ZABBIX Forums  
#1  02-01-2010, 01:00
ericgearhart (Senior Member; Join Date: Jan 2009; Posts: 114)
Monitoring Cisco PIX/ASA IPsec VPN tunnels

This "recipe" outlines what I went through with Zabbix to enable it to monitor the bandwidth of individual IPsec VPN tunnels.

This is not as easy as it seems at first glance... on Cisco devices the bandwidth of IPsec tunnels can be monitored via SNMP, but each tunnel has a unique "session" that has to be matched up to the peer IP address of the tunnel you want to monitor (even more fun: you must convert the peer IP address to its hex equivalent and then do the equivalent of an snmpget with that hex value to get the IPsec session).

On top of that, if an IPsec tunnel goes down and then an hour later comes back up, it will have a different session ID, so its SNMP OID will have changed... even if you looked up the original SNMP OID for a given tunnel, as soon as it goes down your graphs stop updating.

(backstory: I "discovered" Zabbix over the past two weeks... we are currently using Cacti to monitor many metrics of our network, but I'm pitching for Zabbix to completely replace Cacti at my work because it combines graphing, trending and alerts. This is one pretty crucial function that I would need Zabbix to be able to take over from Cacti).

Last edited by ericgearhart; 02-01-2010 at 01:37. Reason: Doh PIX should be VPN Concentrator... I think the script can query all three device types, not sure
#2  02-01-2010, 01:30
ericgearhart (Senior Member; Join Date: Jan 2009; Posts: 114)

I must first point out that this solution borrows heavily from this thread on the Cacti forums... I also use the perl script that enables this functionality in Cacti (query_asa_lan2lan_cisco.pl) and just "port it over" to the equivalent in Zabbix.

The only significant change I had to make was the order of the arguments to the script... Zabbix expects to call external scripts with the first argument being the hostname/IP matching the item, so I had to flip the order of the arguments in query_asa_lan2lan_cisco.pl.

The basic technical overview of setting this up:
-pick a folder you want to store custom scripts in on your Zabbix server. I personally use /etc/zabbix/externalscripts.

-enable the "external_scripts" folder in your zabbix_server.conf, and point it at that folder.

-copy the query_asa_lan2lan_cisco.txt script attached to this post to that external_scripts folder previously mentioned... rename it to a .pl file instead of .txt. I had to do that because of forum attachment rules.

-the script depends on the Net::SNMP perl module. On CentOS and RHEL all I had to do to get this module was "yum install perl-Net-SNMP"... your mileage may vary depending on your OS. It probably should be as easy as an 'emerge' or an 'apt-get' depending on your distribution.

-Make sure you 'chown zabbix:zabbix' that script so your zabbix server user owns the script

In the Zabbix web console:
-create a Host for your PIX/ASA (unless you already have)
-create an inbound Item similar to the screenshot attached. Note the data type is decimal and the custom multiplier is 8 (this converts raw bps to Kbps or Mbps in the graphs... much prettier)

For a Cisco ASA, the format for the Key part of the item you create will be:

Code:
query_asa_lan2lan.pl[<snmp community string> ASA get RX <IPsec peer IP>]
-create an outbound item... instead of using RX in the key just mentioned use TX (transmit)


If you're querying a VPN Concentrator just switch ASA with CONCENTRATOR in the item's key.... I haven't tested anything other than ASAs though because we've moved completely to them at work

Note: in my example replace <snmp community string> with your community string and <IPsec peer IP> with the IP address of the peer that corresponds to the tunnel you'd like to monitor - for example:

Code:
query_asa_lan2lan.pl[public ASA get RX 4.2.2.2]
would query your ASA for the bandwidth of the tunnel that corresponds with IPsec peer 4.2.2.2

After you setup these Items, you can go nuts with Zabbix and create pretty graphs, triggers based on bandwidth if you like, etc etc.
Attached Files
File Type: txt query_asa_lan2lan.txt (7.7 KB, 1718 views)

Last edited by ericgearhart; 02-01-2010 at 01:49. Reason: copyedit, added yum install perl-Net-SNMP blurb
#3  02-01-2010, 01:36
ericgearhart (Senior Member; Join Date: Jan 2009; Posts: 114)
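The session-lookup problem described in posts #1 and #2 (the session index for a peer changes whenever the tunnel is re-established, so the peer address has to be converted to hex and matched against the device's session table at every poll, never cached), shown as an added Python example. This is not the thread's Perl script: the column OIDs, session indexes and counter values are constructed placeholders rather than Cisco MIB identifiers, and the in-memory table stands in for an SNMP walk of the device.

```python
"""Added example, not the thread's query_asa_lan2lan_cisco.pl: resolve the
IPsec session for a peer on every poll and only then read its counters.
Everything here (OIDs, session indexes, counter values) is constructed."""
from typing import Dict, Optional
import ipaddress

# Constructed column OIDs standing in for the device's session table columns;
# placeholders, not Cisco or Altiga MIB identifiers.
PEER_COL = "1.3.6.1.4.1.99999.1.1.1.2"  # index -> peer address as hex octets
RX_COL = "1.3.6.1.4.1.99999.1.1.1.5"    # index -> octets received
TX_COL = "1.3.6.1.4.1.99999.1.1.1.6"    # index -> octets sent

Table = Dict[str, str]  # full OID -> value, as an snmpwalk would return it


def ip_to_hex(ip: str) -> str:
    """Dotted quad -> 8 hex digits, the form the peer column is compared
    against (4.2.2.2 -> '04020202')."""
    return ipaddress.IPv4Address(ip).packed.hex().upper()


def walk(table: Table, column: str) -> Dict[str, str]:
    """Simulate walking one column: return {session index: value}."""
    prefix = column + "."
    return {oid[len(prefix):]: v for oid, v in table.items() if oid.startswith(prefix)}


def find_session(table: Table, peer_ip: str) -> Optional[str]:
    """Session index whose peer address matches, or None if no such tunnel."""
    wanted = ip_to_hex(peer_ip)
    for index, value in walk(table, PEER_COL).items():
        if value == wanted:
            return index
    return None


def tunnel_counter(table: Table, peer_ip: str, direction: str) -> Optional[int]:
    """Counter for one tunnel, looked up fresh on every poll: the index is never
    cached because it changes whenever the tunnel is re-established.
    Returns None when the tunnel is absent, so the caller reports 'no value'
    rather than the counters of whatever session now owns the old index."""
    column = {"RX": RX_COL, "TX": TX_COL}[direction.upper()]
    index = find_session(table, peer_ip)
    if index is None:
        return None
    return int(table[f"{column}.{index}"])


def constructed_table(index: str, peer_ip: str, rx: int, tx: int) -> Table:
    """Build a one-tunnel snapshot of the session table (constructed data)."""
    return {
        f"{PEER_COL}.{index}": ip_to_hex(peer_ip),
        f"{RX_COL}.{index}": str(rx),
        f"{TX_COL}.{index}": str(tx),
    }


# Same peer, two polls: the tunnel dropped and came back between them, so the
# session index moved from 17 to 23 while the peer address stayed 4.2.2.2.
BEFORE_FLAP = constructed_table("17", "4.2.2.2", rx=120_000, tx=80_000)
AFTER_FLAP = constructed_table("23", "4.2.2.2", rx=1_500, tx=900)

if __name__ == "__main__":
    for label, snapshot in (("before flap", BEFORE_FLAP), ("after flap", AFTER_FLAP)):
        print(label, "session", find_session(snapshot, "4.2.2.2"),
              "RX", tunnel_counter(snapshot, "4.2.2.2", "RX"),
              "TX", tunnel_counter(snapshot, "4.2.2.2", "TX"))
    print("unknown peer:", tunnel_counter(AFTER_FLAP, "10.9.9.9", "RX"))
```

The point of returning None instead of a cached index is the failure mode post #1 describes: after a flap the old index either disappears or is reused by another session, so a check that remembers the index either stops updating or silently graphs the wrong tunnel.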

If you're having problems getting this setup you should first make sure the script is working OK.

Run the script by hand and make sure it returns your tunnels first:

Code:
perl query_asa_lan2lan.pl <YourASA> <YourSNMP string> index
should return a list of IPsec tunnels you have established on your ASA/VPN concentrator.

Here's an example:

Code:
perl query_asa_lan2lan.pl 192.168.1.1 my_snmp_string ASA index
#4  28-04-2010, 14:27
kefear (Junior Member; Join Date: Apr 2010; Posts: 3)

I've been trying to use this script to monitor if the tunnel is up. I've set up everything without problems until triggers. I did:

Code:
{ASA:query_asa_lan2lan.pl[public ASA get RX peerIP].nodata(30)}=1

The trigger fires for a while and then goes down. And this repeats every 2-3 minutes. Shouldn't it be up the whole time, because the tunnel is constantly down?

I got the following message in logs:

Use of uninitialized value $value in string eq at /etc/zabbix/externalscripts/query_asa_lan2lan.pl line 250.

Everything seems to be OK except that the trigger doesn't stay up.
Thanks in advance for any help.

#5  13-05-2010, 19:09
Setarcos (Junior Member; Join Date: May 2010; Location: San Jose, CA; Posts: 1)

Hi Folks,

You probably want to have a look at the changes I introduced to the Cacti script in March of this year. Some newer versions of net-snmp didn't like the way the original script was referencing the OIDs.

#6  29-05-2013, 20:12
aderr (Junior Member; Join Date: Dec 2011; Posts: 13)

I have been able to get this script to work well with our ASA, but we still have some PIX firewalls as well. Does anyone know of a similar script that would work for a PIX?
When I run the index against our PIX I get this returned:

Code:
request error: Requested table is empty or does not exist at query_asa_lan2lan.pl line 225
Thank you.
#7  09-08-2013, 16:23
expouser (Junior Member; Join Date: Aug 2013; Posts: 5)
ASA 5510 VPN monitoring

Code:
/query_asa_lan2lan.pl 10.2.5.1 enterprice [ASA,get] query {RX,TX}
Odd number of elements in hash assignment at /usr/lib/perl5/vendor_perl/5.16.2/Net/SNMP.pm line 2278.
request error: The argument "1.3.6.1.4.1.3076.2.1.2.17.2.1.4." is unknown at ./query_asa_lan2lan.pl line 208.


I'm getting this error when I run the script.
Please help.
#8  15-09-2013, 21:54
ericgearhart (Senior Member; Join Date: Jan 2009; Posts: 114)

Quote (Originally Posted by expouser):
    /query_asa_lan2lan.pl 10.2.5.1 enterprice [ASA,get] query {RX,TX}
    Odd number of elements in hash assignment at /usr/lib/perl5/vendor_perl/5.16.2/Net/SNMP.pm line 2278.
    request error: The argument "1.3.6.1.4.1.3076.2.1.2.17.2.1.4." is unknown at ./query_asa_lan2lan.pl line 208.

    I'm getting this error when I run the script.
    Please help.

expouser, I'm not with the company I was originally with who had a handful of ASAs deployed. We're thinking about deploying ASAs where I now work, and if we do I can try to get this script working again. As it stands right now I don't have an ASA that I can even test the script against.
#9  16-09-2013, 10:48
expouser (Junior Member; Join Date: Aug 2013; Posts: 5)

Quote (Originally Posted by ericgearhart):
    expouser I'm not with the company I was originally with who had a handful of ASAs deployed. We're thinking about deploying ASAs where I now work, and if we do I can try to get this script working again. As it stands right now I don't have an ASA that I can even test script against.

Don't worry ericgearhart, I have figured out how this script works.
Unfortunately the script version you provided did not fully work under my system OS.
It has some bugs in its output.
I found a newer version of the script on a Cacti forum.
That one works for me.
Attaching it here.
Attached Files
File Type: zip query_lan2_lan_cisco_final.zip (2.7 KB, 594 views)

Last edited by expouser; 16-09-2013 at 10:51.
#10  08-01-2014, 22:02
darwinaloot (Junior Member; Join Date: Jan 2014; Posts: 4)

Hi, I'm new to Zabbix and I'm trying to add VPN tunnels to our Zabbix. I followed all the procedure that was posted here. But when I checked the logs I saw that Zabbix executes this:

Code:
/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl "<community string> <ASA> ASA get TX <IP peer gateway>"

Zabbix is automatically adding quotation marks.

Instead of Zabbix executing this one:

Code:
/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl <community string> <ASA> ASA get TX <IP peer gateway>

it executes this one:

Code:
/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl " <community string> <ASA> ASA get TX <IP peer gateway>"

I'm getting:

Code:
usage:

./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} index
./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} query {RX,TX}
./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} get {RX,TX} DEVICE

I'm using Zabbix 2.2.1 and the latest script that was posted here. Please help me out.

Here is the log:

Code:
17548:20140108:105002.393 In substitute_key_macros() data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
17548:20140108:105002.393 End of substitute_key_macros():SUCCEED data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
17548:20140108:105002.393 In get_value() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
17548:20140108:105002.393 In get_value_external() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]'
17548:20140108:105002.393 In zbx_popen() command:'/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl "<community string> <ASA> ASA get RX <IP peer gateway>"'
17548:20140108:105002.532 Item [MANILA-PIX:query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get RX <IP peer gateway>]] error: Received value [usage:./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} index./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} query {RX,TX}./query_lan2lan_cisco.pl community host {ASA,CONCENTRATOR} get {RX,TX} DEVICE] is not suitable for value type [Numeric (unsigned)] and data type [Decimal]
17549:20140108:105003.394 In substitute_key_macros() data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
17549:20140108:105003.394 End of substitute_key_macros():SUCCEED data:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
17549:20140108:105003.394 In get_value() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
17549:20140108:105003.394 In get_value_external() key:'query_asa_lan2lan_cisco.pl[<community string> <ASA> ASA get TX <IP peer gateway>]'
17549:20140108:105003.394 In zbx_popen() command:'/home/zabbix/zabbix-2.2.1/scripts/query_asa_lan2lan_cisco.pl "<community string> <ASA> ASA get TX <IP peer gateway>"'
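The quoting darwinaloot sees in the log above is the Zabbix 2.0+ external-check convention: parameters inside the key's brackets are separated by commas, each one reaches the script as its own (quoted) argument, and the host address is no longer prepended automatically (the {HOST.CONN} macro supplies it). A key written with spaces therefore arrives as a single argument, which is exactly what trips the script's usage check. The Python below is an added example, not the thread's Perl script: it parses the usage grammar quoted in the post, accepts both the single space-joined argument shown in the log and separately passed arguments, and builds the comma-separated item key a 2.x item needs. The script name, community string and peer address used in the example are taken from the thread or are constructed.

```python
"""Added example, not the thread's script: argument handling that survives
the Zabbix 2.x behaviour shown in the log, where a key written with spaces
arrives as ONE quoted argument. The grammar is the usage text quoted in the
thread; the sample values are constructed."""
import shlex
import sys
from typing import Dict, List

USAGE = (
    "community host {ASA,CONCENTRATOR} index\n"
    "community host {ASA,CONCENTRATOR} query {RX,TX}\n"
    "community host {ASA,CONCENTRATOR} get {RX,TX} DEVICE"
)
DEVICE_TYPES = {"ASA", "CONCENTRATOR"}
DIRECTIONS = {"RX", "TX"}


class UsageError(ValueError):
    """Raised when argv does not match the usage grammar."""


def split_args(argv: List[str]) -> List[str]:
    """Zabbix 1.8 handed key parameters over split on whitespace; Zabbix 2.x
    passes each comma-separated parameter as its own quoted argv entry, so a
    space-separated key becomes a single argument. Accept both shapes."""
    if len(argv) == 1 and " " in argv[0]:
        return shlex.split(argv[0])
    return list(argv)


def parse_request(argv: List[str]) -> Dict[str, str]:
    """Validate argv against the usage grammar and return the request fields."""
    args = split_args(argv)
    if len(args) < 4 or args[2] not in DEVICE_TYPES:
        raise UsageError(USAGE)
    req = {"community": args[0], "host": args[1],
           "device_type": args[2], "action": args[3]}
    rest = args[4:]
    if req["action"] == "index" and not rest:
        return req
    if req["action"] in ("query", "get") and rest and rest[0] in DIRECTIONS:
        req["direction"] = rest[0]
        if req["action"] == "query" and len(rest) == 1:
            return req
        if req["action"] == "get" and len(rest) == 2:
            req["peer"] = rest[1]          # the tunnel's IPsec peer address
            return req
    raise UsageError(USAGE)


def is_valid(argv: List[str]) -> bool:
    """True when argv parses; the usage text itself is what the script prints."""
    try:
        parse_request(argv)
        return True
    except UsageError:
        return False


def zabbix2_item_key(script: str, community: str, device_type: str,
                     direction: str, peer: str) -> str:
    """Item key for Zabbix 2.0+: comma-separated parameters, each delivered as
    a separate argument, with {HOST.CONN} standing in for the host address
    because 2.x no longer prepends it automatically."""
    return f"{script}[{community},{{HOST.CONN}},{device_type},get,{direction},{peer}]"


if __name__ == "__main__":
    # Run as a script it behaves like the thread's usage check, but it also
    # copes with the single quoted argument a space-separated key produces.
    try:
        print(parse_request(sys.argv[1:]))
    except UsageError as exc:
        print("usage:\n" + exc.args[0], file=sys.stderr)
        sys.exit(1)
    print(zabbix2_item_key("query_asa_lan2lan_cisco.pl", "public", "ASA", "TX", "4.2.2.2"))
```

Rewriting the key with commas is the fix for the log shown above; the argument-splitting fallback is only there so a key that still uses spaces degrades into a working request instead of the usage text being stored as the item value.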