ZABBIX Forums  
  #1  
Old 02-01-2010, 00:00
ericgearhart
Member
 
Join Date: Jan 2009
Posts: 53
Monitoring Cisco PIX/ASA IPsec VPN tunnels

This "recipe" outlines what I went through with Zabbix to enable it to monitor the bandwidth of individual IPsec VPN tunnels.

This is not as easy as it seems at first glance... on Cisco devices the bandwidth of IPsec tunnels can be monitored via SNMP, but each tunnel has a unique "session" that has to be matched up to the peer IP address of the tunnel you want to monitor (even more fun: you must convert the peer IP address to its hex equivalent and then do the equivalent of an snmpget with that hex value to get the IPsec session).

On top of that, if an IPsec tunnel goes down and then an hour later comes back up, it will have a different session ID, so its SNMP OID will have changed... even if you looked up the original SNMP OID for a given tunnel as soon as it goes down your graphs stop updating.

(backstory: I "discovered" Zabbix over the past two weeks... we are currently using Cacti to monitor many metrics of our network, but I'm pitching for Zabbix to completely replace Cacti at my work because it combines graphing, trending and alerts. This is one pretty crucial function that I would need Zabbix to be able to take over from Cacti).

Last edited by ericgearhart; 02-01-2010 at 00:37. Reason: Doh PIX should be VPN Concentrator... I think the script can query all three device types, not sure
  #2  
Old 02-01-2010, 00:30
ericgearhart
Member
 
Join Date: Jan 2009
Posts: 53

I must first point out that this solution borrows heavily from this thread on the Cacti forums... I also use the perl script that enables this functionality in Cacti (query_asa_lan2lan_cisco.pl) and just "port it over" to the equivalent in Zabbix.

The only significant change I had to make was the order of the arguments to the script... Zabbix expects to call external scripts with the first argument being the hostname/IP matching the item, so I had to flip the order of the arguments in query_asa_lan2lan_cisco.pl

The basic technical overview of setting this up:
-pick a folder you want to store custom scripts in on your Zabbix server. I personally use /etc/zabbix/externalscripts.

-enable the "external_scripts" folder in your zabbix_server.conf, and point it at that folder.

-copy the query_asa_lan2lan_cisco.txt script attached to this post to that external_scripts folder previously mentioned... rename it to a .pl file instead of .txt. I had to do that because of forum attachment rules.

-the script depends on the Net::SNMP perl module. On CentOS and RHEL all I had to do to get this module was "yum install perl-Net-SNMP"... your mileage may vary depending on your OS. It probably should be as easy as an 'emerge' or an 'apt-get' depending on your distribution

-Make sure you 'chown zabbix:zabbix' that script so your zabbix server user owns the script

In the Zabbix web console:
-create a Host for your PIX/ASA (unless you already have)
-create an inbound Item similar to the screenshot attached. Note the data type is decimal and the custom multiplier is 8 (this converts raw bps to Kbps or Mbps in the graphs... much prettier)

For a Cisco ASA, the format for the Key part of the item you create will be:

Code:
query_asa_lan2lan.pl[<snmp community string> ASA get RX <IPsec peer IP>]
-create an outbound item... instead of using RX in the key just mentioned use TX (transmit)


If you're querying a VPN Concentrator just switch ASA with CONCENTRATOR in the item's key.... I haven't tested anything other than ASAs though because we've moved completely to them at work

Note: in my example replace <snmp community string> with your community string and <IPsec peer IP> with the IP address of the peer that corresponds to the tunnel you'd like to monitor - for example:

Code:
query_asa_lan2lan.pl[public ASA get RX 4.2.2.2]
would query your ASA for the bandwidth of the tunnel that corresponds with IPsec peer 4.2.2.2

After you set up these Items, you can go nuts with Zabbix and create pretty graphs, triggers based on bandwidth if you like, etc etc.
Attached Files
File Type: txt query_asa_lan2lan.txt (7.7 KB, 177 views)

Last edited by ericgearhart; 02-01-2010 at 00:49. Reason: copyedit, added yum install perl-Net-SNMP blurb
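The lookup the two posts above describe (peer IP converted to hex, matched against the per-session remote-address entry, then the RX or TX counter fetched for that session, with the hostname arriving as the first argument the way Zabbix passes it) as an added Python example. This is not the thread's query_asa_lan2lan.pl and not Cisco or Zabbix code: the column OIDs are placeholders, the SNMP walk is replaced by a constructed in-memory table, and the argument re-splitting is an assumption made so the script accepts the key parameters whether they arrive as one argument or several. It also handles the case the first post warns about, a tunnel that is down and therefore has no session, by returning no value at all instead of an empty one.

```python
#!/usr/bin/env python3
"""Zabbix external check (added example, not the thread's Perl script):
print the octet counter of the IPsec tunnel whose peer is <IPsec peer IP>.

Called by Zabbix as:  <this script> <hostname> <community> ASA get RX|TX <peer IP>
(hostname first, the argument order the thread says Zabbix requires)."""
import sys

# Assumption: the real column OIDs come from the Cisco IPsec flow MIB and
# are deliberately left as placeholders here.
OID_TUN_REMOTE_ADDR = "OID_PLACEHOLDER.remoteAddr"
OID_TUN_IN_OCTETS = "OID_PLACEHOLDER.inOctets"
OID_TUN_OUT_OCTETS = "OID_PLACEHOLDER.outOctets"

# Constructed stand-in for an SNMP walk of the device: each column is keyed
# by the per-session index the thread talks about, and the remote address is
# stored as raw octets (which is why the peer IP has to be hexed to match it).
FAKE_DEVICE = {
    (OID_TUN_REMOTE_ADDR, "4711"): bytes([4, 2, 2, 2]),        # 4.2.2.2
    (OID_TUN_REMOTE_ADDR, "4720"): bytes([192, 168, 5, 1]),    # 192.168.5.1
    (OID_TUN_IN_OCTETS, "4711"): "123456",
    (OID_TUN_OUT_OCTETS, "4711"): "654321",
    (OID_TUN_IN_OCTETS, "4720"): "42",
    (OID_TUN_OUT_OCTETS, "4720"): "43",
}


def ip_to_hex(ip):
    """'4.2.2.2' -> '04020202', the form the remote-address column is matched on."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return "".join("%02x" % int(o) for o in octets)


def snmp_walk(device, column):
    """Simulated walk: return {session index: value} for one table column."""
    return {idx: val for (oid, idx), val in device.items() if oid == column}


def find_session(device, peer_ip):
    """Session index whose remote address equals peer_ip, or None when the
    tunnel is down. The index changes every time a tunnel re-establishes,
    so it is looked up on every poll rather than cached."""
    wanted = ip_to_hex(peer_ip)
    for idx, raw in snmp_walk(device, OID_TUN_REMOTE_ADDR).items():
        if raw.hex() == wanted:
            return idx
    return None


def get_counter(device, peer_ip, direction):
    """Octet counter for the tunnel to peer_ip; RX = inbound, TX = outbound."""
    column = {"RX": OID_TUN_IN_OCTETS, "TX": OID_TUN_OUT_OCTETS}[direction.upper()]
    idx = find_session(device, peer_ip)
    if idx is None:
        return None
    return int(device[(column, idx)])


def run(argv, device=FAKE_DEVICE):
    """Parse the Zabbix call and return (exit code, text to print).
    Everything after the hostname is joined and re-split on whitespace, so
    the key parameters may arrive as one argument or as several."""
    if len(argv) < 2:
        return 1, "usage: %s <host> <community> ASA get RX|TX <peer IP>" % argv[0]
    params = " ".join(argv[2:]).split()
    if len(params) != 5 or params[1].upper() != "ASA" or params[2] != "get":
        return 1, "bad parameters: %r" % params
    _community, _device_type, _verb, direction, peer_ip = params
    if direction.upper() not in ("RX", "TX"):
        return 1, "direction must be RX or TX, got %r" % direction
    value = get_counter(device, peer_ip, direction)
    if value is None:
        # Nothing goes to stdout: an empty value would look like data to a
        # nodata() trigger. The reason goes to stderr for the server log.
        return 1, "no IPsec session for peer %s" % peer_ip
    return 0, str(value)


if __name__ == "__main__":
    code, text = run(sys.argv)
    print(text, file=sys.stdout if code == 0 else sys.stderr)
    sys.exit(code)
```

Against a real device the `snmp_walk` stand-in would be replaced with a walk of the remote-address column using the community string that the key passes in; the rest of the flow is the same, and the session-by-peer lookup on every poll is what keeps the item working after a tunnel drops and comes back with a new session index.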
  #3  
Old 02-01-2010, 00:36
ericgearhart
Member
 
Join Date: Jan 2009
Posts: 53

If you're having problems getting this set up you should first make sure the script is working OK.

Run the script by hand and make sure it returns your tunnels first:

Code:
perl query_asa_lan2lan.pl <YourASA> <YourSNMP string> ASA index
should return a list of IPsec tunnels you have established on your ASA/VPN concentrator

Here's an example:

Code:
perl query_asa_lan2lan.pl 192.168.1.1 my_snmp_string ASA index
  #4  
Old 28-04-2010, 13:27
kefear
Junior Member
 
Join Date: Apr 2010
Posts: 1

I've been trying to use this script to monitor if the tunnel is up. I've set up everything without problems until triggers. I did:
{ASA:query_asa_lan2lan.pl[public ASA get RX peerIP].nodata(30)}=1

Trigger fires up for a while and then goes down. And this repeats every 2-3 minutes. Shouldn't it be up for the whole time because the tunnel is constantly down ?

I got the following message in logs:

Use of uninitialized value $value in string eq at /etc/zabbix/externalscripts/query_asa_lan2lan.pl line 250.

Everything seems to be OK except that the trigger doesn't stay up.
Thanks in advance for any help
  #5  
Old 13-05-2010, 18:09
Setarcos
Junior Member
 
Join Date: May 2010
Location: San Jose, CA
Posts: 1

Hi Folks,

You probably want to have a look at the changes I introduced to the Cacti script in March of this year. Some newer versions of net-snmp didn't like the way the original script was referencing the OIDs.