9.171.1.2.3.1.7.1011 = "CUST_IP"

and

enterprises.9.9.171.1.3.2.1.2.986 = INTEGER: 1011

and

enterprises.9.9.171.1.3.2.1.32.986 = Counter32: 21450

So you need the intermediate step to get the final index...

[nduda78]

I dont follow you....sent you a PM if you could look at it.

[nduda78]

oh wait i think i got it....

so:

SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.7 = STRING: "69.x.x.x"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.9 = STRING: "193.x.x.x"
SNMPv2-SMI::enterprises.9.9.171.1.2.3.1.7.27 = STRING: "142.x.x.x"

then:

SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.168 = INTEGER: 7
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.507 = INTEGER: 9
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.2.689 = INTEGER: 27

then:

(rx)
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.14 = Counter32: 2054840717
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.15 = Counter32: 20513721
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.16 = Counter32: 59703
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.17 = Counter32: 92654790
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.18 = Counter32: 42852158
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.19 = Counter32: 10006265
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.20 = Counter32: 2409455
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.21 = Counter32: 443150
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.168 = Counter32: 5973914
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.507 = Counter32: 541253
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.689 = Counter32: 17767814
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.690 = Counter32: 444419
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.692 = Counter32: 4527
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.759 = Counter32: 383112
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.760 = Counter32: 19613
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.761 = Counter32: 8791
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.762 = Counter32: 51
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.32.763 = Counter32: 357

(tx)
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.14 = Counter32: 1211751983
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.15 = Counter32: 24053445
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.16 = Counter32: 92334
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.17 = Counter32: 108325220
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.18 = Counter32: 36267204
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.19 = Counter32: 7142011
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.20 = Counter32: 2412909
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.21 = Counter32: 568791
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.168 = Counter32: 6305735
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.507 = Counter32: 497502
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.689 = Counter32: 27768398
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.690 = Counter32: 445670
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.692 = Counter32: 3895
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.759 = Counter32: 411479
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.760 = Counter32: 20242
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.761 = Counter32: 8690
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.762 = Counter32: 0
SNMPv2-SMI::enterprises.9.9.171.1.3.2.1.45.763 = Counter32: 298


So from this I can see that the tunnel with peer 69.x.x.x. received 5973914 bits/sec and transfered 6305735 bits/sec , or is that packets (as the cisco oid tool states)....i'd like to get bits/sec so i can graph the bandwidth usage

Correct?

[Setarcos]

Indexing off the IKE peer only works if you have a single subnet defined on each end of the connection. To be totally unambiguous requires using both cipSecTunLocalAddr and cipSecTunRemoteAddr.

[aquila125]

I think I got it working on my ASA 5510!
I adapted the script so it's a bit faster and cleaner. I added a parameter (ASA or CONCENTRATOR) and remove the rx/tx parameters. Both values will be returned now (since that is what you most likely want).

I'm not sure that the Concentrator works since I'm not able to test it.

<EDIT>
I uploaded a new version of the script.
I noticed that I had several entries in my asa related to a certain PEER ID, so now I accumulate all the values of those OID's. The result seems to match my test (running an FTP session over an further unused vpn tunnel and the results are correct.

<EDIT2>
I noticed that if the tunnel is not up when the snmp call is running, no data is returned. This means that if the tunnel was up for a short time (and transmitting data) it is not always shown in the charts... There is not much you can do about this except shortening the checking interval...

[aquila125]

Indexing off the IKE peer only works if you have a single subnet defined on each end of the connection. To be totally unambiguous requires using both cipSecTunLocalAddr and cipSecTunRemoteAddr.

I'm using cikeTunRemoteValue. So you only need the Peer IP address...

[nduda78]

Thanks for getting those done! but my graphs are all showing 0 (not nan)...looking at the log file it shows its getting results, just not filling in the graphs...

11/06/2007 10:30:04 AM - CACTID: Poller[0] Host[57] DS[5788] SCRIPT: perl /www/htdocs/cacti/scripts/lan2lan_cisco.pl mysnmpcommunity 192.168.95.7 some_remote_peer ASA, output: RX:3833585954 TX:3506554089
11/06/2007 10:30:05 AM - CACTID: Poller[0] Host[57] DS[5790] SCRIPT: perl /www/htdocs/cacti/scripts/lan2lan_cisco.pl mysnmpcommunity 192.168.95.7 some_remote_peer ASA, output: RX:3108853293 TX:870654177
11/06/2007 10:30:06 AM - CACTID: Poller[0] Host[57] DS[5791] SCRIPT: perl /www/htdocs/cacti/scripts/lan2lan_cisco.pl mysnmpcommunity 192.168.95.7 some_remote_peer ASA, output: RX:1505731407 TX:2355827662
11/06/2007 10:30:07 AM - CACTID: Poller[0] Host[57] DS[5789] SCRIPT: perl /www/htdocs/cacti/scripts/lan2lan_cisco.pl mysnmpcommunity 192.168.95.7 some_remote_peer ASA, output: RX:5621384918 TX:2813901160

[aquila125]

I had the same problem and deleted the RRD's that were linked to those data sources. Cacti will automatically recreate them..

This solved my problem...

[nduda78]

How exactly do you do that...I've blown away all this and redid them...maybe I did it wrong?

I just removed the phyiscal rrd file now, let me see if that works...<shrug>

[aquila125]

Just delete the files from the filesystem (site/rrd if I'm correct). You can find the names of the RRD's in the data sources.

You also need to wait for 2 intervals before the nr's are filled in. (default interval is 5 mins, so make sure you wait 10-15 mins, then you should see the first data)

[nduda78]

Just delete the files from the filesystem (site/rrd if I'm correct). You can find the names of the RRD's in the data sources.

You also need to wait for 2 intervals before the nr's are filled in. (default interval is 5 mins, so make sure you wait 10-15 mins, then you should see the first data)

ok waiting...i know first poll creates the graphs (showing NAN), then second usually fills the data in...ill post back in 15-20 min

[nduda78]

Weird....still nothing except one chart is working and I didnt blow that one away (I didnt blow a bunch of others away and they still not updating)....hmmmmmmmm