6282 Views 14 Replies Latest reply: Sep 21, 2012 6:21 AM by jcurry RSS
philipp Rank: White Belt 9 posts since
Mar 5, 2012

Mar 6, 2012 4:21 AM

Time for a more sophisticated Cisco ASA VPN Monitoring ZenPack?

Hi,

I'm thinking about developing a more sophisticated VPN monitoring on Cisco ASA, but I ask all Zenoss pros first for your opinion and advice.

I want a per-VPN-tunnel monitoring with graphs, thresholds and alarms in case a VPN tunnel goes down. AFAIK ZenPacks are a collection of templates or MIBs for a certain device class. I think about an extension to Zenoss as a component of a device class, e.g. network routes or interfaces. Distinguish between Remote-Access and Site-2-Site VPN, filterable and more detailed.

The MIBs contain the required information (CISCO-IPSEC-FLOW-MONITOR-MIB, CISCO-FIREWALL-MIB, CISCO-CRYPTO-ACCELERATOR-MIB.my), but I'm definitely not the only geek who has thought about it?

In my opinion an SNMP-based solution gives you more and more detailed information about the VPN tunnel from a live perspective, but the system collects the data every 5 mins (depending on configuration). So you'll get the alarm between 0-5 minutes and not immediately when it happens. Time vs. comfort.

I also think that we could reuse the code for other platforms, because other vendors also disperse the VPN info in their MIBs. So you need code to bring them in relation and even more code to make them usable in the GUI.

How do you do VPN monitoring?

What do you think about an SNMP-based solution as a device-class component?

Do you already have an approach and know some pitfalls?

Looking forward to your reply.

Cheers, Philipp

  • Shane Scott ZenossMaster 1,373 posts since
    Jul 6, 2009

    Philipp:

    I'm unfamiliar with that pack but it sounds like you want to monitor tunnels like interfaces. If that's the case and those tunnels aren't showing up during an interface model you'll need to write a modeler and a custom subclass of interface to add these items to supporting devices.

    I think we're modeling ASAs here.

    Let me check on that and I'll get back to you.

    If you don't hear from me, just give a shout. I forget a lot.

    Best,

    --Shane

  • Vaibhav.Narula Rank: Green Belt 78 posts since
    Sep 24, 2010

    Hi Philipp,

    I am trying to build the same using the below script:

    #!/usr/bin/perl
    #
    # LAN2LAN Traffic Perl Script
    # Created by Dan
    # This script will walk the LAN2LAN sessions on a Cisco VPN3000 and return RX/TX Octets
    # based on a session IP search criteria
    #
    # Usage: lan2lantraffic.pl community host sessionip rx|tx
    # Session IP is the IP of the LAN2LAN session
    # You must supply tx or rx fields for output octets
    #
    use strict;
    use warnings;
    use Net::SNMP;

    # Set variables based on input parameters
    my $community = $ARGV[0];
    my $host      = $ARGV[1];
    my $sessionip = $ARGV[2];
    my $flow      = $ARGV[3];

    # Set OID variables (trailing dot so the row index can be appended)
    my $alActiveSessionIpAddressOID = "1.3.6.1.4.1.3076.2.1.2.17.2.1.4.";
    my $alActiveSessionOctetsRcvd   = "1.3.6.1.4.1.3076.2.1.2.17.2.1.10.";
    my $alActiveSessionOctetsSent   = "1.3.6.1.4.1.3076.2.1.2.17.2.1.9.";

    # Check variables to make sure data is there
    if (!$community || !$host || !$sessionip || !$flow) {
        print "Not all parameters filled.\n";
        print "Usage: lan2lantraffic.pl community host sessionip tx|rx\n";
        exit 1;
    }

    # Create SNMP session
    my ($session, $error) = Net::SNMP->session(
        -hostname  => $host,
        -community => $community,
        -port      => 161,
    );
    die "session error: $error" unless ($session);

    # Walk alActiveSessionIpAddress: one get_table returns index => IP for every
    # active session, so no per-OID get_request is needed afterwards
    my $baseoid = $alActiveSessionIpAddressOID;
    $baseoid =~ s/\.$//;
    my $result = $session->get_table(-baseoid => $baseoid);
    die "request error: " . $session->error unless (defined $result);

    # Build the datatable with index => ipaddress
    my %datatable;
    foreach my $oid (keys %$result) {
        # Split the full OID to get the index (\Q...\E: dots are regex metacharacters)
        my ($dataindex) = $oid =~ /^\Q$alActiveSessionIpAddressOID\E(.+)$/;
        next unless defined $dataindex;
        $datatable{$dataindex} = $result->{$oid};
    }

    # Search datatable for session ip parameter (string compare: IPs are not numbers)
    my $outindex;
    foreach my $key (sort keys %datatable) {
        if ($datatable{$key} eq $sessionip) {
            # We have a match, set output index
            $outindex = $key;
            last;
        }
    }

    # No match, no data
    unless (defined $outindex) {
        $session->close;
        die "no active LAN2LAN session for $sessionip\n";
    }

    # Get session traffic octets based on index and flow (tx or rx)
    my $output;
    if ($flow eq 'rx') {
        # Set output to RX Octets (alActiveSessionOctetsRcvd)
        my $dataoid = $alActiveSessionOctetsRcvd . $outindex;
        my $outdata = $session->get_request(-varbindlist => [$dataoid]);
        $output = $outdata->{$dataoid} if defined $outdata;
    } elsif ($flow eq 'tx') {
        # Set output to TX Octets (alActiveSessionOctetsSent)
        my $dataoid = $alActiveSessionOctetsSent . $outindex;
        my $outdata = $session->get_request(-varbindlist => [$dataoid]);
        $output = $outdata->{$dataoid} if defined $outdata;
    } else {
        $session->close;
        die "flow must be rx or tx\n";
    }

    # Close SNMP session
    $session->close;

    # Output data cleanly
    die "request error: no data returned\n" unless defined $output;
    chomp($output);
    print $output;

    Regards,

    Vaibhav Narula
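As an added illustration (not code from this thread or from any ZenPack), here is the index-to-IP join that the script above does, done in Python over a constructed snmpwalk dump, and extended to what Philipp asked for: comparing two polls to flag tunnels that disappeared between polls and turning the octet counters into per-tunnel rates. The sample walk output, the 300 s interval and the function names are assumptions.

```python
import re

# Column OIDs from the posted Perl script (ALTIGA session table), without the trailing dot so "<col>.<idx>" can be split
IP_COL   = "1.3.6.1.4.1.3076.2.1.2.17.2.1.4"
SENT_COL = "1.3.6.1.4.1.3076.2.1.2.17.2.1.9"
RCVD_COL = "1.3.6.1.4.1.3076.2.1.2.17.2.1.10"

# Constructed sample of `snmpwalk -On` output for two polls 300 s apart (not real device data)
POLL_1 = """\
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.7 = IpAddress: 10.1.1.1
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.9 = IpAddress: 10.2.2.2
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.7 = Counter32: 1000
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.9 = Counter32: 500
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.7 = Counter32: 4000
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.9 = Counter32: 250
"""
POLL_2 = """\
.1.3.6.1.4.1.3076.2.1.2.17.2.1.4.7 = IpAddress: 10.1.1.1
.1.3.6.1.4.1.3076.2.1.2.17.2.1.9.7 = Counter32: 31000
.1.3.6.1.4.1.3076.2.1.2.17.2.1.10.7 = Counter32: 4000
"""
LINE_RE = re.compile(r"^\.?(\S+)\s*=\s*\w+:\s*(.+)$")

def parse_walk(text):
    """Return {peer_ip: {"sent": int, "rcvd": int}} by joining the three columns on the row index."""
    cols = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            col, idx = m.group(1).rsplit(".", 1)
            cols.setdefault(col, {})[idx] = m.group(2).strip()
    sessions = {}
    for idx, ip in cols.get(IP_COL, {}).items():
        sessions[ip] = {"sent": int(cols.get(SENT_COL, {}).get(idx, 0)),
                        "rcvd": int(cols.get(RCVD_COL, {}).get(idx, 0))}
    return sessions

def diff_polls(prev, curr, interval):
    """Flag tunnels seen last poll but missing now, and compute bytes/s for the survivors."""
    down = sorted(set(prev) - set(curr))
    rates = {}
    for ip, c in curr.items():
        p = prev.get(ip)
        if p is None:
            continue  # new tunnel: no baseline yet
        # Counter32 wrap-around: a current value below the previous one is a wrap, not a reset
        d_sent = (c["sent"] - p["sent"]) % 2**32
        d_rcvd = (c["rcvd"] - p["rcvd"]) % 2**32
        rates[ip] = {"sent": d_sent / interval, "rcvd": d_rcvd / interval}
    return down, rates
```

In a 5-minute polling cycle the "down" list is what a threshold or event would be raised on; the tunnel is only noticed missing at the next poll, which is the 0-5 minute delay Philipp describes.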

  • Shane Scott ZenossMaster 1,373 posts since
    Jul 6, 2009

    Philipp:

    I can confirm we're not monitoring what you're looking for. Try adapting the above solution by Vaibhav to a Python modeler in Zenoss. From that the tunnels can have templates applied to them with the correct OIDs, much like interfaces. I can help you with that, but I highly suggest you code the modeler in Python and avoid command data sources at all costs.

    Best,

    --Shane

  • Shane Scott ZenossMaster 1,373 posts since
    Jul 6, 2009

    Philipp:

    There isn't a lot of good documentation on this. Good ZenPacks to disassemble which contain the code you need are Jane's Bridge pack and my IP SLA pack (the newer one).

    --Shane

  • Alex G. Newbie 4 posts since
    Sep 17, 2012

    Hello there Philipp,

    Have you been able to make the Sophisticated ASA VPN Monitoring Pack? Would really appreciate it....

    Thanks in advance,
    Alex

  • Shane Scott ZenossMaster 1,373 posts since
    Jul 6, 2009

    Alex:

    I will note that v4 enterprise has very good support for ASA monitoring.

    Best,

    --Shane Scott (Hackman238)

  • Alex G. Newbie 4 posts since
    Sep 17, 2012

    Hi Shane,

    I searched around but didn't find any specifics of ASA monitoring capabilities by v4 enterprise. Does it make graphs for individual VPN tunnels with the ability to see the amount of traffic inside the tunnel?

    Thanks in advance!
    Alex.

  • Shane Scott ZenossMaster 1,373 posts since
    Jul 6, 2009

    Alex:

    It doesn't appear to. It does graph traffic for each VLAN, model the peers and track HA status.

    Best,

    --Shane Scott (Hackman238)

  • Alex G. Newbie 4 posts since
    Sep 17, 2012

    Shane: thanks for the insight! And Enterprise costs...

    Philipp: I wish I had the necessary know-how to help develop this. But I will keep watching this thread and I will be happy to perform beta tests if needed. Thanks in advance for your time!

  • Shane Scott ZenossMaster 1,373 posts since
    Jul 6, 2009

    Let me know if I can offer any help.

    Best,

    --Shane Scott (Hackman238)

  • jcurry ZenossMaster 1,021 posts since
    Apr 15, 2008

    I have done something like this in my Juniper ZenPack that models and collects data for VLANs and VPNs - see http://community.zenoss.org/docs/DOC-10328 . It uses SNMP to gather the data. It has both modeler plugins to collect configuration info and performance templates to give you graphs.

    What we would need are the SNMP OIDs that provide the data. This is often fairly complex, requiring data from several SNMP tables. I don't have any of these devices but I might find time to provide some ZenPack coding skills if someone else finds the appropriate SNMP OIDs and can provide some test systems.

    Anyone interested in a collaborative project?

    Cheers,
    Jane
