Mar 6, 2012 4:21 AM
Time for a more sophisticated Cisco ASA VPN Monitoring ZenPack?
Hi,
I'm thinking about developing a more sophisticated VPN monitoring on Cisco ASA, but I'd like to ask all the Zenoss pros first for your opinion and advice.
I want per-VPN-tunnel monitoring with graphs, thresholds and alarms in case a VPN tunnel goes down. AFAIK ZenPacks are a collection of templates or MIBs for a certain device class. I'm thinking about an extension to Zenoss as a component of a device class, e.g. network routes or interfaces. Distinguish between Remote-Access and Site-2-Site VPN, filterable and more detailed.
The MIBs contain the required information (CISCO-IPSEC-FLOW-MONITOR-MIB, CISCO-FIREWALL-MIB, CISCO-CRYPTO-ACCELERATOR-MIB.my), but I'm definitely not the only geek who has thought about it?
In my opinion an SNMP-based solution gives you more and more detailed information about the VPN tunnel from a live perspective, but the system collects the data every 5 mins (depending on configuration). So you'll get the alarm between 0-5 minutes later and not immediately when it happens. Time vs. comfort.
I also think that we could reuse the code for other platforms, because other vendors also disperse the VPN info in their MIBs. So you need code to bring them into relation and even more code to make them usable in the GUI.
How do you make vpn monitoring?
What do you think about a snmp-based solution as a device class component?
Do you already have an approach and know some pitfalls?
Looking forward to your reply.
Cheers, Philipp
Phillip:
I'm unfamiliar with that pack, but it sounds like you want to monitor tunnels like interfaces. If that's the case and those tunnels aren't showing up during an interface model, you'll need to write a modeler and a custom subclass of interface to add these items to supporting devices.
I think we're modeling ASAs here.
Let me check on that and I'll get back to you.
If you don't hear from me, just give a shout. I forget a lot.
Best,
--Shane
Hi Philip,
I am trying to build the same using the below script
#!/usr/bin/perl
######
# LAN2LAN Traffic Perl Script
# Created by Dan
# This script will walk the LAN2LAN sessions on a Cisco VPN3000 and return RX/TX Octets
# based on a session IP search criteria
#
# Usage: lan2lantraffic.pl community host sessionip rx|tx
# Session IP is the IP of the LAN2LAN session
# You must supply tx or rx fields for output octets
######
use strict;
use warnings;
use Net::SNMP;

# Set variables based on input parameters
my $community = $ARGV[0];
my $host      = $ARGV[1];
my $sessionip = $ARGV[2];
my $flow      = $ARGV[3];

# Set OID variables (column OIDs of alActiveSessionTable, without the row index)
my $alActiveSessionIpAddressOID = "1.3.6.1.4.1.3076.2.1.2.17.2.1.4";
my $alActiveSessionOctetsRcvd   = "1.3.6.1.4.1.3076.2.1.2.17.2.1.10";
my $alActiveSessionOctetsSent   = "1.3.6.1.4.1.3076.2.1.2.17.2.1.9";

# Check variables to make sure data is there
if (!$community || !$host || !$sessionip || !$flow) {
    print "Not all parameters filled.\n";
    print "Usage: lan2lantraffic.pl community host sessionip tx|rx\n";
    exit 1;
}
if ($flow ne 'rx' && $flow ne 'tx') {
    print "Flow must be rx or tx.\n";
    exit 1;
}

# Create SNMP session
my ($session, $error) = Net::SNMP->session(-hostname => $host, -community => $community, -port => 161);
die "session error: $error" unless ($session);

# Walk alActiveSessionIpAddress for list of active session OIDs
# (get_table returns a hash reference of oid => value, one entry per row,
# so no per-row get_request is needed)
my $result = $session->get_table(-baseoid => $alActiveSessionIpAddressOID);
die "request error: " . $session->error unless (defined $result);

# Build the datatable (index => ipaddress); the row index is the last sub-identifier of each OID
my %datatable;
foreach my $oid (keys %$result) {
    if ($oid =~ /^\Q$alActiveSessionIpAddressOID\E\.(\d+)$/) {
        $datatable{$1} = $result->{$oid};
    }
}

# Search datatable for session ip parameter
# (string compare: "==" would treat the dotted address as a number and match the wrong session)
my $outindex;
foreach my $key (sort keys %datatable) {
    if ($datatable{$key} eq $sessionip) {
        # We have a match, set output index
        $outindex = $key;
        last;
    }
}
unless (defined $outindex) {
    # No match, no data
    $session->close;
    print "No active session for $sessionip.\n";
    exit 1;
}

# We now have an index of a matching session ip, lets grab the data
# Get session traffic octets based on index and flow (tx or rx)
my $dataoid = ($flow eq 'rx')
    ? "$alActiveSessionOctetsRcvd.$outindex"   # RX Octets (alActiveSessionOctetsRcvd)
    : "$alActiveSessionOctetsSent.$outindex";  # TX Octets (alActiveSessionOctetsSent)
my $outdata = $session->get_request(-varbindlist => [$dataoid]);
die "request error: " . $session->error unless (defined $outdata);
my $output = $outdata->{$dataoid};

# Close SNMP session
$session->close;

# Output data cleanly
chomp($output);
print $output;
Regards,
Vaibhav Narula
Philip:
I can confirm we're not monitoring what you're looking for. Try adapting the above solution by Vaibhav to a python modeler in ZenOSS. From that the tunnels can have templates applied to them with the correct OIDs much like interfaces. I can help you with that but I highly suggest you code the modeler in python and avoid at all costs commandData sources.
Best,
--Shane
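As a worked illustration of what porting Vaibhav's script to Python involves, here is an added example (not code from the thread, Zenoss or any ZenPack). It keeps the VPN3000 column OIDs from the script above, but it expects one walk of the whole session table (the constructed SAMPLE_WALK dict stands in for that walk), groups the rows into per-session records the way a modeler would hand them to a device class as components, looks a session up by peer IP with a string compare, and compares two polls to list the tunnels that disappeared, which is the "alarm within 0-5 minutes" situation from Philipp's opening post. The SNMP transport itself is left out so the logic runs offline.

```python
"""Table-to-session logic for SNMP VPN tunnel monitoring (added example)."""

# Column OIDs of alActiveSessionTable as used in the Perl script above,
# without the trailing row index.
SESSION_TABLE = "1.3.6.1.4.1.3076.2.1.2.17.2.1"
COL_IP_ADDRESS = SESSION_TABLE + ".4"
COL_OCTETS_SENT = SESSION_TABLE + ".9"
COL_OCTETS_RCVD = SESSION_TABLE + ".10"

# Map column OID -> field name used in the session records.
COLUMNS = {COL_IP_ADDRESS: "ip", COL_OCTETS_SENT: "tx", COL_OCTETS_RCVD: "rx"}

# Constructed sample: what a walk of the whole table might return as
# {oid: value}. Rows 17 and 42 are two active LAN-to-LAN sessions.
SAMPLE_WALK = {
    COL_IP_ADDRESS + ".17": "192.0.2.10",
    COL_IP_ADDRESS + ".42": "198.51.100.7",
    COL_OCTETS_SENT + ".17": "1048576",
    COL_OCTETS_SENT + ".42": "2048",
    COL_OCTETS_RCVD + ".17": "524288",
    COL_OCTETS_RCVD + ".42": "4096",
}


def parse_session_table(walk):
    """Group a flat OID walk into {row_index: {"ip": ..., "tx": ..., "rx": ...}}.

    The row index is whatever follows the column OID and its dot; the dot is
    part of the prefix so column ".1" can never swallow column ".10".
    """
    sessions = {}
    for oid, value in walk.items():
        for col_oid, name in COLUMNS.items():
            prefix = col_oid + "."
            if oid.startswith(prefix):
                index = oid[len(prefix):]
                row = sessions.setdefault(index, {})
                # Counters arrive as strings from the agent; keep the IP as text.
                row[name] = value if name == "ip" else int(value)
    return sessions


def session_octets(sessions, session_ip, flow):
    """Return the tx or rx octet counter for the session with this peer IP.

    Returns None when no active session has that peer, which a caller should
    treat as "tunnel not up", not as zero traffic.
    """
    if flow not in ("tx", "rx"):
        raise ValueError("flow must be 'tx' or 'rx'")
    for row in sessions.values():
        # String comparison: a numeric compare of dotted addresses matches wrongly.
        if row.get("ip") == session_ip:
            return row.get(flow)
    return None


def tunnels_down(previous, current):
    """Peer IPs seen in the previous poll that are absent from the current one.

    Matching is by peer IP rather than row index, because the agent may hand
    out a different index when a tunnel is re-established.
    """
    prev_ips = {row["ip"] for row in previous.values() if "ip" in row}
    cur_ips = {row["ip"] for row in current.values() if "ip" in row}
    return sorted(prev_ips - cur_ips)


if __name__ == "__main__":
    first = parse_session_table(SAMPLE_WALK)
    print("rx octets for 192.0.2.10:", session_octets(first, "192.0.2.10", "rx"))
    # Simulate the next poll with session 42 gone.
    later = parse_session_table({k: v for k, v in SAMPLE_WALK.items() if not k.endswith(".42")})
    print("tunnels down since last poll:", tunnels_down(first, later))
```

The gap between two polls is exactly the detection delay Philipp describes: with a 5-minute collection interval, `tunnels_down` can only report the loss at the next cycle, so the interval, not the code, sets how quickly the alarm fires.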
Hi Shane, Hi Vaibhav,
thanks for your fast response and code
It's true that I want monitor vpn-tunnels like interfaces.
I'll write a new modeler in Python and adapt the code from Vaibhav in it. I made my first experiences today with a new modeler for NEWAVE APCs, which was easy enough.
But I was struggling a bit at the data-structure-definitions of the models. I could not find a comprehensive reference. Finally I checked out the source code and read the class-definitions.
Where can I find the documentation of class and structures?
Cheers, Philipp
Phillip:
There isn't a lot of good documentation on this. Good zenpacks to disassemble which contain the code you need are Jane's Bridge pack and my IP SLA pack (the newer one).
--Shane
alright thanks for the hint! I'll check out the code and come back to you with my first prototype. Cheers, Philipp
Hello there Philipp,
Have you been able to make the Sophisticated ASA VPN Monitoring Pack? Would really appreciate it....
Thanks in advance,
Alex
Alex:
I will note that v4 enterprise has very good support for ASA monitoring.
Best,
--Shane Scott (Hackman238)
Hi Shane,
I searched around but didn't find any specifics of ASA monitoring capabilities by v4 enterprise. Does it make graphs for individual VPN tunnels with ability to see amount of traffic inside the tunnel?
Thanks in advance!
Alex.
Alex:
It doesn't appear to. It does graph traffic for each Vlan, model the peers and track HA status.
Best,
--Shane Scott (Hackman238)
Hi Alex, I'm really a bit shocked about how much time has passed since my last post! To be honest, nothing new has happened :/
It's the truth, on Monday my boss came to my office and asked me again for a solution for VPN tunnel monitoring. Looks like a wakeup call
I already grabbed Shane's IP SLA code, but I got stuck building the skeleton. New topics definitely need time and patience... I have both at the moment.
If anybody is interested in collaboration on this topic and already has Python experience, I'd be very glad to work on it in a team!
So far, Philipp
Shane: thanks for the insight! and Enterprise costs...
Philipp: I wish I had the necessary know-how to help develop this. But I will keep watching this thread and I will be happy to perform beta tests if needed. Thanks in advance for your time!
Let me know if I can offer any help.
Best,
--Shane Scott (Hackman238)
I have done something like this in my Juniper ZenPack that models and collects data for VLANs and VPNs - see docs/DOC-10328 . It uses SNMP to gather the data. It has both modeler plugins to collect configuration info and performance templates to give you graphs.
What we would need are the SNMP OIDs that provide the data. This is often fairly complex requiring data from several SNMP tables. I don't have any of these devices but I might find time to provide some ZenPack coding skills if someone else finds the appropriate SNMP OIDs and can provide some test systems.
Anyone interested in a collaborative project?
Cheers,
Jane